Question: Galaxy + Apache + External Authentication
gravatar for Assaf Gordon
9.8 years ago by
Assaf Gordon320
United States
Assaf Gordon320 wrote:
Hello, I'm trying to setup galaxy to run with apache and external authentication - and I can't get this to work. (This is a not a galaxy question per se, more of an apache question, but hopefully you can still help me). First step was to setup apache/galaxy with mode rewrite - works perfectly. I've added these two lines to a 'conf' file in /etc/httpd/conf.d: ReWriteRule ^/galaxy$ /galaxy/ [R] RewriteRule ^/galaxy(.*) http://localhost:8080$1 [P] Browsing to http://myserver/galaxy indeed goes to galaxy and works ok. Then, I've tested a simple authentication directive (independent of galaxy): Alias /galaxy "/home/gordon/galaxy" <directory home="" gordon="" galaxy=""> AuthType Basic AuthName "Restricted Files" AuthUserFile /home/gordon/httpd_passwords Require user gordon </directory> And this also works OK. Now I want to combine the two - but it doesn't work. My "ReWriteRule" are ignored when they are inside a <directory> clause. I've also tried <location> - same results. Any ideas ? Thanks, Gordon
galaxy • 2.0k views
ADD COMMENTlink modified 9.8 years ago by Nate Coraor3.2k • written 9.8 years ago by Assaf Gordon320
gravatar for Nate Coraor
9.8 years ago by
Nate Coraor3.2k
United States
Nate Coraor3.2k wrote:
Gordon, The RewriteRules should work with a Location directive, but outside of it: ReWriteRule ^/galaxy$ /galaxy/ [R] RewriteRule ^/galaxy(.*) http://localhost:8080$1 [P] <location galaxy=""> AuthType Basic AuthName "Restricted Files" AuthUserFile /home/gordon/httpd_passwords Require user gordon </location> I imagine the Alias directive would cause problems with the RewriteRules. --nate
ADD COMMENTlink written 9.8 years ago by Nate Coraor3.2k
Thank you for your help - I finally got it working. Every user in the domain is automatically logged-in - it's beautiful. I should have done this a long time ago. Interestingly, the "REMOTE_USER" rule didn't work for me - I'm using mod_authzldap and for some unknown reason using the rewrite rules from galaxy's wiki causes HTTP_REMOTE_USER to always be "(null)" when used with the proxy rules (the HTTP_REMOTE_USER was fine when passed to php scripts without proxy). The apache configuration clause which works for me is: ReWriteRule ^/galaxy$ /galaxy/ [R] RewriteRule ^/galaxy(.*) http://localhost:8080$1 [P] <location "="" galaxy"=""> AuthName "Please login with your CSHL account" AuthType Basic AuthBasicProvider ldap AuthzLDAPAuthoritative off AuthLDAPURL "ldap://[LDAP-SERVER]/?sAMAccountName?sub?(objectClass=*)" NONE AuthLDAPBindDN [LDAP-User-account] AuthLDAPBindPassword [LDAP-User-Password] Require valid-user # mod_authzldap creates 'AUTHENTICATE_XXXX' environment variables # for the arguments in the LDAP URL. # Convert the authenticated user name into a HTTP_REMOTE_USER. RequestHeader add REMOTE_USER %{AUTHENTICATE_SAMACCOUNTNAME}e </location> While trying to make sense of this mess (apache + mod_rewrite + mod_proxy + mod_authzldap + galaxy ), the following tricks helped: --1-- Trying mod_rewrite and apache-proxy without authentication: RewriteEngine on ReWriteRule ^/galaxy$ /galaxy/ [R] RewriteRule ^/galaxy(.*) http://localhost:8080$1 [P] At first I got "HTTP-500 Server Error". The /var/log/httpd/error_log file showed the following error: [error] (13)Permission denied: proxy: HTTP: attempt to connect to (*) failed This is caused by SELinux (installed by default on CentOS) that blocks the apache process from initiating network connections. The following command fixed it: $ sudo /usr/sbin/setsebool httpd_can_network_connect 1 More info at --2-- Checking the authentication clause without rewrite rules and without proxy. <directory "="" var="" www="" html="" protected"=""> AuthName "Please login with your CSHL account" AuthType Basic AuthBasicProvider ldap AuthzLDAPAuthoritative off AuthLDAPURL "ldap://[LDAP-SERVER]/?sAMAccountName?sub?(objectClass=*)" NONE AuthLDAPBindDN [LDAP-User-account] AuthLDAPBindPassword [LDAP-User-Password] Require valid-user </directory> And inside "/var/www/html/protected", create a simple PHP script which shows the server variables: $ cat /var/www/html/protected/index.php \n"; print_r($_SERVER); echo "\n"; ?> When you browse to http://[server]/protected, and login with the right username and password, you get a list of all the server variables (That's how I discovered the 'AUTHENTICATE_SAMACCOUNTNAME'): Array ( [ ... many other variables not shown ... ] [SCRIPT_URL] => /protected/ [SCRIPT_URI] => http://XXXXXXX/protected [AUTHENTICATE_SAMACCOUNTNAME] => gordon [HTTP_HOST] => XXXXXX [PATH] => /sbin:/usr/sbin:/bin:/usr/bin [SERVER_ADMIN] => root@localhost [SCRIPT_FILENAME] => /var/www/html/protected/index.php [REMOTE_PORT] => 42695 [REMOTE_USER] => gordon [AUTH_TYPE] => Basic [GATEWAY_INTERFACE] => CGI/1.1 [SERVER_PROTOCOL] => HTTP/1.1 [REQUEST_METHOD] => GET [QUERY_STRING] => [REQUEST_URI] => /protected/ [SCRIPT_NAME] => /protected/index.php [PHP_SELF] => /protected/index.php [PHP_AUTH_USER] => gordon [PHP_AUTH_PW] => XXXXXXXXXX [REQUEST_TIME] => 1235107649 ) Althought "REMOTE_USER" is listed as a valid server variable, I could not get it to work with the proxy, and had to look for another solution. --3-- Add the following lines in "./lib/galaxy/web/framework/middleware/", line 71: for k,v in environ.items(): sys.stderr.write ( "%s:\t%s\n" % ( k, v ) ) With these, galaxy prints every environment variable it receives, and debugging gets much easier. You can quickly see if there is an HTTP_REMOTE_USER variable, and whether it contains valid data or the string "(null)". --4-- Add a fixed HTTP_REMOTE_USER value in the apache configuration. This tests the proxy connection between apache and galaxy: ReWriteRule ^/galaxy$ /galaxy/ [R] RewriteRule ^/galaxy(.*) http://localhost:8080$1 [P] <location "="" galaxy"=""> RequestHeader add REMOTE_USER gordon </location> If everything is setup correctly, galaxy should automatically login with the user 'gordon'. Together with step 3, you can easily see if external authentication works or not. --5-- Try to get the authenticated user name from the authentication module to the HTTP_REMOTE_USER variable. The Galaxy wiki ( recommends putting the following statements: RewriteCond %{IS_SUBREQ} ^false$ RewriteCond %{LA-U:REMOTE_USER} (.+) RewriteRule . - [E=RU:%1] RequestHeader set REMOTE_USER %{RU}e These didn't work for me. To debug it, I added the following statements: RewriteLog /tmp/rewrite.log RewriteLogLevel 9 And then "tail -f /var/rewrite.log". On my server, it always showed: ... RewriteCond: input='false' pattern='^false$' => matched RewriteCond: input='' pattern='(.+)' => not-matched ... Which means the first condition (IS_SUBREQ) matched, but the second condition (LA-U:REMOTE_USER) never matched - because REMOTE_USER environment variable was empty or null. As I've noted, the solution in my case was to use a different variable (AUTHENTICATE_SAMACCOUNTNAME). Maybe there's a way to get REMOTE_USER to work - but I don't know it. Regards, Gordon. Nate Coraor wrote, On 02/19/2009 12:33 PM:
ADD REPLYlink written 9.8 years ago by Assaf Gordon320
Please log in to add an answer.


Use of this site constitutes acceptance of our User Agreement and Privacy Policy.
Powered by Biostar version 16.09
Traffic: 171 users visited in the last hour