Galaxy Tool Shed use when using nginx as an authentication proxy

Question: Galaxy Tool Shed use when using nginx as an authentication proxy

4.6 years ago by

United States / Boston / Harvard Medical School

Hello,

I've been unable to find a solution to this issue, and my local installation log files have not yet shown me exactly what I am missing in my configuration. I have configured galaxy to utilize nginx as an authentication proxy. The proxy is making use of PAM to allow LDAP accounts to authenticate to the local installation. This is working as intended, however when I attempt to install tools in the main tool shed I am getting a curious error, which I think is due to a misconfiguration of my proxy, but I am not sure how I should go about resolving it.

My nginx.conf is as follows:

        ##
        # Galaxy configuration
        ##
        upstream galaxy_app {
        server localhost:8080;
        }
        server {
                client_max_body_size 10G;
                # ... other server stuff ...
                location / {
                auth_pam "Basic Auth Realm Name";
                auth_pam_service_name "nginx";
                proxy_pass http://galaxy_app;
                proxy_set_header REMOTE_USER $remote_user;
                proxy_set_header X-Forwarded-Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header X-URL-SCHEME https;
                }
                location /_x_accel_redirect/ {
                internal;
                alias /;
                }
        }
}

I have made the requisite corresponding configuration changes to my universe_wsgi.ini file.

host = 0.0.0.0
nginx_x_accel_redirect_base = /_x_accel_redirect
upstream_gzip = True
set_metadata_externally = True
use_remote_user = True
remote_user_maildomain = our.domain.is.here
require_login = True
allow_user_creation = False

nginx and Galaxy start up, and I am able to login using my LDAP account and my administrative rights seem to work in all aspects except for tool installation.

Attempting to install a tool, I am able to navigate to Admin-->Search and Browse Tool Sheds

I select a tool for installation however and upon clicking "Install to Galaxy" I am greeted with the following within the installation pane:

Unable to connect

Firefox can't establish a connection to the server at <our_local_install_server_name_is_here>.

My question is, is there something additional that I must specify to the nginx proxy to enable this connection to take place? I am assuming that the proxy configuration is the issue as I was able to previously install tools prior to configuring the proxy and enabling PAM authentication.

I was unable to find anything related to this particular error and my initial setup of the proxy was based off of the documentation located here: https://wiki.galaxyproject.org/Admin/Config/nginxProxy

Regards,

Dan Shea
West Quad Computing Group
Harvard Medical School

toolshed galaxy local nginx • 2.4k views

ADD COMMENT • link •

modified 4.5 years ago by Srinivas • 50 • written 4.6 years ago by daniel.john.shea • 10

4.5 years ago by

Brad Langhorst • 100

United States

Brad Langhorst • 100 wrote:

I don't have a good answer for you... but since no one else has replied I'll share how I've handled this.

Like you, we are using ldap auth. If i enable it in the toolshed (running at galaxy.neb.com/toolshed), tools cannot be installed.

My solution has been to create a local user for toolshed admin and allow unauthenticated access.

That works for me since I'm the only person installing local tools.

ADD COMMENT • link written 4.5 years ago by Brad Langhorst • 100

Thanks Brad! I will give that a go and hopefully that should serve our needs. Have a great day!

Dan Shea

ADD REPLY • link written 4.5 years ago by daniel.john.shea • 10

4.5 years ago by

Srinivas • 50

United States

Srinivas • 50 wrote:

Thanks for the question and the tip.

I was able to get this work by:

Provisioning a local user while logged in as an admin user
Creating a copy of the universe_wsgi.ini file and editing it to:
- create a new web server on a different port
- removing authentication related settings
- setting "admin_users" to user created in step 1
Creating a copy of the run.sh file and editing it to reference the file created in step 1
Executing run.sh to spawn the new server
Logging in to the new server at the specified port as the user created in step 1

ADD COMMENT • link modified 4.5 years ago • written 4.5 years ago by Srinivas • 50

Please log in to add an answer.

Similar posts • Search »