There was a small but important error in the proxy configuration... I had to pass the /api/ part to a proxy again with a [P] directive, not just the [L]. So the correct proxy definition is:

<code>
<Directory /mnt/ngs/analysis/svcgalaxy/galaxy-dist/static>
    Options FollowSymLinks
    Order Allow,Deny
    Allow from all
</Directory>

<Proxy http://localhost:8080>
    AuthType Basic
    AuthName "GALAXY@GHI. Please log in with your Windows account"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://__YOUR_LDAP_SERVER/ou=Users - Employees,dc=genomichealth,dc=com?sAMAccountName?sub?(objectClass=*)"
    AuthzLDAPAuthoritative off
    AuthLDAPBindDN __USERNAME__
    AuthLDAPBindPassword __PASSWORD
    Require valid-user
    RequestHeader set REMOTE_USER %{AUTHENTICATE_SAMACCOUNTNAME}e
</Proxy>

#Extended the timeout since some GALAXY actions can take a long time
TimeOut 60000

RewriteEngine on
# API requests are proxied to the server on 8081, which does not require authentication
RewriteRule ^(/api/.*) http://localhost:8081$1 [P,L]
RewriteRule ^/static/style/(.*) /mnt/ngs/analysis/svcgalaxy/galaxy-dist/static/june_2007_style/blue/$1 [L]
RewriteRule ^/static/scripts/(.*) /mnt/ngs/analysis/svcgalaxy/galaxy-dist/static/scripts/packed/$1 [L]
RewriteRule ^/static/(.*) /mnt/ngs/analysis/svcgalaxy/galaxy-dist/static/$1 [L]
RewriteRule ^/favicon.ico /mnt/ngs/analysis/svcgalaxy/galaxy-dist/static/favicon.ico [L]
RewriteRule ^/robots.txt /mnt/ngs/analysis/svcgalaxy/galaxy-dist/static/robots.txt [L]
RewriteRule ^/admin/jobs(.*) http://localhost:8079/admin/jobs$1 [P]
# Everything else is proxied to the server on 8080, which requires authentication
RewriteRule ^(.*) http://localhost:8080$1 [P]
</code>

On Feb 14, 2013, at 02:41 PM, Anthonius deBoer <thondeboer@me.com> wrote:

Hi,

I have been struggling with setting up my galaxy system to allow it to use the LDAP authentication for users that come in through the frontend, while not wanting to have to use authentication when users want to access through the API... I found some solution and I thought I'd share it with the world so that people may learn from this and maybe also tell me if I am doing something wrong, or worse, insecure!
I set up two web servers in the universe file at localhost:8080 and localhost:8081. For the one at 8080 I require authentication, for the one at 8081 I do not, in the settings for the Apache proxy server shown below...

Then I set up a RewriteRule for anything addressed to /api/ and route that to the one at 8081, that does not require authentication, while everything else goes through 8080 which does...

It seems to work nicely, although I have a nagging feeling this leaves open some backdoors somewhere, but please tell me if I do...

<code>
<Directory /mnt/ngs/analysis/svcgalaxy/galaxy-dist/static>
    Options FollowSymLinks
    Order Allow,Deny
    Allow from all
</Directory>

<Proxy http://localhost:8080>
    AuthType Basic
    AuthName "GALAXY@GHI. Please log in with your Windows account"
    AuthBasicProvider ldap
    AuthLDAPURL "ldap://__YOUR_LDAP_SERVER/ou=Users - Employees,dc=genomichealth,dc=com?sAMAccountName?sub?(objectClass=*)"
    AuthzLDAPAuthoritative off
    AuthLDAPBindDN __USERNAME__
    AuthLDAPBindPassword __PASSWORD
    Require valid-user
    RequestHeader set REMOTE_USER %{AUTHENTICATE_SAMACCOUNTNAME}e
</Proxy>

#Extended the timeout since some GALAXY actions can take a long time
TimeOut 60000

RewriteEngine on
RewriteRule ^(/api/.*) http://localhost:8081$1 [L]
RewriteRule ^/static/style/(.*) /mnt/ngs/analysis/svcgalaxy/galaxy-dist/static/june_2007_style/blue/$1 [L]
RewriteRule ^/static/scripts/(.*) /mnt/ngs/analysis/svcgalaxy/galaxy-dist/static/scripts/packed/$1 [L]
RewriteRule ^/static/(.*) /mnt/ngs/analysis/svcgalaxy/galaxy-dist/static/$1 [L]
RewriteRule ^/favicon.ico /mnt/ngs/analysis/svcgalaxy/galaxy-dist/static/favicon.ico [L]
RewriteRule ^/robots.txt /mnt/ngs/analysis/svcgalaxy/galaxy-dist/static/robots.txt [L]
RewriteRule ^/admin/jobs(.*) http://localhost:8079/admin/jobs$1 [P]
RewriteRule ^(.*) http://localhost:8080$1 [P]
</code>

Thon
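Added example, not part of the original messages: a small Python check that lists every RewriteRule with an http(s) target in a configuration like the one above and reports whether the [P] flag is present and whether the backend falls inside a <Proxy> block that carries a Require directive. The CONFIG sample is constructed from the corrected configuration with the LDAP details left out, and matching a backend to a <Proxy> block by string prefix is a simplifying assumption.

```python
import re

# Constructed sample: the proxy-related lines of the corrected configuration
# above, with the LDAP details left out.
CONFIG = """\
<Proxy http://localhost:8080>
  AuthType Basic
  Require valid-user
</Proxy>
RewriteRule ^(/api/.*) http://localhost:8081$1 [P,L]
RewriteRule ^/static/(.*) /mnt/ngs/analysis/svcgalaxy/galaxy-dist/static/$1 [L]
RewriteRule ^/admin/jobs(.*) http://localhost:8079/admin/jobs$1 [P]
RewriteRule ^(.*) http://localhost:8080$1 [P]
"""

PROXY_OPEN = re.compile(r'<Proxy\s+"?(https?://[^\s">]+)"?\s*>', re.I)
REQUIRE = re.compile(r'Require(?!\s+all\s+granted)\s', re.I)
RULE = re.compile(r'RewriteRule\s+(\S+)\s+(https?://[^/\s$]+)\S*(?:\s+\[([^\]]*)\])?', re.I)


def audit(config):
    """Return (pattern, backend, finding) for every RewriteRule with an http(s) target."""
    protected, current, rules = set(), None, []
    for raw in config.splitlines():
        line = raw.strip()
        if m := PROXY_OPEN.match(line):
            current = m.group(1)
        elif line.lower().startswith("</proxy"):
            current = None
        elif current and REQUIRE.match(line):
            protected.add(current)          # this <Proxy> block demands a login
        elif m := RULE.match(line):
            flags = {f.strip().upper() for f in (m.group(3) or "").split(",")}
            rules.append((m.group(1), m.group(2), flags))
    report = []
    for pattern, backend, flags in rules:
        if "P" not in flags and "PROXY" not in flags:
            finding = "not proxied: [P] flag missing"
        elif any(backend.startswith(p) for p in protected):  # prefix match (assumption)
            finding = "proxied, login required"
        else:
            finding = "proxied, no login required"
        report.append((pattern, backend, finding))
    return report


if __name__ == "__main__":
    for row in audit(CONFIG):
        print("%-20s %-24s %s" % row)
```

On this sample the backends on 8081 and 8079 are reported as proxied with no login required, and only 8080 is behind the <Proxy> block's Require.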