On Tue, Oct 13, 2015 at 12:36 PM, Eric Rasche <esr@tamu.edu> wrote:

On 10/13/2015 11:34 AM, Ryan G wrote:
> We have Apache set up to authenticate users off our LDAP. If they
> authenticate correctly, they are then forwarded on through the proxy.

So, mod_auth_ldap? Or not? You say "forwarded" so I'm thinking you may
not mean this.

>
> What I want is to prevent users from hitting the galaxy URL directly.
> If they, do I want to automatically redirect them to the proxy.

Under mod_auth_ldap this should be done for you.

(Worst case scenario you could write some mod_rewrite logic that checks
for the remote_user header and returns a 301 if it's missing with the
location of your login page)

>
>
> On Tue, Oct 13, 2015 at 11:10 AM, Eric Rasche <esr@tamu.edu
> <mailto:esr@tamu.edu>> wrote:
>
> Hi Ryan,
>
> On 10/13/2015 09:50 AM, Ryan G wrote:
> > Hi all - In regards to external user authentication that I have working
> > now (see thread below). When users try to go to the actual Galaxy page,
> > they get the message:
> >
> >
> > Access to Galaxy is denied
>
> That's expected for External User Auth if you don't have the REMOTE_USER
> header set properly.
>
> >
> > Galaxy is configured to authenticate users via an external method (such
> > as HTTP authentication in Apache), but no shared secret key was provided
> > by the upstream (proxy) server.
> >
> > Please contact your local Galaxy administrator. The variable
> > |remote_user_secret| and |GX_SECRET| header must be set before you may
> > access Galaxy.
> >
> >
> >
> > That's fine and all but I'd like to have them redirected to the real
> > login page. Is there a way to do this? I didn't see anything obvious
> > and was thinking of adding a parameter to galaxy.ini and have Galaxy
> > automatically forward them after 5 seconds or so.
>
> What external auth mechanism are you using?
>
> >
> > Ryan
> >
> >
> > On Tue, Oct 13, 2015 at 10:49 AM, Ryan G <ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com>
> > <mailto:ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com>>>
> wrote:
> >
> > Hi all - In regards to external user authentication that I have
> > working now (see thread below). When users try to go to the actual
> > Galaxy page, they get the message:
> >
> >
> > On Thu, Oct 1, 2015 at 4:10 PM, Ryan G <ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com>
> > <mailto:ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com>>>
> wrote:
> >
> > I finally got around to this and all is working well. I
> > submitted 2 patches to remoteuser.py to assist in debugging
> > incorrect set ups.
> >
> > Last question - When a user logs out, they get the page ""Access
> > to Galaxy user controls is disabled". I've set the
> > remote_user_logout_href parameter to a different website, but
> > they still get the "Access to Galaxy user controls is disabled".
> >
> > I see it in lib/galaxy/webapps/galaxy/controllers/user.py, but I
> > think at that point its too late.
> >
> >
> >
> > On Tue, Sep 8, 2015 at 4:05 PM, Ryan G
> > <ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com>
> > <mailto:ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com>>>
> wrote:
> >
> > Yes, I have a test server I'm going to check this one.
> > thanks for the link, that's perfect...I'll add some
> > debugging code in here to see what's going on.
> >
> > On Tue, Sep 8, 2015 at 1:46 PM, Dannon Baker
> > <dannon.baker@gmail.com <mailto:dannon.baker@gmail.com>
> <mailto:dannon.baker@gmail.com <mailto:dannon.baker@gmail.com>>> wrote:
> >
> > Do you have a way to verify the "HTTP_MAIL" header is
> > actually being passed through your proxy server?
> >
> > The problem is that Galaxy still doesn't think it's
> > receiving the expected headers, so there isn't a good
> > way that it can tell you more about what might be going
> > on. If you're able to tweak Galaxy (using a test
> > server) and add a few logging statements the code, this
> > would be good places to check what's going on (print the
> > `environ` dictionary associated with that request, along
> > with self.remote_user_header to see what Galaxy is
> > actually trying to use):
> >
> > https://github.com/galaxyproject/galaxy/blob/dev/lib/galaxy/web/framework/middleware/remoteuser.py#L49
> >
> > -Dannon
> >
> > On Thu, Sep 3, 2015 at 1:51 PM, Ryan G
> > <ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com>
> > <mailto:ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com>>>
> wrote:
> >
> > It turns out our authentication system passes a
> > header 'HTTP_MAIL' which contains the users email
> > address. In galaxy.ini, I have
> >
> > use_remote_user = True
> > remote_user_header = HTTP_MAIL
> >
> > After restarting,Galaxy still gives the same error.
> >
> > On Mon, Aug 31, 2015 at 3:44 PM, Dannon Baker
> > <dannon.baker@gmail.com <mailto:dannon.baker@gmail.com>
> > <mailto:dannon.baker@gmail.com <mailto:dannon.baker@gmail.com>>> wrote:
> >
> > Hi Ryan,
> >
> > It may be that Galaxy is looking for a different
> > remote user header than your proxy is setting.
> > I believe by default we look for
> > HTTP_REMOTE_USER, but this is configurable in
> > galaxy.ini (so, you could set yours to HTTP_USER
> > there). Let me know if this doesn't sort it out
> > for you and we can dig deeper!
> >
> > -Dannon
> >
> > On Mon, Aug 31, 2015 at 3:42 PM, Ryan G
> > <ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com>
> > <mailto:ngsbioinformatics@gmail.com

> <mailto:ngsbioinformatics@gmail.com>>> wrote:
> >
> > Hi all - I'm trying to use external user
> > authentication with Galaxy. The external
> > authentication passes to Galaxy the
> username
> > with the mail domain at HTTP_USER.
> >
> > In galaxy.ini, I enable:
> > use_remote_user = True
> >
> >
> > When I try to access Galaxy, I get the
> message:
> > Galaxy is configured to authenticate users
> > via an external method (such as HTTP
> > authentication in Apache), but a username
> > was not provided by the upstream (proxy)
> > server. This is generally due to a
> > misconfiguration in the upstream server.
> >
> > But nothing in paster.log indicating what
> > the error is.
> >
> > How do I track this down?
> >
> >
> >
> >
> ___________________________________________________________
> > Please keep all replies on the list by
> using
> > "reply all"
> > in your mail client. To manage your
> > subscriptions to this
> > and other Galaxy lists, please use the
> > interface at:
> > https://lists.galaxyproject.org/
> >
> > To search Galaxy mailing lists use the
> > unified search at:
> >
> http://galaxyproject.org/search/mailinglists/
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > ___________________________________________________________
> > Please keep all replies on the list by using "reply all"
> > in your mail client. To manage your subscriptions to this
> > and other Galaxy lists, please use the interface at:
> > https://lists.galaxyproject.org/
> >
> > To search Galaxy mailing lists use the unified search at:
> > http://galaxyproject.org/search/mailinglists/
> >
>
> --
> Eric Rasche
> Programmer II
>
> Center for Phage Technology
> Rm 312A, BioBio
> Texas A&M University
> College Station, TX 77843

> 404-692-2048 <tel:404-692-2048>
> esr@tamu.edu <mailto:esr@tamu.edu>

> ___________________________________________________________
> Please keep all replies on the list by using "reply all"
> in your mail client. To manage your subscriptions to this
> and other Galaxy lists, please use the interface at:
> https://lists.galaxyproject.org/
>
> To search Galaxy mailing lists use the unified search at:
> http://galaxyproject.org/search/mailinglists/
>
>

--
Eric Rasche
Programmer II

Center for Phage Technology
Rm 312A, BioBio
Texas A&M University
College Station, TX 77843
404-692-2048
esr@tamu.edu