On Tue, May 25, 2010 at 04:03:12PM +0200, Davide Cittaro wrote:
Whoa, sorry to bother you so much... I think I'm getting to the end step by step. As my apache still needs to serve some directories without authentication I've decided to set up a virtualhost listening on 8080 which now proxies galaxy (listening on 8081). I've tried to follow your instructions but I believe most of the rewritecond and requestheader directives can be skipped. In principle I'm querying LDAP with this:

    AuthLDAPURL "ldap://XXX/dc=ifom-ieo-campus,dc=it?cn,mail?sub?(cn=*)"
    AuthLDAPRemoteUserAttribute mail

I've checked this with a cgi script which prints environment variables and I have:

    REMOTE_USER = davide.cittaro@ifom-ieo-campus.it

That given, galaxy should simply read the variable, shouldn't it? Unfortunately what happens is that I'm asked to login (by apache) but after that I get the Galaxy error
Unfortunately, that's insufficient. Your CGI is a UNIX process launched by apache itself, so it inherits the environment variables from apache, and thus gets that REMOTE_USER variable. However, if I'm understanding your setup correctly, you're using Apache to proxy that content to galaxy, which is a local network connection, not a process invocation, and the environment doesn't make it across. That Rewrite stuff takes the (eventual) value of the REMOTE_USER environment variable and stashes it in an HTTP header on the request to galaxy, which (unlike environment variables) is sent to the downstream application (in this case galaxy).

Galaxy insists on a username, and if you really want to allow unauthenticated access to it you can do something like I did:

    # put REMOTE_USER into a header for Galaxy
    <Proxy http://localhost:8080>
        Order deny,allow
        Allow from all
        RequestHeader set REMOTE_USER "displayonly"
    </Proxy>

There I'm stuffing 'displayonly' into the REMOTE_USER header, which galaxy will turn into displayonly@msi.umn.edu. Please note that I was very careful about what URLs are available to that no-user proxy path, as I don't want someone called displayonly@msi.umn.edu kicking off jobs and building histories.

Another way to go about that is something like this:

    RewriteRule ^(/root/display_as.*) http://localhost:8080$1 [E=REMOTE_USER:viewonly,P,L]

That (in pseudocode) says:

    if (the URL starts with /root/display_as) {
        Set the REMOTE_USER environment variable equal to "viewonly"
        And proxy it to http://localhost:8080
        And don't consider any further RewriteRules
    }

By putting that in my Galaxy config I'm able to take a specific URL path and make sure that requests for that path can continue un-authenticated, whereas anything that doesn't match hits this rule further on:

    RewriteRule ^/(.*) https://galaxy.msi.umn.edu/$1 [R]

which sends everything that didn't match the exception above on to the authenticated https: site where our LDAP barrier is.
Now's about the time I should mention that none of this is endorsed by the galaxy people as a sane setup; it's just what I happened to do locally.
Here's the apache config file for the galaxy virtualhost:
I see one oddity below. RewriteRules are processed in order, and you have the catch-all rule at the top. This one:

    RewriteRule ^(.*) http://localhost:8081$1 [P]

says anything (.*) should be proxied to localhost:8081. Try moving that after all the more specific RewriteRules (which themselves have a [L] for Last, which prevents further rule processing).
NameVirtualHost *:8080
<VirtualHost *:8080>
    ServerAdmin davide.cittaro@ifom-ieo-campus.it

    # DocumentRoot /data/galaxy_dist/static

    RewriteEngine on
    RewriteRule ^(.*) http://localhost:8081$1 [P]
    RewriteRule ^/static/style/(.*) /data/galaxy_dist/static/june_2007_style/blue/$1 [L]
    RewriteRule ^/static/(.*) /data/galaxy_dist/static/$1 [L]
    RewriteRule ^/images/(.*) /data/galaxy_dist/static/images/$1 [L]
    RewriteRule ^/favicon.ico /data/galaxy_dist/static/favicon.ico [L]
    RewriteRule ^/robots.txt /data/galaxy_dist/static/robots.txt [L]

    # RewriteCond %{IS_SUBREQ} ^false$
    # RewriteCond %{LA-U:REMOTE_USER} (.+)
    # RewriteRule . - [E=RU:%1]
    # RequestHeader set REMOTE_USER %{RU}e
    # RequestHeader unset Authorization

    <Location />
        # Options +Indexes
        # IndexOptions FancyIndexing
        # AllowOverride None
        AuthType Basic
        AuthName Galaxy
        Order deny,allow
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://XXX/dc=ifom-ieo-campus,dc=it?cn,mail?sub?(cn=*)"
        AuthLDAPRemoteUserAttribute mail
        Require ldap-filter objectClass=posixAccount
    </Location>
    # Alias / /data/galaxy_dist/static/

    ErrorLog /var/log/apache2/galaxy-error.log

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel debug

    CustomLog /var/log/apache2/galaxy-access.log combined
    ServerSignature On

    <Location /root/display_as>
        Satisfy Any
        Order deny,allow
        Deny from all
        Allow from genome.ifom-ieo-campus.it
    </Location>

    # ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
    # <Directory "/usr/lib/cgi-bin">
    #     AllowOverride None
    #     Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
    #     Order allow,deny
    #     Allow from all
    # </Directory>
</VirtualHost>
d /* Davide Cittaro
Cogentech - Consortium for Genomic Technologies via adamello, 16 20139 Milano Italy
tel.: +39(02)574303007 e-mail: davide.cittaro@ifom-ieo-campus.it */
-- Ry4an Brase 612-626-6575 University of Minnesota Supercomputing Institute for Advanced Computational Research http://www.msi.umn.edu
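As an added example (not config from the thread or from the Galaxy project), here is the :8080 virtualhost with the catch-all proxy rule moved last as the reply suggests, combined with the commented-out REMOTE_USER header block and the display_as exception; LDAPHOST is a placeholder for the LDAP server, and the unauthenticated path sets the RU variable rather than REMOTE_USER so a single RequestHeader line serves both paths.

```apache
# Added example, not from the thread. Assumes mod_rewrite, mod_proxy_http,
# mod_headers and mod_authnz_ldap are loaded; LDAPHOST is a placeholder.
<VirtualHost *:8080>
    RewriteEngine on

    # 1. Static files served by Apache. [L] ends rule processing, so these
    #    must sit ABOVE the catch-all proxy rule or they never fire.
    RewriteRule ^/static/style/(.*) /data/galaxy_dist/static/june_2007_style/blue/$1 [L]
    RewriteRule ^/static/(.*)       /data/galaxy_dist/static/$1 [L]
    RewriteRule ^/images/(.*)       /data/galaxy_dist/static/images/$1 [L]
    RewriteRule ^/favicon\.ico      /data/galaxy_dist/static/favicon.ico [L]
    RewriteRule ^/robots\.txt       /data/galaxy_dist/static/robots.txt [L]

    # 2. Display path that may stay unauthenticated: pin the user to a
    #    throwaway name (env var RU, so one RequestHeader below covers it)
    #    and proxy. [L] keeps it away from the catch-all.
    RewriteRule ^(/root/display_as.*) http://localhost:8081$1 [E=RU:viewonly,P,L]

    # 3. Everything else. LA-U looks ahead to the auth phase (auth runs after
    #    rewriting), copies REMOTE_USER into RU, then proxies. Catch-all, so LAST.
    RewriteCond %{IS_SUBREQ} ^false$
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]
    RewriteRule ^(.*) http://localhost:8081$1 [P]

    # Environment variables do not survive the proxy hop; headers do.
    # "set" replaces any REMOTE_USER header the browser sent, so Galaxy only
    # ever sees a value Apache chose. Galaxy itself must listen on
    # 127.0.0.1:8081 only, or a direct client could supply its own header.
    RequestHeader set REMOTE_USER %{RU}e env=RU
    RequestHeader unset Authorization

    <Location />
        AuthType Basic
        AuthName Galaxy
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://LDAPHOST/dc=ifom-ieo-campus,dc=it?cn,mail?sub?(cn=*)"
        AuthLDAPRemoteUserAttribute mail
        Require ldap-filter objectClass=posixAccount
    </Location>

    <Location /root/display_as>
        Satisfy Any
        Order deny,allow
        Deny from all
        Allow from genome.ifom-ieo-campus.it
    </Location>
</VirtualHost>
```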