Howdy Ryan, On 10/13/2015 11:44 AM, Ryan G wrote:
Sorry, maybe I'm not being clear.
Galaxy is listening on http://galaxy.mycompany.com:8080
Users access Galaxy via http://mycompay.com/galaxy
Ah! This is much more clear, thanks :) If you're running under remote_user, you should NOT make it available outside of the apache proxy. Even with the remote_user_secret variable that was added, it's still an unnecessary security risk.
If users go to http://galaxy.mycompany.com:8080, they get the External Authentication message. From here I want them to be redirected to http://mycompay.com/galaxy which is where they will be authenticated.
I'm guessing you migrated at some point from the raw port to the /galaxy address and your users are moving slowly to the new URL. Here is my suggestion: - have galaxy listen on 127.0.0.1:8081 so only apache on the same machine can access it. - add an apache virtualhost listening on 0.0.0.0:8080 that automatically redirects any requests to that page to http://mycompany.com/galaxy/ to help migrate users. That should fix your problem without requiring modification to your codebase for this one scenario.
Users never see http://galaxy.mycompany.com:8080....they will always see http://mycompay.com/galaxy
On Tue, Oct 13, 2015 at 12:36 PM, Eric Rasche <esr@tamu.edu <mailto:esr@tamu.edu>> wrote:
On 10/13/2015 11:34 AM, Ryan G wrote: > We have Apache set up to authenticate users off our LDAP. If they > authenticate correctly, they are then forwarded on through the proxy.
So, mod_auth_ldap? Or not? You say "forwarded" so I'm thinking you may not mean this.
> > What I want is to prevent users from hitting the galaxy URL directly. > If they, do I want to automatically redirect them to the proxy.
Under mod_auth_ldap this should be done for you.
(Worst case scenario you could write some mod_rewrite logic that checks for the remote_user header and returns a 301 if it's missing with the location of your login page)
> > > On Tue, Oct 13, 2015 at 11:10 AM, Eric Rasche <esr@tamu.edu <mailto:esr@tamu.edu> > <mailto:esr@tamu.edu <mailto:esr@tamu.edu>>> wrote: > > Hi Ryan, > > On 10/13/2015 09:50 AM, Ryan G wrote: > > Hi all - In regards to external user authentication that I have working > > now (see thread below). When users try to go to the actual Galaxy page, > > they get the message: > > > > > > Access to Galaxy is denied > > That's expected for External User Auth if you don't have the REMOTE_USER > header set properly. > > > > > Galaxy is configured to authenticate users via an external method (such > > as HTTP authentication in Apache), but no shared secret key was provided > > by the upstream (proxy) server. > > > > Please contact your local Galaxy administrator. The variable > > |remote_user_secret| and |GX_SECRET| header must be set before you may > > access Galaxy. > > > > > > > > That's fine and all but I'd like to have them redirected to the real > > login page. Is there a way to do this? I didn't see anything obvious > > and was thinking of adding a parameter to galaxy.ini and have Galaxy > > automatically forward them after 5 seconds or so. > > What external auth mechanism are you using? > > > > > Ryan > > > > > > On Tue, Oct 13, 2015 at 10:49 AM, Ryan G <ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com> <mailto:ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com>> > > <mailto:ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com> <mailto:ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com>>>> > wrote: > > > > Hi all - In regards to external user authentication that I have > > working now (see thread below). When users try to go to the actual > > Galaxy page, they get the message: > > > > > > On Thu, Oct 1, 2015 at 4:10 PM, Ryan G <ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com> <mailto:ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com>> > > <mailto:ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com> <mailto:ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com>>>> > wrote: > > > > I finally got around to this and all is working well. I > > submitted 2 patches to remoteuser.py to assist in debugging > > incorrect set ups. > > > > Last question - When a user logs out, they get the page ""Access > > to Galaxy user controls is disabled". I've set the > > remote_user_logout_href parameter to a different website, but > > they still get the "Access to Galaxy user controls is disabled". > > > > I see it in lib/galaxy/webapps/galaxy/controllers/user.py, but I > > think at that point its too late. > > > > > > > > On Tue, Sep 8, 2015 at 4:05 PM, Ryan G > > <ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com> <mailto:ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com>> > > <mailto:ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com> <mailto:ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com>>>> > wrote: > > > > Yes, I have a test server I'm going to check this one. > > thanks for the link, that's perfect...I'll add some > > debugging code in here to see what's going on. > > > > On Tue, Sep 8, 2015 at 1:46 PM, Dannon Baker > > <dannon.baker@gmail.com <mailto:dannon.baker@gmail.com> <mailto:dannon.baker@gmail.com <mailto:dannon.baker@gmail.com>> > <mailto:dannon.baker@gmail.com <mailto:dannon.baker@gmail.com> <mailto:dannon.baker@gmail.com <mailto:dannon.baker@gmail.com>>>> wrote: > > > > Do you have a way to verify the "HTTP_MAIL" header is > > actually being passed through your proxy server? > > > > The problem is that Galaxy still doesn't think it's > > receiving the expected headers, so there isn't a good > > way that it can tell you more about what might be going > > on. If you're able to tweak Galaxy (using a test > > server) and add a few logging statements the code, this > > would be good places to check what's going on (print the > > `environ` dictionary associated with that request, along > > with self.remote_user_header to see what Galaxy is > > actually trying to use): > > > > https://github.com/galaxyproject/galaxy/blob/dev/lib/galaxy/web/framework/mi... > > > > -Dannon > > > > On Thu, Sep 3, 2015 at 1:51 PM, Ryan G > > <ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com> <mailto:ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com>> > > <mailto:ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com> <mailto:ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com>>>> > wrote: > > > > It turns out our authentication system passes a > > header 'HTTP_MAIL' which contains the users email > > address. In galaxy.ini, I have > > > > use_remote_user = True > > remote_user_header = HTTP_MAIL > > > > After restarting,Galaxy still gives the same error. > > > > On Mon, Aug 31, 2015 at 3:44 PM, Dannon Baker > > <dannon.baker@gmail.com <mailto:dannon.baker@gmail.com> <mailto:dannon.baker@gmail.com <mailto:dannon.baker@gmail.com>> > > <mailto:dannon.baker@gmail.com <mailto:dannon.baker@gmail.com> <mailto:dannon.baker@gmail.com <mailto:dannon.baker@gmail.com>>>> wrote: > > > > Hi Ryan, > > > > It may be that Galaxy is looking for a different > > remote user header than your proxy is setting. > > I believe by default we look for > > HTTP_REMOTE_USER, but this is configurable in > > galaxy.ini (so, you could set yours to HTTP_USER > > there). Let me know if this doesn't sort it out > > for you and we can dig deeper! > > > > -Dannon > > > > On Mon, Aug 31, 2015 at 3:42 PM, Ryan G > > <ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com> <mailto:ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com>> > > <mailto:ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com> > <mailto:ngsbioinformatics@gmail.com <mailto:ngsbioinformatics@gmail.com>>>> wrote: > > > > Hi all - I'm trying to use external user > > authentication with Galaxy. The external > > authentication passes to Galaxy the > username > > with the mail domain at HTTP_USER. > > > > In galaxy.ini, I enable: > > use_remote_user = True > > > > > > When I try to access Galaxy, I get the > message: > > Galaxy is configured to authenticate users > > via an external method (such as HTTP > > authentication in Apache), but a username > > was not provided by the upstream (proxy) > > server. This is generally due to a > > misconfiguration in the upstream server. > > > > But nothing in paster.log indicating what > > the error is. > > > > How do I track this down? > > > > > > > > > ___________________________________________________________ > > Please keep all replies on the list by > using > > "reply all" > > in your mail client. To manage your > > subscriptions to this > > and other Galaxy lists, please use the > > interface at: > > https://lists.galaxyproject.org/ > > > > To search Galaxy mailing lists use the > > unified search at: > > > http://galaxyproject.org/search/mailinglists/ > > > > > > > > > > > > > > > > > > > > > > ___________________________________________________________ > > Please keep all replies on the list by using "reply all" > > in your mail client. To manage your subscriptions to this > > and other Galaxy lists, please use the interface at: > > https://lists.galaxyproject.org/ > > > > To search Galaxy mailing lists use the unified search at: > > http://galaxyproject.org/search/mailinglists/ > > > > -- > Eric Rasche > Programmer II > > Center for Phage Technology > Rm 312A, BioBio > Texas A&M University > College Station, TX 77843 > 404-692-2048 <tel:404-692-2048> <tel:404-692-2048 <tel:404-692-2048>> > esr@tamu.edu <mailto:esr@tamu.edu> <mailto:esr@tamu.edu <mailto:esr@tamu.edu>> > ___________________________________________________________ > Please keep all replies on the list by using "reply all" > in your mail client. To manage your subscriptions to this > and other Galaxy lists, please use the interface at: > https://lists.galaxyproject.org/ > > To search Galaxy mailing lists use the unified search at: > http://galaxyproject.org/search/mailinglists/ > >
-- Eric Rasche Programmer II
Center for Phage Technology Rm 312A, BioBio Texas A&M University College Station, TX 77843 404-692-2048 <tel:404-692-2048> esr@tamu.edu <mailto:esr@tamu.edu>
-- Eric Rasche Programmer II Center for Phage Technology Rm 312A, BioBio Texas A&M University College Station, TX 77843 404-692-2048 esr@tamu.edu