Hi Shantanu,
Thank you for your update, I've done my config a little differently and it
appears to work just the same. The relevant part looks like this:
<Location />
## ActiveDirectory authentication and authorization
AuthType Basic
AuthBasicProvider ldap
AuthName "R&D Galaxy Testing/QA Server"
AuthLDAPURL "ldap://my.server.com:389/OU=Users & Workstations,DC=domain,DC=com?sAMAccountName?sub?(|(objectClass=person)(objectClass=group))"
# ...more AuthLDAP directives here...
RequestHeader set REMOTE_USER %{AUTHENTICATE_sAMAccountName}e
</Location>
<Location /datasets>
Order Allow,Deny
Allow from All
Satisfy Any
RequestHeader set REMOTE_USER "anonymous"
</Location>
## Static content and reverse proxy
RewriteEngine On
RewriteRule ^/static/style/(.*) /path/to/galaxy/galaxy_dist/static/june_2007_style/blue/$1 [L]
RewriteRule ^/static/scripts/(.*) /path/to/galaxy/galaxy_dist/static/scripts/packed/$1 [L]
RewriteRule ^/static/(.*) /path/to/galaxy/galaxy_dist/static/$1 [L]
RewriteRule ^/favicon.ico /path/to/galaxy/galaxy_dist/static/favicon.ico [L]
RewriteRule ^/robots.txt /path/to/galaxy/galaxy_dist/static/robots.txt [L]
RewriteRule ^(.*) http://galaxy.server.hostname:8080$1 [P]
On Fri, Jul 1, 2011 at 12:13 AM, Shantanu Pavgi <pavgi(a)uab.edu> wrote:
On Jun 30, 2011, at 6:34 AM, Leandro Hermida wrote:
> Hi Nate and Shantanu,
>
> Thanks so much for the clear guidance, this works and sorry I didn't
> read the Apache docs properly
>
> best,
> Leandro
>
> On Thu, Jun 30, 2011 at 6:14 AM, Shantanu Pavgi <pavgi(a)uab.edu> wrote:
>>
>> On Jun 29, 2011, at 12:21 PM, Nate Coraor wrote:
>>
>> Leandro Hermida wrote:
>>
>> Hi Shantanu,
>>
>> In your Apache configuration exactly how did you set up an anonymous
>> REMOTE_USER just for specific locations like the /datasets/ path? I'm just
>> looking at the Apache docs and the RequestHeader directive has a context of
>> the entire VirtualHost and cannot be put into a Location container so I'm
>> not sure how to do it.
>>
>> Hi Leandro,
>>
>> See the optional 'env=' argument and docs on the same for ways to make
>> RequestHeader conditional:
>>
>> http://httpd.apache.org/docs/current/mod/mod_headers.html#requestheader
>>
>> So, depending on the path accessed, you should be able to have
>> mod_rewrite set an environment variable specifying which REMOTE_USER
>> (real username or fake anonymous user) should be set.
>>
>> You could also just set it as the anonymous user to start with and then
>> use 'RequestHeader set' to overwrite it with the real username in the
>> case that a real username is available.
>>
>> This is all just from glancing at the docs, though, I have not tried any
>> of it out, and this sort of Apache trickery is always difficult to get
>> right.
>>
>> --nate
>>
>>
>>
>> Leandro,
>> The RequestHeader has a context of 'directory' as well, which includes
>> <Directory>, <Location>, <Files>, and <Proxy> containers [1]. So you should
>> be able to use it in Location directive.
>> Following is a configuration snippet related to what Nate described in his
>> earlier response. We are setting REMOTE_USER variable to anonymous when it's
>> not set/empty.
>> <Location ~ "/(datasets|history)/">
>> AuthType shibboleth
>> ShibRequireSession off
>> Require shibboleth
>> RewriteCond %{LA-U:REMOTE_USER} =""
>> RequestHeader set REMOTE_USER "anonymous"
>> </Location>
>> Hope this helps.
>>
>> 1. http://httpd.apache.org/docs/current/mod/directive-dict.html#Context
>> --
>> Shantanu.
>>
Leandro,
I realized that the above-mentioned configuration is wrong. It will set
RequestHeader to 'anonymous' regardless of authentication status. I think
the following config should work (still testing). In our case it resides
outside of the Location directive now. You may need to adjust it according
to your setup:
{{{
# Take the environment variable and set it as a header in the proxy request.
RewriteCond %{IS_SUBREQ} ^false$
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
# Set RU to anonymous if No REMOTE_USER
RewriteCond %{IS_SUBREQ} ^false$
RewriteCond %{LA-U:REMOTE_USER} =""
RewriteRule . - [E=RU:anonymous]
# Set RequestHeader
RequestHeader set REMOTE_USER %{RU}e
}}}
--
Shantanu.
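
As an added example (not code from anyone in this thread), a small Python check for the mistake described above: a RewriteCond with no RewriteRule does not make the following RequestHeader conditional, so a scope that also does authentication always forwards the fixed value. The function name `lint`, the messages and the embedded samples are constructed for illustration; it checks only these two patterns and does not model how Apache merges sections.

```python
import re

# Constructed samples based on the thread: the <Location> block its author
# later called wrong, and the server-level rules that replaced it.
BROKEN = '''<Location ~ "/(datasets|history)/">
AuthType shibboleth
ShibRequireSession off
Require shibboleth
RewriteCond %{LA-U:REMOTE_USER} =""
RequestHeader set REMOTE_USER "anonymous"
</Location>'''
FIXED = '''RewriteCond %{IS_SUBREQ} ^false$
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]
RewriteCond %{IS_SUBREQ} ^false$
RewriteCond %{LA-U:REMOTE_USER} =""
RewriteRule . - [E=RU:anonymous]
RequestHeader set REMOTE_USER %{RU}e'''
HDR = re.compile(r'RequestHeader\s+set\s+REMOTE_USER\s+(\S+)(.*)', re.I)

def lint(conf):
    """Return sorted (line_no, issue) pairs for the mistake discussed above."""
    found, scopes = [], [{"conds": [], "auth": False, "fixed": []}]
    def close(s):
        # RewriteCond only attaches to a later RewriteRule in the same scope.
        found.extend((n, "RewriteCond gates nothing") for n in s["conds"])
        if s["auth"]:  # a literal value here overwrites the authenticated name
            found.extend((n, "REMOTE_USER always overwritten") for n in s["fixed"])
    for n, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        word = line.split(None, 1)[0].lower() if line else "#"
        if word.startswith("#"):
            continue
        if word.startswith("</"):
            if len(scopes) > 1:
                close(scopes.pop())
        elif word.startswith("<"):
            scopes.append({"conds": [], "auth": False, "fixed": []})
        elif word == "rewritecond":
            scopes[-1]["conds"].append(n)
        elif word == "rewriterule":
            scopes[-1]["conds"].clear()
        elif word == "authtype":
            scopes[-1]["auth"] = True
        else:
            m = HDR.match(line)
            if m and "%{" not in m.group(1) and "env=" not in m.group(2).lower():
                scopes[-1]["fixed"].append(n)
    close(scopes[0])  # whatever is left at server / virtual-host level
    return sorted(found)
```

`lint(BROKEN)` reports lines 5 and 6, while `lint(FIXED)` and a block with no AuthType, such as the /datasets one at the top of this message, come back clean.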