Hi Shantanu,
Thank you for your update. I've done my config a little differently, and it appears to work just the same. The relevant part looks like this:
<Location />
## ActiveDirectory authentication and authorization
AuthType Basic
AuthBasicProvider ldap
AuthName "R&D Galaxy Testing/QA Server"
AuthLDAPURL "ldap://my.server.com:389/OU=Users & Workstations,DC=domain,DC=com?sAMAccountName?sub?(|(objectClass=person)(objectClass=group))"
# ...more AuthLDAP directives here...
RequestHeader set REMOTE_USER %{AUTHENTICATE_sAMAccountName}e
</Location>
<Location /datasets>
Order Allow,Deny
Allow from All
Satisfy Any
RequestHeader set REMOTE_USER "anonymous"
</Location>
## Static content and reverse proxy
RewriteEngine On
RewriteRule ^/static/style/(.*) /path/to/galaxy/galaxy_dist/static/june_2007_style/blue/$1 [L]
RewriteRule ^/static/scripts/(.*) /path/to/galaxy/galaxy_dist/static/scripts/packed/$1 [L]
RewriteRule ^/static/(.*) /path/to/galaxy/galaxy_dist/static/$1 [L]
RewriteRule ^/favicon.ico /path/to/galaxy/galaxy_dist/static/favicon.ico [L]
RewriteRule ^/robots.txt /path/to/galaxy/galaxy_dist/static/robots.txt [L]
# Proxy everything else to Galaxy, keeping the requested path ($1)
RewriteRule ^(.*) http://galaxy.server.hostname:8080$1 [P]
On Fri, Jul 1, 2011 at 12:13 AM, Shantanu Pavgi <pavgi@uab.edu> wrote:
>
> On Jun 30, 2011, at 6:34 AM, Leandro Hermida wrote:
>
>> Hi Nate and Shantanu,
>>
>> Thanks so much for the clear guidance, this works and sorry I didn't
>> read the Apache docs properly
>>
>> best,
>> Leandro
>>
>> On Thu, Jun 30, 2011 at 6:14 AM, Shantanu Pavgi <pavgi@uab.edu> wrote:
>>>
>>> On Jun 29, 2011, at 12:21 PM, Nate Coraor wrote:
>>>
>>> Leandro Hermida wrote:
>>>
>>> Hi Shantanu,
>>>
>>> In your Apache configuration exactly how did you set up an anonymous
>>> REMOTE_USER just for specific locations like the /datasets/ path? I'm just
>>> looking at the Apache docs and the RequestHeader directive has a context of
>>> the entire VirtualHost and cannot be put into a Location container so I'm
>>> not sure how to do it.
>>>
>>> Hi Leandro,
>>>
>>> See the optional 'env=' argument and docs on the same for ways to make
>>> RequestHeader conditional:
>>>
>>> http://httpd.apache.org/docs/current/mod/mod_headers.html#requestheader
>>>
>>> So, depending on the path accessed, you should be able to have
>>> mod_rewrite set an environment variable specifying which REMOTE_USER
>>> (real username or fake anonymous user) should be set.
>>>
>>> You could also just set it as the anonymous user to start with and then
>>> use 'RequestHeader set' to overwrite it with the real username in the
>>> case that a real username is available.
>>>
>>> This is all just from glancing at the docs, though, I have not tried any
>>> of it out, and this sort of Apache trickery is always difficult to get
>>> right.
>>>
>>> --nate
>>>
>>>
>>>
>>> Leandro,
>>> The RequestHeader directive has a context of 'directory' as well, which includes
>>> <Directory>, <Location>, <Files>, and <Proxy> containers [1]. So you should
>>> be able to use it in a Location directive.
>>> The following is a configuration snippet related to what Nate described in his
>>> earlier response. We are setting the REMOTE_USER variable to anonymous when it's
>>> not set/empty.
>>> <Location ~ "/(datasets|history)/">
>>> AuthType shibboleth
>>> ShibRequireSession off
>>> Require shibboleth
>>> RewriteCond %{LA-U:REMOTE_USER} =""
>>> RequestHeader set REMOTE_USER "anonymous"
>>> </Location>
>>> Hope this helps.
>>>
>>> 1. http://httpd.apache.org/docs/current/mod/directive-dict.html#Context
>>> --
>>> Shantanu.
>>>
>
>
> Leandro,
>
> I realized that the above-mentioned configuration is wrong. It will set RequestHeader to 'anonymous' regardless of authentication status. I think the following config should work (still testing). In our case it resides outside of the Location directive now. You may need to adjust it according to your setup:
>
> {{{
> # Take the environment variable and set it as a header in the proxy request.
> RewriteCond %{IS_SUBREQ} ^false$
> RewriteCond %{LA-U:REMOTE_USER} (.+)
> RewriteRule . - [E=RU:%1]
> # Set RU to anonymous if No REMOTE_USER
> RewriteCond %{IS_SUBREQ} ^false$
> RewriteCond %{LA-U:REMOTE_USER} =""
> RewriteRule . - [E=RU:"anonymous"]
> # Set RequestHeader
> RequestHeader set REMOTE_USER %{RU}e
> }}}
>
>
> --
> Shantanu.
>
>
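Added example, not part of the original thread and not tested by any of its participants: one way to write the conditional header Nate describes, using the 'env=' argument of RequestHeader instead of a second rewrite rule. It assumes mod_rewrite and mod_headers are loaded, that authentication is configured elsewhere in the same virtual host, and it reuses the RU variable name from Shantanu's snippet.

```apache
# Added example (assumptions: mod_rewrite and mod_headers loaded,
# authentication configured elsewhere in this virtual host).

RewriteEngine On

# Copy the authenticated username, if there is one, into the RU
# environment variable. LA-U does a look-ahead subrequest, because
# authentication has not run yet when server-level rewriting happens.
RewriteCond %{IS_SUBREQ} ^false$
RewriteCond %{LA-U:REMOTE_USER} (.+)
RewriteRule . - [E=RU:%1]

# Exactly one of the two directives below applies to each request:
#   env=RU   -> applied only when RU exists (a user authenticated)
#   env=!RU  -> applied only when RU does not exist (no user)
# Both use "set", which replaces any REMOTE_USER header already present
# on the incoming request before it is proxied to Galaxy.
RequestHeader set REMOTE_USER %{RU}e env=RU
RequestHeader set REMOTE_USER "anonymous" env=!RU
```

Because the header is written in both branches, the value Galaxy receives always comes from Apache and never from the client's own request headers.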