Thanks. I'll try that.

On Tue, Oct 13, 2015 at 12:52 PM, Eric Rasche <esr@tamu.edu> wrote:
> Howdy Ryan,
>
> On 10/13/2015 11:44 AM, Ryan G wrote:
> > Sorry, maybe I'm not being clear.
> >
> > Galaxy is listening on http://galaxy.mycompany.com:8080
> > Users access Galaxy via http://mycompay.com/galaxy
>
> Ah! This is much more clear, thanks :)
>
> If you're running under remote_user, you should NOT make it available outside of the apache proxy. Even with the remote_user_secret variable that was added, it's still an unnecessary security risk.
>
> > If users go to http://galaxy.mycompany.com:8080, they get the External Authentication message. From here I want them to be redirected to http://mycompay.com/galaxy which is where they will be authenticated.
>
> I'm guessing you migrated at some point from the raw port to the /galaxy address and your users are moving slowly to the new URL.
>
> Here is my suggestion:
>
> - have galaxy listen on 127.0.0.1:8081 so only apache on the same machine can access it.
> - add an apache virtualhost listening on 0.0.0.0:8080 that automatically redirects any requests to that page to http://mycompany.com/galaxy/ to help migrate users.
>
> That should fix your problem without requiring modification to your codebase for this one scenario.
>
> > Users never see http://galaxy.mycompany.com:8080....they will always see http://mycompay.com/galaxy
> > On Tue, Oct 13, 2015 at 12:36 PM, Eric Rasche <esr@tamu.edu> wrote:
> > > On 10/13/2015 11:34 AM, Ryan G wrote:
> > > > We have Apache set up to authenticate users off our LDAP. If they authenticate correctly, they are then forwarded on through the proxy.
> > >
> > > So, mod_auth_ldap? Or not? You say "forwarded" so I'm thinking you may not mean this.
> > >
> > > > What I want is to prevent users from hitting the galaxy URL directly. If they do, I want to automatically redirect them to the proxy.
> > >
> > > Under mod_auth_ldap this should be done for you.
> > >
> > > (Worst case scenario you could write some mod_rewrite logic that checks for the remote_user header and returns a 301 if it's missing with the location of your login page)
> > >
> > > > On Tue, Oct 13, 2015 at 11:10 AM, Eric Rasche <esr@tamu.edu> wrote:
> > > > > Hi Ryan,
> > > > >
> > > > > On 10/13/2015 09:50 AM, Ryan G wrote:
> > > > > > Hi all - In regards to external user authentication that I have working now (see thread below). When users try to go to the actual Galaxy page, they get the message:
> > > > > >
> > > > > > Access to Galaxy is denied
> > > > >
> > > > > That's expected for External User Auth if you don't have the REMOTE_USER header set properly.
> > > > >
> > > > > > Galaxy is configured to authenticate users via an external method (such as HTTP authentication in Apache), but no shared secret key was provided by the upstream (proxy) server.
> > > > > >
> > > > > > Please contact your local Galaxy administrator. The variable |remote_user_secret| and |GX_SECRET| header must be set before you may access Galaxy.
> > > > > >
> > > > > > That's fine and all but I'd like to have them redirected to the real login page. Is there a way to do this? I didn't see anything obvious and was thinking of adding a parameter to galaxy.ini and have Galaxy automatically forward them after 5 seconds or so.
> > > > >
> > > > > What external auth mechanism are you using?
> > > > >
> > > > > > Ryan
> > > > > >
> > > > > > On Tue, Oct 13, 2015 at 10:49 AM, Ryan G <ngsbioinformatics@gmail.com> wrote:
> > > > > > > Hi all - In regards to external user authentication that I have working now (see thread below). When users try to go to the actual Galaxy page, they get the message:
> > > > > > >
> > > > > > > On Thu, Oct 1, 2015 at 4:10 PM, Ryan G <ngsbioinformatics@gmail.com> wrote:
> > > > > > > > I finally got around to this and all is working well. I submitted 2 patches to remoteuser.py to assist in debugging incorrect set ups.
> > > > > > > >
> > > > > > > > Last question - When a user logs out, they get the page "Access to Galaxy user controls is disabled". I've set the remote_user_logout_href parameter to a different website, but they still get the "Access to Galaxy user controls is disabled".
> > > > > > > >
> > > > > > > > I see it in lib/galaxy/webapps/galaxy/controllers/user.py, but I think at that point it's too late.
> > > > > > > >
> > > > > > > > On Tue, Sep 8, 2015 at 4:05 PM, Ryan G <ngsbioinformatics@gmail.com> wrote:
> > > > > > > > > Yes, I have a test server I'm going to check this one. thanks for the link, that's perfect...I'll add some debugging code in here to see what's going on.
> > > > > > > > >
> > > > > > > > > On Tue, Sep 8, 2015 at 1:46 PM, Dannon Baker <dannon.baker@gmail.com> wrote:
> > > > > > > > > > Do you have a way to verify the "HTTP_MAIL" header is actually being passed through your proxy server?
> > > > > > > > > >
> > > > > > > > > > The problem is that Galaxy still doesn't think it's receiving the expected headers, so there isn't a good way that it can tell you more about what might be going on. If you're able to tweak Galaxy (using a test server) and add a few logging statements the code, this would be good places to check what's going on (print the `environ` dictionary associated with that request, along with self.remote_user_header to see what Galaxy is actually trying to use):
> > > > > > > > > >
> > > > > > > > > > https://github.com/galaxyproject/galaxy/blob/dev/lib/galaxy/web/framework/mi...
> > > > > > > > > >
> > > > > > > > > > -Dannon
> > > > > > > > > >
> > > > > > > > > > On Thu, Sep 3, 2015 at 1:51 PM, Ryan G <ngsbioinformatics@gmail.com> wrote:
> > > > > > > > > > > It turns out our authentication system passes a header 'HTTP_MAIL' which contains the users email address. In galaxy.ini, I have
> > > > > > > > > > >
> > > > > > > > > > > use_remote_user = True
> > > > > > > > > > > remote_user_header = HTTP_MAIL
> > > > > > > > > > >
> > > > > > > > > > > After restarting, Galaxy still gives the same error.
> > > > > > > > > > >
> > > > > > > > > > > On Mon, Aug 31, 2015 at 3:44 PM, Dannon Baker <dannon.baker@gmail.com> wrote:
> > > > > > > > > > > > Hi Ryan,
> > > > > > > > > > > >
> > > > > > > > > > > > It may be that Galaxy is looking for a different remote user header than your proxy is setting. I believe by default we look for HTTP_REMOTE_USER, but this is configurable in galaxy.ini (so, you could set yours to HTTP_USER there). Let me know if this doesn't sort it out for you and we can dig deeper!
> > > > > > > > > > > >
> > > > > > > > > > > > -Dannon
> > > > > > > > > > > >
> > > > > > > > > > > > On Mon, Aug 31, 2015 at 3:42 PM, Ryan G <ngsbioinformatics@gmail.com> wrote:
> > > > > > > > > > > > > Hi all - I'm trying to use external user authentication with Galaxy. The external authentication passes to Galaxy the username with the mail domain at HTTP_USER.
> > > > > > > > > > > > >
> > > > > > > > > > > > > In galaxy.ini, I enable:
> > > > > > > > > > > > > use_remote_user = True
> > > > > > > > > > > > >
> > > > > > > > > > > > > When I try to access Galaxy, I get the message:
> > > > > > > > > > > > > Galaxy is configured to authenticate users via an external method (such as HTTP authentication in Apache), but a username was not provided by the upstream (proxy) server. This is generally due to a misconfiguration in the upstream server.
> > > > > > > > > > > > >
> > > > > > > > > > > > > But nothing in paster.log indicating what the error is.
> > > > > > > > > > > > >
> > > > > > > > > > > > > How do I track this down?
> > > > > > > > > > > > >
> > > > > > > > > > > > > Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at: https://lists.galaxyproject.org/
> > > > > > > > > > > > > To search Galaxy mailing lists use the unified search at: http://galaxyproject.org/search/mailinglists/
> > > > >
> > > > > --
> > > > > Eric Rasche
> > > > > Programmer II
> > > > > Center for Phage Technology
> > > > > Rm 312A, BioBio
> > > > > Texas A&M University
> > > > > College Station, TX 77843
> > > > > 404-692-2048
> > > > > esr@tamu.edu
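
The rule in Eric's advice (with `use_remote_user` on, Galaxy should only be reachable through the Apache proxy) can be checked against the config file itself. This is an added example, not code from the thread or from Galaxy: a small audit of a `galaxy.ini`, assuming the paste-style `[server:main]` and `[app:main]` section names; both sample files and the function names are constructed for illustration.

```python
import configparser
import ipaddress

# Constructed samples: a directly reachable setup, then the layout Eric suggests.
BEFORE = """
[server:main]
host = 0.0.0.0
port = 8080
[app:main]
use_remote_user = True
remote_user_header = HTTP_MAIL
remote_user_secret = PLACEHOLDER-long-random-value
"""
AFTER = """
[server:main]
host = 127.0.0.1
port = 8081
[app:main]
use_remote_user = True
remote_user_header = HTTP_MAIL
remote_user_secret = PLACEHOLDER-long-random-value
"""

def is_loopback(host):
    """True for 127.0.0.0/8, ::1 and the name 'localhost'."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # not an IP literal, so compare as a hostname
        return host.lower() == "localhost"

def audit_galaxy_ini(text):
    """Return findings for a galaxy.ini that trusts a proxy-supplied user header."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    app = cp["app:main"] if cp.has_section("app:main") else {}
    server = cp["server:main"] if cp.has_section("server:main") else {}
    if (app.get("use_remote_user") or "").strip().lower() != "true":
        return []  # Galaxy handles logins itself; the proxy-only rule does not apply
    findings = []
    host = (server.get("host") or "").strip()
    if not host:
        findings.append("host is not set; bind explicitly to 127.0.0.1")
    elif not is_loopback(host):
        findings.append(f"host = {host}: Galaxy is reachable without going through the proxy")
    if not (app.get("remote_user_secret") or "").strip():
        findings.append("remote_user_secret is not set")
    return findings

if __name__ == "__main__":
    for name, text in (("before", BEFORE), ("after", AFTER)):
        print(name, audit_galaxy_ini(text) or "ok")
```
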