Howdy Ryan,
On 10/13/2015 11:44 AM, Ryan G wrote:
> Sorry, maybe I'm not being clear.
>
> Galaxy is listening on http://galaxy.mycompany.com:8080
>
> Users access Galaxy via http://mycompay.com/galaxy
Ah! This is much more clear, thanks :)
If you're running under remote_user, you should NOT make it available
outside of the apache proxy. Even with the remote_user_secret variable
that was added, it's still an unnecessary security risk.
> If users go to http://galaxy.mycompany.com:8080, they get the External
> Authentication message. From here I want them to be redirected to
> http://mycompay.com/galaxy which is where they will be authenticated.
I'm guessing you migrated at some point from the raw port to the /galaxy
address and your users are moving slowly to the new URL.
Here is my suggestion:
- have galaxy listen on 127.0.0.1:8081 so only apache on the same
machine can access it.
- add an apache virtualhost listening on 0.0.0.0:8080 that automatically
redirects any requests to that page to http://mycompany.com/galaxy/ to
help migrate users.
That should fix your problem without requiring modification to your
codebase for this one scenario.
>
> Users never see http://galaxy.mycompany.com:8080....they will always see
> http://mycompay.com/galaxy
>
>
>
> On Tue, Oct 13, 2015 at 12:36 PM, Eric Rasche <esr@tamu.edu> wrote:
>
>
>
> On 10/13/2015 11:34 AM, Ryan G wrote:
> > We have Apache set up to authenticate users off our LDAP. If they
> > authenticate correctly, they are then forwarded on through the proxy.
>
> So, mod_auth_ldap? Or not? You say "forwarded" so I'm thinking you may
> not mean this.
>
> >
> > What I want is to prevent users from hitting the galaxy URL directly.
> > If they do, I want to automatically redirect them to the proxy.
>
> Under mod_auth_ldap this should be done for you.
>
> (Worst case scenario you could write some mod_rewrite logic that checks
> for the remote_user header and returns a 301 if it's missing with the
> location of your login page)
>
> >
> >
> > On Tue, Oct 13, 2015 at 11:10 AM, Eric Rasche <esr@tamu.edu> wrote:
> >
> > Hi Ryan,
> >
> > On 10/13/2015 09:50 AM, Ryan G wrote:
> > > Hi all - In regards to external user authentication that I have working
> > > now (see thread below). When users try to go to the actual Galaxy page,
> > > they get the message:
> > >
> > >
> > > Access to Galaxy is denied
> >
> > That's expected for External User Auth if you don't have the REMOTE_USER
> > header set properly.
> >
> > >
> > > Galaxy is configured to authenticate users via an external method (such
> > > as HTTP authentication in Apache), but no shared secret key was provided
> > > by the upstream (proxy) server.
> > >
> > > Please contact your local Galaxy administrator. The variable
> > > |remote_user_secret| and |GX_SECRET| header must be set before you may
> > > access Galaxy.
> > >
> > >
> > >
> > > That's fine and all but I'd like to have them redirected to the real
> > > login page. Is there a way to do this? I didn't see anything obvious
> > > and was thinking of adding a parameter to galaxy.ini and have Galaxy
> > > automatically forward them after 5 seconds or so.
> >
> > What external auth mechanism are you using?
> >
> > >
> > > Ryan
> > >
> > >
> > > On Tue, Oct 13, 2015 at 10:49 AM, Ryan G <ngsbioinformatics@gmail.com> wrote:
> > >
> > > Hi all - In regards to external user authentication that I have
> > > working now (see thread below). When users try to go to the actual
> > > Galaxy page, they get the message:
> > >
> > >
> > > On Thu, Oct 1, 2015 at 4:10 PM, Ryan G <ngsbioinformatics@gmail.com> wrote:
> > >
> > > I finally got around to this and all is working well. I
> > > submitted 2 patches to remoteuser.py to assist in debugging
> > > incorrect set ups.
> > >
> > > Last question - When a user logs out, they get the page "Access
> > > to Galaxy user controls is disabled". I've set the
> > > remote_user_logout_href parameter to a different website, but
> > > they still get the "Access to Galaxy user controls is disabled".
> > >
> > > I see it in lib/galaxy/webapps/galaxy/controllers/user.py, but I
> > > think at that point it's too late.
> > >
> > >
> > >
> > > On Tue, Sep 8, 2015 at 4:05 PM, Ryan G <ngsbioinformatics@gmail.com> wrote:
> > >
> > > Yes, I have a test server I'm going to check this one.
> > > thanks for the link, that's perfect...I'll add some
> > > debugging code in here to see what's going on.
> > >
> > > On Tue, Sep 8, 2015 at 1:46 PM, Dannon Baker <dannon.baker@gmail.com> wrote:
> > >
> > > Do you have a way to verify the "HTTP_MAIL" header is
> > > actually being passed through your proxy server?
> > >
> > > The problem is that Galaxy still doesn't think it's
> > > receiving the expected headers, so there isn't a good
> > > way that it can tell you more about what might be going
> > > on. If you're able to tweak Galaxy (using a test
> > > server) and add a few logging statements to the code, this
> > > would be a good place to check what's going on (print the
> > > `environ` dictionary associated with that request, along
> > > with self.remote_user_header to see what Galaxy is
> > > actually trying to use):
> > >
> > > https://github.com/galaxyproject/galaxy/blob/dev/lib/galaxy/web/framework/middleware/remoteuser.py#L49
> > >
> > > -Dannon
> > >
> > > On Thu, Sep 3, 2015 at 1:51 PM, Ryan G <ngsbioinformatics@gmail.com> wrote:
> > >
> > > It turns out our authentication system passes a
> > > header 'HTTP_MAIL' which contains the user's email
> > > address. In galaxy.ini, I have
> > >
> > > use_remote_user = True
> > > remote_user_header = HTTP_MAIL
> > >
> > > After restarting, Galaxy still gives the same error.
> > >
> > > On Mon, Aug 31, 2015 at 3:44 PM, Dannon Baker <dannon.baker@gmail.com> wrote:
> > >
> > > Hi Ryan,
> > >
> > > It may be that Galaxy is looking for a different
> > > remote user header than your proxy is setting.
> > > I believe by default we look for
> > > HTTP_REMOTE_USER, but this is configurable in
> > > galaxy.ini (so, you could set yours to HTTP_USER
> > > there). Let me know if this doesn't sort it out
> > > for you and we can dig deeper!
> > >
> > > -Dannon
> > >
> > > On Mon, Aug 31, 2015 at 3:42 PM, Ryan G <ngsbioinformatics@gmail.com> wrote:
> > >
> > > Hi all - I'm trying to use external user
> > > authentication with Galaxy. The external
> > > authentication passes to Galaxy the username
> > > with the mail domain at HTTP_USER.
> > >
> > > In galaxy.ini, I enable:
> > > use_remote_user = True
> > >
> > >
> > > When I try to access Galaxy, I get the message:
> > > Galaxy is configured to authenticate users
> > > via an external method (such as HTTP
> > > authentication in Apache), but a username
> > > was not provided by the upstream (proxy)
> > > server. This is generally due to a
> > > misconfiguration in the upstream server.
> > >
> > > But nothing in paster.log indicating what
> > > the error is.
> > >
> > > How do I track this down?
> > >
> > >
> > >
> > >
> > > ___________________________________________________________
> > > Please keep all replies on the list by using "reply all"
> > > in your mail client. To manage your subscriptions to this
> > > and other Galaxy lists, please use the interface at:
> > > https://lists.galaxyproject.org/
> > >
> > > To search Galaxy mailing lists use the unified search at:
> > > http://galaxyproject.org/search/mailinglists/
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> > >
> >
> > --
> > Eric Rasche
> > Programmer II
> >
> > Center for Phage Technology
> > Rm 312A, BioBio
> > Texas A&M University
> > College Station, TX 77843
> > 404-692-2048
> > esr@tamu.edu
> >
> >
>
> --
> Eric Rasche
> Programmer II
>
> Center for Phage Technology
> Rm 312A, BioBio
> Texas A&M University
> College Station, TX 77843
> 404-692-2048
> esr@tamu.edu
>
>
--
Eric Rasche
Programmer II
Center for Phage Technology
Rm 312A, BioBio
Texas A&M University
College Station, TX 77843
404-692-2048
esr@tamu.edu
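
The two-part fix suggested in the reply above, written out as configuration. This is an added example, not part of the original thread or of Galaxy's own documentation; the hostnames and ports are the ones quoted in the messages, while the use of mod_alias for the redirect and the galaxy.ini `[server:main]` keys shown in comments are assumptions about this site's setup.

```apache
# Added example (not from the thread). Hostnames and ports come from the
# messages above; everything else is an assumption about the deployment.
#
# Step 1: Galaxy side. In galaxy.ini, [server:main] section (shown here as
# comments because this block is Apache configuration):
#   host = 127.0.0.1
#   port = 8081
# Bound to loopback, Galaxy is reachable only by Apache on the same machine,
# so a client can no longer talk to it directly and supply its own
# remote-user header.

# Step 2: legacy port. Apache answers on 8080 only to send old bookmarks
# to the authenticated URL; nothing is proxied from this vhost.
Listen 8080
<VirtualHost *:8080>
    ServerName galaxy.mycompany.com

    # Requires mod_alias. Every path on this vhost gets a 301 to the
    # proxied entry point, where the LDAP authentication happens.
    RedirectMatch permanent "^/" "http://mycompany.com/galaxy/"
</VirtualHost>

# Step 3: in the existing vhost that serves http://mycompany.com/galaxy,
# change the proxy target from galaxy.mycompany.com:8080 to
# 127.0.0.1:8081. The authentication directives and the headers that
# vhost passes to Galaxy stay as they are.
```

After reloading both services, a connection to port 8081 from any other host should be refused, and a request to port 8080 should return a 301 whose `Location` is `http://mycompany.com/galaxy/`.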