Using REMOTE_USER with nginx
Hey there The instructions on using REMOTE_USER with nginx are still a bit vague in the wiki, so let me share how I got this working with nginx's http_auth_pam module and our local Kerberos setup. Really simple actually: First, I created a pam.d entry for nginx, as follows: auth [success=1 default=ignore] pam_krb5.so minimum_uid=1000 ignore_k5login auth requisite pam_deny.so auth required pam_permit.so That can of course be adapted for your authentication scheme of choice. The, after recompiling nginx to add the module (I actually used the source from the Ubuntu .deb and installed from this customised .deb), I added: auth_pam "SANBI Galaxy (dev)"; auth_pam_service_name "nginx"; proxy_set_header REMOTE_USER $remote_user; That auth_pam_service_name must be the name of the file you add in /etc/pam.d. So the complete location clause is now: location / { auth_pam "SANBI Galaxy (dev)"; auth_pam_service_name "nginx"; proxy_set_header REMOTE_USER $remote_user; proxy_pass http://galaxy_app; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-URL-SCHEME https; } Finally, set: use_remote_user = True remote_user_maildomain = <YOUR DOMAIN NAME> And restart nginx and galaxy, and you're done. Of course, since you're using Basic authentication, you should make sure that you are using ssl too. If this all looks ok, maybe someone can update the wiki? Peter
On Apr 29, 2012, at 1:50 AM, Peter van Heusden wrote:
Hey there
The instructions on using REMOTE_USER with nginx are still a bit vague in the wiki, so let me share how I got this working with nginx's http_auth_pam module and our local Kerberos setup. Really simple actually:
First, I created a pam.d entry for nginx, as follows:
auth [success=1 default=ignore] pam_krb5.so minimum_uid=1000 ignore_k5login auth requisite pam_deny.so auth required pam_permit.so
That can of course be adapted for your authentication scheme of choice.
The, after recompiling nginx to add the module (I actually used the source from the Ubuntu .deb and installed from this customised .deb), I added:
auth_pam "SANBI Galaxy (dev)"; auth_pam_service_name "nginx"; proxy_set_header REMOTE_USER $remote_user;
That auth_pam_service_name must be the name of the file you add in /etc/pam.d. So the complete location clause is now:
location / { auth_pam "SANBI Galaxy (dev)"; auth_pam_service_name "nginx"; proxy_set_header REMOTE_USER $remote_user; proxy_pass http://galaxy_app; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-URL-SCHEME https; }
Finally, set:
use_remote_user = True remote_user_maildomain = <YOUR DOMAIN NAME>
And restart nginx and galaxy, and you're done. Of course, since you're using Basic authentication, you should make sure that you are using ssl too.
If this all looks ok, maybe someone can update the wiki?
Hi Peter, I've updated the wiki with your findings. Thanks! --nate
Peter ___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at:
participants (2)
-
Nate Coraor -
Peter van Heusden