Re: [galaxy-dev] Installing Galaxy behind an Apache proxy using mod_auth_cas for user auth
Dear all,

I have found a solution but I can unfortunately not explain why your solution on the Admin pages is not working. The following entries in httpd.conf solved the problem in our environment. Maybe this is useful for other CAS users.

Best,
Sandra

    RewriteEngine on

    <Location />
        # Define the authentication method
        AuthType CAS
        AuthName Galaxy
        Require valid-user
    </Location>

    # Proxy Configurations
    ProxyVia On
    ProxyPassInterpolateEnv On

    <Proxy *>
        Order allow,deny
        Allow from all
    </Proxy>

    ProxyPass / http://galaxy.crc.nd.edu:8080/
    ProxyPassReverse / http://galaxy.crc.nd.edu:8080/
    RequestHeader set REMOTE_USER %{REMOTE_USER}s
    SSLProxyEngine On
    AllowCONNECT 8080
    RewriteRule ^(.*) http://galaxy.crc.nd.edu:8080$1 [P]

From: galaxy-dev-boun...@lists.bx.psu.edu [galaxy-dev-boun...@lists.bx.psu.edu] On Behalf Of Sandra Gesing [sandra.ges...@nd.edu]
Sent: Tuesday, November 05, 2013 5:46 PM
To: galaxy-dev@lists.bx.psu.edu
Subject: [galaxy-dev] Installing Galaxy behind an Apache proxy using mod_auth_cas for user auth

Dear all,

I would like to set up a local Galaxy instance behind an Apache server with our local CAS for authentication. It would be great if you could give me a hint for the httpd.conf. I have the problem that after authenticating against CAS in the browser, I get the following error message and REMOTE_USER doesn't seem to be in the HTTP header for Galaxy (I can see the REMOTE_USER in the access_log of Apache but not any more in paster.log of Galaxy).

    Access to Galaxy is denied

    Galaxy is configured to authenticate users via an external method (such as HTTP authentication in Apache), but a username was not provided by the upstream (proxy) server. This is generally due to a misconfiguration in the upstream server.

I know that the same question was already asked in the following post but I haven't seen an option to extend the post and I haven't found an answer.

http://dev.list.galaxyproject.org/Installing-Galaxy-behind-an-Apache-proxy-using-mod-auth-cas-for-user-auth-tt4660837.html#none

Any help is much appreciated.

Many thanks,
Sandra

___
Please keep all replies on the list by using reply all in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at: http://lists.bx.psu.edu/
To search Galaxy mailing lists use the unified search at: http://galaxyproject.org/search/mailinglists/
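Added example (not part of the original thread and not Galaxy's own code): a small WSGI check that can be run on the backend port in place of Galaxy to see what the proxy actually forwards in the REMOTE_USER header, which is the point where the thread's "username was not provided" error arises. The names classify, TRUSTED_PROXIES and USERNAME_RE, the loopback-only trust list and the sample usernames are assumptions made for this illustration.

```python
# Added example, not Galaxy's code: classifies the identity header that a
# WSGI backend receives from the Apache proxy.
import re

# A "REMOTE_USER" request header appears under this key in a WSGI environ.
HEADER_KEY = "HTTP_REMOTE_USER"
# Assumption: only a proxy on the same host may assert an identity.
TRUSTED_PROXIES = {"127.0.0.1", "::1"}
# Assumption: usernames are simple logins, optionally with a mail domain.
USERNAME_RE = re.compile(r"^[A-Za-z0-9._-]+(@[A-Za-z0-9.-]+)?$")


def classify(environ, maildomain=None):
    """Return (status, detail) for one request's forwarded identity."""
    peer = environ.get("REMOTE_ADDR", "")
    if peer not in TRUSTED_PROXIES:
        # The header is only as trustworthy as the host that set it: a
        # backend port reachable by other hosts accepts any claimed name.
        return ("untrusted-peer", peer)
    value = environ.get(HEADER_KEY)
    if value is None:
        return ("missing", "proxy did not add the header")
    value = value.strip()
    if value == "" or value.startswith("(null)"):
        # mod_headers writes "(null)" when the variable it expands is unset.
        return ("empty", value)
    if not USERNAME_RE.match(value):
        return ("malformed", value)
    if "@" not in value and maildomain:
        value = "%s@%s" % (value, maildomain)
    return ("ok", value)


def app(environ, start_response):
    """WSGI app to run on the backend port while debugging the proxy."""
    status, detail = classify(environ)
    body = ("%s: %s\n" % (status, detail)).encode("utf-8")
    code = "200 OK" if status == "ok" else "403 Forbidden"
    start_response(code, [("Content-Type", "text/plain"),
                          ("Content-Length", str(len(body)))])
    return [body]


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    make_server("127.0.0.1", 8080, app).serve_forever()
```

A result of "missing" or "empty" behind a working CAS login means the RequestHeader line is not seeing the authenticated user; "untrusted-peer" means the backend port is reachable by something other than the proxy.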
[galaxy-dev] Installing Galaxy behind an Apache proxy using mod_auth_cas for user auth
Dear all,

I would like to set up a local Galaxy instance behind an Apache server with our local CAS for authentication. It would be great if you could give me a hint for the httpd.conf. I have the problem that after authenticating against CAS in the browser, I get the following error message and REMOTE_USER doesn't seem to be in the HTTP header for Galaxy (I can see the REMOTE_USER in the access_log of Apache but not any more in paster.log of Galaxy).

    Access to Galaxy is denied

    Galaxy is configured to authenticate users via an external method (such as HTTP authentication in Apache), but a username was not provided by the upstream (proxy) server. This is generally due to a misconfiguration in the upstream server.

I know that the same question was already asked in the following post but I haven't seen an option to extend the post and I haven't found an answer.

http://dev.list.galaxyproject.org/Installing-Galaxy-behind-an-Apache-proxy-using-mod-auth-cas-for-user-auth-tt4660837.html#none

Any help is much appreciated.

Many thanks,
Sandra
[galaxy-dev] Installing Galaxy behind an Apache proxy using mod_auth_cas for user auth
I'm trying to install Galaxy behind an Apache proxy using mod_auth_cas for user authentication. I've got a ways in but am now stuck with galaxy not getting the REMOTE_USER. Has anyone deployed with this module?

I have use_remote_user = true on in my universe_wsgi.ini along with a valid maildomain.

Here's my apache config:

    NameVirtualHost galaxy.utah.edu:80
    NameVirtualHost galaxy.utah.edu:443

    CASLoginURL https://go.utah.edu/cas/login
    CASValidateURL https://go.utah.edu/cas/serviceValidate
    CASValidateServer Off
    CASAllowWildcardCert On
    CASCertificatePath /etc/pki/tls/certs/ca-bundle.trust.crt
    CASCookiePath /var/run/mod_auth_cas/
    CASTimeout 3600
    CASIdleTimeout 1800
    CASDebug On

    <VirtualHost 155.101.xx.40:80>
        RedirectPermanent / https://galaxy.utah.edu/
    </VirtualHost>

    <VirtualHost galaxy.utah.edu:443>
        SSLEngine on
        SSLProtocol -ALL +SSLv3 +TLSv1
        SSLCipherSuite HIGH:-aNULL:-eNULL

        # Export the SSL environment variables to scripts
        <Files ~ \.(cgi|pl|shtml|phtml|php3?)$>
            SSLOptions +StdEnvVars
        </Files>

        # Protocol adjustments for broken clients
        SetEnvIf User-Agent .*MSIE.* \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0

        SSLCertificateFile /etc/pki/tls/certs/wildcard.utah.edu.crt
        SSLCertificateKeyFile /etc/pki/tls/certs/wildcard.utah.edu.key
        SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt

        <Proxy http://localhost:8080>
            Order deny,allow
            Allow from all
        </Proxy>

        RewriteEngine on

        <Location />
            AuthType CAS
            AuthName Galaxy
            Require valid-user
            #CASAuthNHeader REMOTE_SHMUSER

            # Take the $REMOTE_USER environment variable and set it as a header in the proxy request.
            RewriteCond %{IS_SUBREQ} ^false$
            RewriteCond %{LA-U:REMOTE_USER} (.+)
            #RewriteCond %{LA-U:REMOTE_SHMUSER} (.+)
            RewriteRule . - [E=RU:%1]
            RequestHeader set REMOTE_USER %{RU}e

            XSendFile on
            XSendFilePath /

            # Compress all uncompressed content.
            SetOutputFilter DEFLATE
            SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
            SetEnvIfNoCase Request_URI \.(?:t?gz|zip|bz2)$ no-gzip dont-vary
            SetEnvIfNoCase Request_URI /history/export_archive no-gzip dont-vary

            RequestHeader set X-URL-SCHEME https
        </Location>

        <Location /static>
            # Allow browsers to cache everything from /static for 6 hours
            ExpiresActive On
            ExpiresDefault "access plus 6 hours"
        </Location>

        ServerName galaxy.utah.edu

        RewriteRule ^/static/style/(.*) /uufs/utah.edu/sys/pkg/galaxy/std/static/june_2007_style/blue/$1 [L]
        RewriteRule ^/static/scripts/(.*) /uufs/utah.edu/sys/pkg/galaxy/std/static/scripts/packed/$1 [L]
        RewriteRule ^/static/(.*) /uufs/utah.edu/sys/pkg/galaxy/std/static/$1 [L]
        RewriteRule ^/favicon.ico /uufs/utah.edu/sys/pkg/galaxy/std/static/favicon.ico [L]
        RewriteRule ^/robots.txt /uufs/utah.edu/sys/pkg/galaxy/std/static/robots.txt [L]
        RewriteRule ^(.*) http://localhost:8080$1 [P]
    </VirtualHost>

Any help is appreciated.

Steve Harper
Systems Administrator
Center for High Performance Computing
University of Utah