Re: [galaxy-dev] Installing Galaxy behind an Apache proxy using mod_auth_cas for user auth

2013-11-07 Thread Sandra Gesing
Dear all,

I have found a solution but I can unfortunately not explain why your solution 
on the Admin pages is not working. The following entries in httpd.conf solved 
the problem in our environment. Maybe this is useful for other CAS users.

Best,
Sandra

RewriteEngine on
<Location />
  # Define the authentication method
  AuthType CAS
  AuthName Galaxy
  Require valid-user
</Location>
# Proxy Configurations
ProxyVia On
ProxyPassInterpolateEnv On
<Proxy *>
   Order allow,deny
   Allow from all
</Proxy>
ProxyPass / http://galaxy.crc.nd.edu:8080/
ProxyPassReverse / http://galaxy.crc.nd.edu:8080/
RequestHeader set REMOTE_USER %{REMOTE_USER}s
SSLProxyEngine On
AllowCONNECT 8080

RewriteRule ^(.*) http://galaxy.crc.nd.edu:8080$1 [P]


From: galaxy-dev-boun...@lists.bx.psu.edu [galaxy-dev-boun...@lists.bx.psu.edu] 
On Behalf Of Sandra Gesing [sandra.ges...@nd.edu]
Sent: Tuesday, November 05, 2013 5:46 PM
To: galaxy-dev@lists.bx.psu.edu
Subject: [galaxy-dev] Installing Galaxy behind an Apache proxy using 
mod_auth_cas for user auth

Dear all,

I would like to set up a local Galaxy instance behind an Apache server with our 
local CAS for authentication.

It would be great if you could give me a hint for the httpd.conf. I have the 
problem that after authenticating against CAS in the browser, I get the following 
error message and REMOTE_USER doesn't seem to be in the HTTP header for Galaxy 
(I can see the REMOTE_USER in the access_log of Apache but not any more in 
paster.log of Galaxy).

Access to Galaxy is denied
Galaxy is configured to authenticate users via an external method (such as HTTP 
authentication in Apache), but a username was not provided by the upstream 
(proxy) server. This is generally due to a misconfiguration in the upstream 
server.

I know that the same question was already asked in the following post but I 
haven't seen an option to extend the post and I haven't found an answer.
http://dev.list.galaxyproject.org/Installing-Galaxy-behind-an-Apache-proxy-using-mod-auth-cas-for-user-auth-tt4660837.html#none

Any help is much appreciated.

Many thanks,
Sandra

___
Please keep all replies on the list by using reply all
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  http://lists.bx.psu.edu/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/



[galaxy-dev] Installing Galaxy behind an Apache proxy using mod_auth_cas for user auth

2013-11-05 Thread Sandra Gesing
Dear all,

I would like to set up a local Galaxy instance behind an Apache server with our 
local CAS for authentication.

It would be great if you could give me a hint for the httpd.conf. I have the 
problem that after authenticating against CAS in the browser, I get the following 
error message and REMOTE_USER doesn't seem to be in the HTTP header for Galaxy 
(I can see the REMOTE_USER in the access_log of Apache but not any more in 
paster.log of Galaxy).

Access to Galaxy is denied
Galaxy is configured to authenticate users via an external method (such as HTTP 
authentication in Apache), but a username was not provided by the upstream 
(proxy) server. This is generally due to a misconfiguration in the upstream 
server.

I know that the same question was already asked in the following post but I 
haven't seen an option to extend the post and I haven't found an answer. 
http://dev.list.galaxyproject.org/Installing-Galaxy-behind-an-Apache-proxy-using-mod-auth-cas-for-user-auth-tt4660837.html#none

Any help is much appreciated.

Many thanks,
Sandra



[galaxy-dev] Installing Galaxy behind an Apache proxy using mod_auth_cas for user auth

2013-07-26 Thread Steve Harper
I'm trying to install Galaxy behind an Apache proxy using mod_auth_cas 
for user authentication.  I've got a ways in but am now stuck with 
galaxy not getting the REMOTE_USER.  Has anyone deployed with this module?


I have use_remote_user = true on in my universe_wsgi.ini along with a 
valid maildomain.


Here's my apache config:

NameVirtualHost galaxy.utah.edu:80
NameVirtualHost galaxy.utah.edu:443

CASLoginURL https://go.utah.edu/cas/login
CASValidateURL https://go.utah.edu/cas/serviceValidate
CASValidateServer Off
CASAllowWildcardCert On
CASCertificatePath /etc/pki/tls/certs/ca-bundle.trust.crt
CASCookiePath /var/run/mod_auth_cas/
CASTimeout 3600
CASIdleTimeout 1800
CASDebug On

<VirtualHost 155.101.xx.40:80>
   RedirectPermanent / https://galaxy.utah.edu/
</VirtualHost>

<VirtualHost galaxy.utah.edu:443>
   SSLEngine on
   SSLProtocol -ALL +SSLv3 +TLSv1
   SSLCipherSuite HIGH:-aNULL:-eNULL

   #   Export the SSL environment variables to scripts
   <Files ~ \.(cgi|pl|shtml|phtml|php3?)$>
      SSLOptions +StdEnvVars
   </Files>

   #   Protocol adjustments for broken clients
   SetEnvIf User-Agent .*MSIE.* \
      nokeepalive ssl-unclean-shutdown \
      downgrade-1.0 force-response-1.0

   SSLCertificateFile  /etc/pki/tls/certs/wildcard.utah.edu.crt
   SSLCertificateKeyFile   /etc/pki/tls/certs/wildcard.utah.edu.key
   SSLCertificateChainFile /etc/pki/tls/certs/gd_bundle.crt

   <Proxy http://localhost:8080>
      Order deny,allow
      Allow from all
   </Proxy>
   RewriteEngine on

   <Location />
      AuthType CAS
      AuthName Galaxy
      Require valid-user

      #CASAuthNHeader REMOTE_SHMUSER

      # Take the $REMOTE_USER environment variable and set it as a header in the proxy request.

      RewriteCond %{IS_SUBREQ} ^false$
      RewriteCond %{LA-U:REMOTE_USER} (.+)
      #RewriteCond %{LA-U:REMOTE_SHMUSER} (.+)
      RewriteRule . - [E=RU:%1]
      RequestHeader set REMOTE_USER %{RU}e

      XSendFile on
      XSendFilePath /
      # Compress all uncompressed content.
      SetOutputFilter DEFLATE
      SetEnvIfNoCase Request_URI \.(?:gif|jpe?g|png)$ no-gzip dont-vary
      SetEnvIfNoCase Request_URI \.(?:t?gz|zip|bz2)$ no-gzip dont-vary
      SetEnvIfNoCase Request_URI /history/export_archive no-gzip dont-vary

      RequestHeader set X-URL-SCHEME https
   </Location>
   <Location /static>
      # Allow browsers to cache everything from /static for 6 hours
      ExpiresActive On
      ExpiresDefault access plus 6 hours
   </Location>

   ServerName galaxy.utah.edu
   RewriteRule ^/static/style/(.*) /uufs/utah.edu/sys/pkg/galaxy/std/static/june_2007_style/blue/$1 [L]
   RewriteRule ^/static/scripts/(.*) /uufs/utah.edu/sys/pkg/galaxy/std/static/scripts/packed/$1 [L]

   RewriteRule ^/static/(.*) /uufs/utah.edu/sys/pkg/galaxy/std/static/$1 [L]
   RewriteRule ^/favicon.ico /uufs/utah.edu/sys/pkg/galaxy/std/static/favicon.ico [L]
   RewriteRule ^/robots.txt /uufs/utah.edu/sys/pkg/galaxy/std/static/robots.txt [L]

   RewriteRule ^(.*) http://localhost:8080$1 [P]

</VirtualHost>

Any help is appreciated.

Steve Harper
Systems Administrator
Center for High Performance Computing
University of Utah
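
Added example, not part of the original thread and not Galaxy's own code: a stand-in WSGI backend that can be run on port 8080 in place of Galaxy while debugging the proxy configurations above. It reports whether the REMOTE_USER request header arrived (a WSGI server exposes it as HTTP_REMOTE_USER) and refuses requests that did not come from the proxy; the trusted proxy addresses, the function names and the sample requests are assumptions.

```python
from wsgiref.util import setup_testing_defaults

# Assumption: Apache runs on the same host as the backend.
TRUSTED_PROXIES = {"127.0.0.1", "::1"}
# "RequestHeader set REMOTE_USER ..." reaches a WSGI app under this key.
USER_KEY = "HTTP_REMOTE_USER"


def check_remote_user(environ):
    """Return (status, message) for one request as the backend sees it."""
    peer = environ.get("REMOTE_ADDR", "")
    user = environ.get(USER_KEY, "").strip()
    if peer not in TRUSTED_PROXIES:
        # Anyone who can reach port 8080 directly can send their own
        # REMOTE_USER header, so only the proxy's address is believed.
        return "403 Forbidden", "request did not come through the proxy: " + peer
    if not user or user.startswith("(null)"):
        # mod_headers writes the literal text "(null)" when the variable
        # named in RequestHeader is unset at the time the header is built.
        return "403 Forbidden", "proxy sent no username"
    return "200 OK", "authenticated as " + user


def app(environ, start_response):
    """Echo the verdict and the names of all forwarded request headers."""
    status, message = check_remote_user(environ)
    seen = sorted(k for k in environ if k.startswith("HTTP_"))
    body = (message + "\nheaders seen: " + ", ".join(seen) + "\n").encode()
    start_response(status, [("Content-Type", "text/plain"),
                            ("Content-Length", str(len(body)))])
    return [body]


def simulate(peer, headers):
    """Run the check on a constructed request (no network needed)."""
    environ = {}
    setup_testing_defaults(environ)
    environ["REMOTE_ADDR"] = peer
    environ.update(headers)
    return check_remote_user(environ)


if __name__ == "__main__":
    from wsgiref.simple_server import make_server
    # Bind to loopback only, so the header can arrive only via the proxy.
    make_server("127.0.0.1", 8080, app).serve_forever()
```

If the response lists no HTTP_REMOTE_USER, or the username is "(null)", the header is being lost or built before authentication in Apache rather than dropped by the backend.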