Thanks nate,
I just would like to share others informations :
* I have added a VirtualHost, proxy and a DocumentRoot
* Consequently, RewriteRule have been modified :
Remplace
RewriteRule ^ galaxy/ (. *) http://ip:port $ 1 [P]
by
RewriteRule ^ / (. *) http://ip:port/ $ 1 [P]
It should be better for security.
Faithfully,
Sarah Maman
Nate Coraor a écrit :
On Feb 13, 2012, at 7:38 AM, Sarah Maman wrote:
Hello,
I managed to connect to Galaxy to LDAP ;-)
Three points were blocking for me:
* Being root of my virtual machine can carry out tests
* I confused login / password of two LDAP, so I thought that my authentication
method was not good while I was using the wrong password ...
* It is better not to go through a proxy
Hi Sarah,
Thanks very much for reporting back with your findings. This should be very
helpful for people who stumble on to similar problems in the future.
1 - Set configuration file of Galaxy: universe_wsgi.ini to delegate user
authentication to an upstream proxy Apache:
Users and Security
use_remote_user = True
remote_user_maildomain = toulouse.inra.fr
2 - Create a file type "htaccess" file named galaxy.conf (in / etc / httpd /
conf.d /):
For reasons of performance and safety, it is advisable not to use a. htaccess
but a galaxy.conf file in the main server configuration (Apache), because the
latter will be charged a once when the server starts. With an .htaccess file,
this file will be charged at each access.
RewriteEngine on
<Location "/galaxy">
# Define the authentication method
AuthType Basic
AuthName "Galaxy"
AuthBasicProvider ldap
AuthLDAPURL "ldap :/ / server URL: 389/..."
AuthzLDAPAuthoritative off
Require valid-user
RequestHeader set REMOTE_USER %{AUTHENTICATE_uid}e
</ Location>
RewriteRule ^ / $ galaxy / galaxy / [R]
RewriteRule ^ / galaxy / static / style / (. *) /
var/www/html/galaxy/static/june_2007_style/blue / $ 1 [L]
RewriteRule ^ / galaxy / static / scripts / (. *) /vVar / www / html / galaxy /
static / scripts / packed / $ 1 [L]
RewriteRule ^ / galaxy / static / (. *) / var / www / html / galaxy / static /
$ 1 [L]
RewriteRule ^ / galaxy / favicon.ico / var / www / html / galaxy / static /
favicon.ico [L]
RewriteRule ^ / galaxy / robots.txt / var / www / html / galaxy / static /
robots.txt [L]
RewriteRule ^ / galaxy (. *) http://ip:port $ 1 [P]
As Galaxy is not installed in root directory but in a galaxy directory (var /
www / html / galaxy /), so following changes are needed:
This is probably not a good idea. From the documentation:
Please note that Galaxy should never be located on disk inside Apache's
DocumentRoot. By default, this would expose all of Galaxy (including datasets)
to anyone on the web.
Galaxy is a proxied application and as such, only the static content like
javascript and images are served directly by Apache (and this is set up with
the RewriteRules), everything else is passed through to the Galaxy application
via a proxied http connection. Right now I could presumably use the URL
http://server/galaxy/galaxy-dist/database/files/000/dataset_1.dat to view a
dataset directly.
1 - Add a RewriteRule
2 - Do not go through a proxy
Can you clarify this? I'm a bit confused, since if you are connecting to
Apache to access Galaxy, you are going through a proxy.
3 - REMOTE_USER variable is AUTHENTICATE_uid ( AUTHENTICATE_ sAMAccountName for
Windows AD)
I've added this to the wiki page, thanks!
--nate
4 - To generate dynamic URLs, it is necessary to configure prefix in
universe_wsgi.ini :
[Filter: proxy-prefix]
use = egg: # prefix PasteDeploy
prefix = / galaxy
[App: main]
filter-with = proxy-prefix
cookie_path = / galaxy
If you are not root on the virtual machine, create a symlink from / etc / httpd
/ conf.d / to galaxy.conf
3 - Some useful checks
Verify Apache version and Apache modules because each directive must have an
associated module:
Directive → Related module (which mod_ldap)
AuthType → mod_auth_basic.so
AuthBasicProvider → mod_authnz_ldap and mod_authz_ldap
Rewrite (for proxy) → mod_rewrite.so
RequestHeader→ mod_headers
Check that the galaxy is installed on ldap using this command: ldapsearch-x-h LDAP URL :
port-b "dc"
When you make a modification in galaxy.conf, restart Apache (or graful).
In httpd.conf, so that access management is authorized by the file. #
# AccessFileName: The name of the file to look for in EACH directory
# For additional configuration directives. See also the AllowOverride
# Directive.
#
AccessFileName. Htaccess
Check: Chmod 777 galaxy.conf
4 - Finally, restart run.sh (sh run.sh &)
Thanks A LOT for your help,
Sarah
___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client. To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
http://lists.bx.psu.edu/
