There was a small but important error in the proxy configuration...
I had to pass the /api/ part to a proxy again with a [P] directive, not just the [L].

So the correct proxy definition is:

<Directory /mnt/ngs/analysis/svcgalaxy/galaxy-dist/static>
  Options FollowSymLinks
  Order Allow,Deny
  Allow from all
</Directory>

<Proxy http://localhost:8080>
        AuthType Basic
        AuthName "GALAXY@GHI. Please log in with your Windows account"
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://__YOUR_LDAP_SERVER/ou=Users - Employees,dc=genomichealth,dc=com?sAMAccountName?sub?(objectClass=*)"
        AuthzLDAPAuthoritative off
        AuthLDAPBindDN __USERNAME__
        AuthLDAPBindPassword __PASSWORD
        Require valid-user
        RequestHeader set REMOTE_USER %{AUTHENTICATE_SAMACCOUNTNAME}e
</Proxy>

#Extended the timeout since some GALAXY actions can take a long time
TimeOut 60000
RewriteEngine on
ReWriteRule ^(/api/.*) http://localhost:8081$1 [P,L]
RewriteRule ^/static/style/(.*) /mnt/ngs/analysis/svcgalaxy/galaxy-dist/static/june_2007_style/blue/$1 [L]
RewriteRule ^/static/scripts/(.*) /mnt/ngs/analysis/svcgalaxy/galaxy-dist/static/scripts/packed/$1 [L]
RewriteRule ^/static/(.*) /mnt/ngs/analysis/svcgalaxy/galaxy-dist/static/$1 [L]
RewriteRule ^/favicon.ico /mnt/ngs/analysis/svcgalaxy/galaxy-dist/static/favicon.ico [L]
RewriteRule ^/robots.txt /mnt/ngs/analysis/svcgalaxy/galaxy-dist/static/robots.txt [L]
RewriteRule ^/admin/jobs(.*) http://localhost:8079/admin/jobs$1 [P]
RewriteRule ^(.*) http://localhost:8080$1 [P]


On Feb 14, 2013, at 02:41 PM, Anthonius deBoer <thondeb...@me.com> wrote:


Hi,

I have been struggling with setting up my Galaxy system to allow it to use the LDAP authentication for users that come in through the frontend, while not wanting to have to use authentication when users want to access through the API.... I found a solution and I thought I'd share it with the world so that people may learn from this and maybe also tell me if I am doing something wrong, or worse, insecure!

I set up two web servers in the universe file at localhost:8080 and localhost:8081.
For the one at 8080 I require authentication, for the one at 8081 I do not, in the settings for the Apache proxy server shown below....
Then I set up a RewriteRule for anything addressed to /api/ and route that to the one at 8081, which does not require authentication, while everything else goes through 8080, which does...

It seems to work nicely, although I have a nagging feeling this leaves open some backdoors somewhere, but please tell me if I do...

<code>
<Directory /mnt/ngs/analysis/svcgalaxy/galaxy-dist/static>
  Options FollowSymLinks
  Order Allow,Deny
  Allow from all
</Directory>

<Proxy http://localhost:8080>
        AuthType Basic
        AuthName "GALAXY@GHI. Please log in with your Windows account"
        AuthBasicProvider ldap
        AuthLDAPURL "ldap://__YOUR_LDAP_SERVER/ou=Users - Employees,dc=genomichealth,dc=com?sAMAccountName?sub?(objectClass=*)"
        AuthzLDAPAuthoritative off
        AuthLDAPBindDN __USERNAME__
        AuthLDAPBindPassword __PASSWORD
        Require valid-user
        RequestHeader set REMOTE_USER %{AUTHENTICATE_SAMACCOUNTNAME}e
</Proxy>

#Extended the timeout since some GALAXY actions can take a long time
TimeOut 60000
RewriteEngine on
ReWriteRule ^(/api/.*) http://localhost:8081$1 [L]
RewriteRule ^/static/style/(.*) /mnt/ngs/analysis/svcgalaxy/galaxy-dist/static/june_2007_style/blue/$1 [L]
RewriteRule ^/static/scripts/(.*) /mnt/ngs/analysis/svcgalaxy/galaxy-dist/static/scripts/packed/$1 [L]
RewriteRule ^/static/(.*) /mnt/ngs/analysis/svcgalaxy/galaxy-dist/static/$1 [L]
RewriteRule ^/favicon.ico /mnt/ngs/analysis/svcgalaxy/galaxy-dist/static/favicon.ico [L]
RewriteRule ^/robots.txt /mnt/ngs/analysis/svcgalaxy/galaxy-dist/static/robots.txt [L]
RewriteRule ^/admin/jobs(.*) http://localhost:8079/admin/jobs$1 [P]
RewriteRule ^(.*) http://localhost:8080$1 [P]
</code>

Thon
___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client. To manage your subscriptions to this
and other Galaxy lists, please use the interface at:

http://lists.bx.psu.edu/
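
To see which requests actually pass through the LDAP-protected <Proxy http://localhost:8080> section, the rewrite rules from the corrected configuration can be evaluated in order against sample paths. This is an added example, not part of the original emails or of Galaxy; it is a simplified model of mod_rewrite ([P] and [L] end processing, only $N back-references are expanded), and the request paths are constructed.

```python
import re

# RewriteRule lines copied from the corrected configuration in the email.
RULES = """\
RewriteRule ^(/api/.*) http://localhost:8081$1 [P,L]
RewriteRule ^/static/style/(.*) /mnt/ngs/analysis/svcgalaxy/galaxy-dist/static/june_2007_style/blue/$1 [L]
RewriteRule ^/static/scripts/(.*) /mnt/ngs/analysis/svcgalaxy/galaxy-dist/static/scripts/packed/$1 [L]
RewriteRule ^/static/(.*) /mnt/ngs/analysis/svcgalaxy/galaxy-dist/static/$1 [L]
RewriteRule ^/favicon.ico /mnt/ngs/analysis/svcgalaxy/galaxy-dist/static/favicon.ico [L]
RewriteRule ^/robots.txt /mnt/ngs/analysis/svcgalaxy/galaxy-dist/static/robots.txt [L]
RewriteRule ^/admin/jobs(.*) http://localhost:8079/admin/jobs$1 [P]
RewriteRule ^(.*) http://localhost:8080$1 [P]
"""
# URL prefix of the only <Proxy> section that carries the LDAP directives.
AUTH_PROXY = "http://localhost:8080"

def parse(text):
    """Turn RewriteRule lines into (compiled pattern, substitution, flags)."""
    rules = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].lower() == "rewriterule":
            flags = parts[3].strip("[]").upper().split(",") if len(parts) > 3 else []
            rules.append((re.compile(parts[1]), parts[2], flags))
    return rules

def route(path, rules):
    """Return (kind, target, ldap_auth) for the rule that ends processing."""
    for pattern, subst, flags in rules:
        m = pattern.search(path)
        if not m:
            continue
        target = re.sub(r"\$(\d)", lambda b: m.group(int(b.group(1))) or "", subst)
        if "P" in flags:  # handed to mod_proxy; rewriting stops here
            return ("proxy", target, target.startswith(AUTH_PROXY))
        if "L" in flags:  # last rule: local file, or absolute URL that is not proxied
            return ("file" if target.startswith("/") else "not-proxied", target, False)
        path = target  # no terminating flag: keep rewriting
    return ("unchanged", path, False)

def audit(paths, rules):
    """Map each request path to its routing decision."""
    return {p: route(p, rules) for p in paths}

if __name__ == "__main__":
    # Constructed sample request paths, not taken from the email.
    for p, r in audit(["/api/histories", "/admin/jobs", "/workflow/list",
                       "/static/scripts/x.js"], parse(RULES)).items():
        print(f"{p:24} {r[0]:12} ldap={r[2]!s:5} {r[1]}")
```

In this model only targets under http://localhost:8080 report ldap=True; the /api/ rule (port 8081) and the /admin/jobs rule (port 8079) proxy to URLs that the <Proxy> section does not match.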