wiki:GalaxyApacheShibbolethConfig
Last modified 6 years ago Last modified on 03/02/12 12:07:39

Introduction

The galaxy application can be configured to be behind Apache or nginx web servers using proxy. The galaxy supports external authentication mechanism as well which helps in hooking in galaxy site with external user database/authentication. Following are our configuration notes on setting up galaxy using Apache web server proxy and Shibboleth authentication. The entire site will require valid BlazerID login except certain URL patterns to allow users share their history, datasets and pages publicly.
Note: This configuration will exclude certain URL patterns from authentication requirements, but users will still need to make their individual history/datasets public through galaxy web interface (e.g. Make history available via link, make datasets public etc).

Required modules

You will need following apache modules to use such setup.

  • mod_headers (usually available and enabled by default)
  • mod_rewrite (usually available and enabled by default)
  • mod_proxy (usually available and enabled by default)
  • mod_xsendfile (available from epel repository)
  • mod_shib (not required for non-shibboleth auth methods)

Configuration file

NameVirtualHost *:80

<VirtualHost *:80>
    ServerAdmin email@example.com 
    ServerSignature Email
    DocumentRoot /var/www/galaxy
    ServerName galaxy.uabgrid.uab.edu

    # Log levels 
    LogLevel info
    ErrorLog logs/galaxy-error_log
    CustomLog logs/galaxy-access_log common

    # Enable rewrite engine 
    RewriteEngine on
    RewriteLog "/tmp/rewrite_log"
    RewriteLogLevel 1

    # Define proxy connection 
    <Proxy http://localhost:8080>
        Order deny,allow
        Allow from all
    </Proxy>
	
    # For entire site "/" - root level 
    <Location "/">
        # Define the authentication method
        # # Basic Authentication - Used initially for testing, not used anymore
        # AuthType Basic
        # AuthName Galaxy
        # AuthUserFile /path/to/galaxy-htpasswd
        # Require valid-user

        # # Shibboleth Authentication 
        AuthType shibboleth
        ShibRequestSetting requireSession 1
        ShibUseHeaders On
        # # Require valid-user will allow all authenticated users
        # Require valid-user
        # # Following line restricts users with uab.edu eppn
        Require user ~ ^.+@uab\.edu$

        # Enable XSendFile to send file directly using apache
        # # requires mod_xsendfile apache module 
        XSendFile on
        XSendFilePath /
    </Location>

    # Above configuration puts entire site behind Shibboleth authentication, however
    # typically galaxy users want to share history, pages and datasets publicly. Also, 
    # there are some external display applications like UCSC which will need to access 
    # galaxy without authentication requirements. 
    # We allow these features by excluding certain URL patterns from authentication
    # requirements. 
	
    # Allow /dataset and /history location to be accessed publicly 
    <Location ~ "/(datasets|history)/">
        AuthType shibboleth
        ShibRequireSession off
        Require shibboleth
    </Location>

    # Allow user's history and datasets to be accessed publicly 
    # # Pattern: /u/shantanu/d/1a2b3c4d5e6f789
    <Location ~ "/u/(.+)/[hd]/">
        AuthType shibboleth
        ShibRequireSession off
        Require shibboleth
    </Location>

    # Display at external sites 
    # We have excluded following URL patterns so far - 
    # /root/display_as, /display_application, /root/display_at, /static and /robots.txt 

    # Pattern: /root/display_as 
    <Location ~ "/root/display_as">
        AuthType shibboleth
        ShibRequireSession off
        Require shibboleth

        Order deny,allow
        Deny from all
        Allow from hgw1.cse.ucsc.edu
        Allow from hgw2.cse.ucsc.edu
        Allow from hgw3.cse.ucsc.edu
        Allow from hgw4.cse.ucsc.edu
        Allow from hgw5.cse.ucsc.edu
        Allow from hgw6.cse.ucsc.edu
        Allow from hgw7.cse.ucsc.edu
        Allow from hgw8.cse.ucsc.edu
    </Location>

    # Pattern: display_application
    <Location /display_application>
        AuthType shibboleth
        ShibRequireSession off
        Require shibboleth
    </Location>

    # Pattern: /root/display_at
    <Location ~ "/root/display_at">
        AuthType shibboleth
	ShibRequireSession off
	Require shibboleth
	Order deny,allow
	Deny from all
	Allow from hgw1.cse.ucsc.edu
	Allow from hgw2.cse.ucsc.edu
	Allow from hgw3.cse.ucsc.edu
	Allow from hgw4.cse.ucsc.edu
	Allow from hgw5.cse.ucsc.edu
	Allow from hgw6.cse.ucsc.edu
	Allow from hgw7.cse.ucsc.edu
	Allow from hgw8.cse.ucsc.edu
    </Location>

    # Pattern: /static 
    <Location /static/>
        AuthType shibboleth
	ShibRequireSession off
	Require shibboleth
    </Location>

    # Since history, datasets and pages are public now, the web crawlers will try index them. 
    # So we need a robots.txt file and it should be accessible publicly. 
    # Note that galaxy code includes the robots.txt file and we will have a RewriteRule in place
    # to use the same file. If you want to use the robots.txt file in the Apache DocumentRoot
    # then be sure to modify(remove) RewriteRule for it. 
    # Pattern: /robots.txt
    <Location /robots.txt>
	AuthType shibboleth
	ShibRequireSession off
	Require shibboleth
    </Location>
	
    # With external authentication enabled, galaxy will expect a non-empty REMOTE_USER env 
    # variable in request headers. 
    # We set it's value using RequestHeader based on RewriteCond and RewriteRule. 
    # We set REMOTE_USER for two cases/conditions: 
    # # 1. For shibboleth authenticated users we set correct user name in request headers 
    # #     using REMOTE_USER server variable value 
    # # 2. For anonymous public access (enabled for certain URLs like history and datasets) 
    # #     the server variable REMOTE_USER is empty and hence we set it to 'anonymoys'.
	
    # 1. REMOTE_USER for shib authenticated users
    RewriteCond %{IS_SUBREQ} ^false$
    # If REMOTE_USER is not empty 
    RewriteCond %{LA-U:REMOTE_USER} (.+)
    RewriteRule . - [E=RU:%1]

    # 2. REMOTE_USER for anonymous public requests
    RewriteCond %{IS_SUBREQ} ^false$
    RewriteCond %{LA-U:REMOTE_USER} =""
    RewriteRule . - [E=RU:"anonymous"]
        
    # Set REMOTE_USER in request headers 
    RequestHeader set REMOTE_USER %{RU}e

    # RewriteRule(s) for static content 
    RewriteRule ^/static/style/(.*) /path/to/galaxy/galaxy-latest/static/june_2007_style/blue/$1 [L]
    RewriteRule ^/static/scripts/(.*) /path/to/galaxy/galaxy-latest/static/scripts/packed/$1 [L]
    RewriteRule ^/static/(.*) /path/to/galaxy/galaxy-latest/static/$1 [L]
    RewriteRule ^/favicon.ico /path/to/galaxy/galaxy-latest/static/favicon.ico [L]
    RewriteRule ^/robots.txt /path/to/galaxy/galaxy-latest/static/robots.txt [L]
    # Proxy using RewriteRule
    RewriteRule ^(.*) http://localhost:8080$1 [P]

</VirtualHost>