ssl proxy

ssl proxy

Shrum, Donald C
Hi all,

I have a galaxy install with an apache proxy and ldap authentication.

<Location />
   RequestHeader set X-URL-SCHEME https
   AuthBasicProvider ldap
  Other stuff....
</Location>      

RewriteEngine on
RewriteRule ^/static/style/(.*) /panfs/storage.local/opt/galaxy-dist/static/june_2007_style/blue/$1 [L]
RewriteRule ^/static/scripts/(.*) /panfs/storage.local/opt/galaxy-dist/static/scripts/packed/$1 [L]
RewriteRule ^/static/(.*) /panfs/storage.local/opt/galaxy-dist/static/$1 [L]
RewriteRule ^/favicon.ico /panfs/storage.local/opt/galaxy-dist/static/favicon.ico [L]
RewriteRule ^/robots.txt /panfs/storage.local/opt/galaxy-dist/static/robots.txt [L]
RewriteRule ^(.*) http://144.174.51.187:8080$1 [P]

What is the best way to manage the redirect from http to https for the authentication?

___________________________________________________________
Please keep all replies on the list by using "reply all"
in your mail client.  To manage your subscriptions to this
and other Galaxy lists, please use the interface at:
  http://lists.bx.psu.edu/

To search Galaxy mailing lists use the unified search at:
  http://galaxyproject.org/search/mailinglists/

Re: ssl proxy

Eric Rasche
We use:

<VirtualHost *:80>
  ServerName <our.server.fqdn>
  DocumentRoot "/var/www/"
  <Directory "/var/www/">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Require all granted
  </Directory>
  Redirect permanent / https://<our.server.fqdn>/
</VirtualHost>

Ours is managed with puppet so I've tried to redact the non-relevant blocks, but that should work for you.

Cheers,
Eric

On 08/25/2014 03:03 PM, Shrum, Donald C wrote:
> Hi all,
>
> I have a galaxy install with an apache proxy and ldap authentication.
>
> <Location />
>    RequestHeader set X-URL-SCHEME https
>    AuthBasicProvider ldap
>   Other stuff....
> </Location>     
>
> RewriteEngine on
> RewriteRule ^/static/style/(.*) /panfs/storage.local/opt/galaxy-dist/static/june_2007_style/blue/$1 [L]
> RewriteRule ^/static/scripts/(.*) /panfs/storage.local/opt/galaxy-dist/static/scripts/packed/$1 [L]
> RewriteRule ^/static/(.*) /panfs/storage.local/opt/galaxy-dist/static/$1 [L]
> RewriteRule ^/favicon.ico /panfs/storage.local/opt/galaxy-dist/static/favicon.ico [L]
> RewriteRule ^/robots.txt /panfs/storage.local/opt/galaxy-dist/static/robots.txt [L]
> RewriteRule ^(.*) http://144.174.51.187:8080$1 [P]   
>
> What is the best way to manage the redirect from http to https for the authentication?




Eric Rasche
Programmer II
Center for Phage Technology
Texas A&M University
College Station, TX 77843
404-692-2048
[hidden email]


Re: ssl proxy

Kandalaft, Iyad
Hi Eric

I'm not sure that he is using a virtual host on 443.  I suppose that a "redirect permanent" would work in either case, but I was thinking along the lines of:


RewriteEngine On

RewriteCond %{HTTPS} !=on

RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

RewriteRule ^/static/style/(.*) /panfs/storage.local/opt/galaxy-dist/static/june_2007_style/blue/$1 [L]
RewriteRule ^/static/scripts/(.*) /panfs/storage.local/opt/galaxy-dist/static/scripts/packed/$1 [L]
RewriteRule ^/static/(.*) /panfs/storage.local/opt/galaxy-dist/static/$1 [L]
RewriteRule ^/favicon.ico /panfs/storage.local/opt/galaxy-dist/static/favicon.ico [L]

RewriteRule ^/robots.txt /panfs/storage.local/opt/galaxy-dist/static/robots.txt [L]
RewriteRule ^(.*) http://144.174.51.187:8080$1 [P]


What do you think?



Iyad Kandalaft
Bioinformatics Programmer
Microbial Biodiversity Bioinformatics
Science & Technology Branch
Agriculture & Agri-Food Canada
[hidden email] | (613) 759-1228
________________________________
From: [hidden email] [[hidden email]] on behalf of Eric Rasche [[hidden email]]
Sent: August 25, 2014 4:21 PM
To: [hidden email]
Cc: [hidden email]
Subject: Re: [galaxy-dev] ssl proxy

We use:

<VirtualHost *:80>
  ServerName <our.server.fqdn>
  DocumentRoot "/var/www/"
  <Directory "/var/www/">
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Require all granted
  </Directory>
  Redirect permanent / https://<our.server.fqdn>/
</VirtualHost>

Ours is managed with puppet so I've tried to redact the non-relevant blocks, but that should work for you.

Cheers,
Eric


Re: ssl proxy

Shrum, Donald C
I'm not using a virtual host.  Apache is just there as a proxy.  I tried the rewrite rules below...

I get a redirect from 80 to 443 as expected for the ldap authentication.  After authenticating I do not get redirected to 8080 for galaxy.  I've tried a few different ways and always get that.  I'll dig in tomorrow morning and after some coffee to see if I can figure it out.  

It's probably worth posting the solution in the docs.

-----Original Message-----
From: Kandalaft, Iyad [mailto:[hidden email]]
Sent: Monday, August 25, 2014 8:42 PM
To: Eric Rasche; Shrum, Donald C
Cc: [hidden email]
Subject: RE: [galaxy-dev] ssl proxy

Hi Eric

I'm not sure that he is using a virtual host on 443.  I suppose that a "redirect permanent" would work in either case, but I was thinking along the lines of:


RewriteEngine On

RewriteCond %{HTTPS} !=on

RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

RewriteRule ^/static/style/(.*) /panfs/storage.local/opt/galaxy-dist/static/june_2007_style/blue/$1 [L]
RewriteRule ^/static/scripts/(.*) /panfs/storage.local/opt/galaxy-dist/static/scripts/packed/$1 [L]
RewriteRule ^/static/(.*) /panfs/storage.local/opt/galaxy-dist/static/$1 [L]
RewriteRule ^/favicon.ico /panfs/storage.local/opt/galaxy-dist/static/favicon.ico [L]

RewriteRule ^/robots.txt /panfs/storage.local/opt/galaxy-dist/static/robots.txt [L]
RewriteRule ^(.*) http://144.174.51.187:8080$1 [P]


What do you think?



Iyad Kandalaft
Bioinformatics Programmer
Microbial Biodiversity Bioinformatics
Science & Technology Branch
Agriculture & Agri-Food Canada
[hidden email] | (613) 759-1228

Re: ssl proxy

Kandalaft, Iyad
Sorry Don, I forgot the http"s" in the proxy line:
RewriteRule ^(.*) https://144.174.51.187:8080$1 [P]

That should do it :)



Iyad Kandalaft


-----Original Message-----
From: Shrum, Donald C [mailto:[hidden email]]
Sent: Monday, August 25, 2014 9:27 PM
To: Kandalaft, Iyad; Eric Rasche
Cc: [hidden email]
Subject: RE: [galaxy-dev] ssl proxy

I'm not using a virtual host.  Apache is just there as a proxy.  I tried the rewrite rules below...

I get a redirect from 80 to 443 as expected for the ldap authentication.  After authenticating I do not get redirected to 8080 for galaxy.  I've tried a few different ways and always get that.  I'll dig in tomorrow morning and after some coffee to see if I can figure it out.  

It's probably worth posting the solution in the docs.


Re: ssl proxy

Shrum, Donald C
I think I'd also need to change the proxy config to include the https

  <Proxy *>  
    AddDefaultCharset off
    Order Deny,Allow
    Allow from all
  </Proxy>    

  <Proxy https://144.174.51.187:8080>
            Order deny,allow
            Allow from all            
  </Proxy>


Even with that and your change... no luck.  I'll keep tinkering.

-----Original Message-----
From: Kandalaft, Iyad [mailto:[hidden email]]
Sent: Tuesday, August 26, 2014 8:44 AM
To: Shrum, Donald C; Eric Rasche
Cc: [hidden email]
Subject: RE: [galaxy-dev] ssl proxy

Sorry Don, I forgot the http"s" in the proxy line:
RewriteRule ^(.*) https://144.174.51.187:8080$1 [P]

That should do it :)



Iyad Kandalaft



Re: ssl proxy

Eric Rasche
What issues are you still seeing? How is it non-functional?


On 08/26/2014 08:32 AM, Shrum, Donald C wrote:

> I think I'd also need to change the proxy config to include the https
>
>   <Proxy *>  
>     AddDefaultCharset off
>     Order Deny,Allow
>     Allow from all
>   </Proxy>    
>
>   <Proxy https://144.174.51.187:8080>
>             Order deny,allow
>             Allow from all            
>   </Proxy>
>
>
> Even with that and your change... no luck.  I'll keep tinkering.

Re: ssl proxy

Eric Rasche
> is just an apache page

Is it an error page/the default index.html/other?

Next: Are you doing the proxying with mod_proxy or with mod_rewrite?

mod_rewrite looks like
RewriteRule ^(.*) https://144.174.51.187:8080$1 [P]

while mod_proxy looks like
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/


Cheers,
Eric

On 08/26/2014 09:39 AM, Shrum, Donald C wrote:

> If I go directly to https://galaxy.rcc.fsu.edu what I get is just an apache page.  It's not doing the proxy to galaxy.
>
> The debug shows...
> [Tue Aug 26 10:36:45 2014] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
> [Tue Aug 26 10:36:45 2014] [debug] proxy_util.c(1934): proxy: initialized single connection worker 0 in child 21513 for (*)
> [Tue Aug 26 10:36:46 2014] [debug] proxy_util.c(1818): proxy: grabbed scoreboard slot 0 in child 21514 for worker proxy:reverse
> [Tue Aug 26 10:36:46 2014] [debug] proxy_util.c(1837): proxy: worker proxy:reverse already initialized
>
> -----Original Message-----
> From: Eric Rasche [mailto:[hidden email]]
> Sent: Tuesday, August 26, 2014 10:34 AM
> To: Shrum, Donald C
> Subject: Re: [galaxy-dev] ssl proxy
>
>> not forwarded to the galaxy server
>
> hmm. (technically it shouldn't be forwarding, once you hit https, it should display galaxy directly). Is it just a blank white screen or a proper error code?
>
> Why don't you increase the log level and see if anything shows up in the logs? Add
>
>> LogLevel debug
>
> and then tail all of your apache logs. What do those look like when you request https://your-domain/ ?
>
> Cheers,
> Eric
>
> On 08/26/2014 09:25 AM, Shrum, Donald C wrote:
>> I get a redirect from http to https but then I'm not forwarded to the galaxy server.  
>>
>> If you have a suggestion I'll take it and thanks for the help with this.
>>
>> -----Original Message-----
>> From: Eric Rasche [mailto:[hidden email]]
>> Sent: Tuesday, August 26, 2014 10:19 AM
>> To: Shrum, Donald C; Kandalaft, Iyad
>> Cc: [hidden email]
>> Subject: Re: [galaxy-dev] ssl proxy
>>
>> What issues are you still seeing? How is it non-functional?
>>
>>
>> On 08/26/2014 08:32 AM, Shrum, Donald C wrote:
>>> I think I'd also need to change the proxy config to include the https
>>>
>>>   <Proxy *>  
>>>     AddDefaultCharset off
>>>     Order Deny,Allow
>>>     Allow from all
>>>   </Proxy>    
>>>
>>>   <Proxy https://144.174.51.187:8080>
>>>             Order deny,allow
>>>             Allow from all            
>>>   </Proxy>
>>>
>>>
>>> Even with that and your change... no luck.  I'll keep tinkering.
>>>
>>> -----Original Message-----
>>> From: Kandalaft, Iyad [mailto:[hidden email]]
>>> Sent: Tuesday, August 26, 2014 8:44 AM
>>> To: Shrum, Donald C; Eric Rasche
>>> Cc: [hidden email]
>>> Subject: RE: [galaxy-dev] ssl proxy
>>>
>>> Sorry Don, I forgot the http"s" in the proxy line:
>>> RewriteRule ^(.*) <a href="https://144.174.51.187:8080$1">https://144.174.51.187:8080$1 [P]
>>>
>>> That should do it :)
>>>
>>>
>>>
>>> Iyad Kandalaft
>>>
>>>
>>> -----Original Message-----
>>> From: Shrum, Donald C [mailto:[hidden email]]
>>> Sent: Monday, August 25, 2014 9:27 PM
>>> To: Kandalaft, Iyad; Eric Rasche
>>> Cc: [hidden email]
>>> Subject: RE: [galaxy-dev] ssl proxy
>>>
>>> I'm not using a virtual host.  Apache is just there as a proxy.  I tried the rewrite rules below...
>>>
>>> I get a redirect from 80 to 443 as expected for the ldap authentication.  After authenticating I do not get redirected to 8080 for galaxy.  I've tried a few different ways and always get that.  I'll dig in tomorrow morning and after some coffee to see if I can figure it out.  
>>>
>>> It's probably worth posting the solution in the docs.
>>>
>>> -----Original Message-----
>>> From: Kandalaft, Iyad [mailto:[hidden email]]
>>> Sent: Monday, August 25, 2014 8:42 PM
>>> To: Eric Rasche; Shrum, Donald C
>>> Cc: [hidden email]
>>> Subject: RE: [galaxy-dev] ssl proxy
>>>
>>> Hi Eric
>>>
>>> I'm not sure that he is using a virtual host on 443.  I suppose that a  "redirect permanent" would work in either case, but I was thinking along the lines of:
>>>
>>>
>>> RewriteEngine On
>>> RewriteCond %{HTTPS} !=on
>>> RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]
>>>
>>> RewriteRule ^/static/style/(.*) /panfs/storage.local/opt/galaxy-dist/static/june_2007_style/blue/$1 [L]
>>> RewriteRule ^/static/scripts/(.*) /panfs/storage.local/opt/galaxy-dist/static/scripts/packed/$1 [L]
>>> RewriteRule ^/static/(.*) /panfs/storage.local/opt/galaxy-dist/static/$1 [L]
>>> RewriteRule ^/favicon.ico /panfs/storage.local/opt/galaxy-dist/static/favicon.ico [L]
>>> RewriteRule ^/robots.txt /panfs/storage.local/opt/galaxy-dist/static/robots.txt [L]
>>> RewriteRule ^(.*) http://144.174.51.187:8080$1 [P]
>>>
>>>
>>> What do you think?
>>>
>>>
>>>
>>> Iyad Kandalaft
>>> Bioinformatics Programmer
>>> Microbial Biodiversity Bioinformatics Science & Technology Branch
>>> Agriculture & Agri-Food Canada
>>> [hidden email] | (613) 759-1228
>>> ________________________________
>>> From: [hidden email] [[hidden email]] on behalf of Eric Rasche [[hidden email]]
>>> Sent: August 25, 2014 4:21 PM
>>> To: [hidden email]
>>> Cc: [hidden email]
>>> Subject: Re: [galaxy-dev] ssl proxy
>>>
>>> We use:
>>>
>>> <VirtualHost *:80>
>>>   ServerName <our.server.fqdn>
>>>   DocumentRoot "/var/www/"
>>>   <Directory "/var/www/">
>>>     Options Indexes FollowSymLinks MultiViews
>>>     AllowOverride None
>>>     Require all granted
>>>   </Directory>
>>>   Redirect permanent / https://<our.server.fqdn>/
>>> </VirtualHost>
>>>
>>> Ours is managed with puppet so I've tried to redact the non-relevant blocks, but that should work for you.
>>>
>>> Cheers,
>>> Eric
>>>
>>> On 08/25/2014 03:03 PM, Shrum, Donald C wrote:
>>>> Hi all,
>>>>
>>>> I have a galaxy install with an apache proxy and ldap authentication.
>>>>
>>>> <Location />
>>>>    RequestHeader set X-URL-SCHEME https
>>>>    AuthBasicProvider ldap
>>>>   Other stuff....
>>>> </Location>
>>>>
>>>> RewriteEngine on
>>>> RewriteRule ^/static/style/(.*) /panfs/storage.local/opt/galaxy-dist/static/june_2007_style/blue/$1 [L]
>>>> RewriteRule ^/static/scripts/(.*) /panfs/storage.local/opt/galaxy-dist/static/scripts/packed/$1 [L]
>>>> RewriteRule ^/static/(.*) /panfs/storage.local/opt/galaxy-dist/static/$1 [L]
>>>> RewriteRule ^/favicon.ico /panfs/storage.local/opt/galaxy-dist/static/favicon.ico [L]
>>>> RewriteRule ^/robots.txt /panfs/storage.local/opt/galaxy-dist/static/robots.txt [L]
>>>> RewriteRule ^(.*) http://144.174.51.187:8080$1 [P]
>>>>
>>>> What is the best way to manage the redirect from http to https for the authentication?
>>>
>>>
>>>
>>> Eric Rasche
>>> Programmer II
>>> Center for Phage Technology
>>> Texas A&M University
>>> College Station, TX 77843
>>> 404-692-2048
>>> [hidden email]
>>>
>>
> --
> Eric Rasche
> Programmer II
> Center for Phage Technology
> Texas A&M University
> College Station, TX 77843
> 404-692-2048
> [hidden email]
> [hidden email]
>
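
The pieces quoted in this thread, assembled into one layout, as an added example that is not from any poster: port 80 only redirects, and port 443 terminates TLS, does the LDAP authentication and proxies to Galaxy. It uses virtual hosts (the original poster's setup does not), and the hostname, certificate paths and the assumption that the backend on port 8080 speaks plain HTTP are placeholders or assumptions.

```apache
# Added example. galaxy.example.org and the certificate paths are placeholders.
# Assumption: Galaxy on 144.174.51.187:8080 speaks plain HTTP; TLS ends at Apache.

# Port 80 does one thing: move the browser to HTTPS before any auth prompt,
# so basic-auth credentials are never sent in clear text.
<VirtualHost *:80>
    ServerName galaxy.example.org
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName galaxy.example.org
    SSLEngine on
    SSLCertificateFile    /path/to/server.crt
    SSLCertificateKeyFile /path/to/server.key

    <Location />
        # Tells Galaxy the client-facing scheme so generated URLs use https
        RequestHeader set X-URL-SCHEME https
        AuthType Basic
        AuthName "Galaxy"
        AuthBasicProvider ldap
        # AuthLDAPURL and any group restrictions are site-specific
        # (the "Other stuff" in the original post)
        Require valid-user
    </Location>

    RewriteEngine On
    RewriteRule ^/static/style/(.*) /panfs/storage.local/opt/galaxy-dist/static/june_2007_style/blue/$1 [L]
    RewriteRule ^/static/scripts/(.*) /panfs/storage.local/opt/galaxy-dist/static/scripts/packed/$1 [L]
    RewriteRule ^/static/(.*) /panfs/storage.local/opt/galaxy-dist/static/$1 [L]
    RewriteRule ^/favicon.ico /panfs/storage.local/opt/galaxy-dist/static/favicon.ico [L]
    RewriteRule ^/robots.txt /panfs/storage.local/opt/galaxy-dist/static/robots.txt [L]

    # The proxy target keeps the http scheme. An https:// target with [P]
    # requires "SSLProxyEngine on" and a backend that actually speaks TLS.
    RewriteRule ^(.*) http://144.174.51.187:8080$1 [P]
</VirtualHost>
```

Because the hop from Apache to port 8080 is unencrypted in this layout, the backend port should accept connections only from the proxy host.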
