[OOD-users] Apple Safari Basic Auth Warning
Nicklas, Jeremy
jnicklas at osc.edu
Wed May 23 17:02:12 EDT 2018
Thanks for bringing this up. We definitely need to add it to the documentation, but the bit to flip is by editing the file:
/etc/ood/config/apps/dashboard/env
and adding the following environment variable setting:
DISABLE_SAFARI_BASIC_AUTH_WARNING=1
This will take effect after a restart of either the Dashboard app running under your per-user NGINX instance, or a restart of the per-user NGINX instance itself. Performing the former is easiest, as you just need to do:
$ sudo touch /var/www/ood/apps/sys/dashboard/tmp/restart.txt
on the node that hosts your OnDemand portal and it will affect all users.
Hopefully in the future the Dashboard will be able to auto-detect in some way whether you are using BasicAuth or another authentication mechanism so that this manual step won't be needed. Until then I will create an issue to add this step to the documentation.
--
Jeremy Nicklas
Web and Interface App Engineer
Ohio Supercomputer Center (OSC)
A member of the Ohio Technology Consortium
1224 Kinnear Road, Columbus, Ohio 43212
Office: (614) 292-6739 • Mobile: (614) 316-6428 • Fax: (614) 292-7168
jnicklas at osc.edu
Learn more about OSC at https://osc.edu
________________________________________
From: OOD-users [ood-users-bounces+jnicklas=osc.edu at lists.osc.edu] on behalf of Ruffner, James Prescott (Scott) (jpr9c) [jpr9c at virginia.edu]
Sent: Wednesday, May 23, 2018 4:49 PM
To: ood-users at lists.osc.edu
Subject: [OOD-users] Apple Safari Basic Auth Warning
Hi All -
I'm digging around a bit, and I can't find the bit to flip; our OOD portal is set up with Shibboleth authentication, but I'm still getting the warning from the Desktop App about:
As currently configured, the Cluster and Interactive Apps of Open OnDemand do not work with Safari. This is due to a bug in Safari with using websockets through servers protected using "Basic" auth....<snip>
The relevant parts of ood-portal.conf has:
SetEnv OOD_PUN_URI "/pun"
<Location "/pun">
AuthType shibboleth
ShibRequestSetting requireSession 1
RequestHeader edit* Cookie "(^_shibsession_[^;]*(;\s*)?|;\s*_shibsession_[^;]*)" ""
RequestHeader unset Cookie "expr=-z %{req:Cookie}"
Require valid-user
ProxyPassReverse "http://localhost/pun"
# ProxyPassReverseCookieDomain implementation (strip domain)
Header edit* Set-Cookie ";\s*(?i)Domain[^;]*" ""
# ProxyPassReverseCookiePath implementation (less restrictive)
Header edit* Set-Cookie ";\s*(?i)Path\s*=(?-i)(?!\s*/pun)[^;]*" "; Path=/pun"
SetEnv OOD_PUN_SOCKET_ROOT "/var/run/nginx"
SetEnv OOD_PUN_MAX_RETRIES "5"
LuaHookFixups pun_proxy.lua pun_proxy_handler
</Location>
# Control backend PUN for authenticated user:
# NB: See mod_ood_proxy for more details.
#
# https://rivanna-portal.hpc.virginia.edu:443/nginx/stop
# #=> stops the authenticated user's PUN
#
SetEnv OOD_NGINX_URI "/nginx"
<Location "/nginx">
AuthType shibboleth
ShibRequestSetting requireSession 1
RequestHeader edit* Cookie "(^_shibsession_[^;]*(;\s*)?|;\s*_shibsession_[^;]*)" ""
RequestHeader unset Cookie "expr=-z %{req:Cookie}"
Require valid-user
LuaHookFixups nginx.lua nginx_handler
</Location>
I'd love any tip, but I'm pretty sure something is erroneous about the error message.
Do I need to get shibboleth working for the PUNs themselves as well?
Thanks!
Scott
--
Scott Ruffner
Senior HPC Engineer
UVa Research Computing Infrastructure
(434)924-6778(o)
sruffner at virginia.edu
_______________________________________________
OOD-users mailing list
OOD-users at lists.osc.edu
https://lists.osu.edu/mailman/listinfo/ood-users
More information about the OOD-users
mailing list