[OOD-users] Apple Safari Basic Auth Warning

Nicklas, Jeremy jnicklas at osc.edu
Wed May 23 17:02:12 EDT 2018 

Thanks for bringing this up. We definitely need to add it to the documentation, but the bit to flip is by editing the file:

/etc/ood/config/apps/dashboard/env

and adding the following environment variable setting:

DISABLE_SAFARI_BASIC_AUTH_WARNING=1

This will take effect after a restart of either the Dashboard app running under your per-user NGINX instance, or a restart of the per-user NGINX instance itself. Performing the former is easiest, as you just need to do:

$ sudo touch /var/www/ood/apps/sys/dashboard/tmp/restart.txt

on the node that hosts your OnDemand portal and it will affect all users.

Hopefully in the future the Dashboard will be able to auto-detect in some way whether you are using BasicAuth or another authentication mechanism so that this manual step won't be needed. Until then I will create an issue to add this step to the documentation.

--
Jeremy Nicklas
Web and Interface App Engineer
Ohio Supercomputer Center (OSC)
A member of the Ohio Technology Consortium
1224 Kinnear Road, Columbus, Ohio 43212
Office: (614) 292-6739 • Mobile: (614) 316-6428 • Fax: (614) 292-7168
jnicklas at osc.edu

Learn more about OSC at https://osc.edu

________________________________________
From: OOD-users [ood-users-bounces+jnicklas=osc.edu at lists.osc.edu] on behalf of Ruffner, James Prescott (Scott) (jpr9c) [jpr9c at virginia.edu]
Sent: Wednesday, May 23, 2018 4:49 PM
To: ood-users at lists.osc.edu
Subject: [OOD-users] Apple Safari Basic Auth Warning

Hi All -

I'm digging around a bit, and I can't find the bit to flip; our OOD portal is set up with Shibboleth authentication, but I'm still getting the warning from the Desktop App about:

As currently configured, the Cluster and Interactive Apps of Open OnDemand do not work with Safari. This is due to a bug in Safari with using websockets through servers protected using "Basic" auth....<snip>

The relevant parts of ood-portal.conf has:

SetEnv OOD_PUN_URI "/pun"
  <Location "/pun">
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    RequestHeader edit* Cookie "(^_shibsession_[^;]*(;\s*)?|;\s*_shibsession_[^;]*)" ""
    RequestHeader unset Cookie "expr=-z %{req:Cookie}"
    Require valid-user

    ProxyPassReverse "http://localhost/pun"

    # ProxyPassReverseCookieDomain implementation (strip domain)
    Header edit* Set-Cookie ";\s*(?i)Domain[^;]*" ""

    # ProxyPassReverseCookiePath implementation (less restrictive)
    Header edit* Set-Cookie ";\s*(?i)Path\s*=(?-i)(?!\s*/pun)[^;]*" "; Path=/pun"

    SetEnv OOD_PUN_SOCKET_ROOT "/var/run/nginx"
    SetEnv OOD_PUN_MAX_RETRIES "5"
    LuaHookFixups pun_proxy.lua pun_proxy_handler

  </Location>

  # Control backend PUN for authenticated user:
  # NB: See mod_ood_proxy for more details.
  #
  #    https://rivanna-portal.hpc.virginia.edu:443/nginx/stop
  #    #=> stops the authenticated user's PUN
  #
  SetEnv OOD_NGINX_URI "/nginx"
  <Location "/nginx">
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    RequestHeader edit* Cookie "(^_shibsession_[^;]*(;\s*)?|;\s*_shibsession_[^;]*)" ""
    RequestHeader unset Cookie "expr=-z %{req:Cookie}"
    Require valid-user

    LuaHookFixups nginx.lua nginx_handler
  </Location>

I'd love any tip, but I'm pretty sure something is erroneous about the error message.

Do I need to get shibboleth working for the PUNs themselves as well?

Thanks!

Scott

--
Scott Ruffner
Senior HPC Engineer
UVa Research Computing Infrastructure
(434)924-6778(o)
sruffner at virginia.edu


_______________________________________________
OOD-users mailing list
OOD-users at lists.osc.edu
https://lists.osu.edu/mailman/listinfo/ood-users

More information about the OOD-users mailing list