Dear Lina,
We have built a similar set-up to what you describe here
https://groups.google.com/a/soe.ucsc.edu/forum/#!topic/genome/sBm43E2ZRB0.
We use this at the DKFZ Heidelberg for some of our internal data. I hope our experiences can be of use to you!
We decided against modifying the GBiB image to bolt/duct-tape authentication onto it.
Instead we isolated the GBiB image from the rest of our intranet with our firewall, and only allow traffic to the UCSC mysql server, the update server, and an internal authenticating proxy.
This means we have an unmodified GBiB image, which greatly simplifies the UCSC's auto-update procedure, and saves us the brittleness of a locally modified VM that could break at every update from the UCSC.
Our network admins also (understandably) wouldn't allow an 'external' VM access to our central LDAP server with all our passwords.
The authenticating proxy is a simple, purpose-built VM that runs on the trusted base-image we use for all DKFZ services.
On top of that is a standard Apache install with mod_proxy.
This Apache instance is configured with a "ProxyPass" directive [1] set up to forward to the GBiB after you enter your DKFZ password.
(template config below at [2])
To prevent everyone from the cleaner to the Director from accessing this protected data, we further limit access with a special user group.
Only a few researchers are members of this group.
The proxy-vm also mounts a network drive with the trackhub.txt on it, and allows access from the GBiB.
We can then add this trackhub in the GBiB browser by adding "gbib-proxy.intranet.url/TrackHub/hub.txt" under "my hubs".
Again, our careful network admins didn't want to give 'external' VMs direct NFS access to our network drive hosts.
By having the trackhub on a network drive, we can host the hundreds of gigabytes of datafiles on our central disk-farm, and simultaneously allow the actual users to configure the trackhub to their liking.
(They have write-access to this trackhub-drive from their local PCs, the gbib-proxy has read-only access.)
If you have any further questions, don't hesitate to ask!
Kind regards,
Jules Kerssemakers,
eilslabs Data Support Group @ DKFZ Heidelberg
[1] https://httpd.apache.org/docs/2.2/mod/mod_proxy.html#proxypass
[2] Apache config. This forwards all requests to "gbib-proxy.intranet.url" to "gbib-vm.intranet.url" after you enter your password.
"gbib-vm" is the unmodified GBiB image from the UCSC
"gbib-proxy" is our purpose-built proxy image, running linux + apache + mod_proxy + mod_ldap.
<VirtualHost *>
    ProxyTimeout 3600
    # Default, but stated explicitly: this is a reverse proxy only, never an open forward proxy.
    ProxyRequests Off

    # Allow gbib-vm access to the network drive with the trackhub.
    # /Trackhub is an NFS mount on this machine, to our network-disk host
    # (an Alias or DocumentRoot must map the URL path to that mount; not shown here).
    # Note: <Location> paths are case-sensitive, so spell the hub URL the same way.
    # Apache does not accept comments on the same line as a directive; keep them on their own lines.
    <Location /Trackhub>
        # Our network disk has the data in a different layout; the users build a "trackhub"
        # subdir with the UCSC layout, containing symlinks to the actual data.
        # Caveat: FollowSymLinks serves whatever a user-created link points to, resolved on
        # this host; SymLinksIfOwnerMatch restricts that to links owned by the target's owner.
        Options +FollowSymLinks
        # Serve this path from the local mount instead of forwarding it to gbib-vm.
        ProxyPass !
        # Allow access to this Trackhub from the UCSC vm ..
        # .. and from nowhere else ..
        Order deny,allow
        Allow from <GBiB-ip>
        Deny from all
        # .. except that "Satisfy any" lets either the host rule above OR the LDAP
        # authentication set under / below suffice, so the GBiB VM needs no password here.
        Satisfy any
    </Location>

    # Configure the proxy, so that visiting gbib-proxy.intranet.url asks for a password,
    # then transparently forwards to gbib-vm.
    <Location />
        # Settings to access the central LDAP password-authentication server
        # (mod_ldap + mod_authnz_ldap). The bind DN is a DN, not the server name;
        # the server is part of the URL: ldap://host:port/basedn?attribute?scope?filter
        AuthLDAPURL YOUR-LDAP-URL
        AuthLDAPBindDN "YOUR-LDAP-BIND-DN"
        # Keep this file readable by root and the web server only; the bind password is in clear text.
        AuthLDAPBindPassword YOUR-LDAP-PASSWORD
        AuthLDAPGroupAttributeIsDN on
        # Basic = insecure (leaks passwords to eavesdroppers) unless you use HTTPS or stay intranet-only.
        AuthType Basic
        AuthBasicProvider ldap
        AuthName "your LDAP account (member of GBiB-group)"
        # Don't allow all employees access, but only those with special gbib permissions.
        Require ldap-group <CN=...DN=... name for GBiB group>

        # Proxy settings. Users won't realise that "gbib-vm.intranet.url" exists,
        # they only see "gbib-proxy.intranet.url".
        ProxyPass        http://gbib-vm.intranet.url/
        ProxyPassReverse http://gbib-vm.intranet.url/
        # ProxyPassReverse only fixes headers; mod_substitute rewrites the backend name in
        # response bodies too. The 'n' flag treats the pattern as a fixed string, not a regex.
        Substitute 's!gbib-vm!gbib-proxy!n'
        Substitute 's!gbib%2Dvm!gbib%2Dproxy!n'
        # Speed: allow compression for some of the text files sent by the browser to save bandwidth.
        # INFLATE comes first because gbib-vm may gzip its responses and SUBSTITUTE needs plain text.
        AddOutputFilterByType INFLATE;SUBSTITUTE;DEFLATE text/html
        AddOutputFilterByType INFLATE;SUBSTITUTE;DEFLATE text/css
        AddOutputFilterByType INFLATE;SUBSTITUTE;DEFLATE application/x-javascript
    </Location>
</VirtualHost>
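The set-up above serves the hub with `Options +FollowSymLinks` from a share that the researchers can write to, and a symlink on that share is resolved on the proxy host wherever it points. The script below is an added example, not part of the post or of the DKFZ set-up: it walks the hub directory without following links and reports every symlink that is dangling or whose resolved target lies outside the hub and outside the allowed data roots. The paths it assumes (/Trackhub for the hub, /data for the disk farm) and the sample tree it builds are hypothetical.

```python
"""Audit a user-writable track hub directory for symlinks that escape the data root.

Added example, not from the original post or the DKFZ set-up. The proxy serves the
hub with `Options +FollowSymLinks` from a share the researchers can write to, so a
link placed there is resolved on the proxy host, wherever it points. This walk
flags links whose target leaves the hub and every allowed data root, plus dangling ones.
Hypothetical paths are assumed: /Trackhub for the hub, /data for the disk farm.
"""
import os
import sys
import tempfile
from pathlib import Path


def _inside(path: Path, root: Path) -> bool:
    """True if `path` equals `root` or lies beneath it (both must be resolved)."""
    try:
        path.relative_to(root)
        return True
    except ValueError:
        return False


def find_escaping_symlinks(hub_dir, allowed_roots):
    """Walk hub_dir without following links and report each symlink that is
    dangling or whose fully resolved target lies outside hub_dir and outside
    every allowed root. Returns sorted (link relative to hub, target or None)."""
    hub = Path(hub_dir).resolve()
    roots = [hub] + [Path(r).resolve() for r in allowed_roots]
    findings = []
    for cur, dirs, files in os.walk(hub, followlinks=False):
        for name in dirs + files:           # a symlinked dir is listed but not descended
            link = Path(cur) / name
            if not link.is_symlink():
                continue
            rel = str(link.relative_to(hub))
            if not link.exists():           # dangling: target missing or chain broken
                findings.append((rel, None))
                continue
            target = link.resolve()         # follows the whole chain, as the web server would
            if not any(_inside(target, r) for r in roots):
                findings.append((rel, str(target)))
    return sorted(findings)


def build_demo_tree(base):
    """Constructed sample layout, not real DKFZ data:
         base/data/       the disk farm (allowed root)
         base/proxy-etc/  stands in for files on the proxy host that must never be served
         base/Trackhub/   the user-writable hub directory in UCSC layout"""
    base = Path(base)
    data, etc, hub = base / "data", base / "proxy-etc", base / "Trackhub" / "hg19"
    for d in (data, etc, hub):
        d.mkdir(parents=True)
    (data / "sample1.bw").write_bytes(b"constructed bigwig bytes")
    (etc / "ldap-bind.conf").write_text("AuthLDAPBindPassword not-a-real-secret\n")
    (hub.parent / "hub.txt").write_text("hub demo\ngenomesFile genomes.txt\n")
    os.symlink(data / "sample1.bw", hub / "sample1.bw")      # fine: stays inside the data root
    os.symlink(etc / "ldap-bind.conf", hub / "notes.txt")    # escapes: would expose proxy config
    os.symlink(data / "gone.bb", hub / "gone.bb")            # dangling: target never existed
    return base / "Trackhub", [data]


def audit_demo():
    """Run the audit over the constructed tree; returns the flagged link paths."""
    with tempfile.TemporaryDirectory() as tmp:
        hub, roots = build_demo_tree(tmp)
        return [rel for rel, _ in find_escaping_symlinks(hub, roots)]


if __name__ == "__main__":
    if len(sys.argv) >= 3:                  # usage: audit_hub.py HUB_DIR DATA_ROOT [DATA_ROOT ...]
        hits = find_escaping_symlinks(sys.argv[1], sys.argv[2:])
    else:
        hits = [(rel, "(demo)") for rel in audit_demo()]
    for rel, target in hits:
        print(f"ESCAPES: {rel} -> {target}")
    sys.exit(1 if hits else 0)
```

Run it as `python audit_hub.py /Trackhub /data` from cron on the proxy, or before a new hub is exposed; a non-zero exit means a link points outside the allowed roots (for instance at the proxy's own Apache configuration holding the LDAP bind password) or is broken. Run without arguments it audits the constructed demo tree, where the link to `ldap-bind.conf` and the dangling link are flagged and the link into the data root is not.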