Sophos UTM Local Galaxy installation: When is error 403001 (API authentication required for this request) triggered?

Hi all,
I have a quite stable local Galaxy installation running on CentOS 8.1.
For user authentication I run an Apache proxy on the same machine, connecting via LDAP to a domain server. Galaxy and Apache have been configured as described in the Galaxy tutorials, and I use Basic Authentication on Apache.
This setup works fine.

More recently I wanted to put a Sophos UTM as a Web Application Firewall (reverse proxy) in front of the Galaxy server.
I did this to have a shinier form-based login to the Galaxy server. The Sophos UTM then passes the form login data to the Galaxy server using Basic authentication.

This setup also works nicely most of the time; however, from time to time (especially after deleting browser cookies or when first-time users log in) the Galaxy server throws an error 403001 (API authentication required for this request) on the web frontend (see below).

I looked in the logs of Apache and Galaxy and could not find anything strange. For troubleshooting: can someone explain to me why and when Galaxy triggers this error? There seems to be something happening when cookies are deleted or new users log in that pushes Galaxy onto the "api" track.

Happy for any ideas/suggestions.
Thanks a lot and have a nice and healthy weekend!


Alright, took me some hours, but I found the solution.
The error was triggered because Galaxy did not find its session cookie in the request header that the Apache proxy (proxy 2, installed on the Galaxy machine) forwarded to the Galaxy instance when a GET for any HTML page was sent from a client to Galaxy.

The reason why Galaxy got confused was that the client passed both cookies in the header: the one for the Sophos UTM WAF session (reverse proxy 1) and the one for the Galaxy session. The Sophos UTM WAF then removes its session cookie from the request header BUT, at least in some situations, leaves behind a "; " (the terminator of the removed cookie before the next cookie). This leading "; " confused the Galaxy code that searches for the "galaxysession" cookie in the header (i.e. the code did not see the cookie string even though it was there). Therefore a 403 was triggered.

I now remove the leading "; " by a command in the httpd.conf on the apache RP (proxy 2):

RequestHeader edit Cookie "^(?:; *)" ""

This solves the issue.
Just in case there are other Sophos UTM users out there…

@Mods: Maybe you want to add this (Sophos UTM WAF in front of Galaxy) to the title of my post…
Cheers

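As an added illustration of the failure mode described in the reply above (this is example code written for this page, not the poster's configuration and not Galaxy's or Sophos's own code): the block below simulates a proxy that deletes its own cookie but leaves the "; " separator behind, shows how Python's stdlib `SimpleCookie` then silently drops the `galaxysession` cookie (it stops parsing at the first token that is not a legal cookie name; whether Galaxy's own request parser behaves the same way is not established by the post), and gives a Python equivalent of the `RequestHeader edit Cookie "^(?:; *)" ""` fix. It goes one step beyond the post with a normalizer that also removes empty segments in the middle of the header, which the leading-only regex would not catch. The cookie name `utm_waf_session` and the header values are constructed for the example; the real WAF cookie name is not given in the thread.

```python
import re
from http.cookies import SimpleCookie

# Constructed sample Cookie header (not captured from the poster's setup).
# "utm_waf_session" is a hypothetical name for the WAF's own cookie.
WAF_COOKIE = "utm_waf_session"
CLIENT_HEADER = "utm_waf_session=w1f2e3; galaxysession=abc123"


def simulate_waf_strip(header: str, name: str) -> str:
    """Simulate a reverse proxy that deletes its own cookie by blanking the
    name=value pair but leaving the '; ' separator in place.  This is a
    simulation of the behaviour the post describes, not Sophos's code."""
    return re.sub(re.escape(name) + r"=[^;]*", "", header, count=1)


def apache_edit_equivalent(header: str) -> str:
    """Python equivalent of the poster's fix:
        RequestHeader edit Cookie "^(?:; *)" ""
    Only a *leading* separator is removed."""
    return re.sub(r"^(?:; *)", "", header, count=1)


def normalize_cookie_header(header: str) -> str:
    """More general clean-up: drop empty segments anywhere in the header, so
    a cookie stripped from the middle ("a=1; ; b=2") is handled as well."""
    parts = [p.strip() for p in header.split(";")]
    return "; ".join(p for p in parts if p)


def strict_lookup(header: str, name: str):
    """Look a cookie up with the stdlib parser.  SimpleCookie stops parsing
    at the first token that is not a legal cookie name, so a stray ';' hides
    every cookie after it.  Returns the value or None."""
    jar = SimpleCookie()
    jar.load(header)
    return jar[name].value if name in jar else None


def lenient_lookup(header: str, name: str):
    """Tolerant lookup: split on ';' and skip empty segments."""
    for segment in header.split(";"):
        segment = segment.strip()
        if not segment:
            continue
        key, _, value = segment.partition("=")
        if key.strip() == name:
            return value.strip()
    return None


if __name__ == "__main__":
    damaged = simulate_waf_strip(CLIENT_HEADER, WAF_COOKIE)
    print(repr(damaged))                                    # '; galaxysession=abc123'
    print(strict_lookup(damaged, "galaxysession"))          # None -> no session seen
    print(strict_lookup(apache_edit_equivalent(damaged), "galaxysession"))  # abc123
    print(strict_lookup(normalize_cookie_header("a=1; ; galaxysession=abc123"),
                        "galaxysession"))                   # abc123
    print(lenient_lookup(damaged, "galaxysession"))         # abc123
```

The strict parser is the interesting part: it does not error out, it just returns fewer cookies, which is exactly the kind of silent failure that sends an otherwise authenticated browser down the "no session, API auth required" path. If you cannot change the upstream proxy, normalizing the header at the last hop (as the `RequestHeader edit` directive does) or using a tolerant lookup are the two practical options.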