IGV as a display application in Galaxy

Most of the heavy lifting has already been done to use IGV as a display application in Galaxy (by the wonderful folks on the Galaxy Team), but there is a bit of configuration that needs to be done to make it all work. The configuration depends on your specific setup, and in our case we have Galaxy running locally on a CentOS box, with Apache as a proxy server, and we're using our institution's CAS system as external authentication for Galaxy.

There are a few requirements that must be met for Galaxy and IGV to talk properly.

  1. Galaxy must be able to send partial requests for bam files. This means that you must be using a Proxy server and have that server setup to send the BAM files (and not Galaxy directly). See the section "Make the proxy handle uploads and downloads" on the Galaxy Wiki page on setting up a production server. They have specific instructions for Apache and nginx.
  2. Setup IGV as a Display Application in Galaxy. This involves two things, an XML configuration file for IGV and editing datatypes_conf.xml to instruct Galaxy to display IGV links for BAM files. The xml configuration already exists in ${GALAXY_HOME}/display_applications/igv/bam.xml. Adding the following to the bam datatype in datatypes_conf.xml file:
      1. <display file="igv/bam.xml" />
  3. Setup Apache to allow unauthenticated access to the bam files. This is a small security hole, but is necessary since IGV cannot authenticate to Galaxy. The bam files are only accessible via a secret hash value anyway, so the security issue is minimal. To do this I adding the following LoctionMatch section to the httpd.conf file.
      1. <LocationMatch ^/display_application/[a-zA-Z0-9]+/igv.*>
      2. RequestHeader set REMOTE_USER igv_display@example.org
      3. Satisfy Any
      4. Order deny,allow
      5. Allow from all
      6. </LocationMatch>
    • The LocationMatch matches incoming requests by IGV for the bam files. Only requests that match the regular expression will have the additional rules applied. Other requests are authenticated by CAS as usual.
    • RequestHeader is setting the header REMOTE_USER to igv_display@example.org so that Galaxy will think that user has been authenticated. This is similar to how the UCSC browser authenticates, except that lib/galaxy/web/framework/middleware/remoteuser.py includes some code to set REMOTE_USER when the incoming servers are one of the UCSC genome browsers.
    • Satisfy Any tells Apache to allow requests that statisfy either the CAS authentication specified earlier or the Allow rules in this LocationMatch directive.
    • Finally, Allow from all tells Apache to allow any IP address access.