1 change: 1 addition & 0 deletions docs/roles/nginx_location.md
Expand Up @@ -67,6 +67,7 @@ Please see the examples below to understand the syntax for location block config
location: /test_sramauth
auth: sram
auth_sram_header: REMOTE_USER # Special key. Optionally specify which header should be filled with the name of the externally authenticated user. Default: REMOTE_USER
auth_sram_roles_header: REMOTE_ROLES # Special key. Optionally specify which header should be filled with the SRAM roles (semicollon-separated, e.g. `src_co_admin;src_ws_admin`) of the externally authenticated user. Default: REMOTE_ROLES
- name: api # fourth location, without auth
location: /test_sramauth/api
auth: noauth # explicitly disables auth for the location -- useful to make exceptions for sublocations of otherwise protected locations
Expand Up @@ -11,9 +11,9 @@ location / {
error_page 401 = @custom_401;
auth_request /validate;
auth_request_set $username $upstream_http_username;
auth_request_set $src_roles $upstream_http_src_co_roles;
proxy_set_header REMOTE_USER $username;


proxy_set_header REMOTE_ROLE $src_roles;

# ensure that proxy_pass is placed before the proxy defaults below.
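Review bot: The roles header in what appears to be the expected rendered config is spelled `REMOTE_ROLE`, while the template default and the role documentation in this same commit both use `REMOTE_ROLES`. Unless the test scenario sets `auth_sram_roles_header: REMOTE_ROLE` explicitly (not visible here), the line should read `proxy_set_header REMOTE_ROLES $src_roles;` so the fixture matches what a backend would actually receive. A one-letter drift in an authorization header name is worth pinning in the test, because an upstream that reads the other spelling sees no roles at all. The location block continues outside the hunk.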

4 changes: 2 additions & 2 deletions playbooks/roles/nginx_location/molecule/default/molecule.yml
Expand Up @@ -12,8 +12,8 @@ provisioner:
remote_tmp: /tmp
role_name_check: 1
platforms:
- name: workspace-src-ubuntu_jammy
image: ghcr.io/utrechtuniversity/src-test-workspace:ubuntu_jammy-nginx
- name: workspace-src-ubuntu-nginx
image: ghcr.io/utrechtuniversity/src-test-workspace:ubuntu_noble-nginx
command: /sbin/init
pre_build_image: true
registry:
Expand Up @@ -24,7 +24,7 @@ set default_proxy_headers = {
%}

# keys that should not be mapped directly to nginx directives
{%- set special_keys = ['name', 'auth', 'location', 'htpasswd', 'include_reverse_proxy_defaults', 'auth_sram_header'] %}
{%- set special_keys = ['name', 'auth', 'location', 'htpasswd', 'include_reverse_proxy_defaults', 'auth_sram_header', 'auth_sram_roles_header'] %}

{%- if item.include_reverse_proxy_defaults | default(false) %}
{%- set vhost_properties = dict(defaults, **item) %}
Expand All @@ -49,7 +49,9 @@ location {{ vhost_properties.location }} {
error_page 401 = @custom_401;
auth_request /validate;
auth_request_set $username $upstream_http_username;
auth_request_set $src_roles $upstream_http_src_co_roles;
proxy_set_header {{ vhost_properties.auth_sram_header | default('REMOTE_USER', true) }} $username;
proxy_set_header {{ vhost_properties.auth_sram_roles_header | default('REMOTE_ROLES', true) }} $src_roles;
{% elif vhost_properties.auth == 'basic' %}
auth_basic "{{ auth.message | default('Secure') }}";
auth_basic_user_file {{ nginx_location_htpasswd_path }}/{{ vhost_properties.htpasswd | default(vhost_properties.name, true) }};
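Review bot: The roles header added by `proxy_set_header {{ vhost_properties.auth_sram_roles_header | default('REMOTE_ROLES', true) }} $src_roles;` carries authorization data, yet it is only overwritten inside the `auth == 'sram'` branch. The documentation in this commit shows an `auth: noauth` sublocation beneath an SRAM-protected path; if the other branches (only partly visible in this hunk) leave the header untouched, the upstream may receive a client-supplied value under the same name, or under a hyphenated spelling that CGI/WSGI-style backends fold into the same key. Consider clearing it wherever SRAM auth is not in effect, e.g. `proxy_set_header {{ vhost_properties.auth_sram_roles_header | default('REMOTE_ROLES', true) }} "";`, and note in the docs that backends should trust the header only on SRAM-protected locations. The existing user header follows the same pattern and would benefit from the same treatment.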