[ome-users] OMERO.web and SSL (Nginx)

Harri Jäälinoja harri.jaalinoja at helsinki.fi
Fri Jul 13 10:45:20 BST 2012


Hello,

I have OMERO.web installed, accessible at port 80. What I am now 
wondering about is the security of the passwords when I submit the 
webclient form:

<form class="standard_form inlined" 
action="/webclient/login/?url=%2Fwebclient%2F" method="post">

Isn't the post operation going over HTTP? So there is no encryption 
between browser and Nginx? Then Nginx passes the request to webclient, 
and between webclient and OMERO server the password is passed encrypted, 
according to documentation.

I assume to fix this I should configure Nginx to serve OMERO.web over 
HTTPS? Here is my first attempt, just added the SSL parameters from the 
Nginx ssl.conf example:

/etc/nginx/conf.d/00_omero.conf
----

     server {
         listen       443;
         server_name  lmu-omero2.biocenter.helsinki.fi;

         ssl                  on;
         ssl_certificate      /etc/nginx/server.crt;
         ssl_certificate_key  /etc/nginx/server.key;

         ssl_session_timeout  5m;

         ssl_protocols  SSLv2 SSLv3 TLSv1;
         ssl_ciphers    ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
         ssl_prefer_server_ciphers   on;

         fastcgi_temp_path /opt/OMERO/OMERO.server-4.4.0-RC2-ice33-b3016/var/nginx_tmp;
         proxy_temp_path /opt/OMERO/OMERO.server-4.4.0-RC2-ice33-b3016/var/nginx_tmp;

         # weblitz django apps serve static content from here
         location /static {
             alias /opt/OMERO/OMERO.server-4.4.0-RC2-ice33-b3016/lib/python/omeroweb/static;
         }

         location / {
             if (-f /opt/OMERO/OMERO.server-4.4.0-RC2-ice33-b3016/var/maintenance.html) {
                 error_page 503 /maintenance.html;
                 return 503;
             }
             fastcgi_pass 0.0.0.0:4080;

         ...

Now when I access https://lmu-omero2.biocenter.helsinki.fi, I get the 
usual complaints about dubious certificate, but since I just made it, 
I trust it. But then, somehow the browser is directed to 
http://lmu-omero2.biocenter.helsinki.fi/webclient/ (not https), and that 
gives 404 error, because all the webclient stuff is now behind port 443. 
How to fix this?

Thanks in advance for your comments,
Harri
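
One way to address both points raised in the message above (the login POST travelling over plain HTTP, and the redirect back to http://), as an added example that is not part of the original post or of the OMERO documentation. It assumes the http:// redirect is produced by the FastCGI backend because it is not told that the request arrived over TLS, and an nginx/OpenSSL build that supports TLSv1.2.

```nginx
# Added example. Hostname, certificate paths and backend address are taken
# from the post; everything else is an assumption.

# Plain-HTTP listener: never serves the login form, only redirects to HTTPS.
server {
    listen       80;
    server_name  lmu-omero2.biocenter.helsinki.fi;
    return 301 https://$host$request_uri;
}

server {
    listen       443 ssl;
    server_name  lmu-omero2.biocenter.helsinki.fi;

    ssl_certificate      /etc/nginx/server.crt;
    ssl_certificate_key  /etc/nginx/server.key;
    ssl_session_timeout  5m;

    # Weak settings from the post, kept here for comparison:
    #   ssl_protocols  SSLv2 SSLv3 TLSv1;
    #   ssl_ciphers    ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    # Corrected: no SSLv2/SSLv3, no LOW/EXPORT/anonymous suites.
    # TLSv1.3 assumes a recent nginx/OpenSSL; drop it if unsupported.
    ssl_protocols  TLSv1.2 TLSv1.3;
    ssl_ciphers    HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers  on;

    location / {
        # Assumption: the backend builds redirect URLs from the HTTPS
        # FastCGI variable; without it, absolute redirects use http://.
        fastcgi_param HTTPS on;
        fastcgi_pass  0.0.0.0:4080;
        # The remaining directives of the original block (elided in the
        # post as "...") stay unchanged.
    }
}
```

After a reload, `curl -sI http://lmu-omero2.biocenter.helsinki.fi/webclient/` should return a 301 whose Location header starts with https://.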