[ome-users] OMERO.web and SSL (Nginx)
Harri Jäälinoja
harri.jaalinoja at helsinki.fi
Fri Jul 13 11:33:17 BST 2012
Hi all,
after a bit of googling, I found a fix: modify the main server in
nginx.conf to be like this:
server {
    listen [::]:80;
    return 301 https://$host$request_uri;
}
Now the webclient shows up with https in the URL.
Comments? Is it secure now :) ?
Harri
On 13/07/12 12:45, Harri Jäälinoja wrote:
>
> Hello,
>
> I have OMERO.web installed, accessible at port 80. What I am now
> wondering about is the security of the passwords when I submit the
> webclient form:
>
> <form class="standard_form inlined"
> action="/webclient/login/?url=%2Fwebclient%2F" method="post">
>
> Isn't the post operation going over HTTP? So there is no encryption
> between browser and Nginx? Then Nginx passes the request to webclient,
> and between webclient and OMERO server the password is passed encrypted,
> according to documentation.
>
> I assume to fix this I should configure Nginx to serve OMERO.web over
> HTTPS? Here is my first attempt, just added the SSL parameters from the
> Nginx ssl.conf example:
>
> /etc/nginx/conf.d/00_omero.conf
> ----
>
> server {
>     listen 443;
>     server_name lmu-omero2.biocenter.helsinki.fi;
>
>     ssl on;
>     ssl_certificate /etc/nginx/server.crt;
>     ssl_certificate_key /etc/nginx/server.key;
>
>     ssl_session_timeout 5m;
>
>     ssl_protocols SSLv2 SSLv3 TLSv1;
>     ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
>     ssl_prefer_server_ciphers on;
>
>     fastcgi_temp_path /opt/OMERO/OMERO.server-4.4.0-RC2-ice33-b3016/var/nginx_tmp;
>     proxy_temp_path /opt/OMERO/OMERO.server-4.4.0-RC2-ice33-b3016/var/nginx_tmp;
>
>     # weblitz django apps serve static content from here
>     location /static {
>         alias /opt/OMERO/OMERO.server-4.4.0-RC2-ice33-b3016/lib/python/omeroweb/static;
>     }
>
>     location / {
>         if (-f /opt/OMERO/OMERO.server-4.4.0-RC2-ice33-b3016/var/maintenance.html) {
>             error_page 503 /maintenance.html;
>             return 503;
>         }
>         fastcgi_pass 0.0.0.0:4080;
>
>         ...
>
> Now when I access https://lmu-omero2.biocenter.helsinki.fi, I get the
> usual complaints about dubious certificate, but since I just made it,
> I trust it. But then, somehow the browser is directed to
> http://lmu-omero2.biocenter.helsinki.fi/webclient/ (not https), and that
> gives 404 error, because all the webclient stuff is now behind port 443.
> How to fix this?
>
> Thanks in advance for your comments,
> Harri
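One way to check the two server blocks from this thread mechanically, as an added example that is not part of the original posts or of OMERO: a small Python audit of the port 80 redirect and of the `ssl_protocols` and `ssl_ciphers` lines. The names `server_blocks` and `audit` and the condensed `THREAD_CONF` sample are constructed here. In an OpenSSL cipher string a leading `+` only reorders suites, so the weak classes in the posted string are enabled by `ALL`, not by `+LOW` or `+EXP`.

```python
import re

# Constructed sample: the two server blocks posted in this thread, condensed.
THREAD_CONF = """
server {
    listen [::]:80;
    return 301 https://$host$request_uri;
}
server {
    listen 443;
    ssl on;
    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    location / { fastcgi_pass 0.0.0.0:4080; }
}
"""
OLD_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}  # all deprecated today
WEAK_CLASSES = ("LOW", "EXP", "RC4", "MD5")  # OpenSSL cipher-string keywords

def server_blocks(conf):
    """Return one {directive: [args]} dict per top-level server block."""
    blocks, depth = [], 0
    for stmt in re.findall(r"[^;{}]+|[{}]", re.sub(r"#[^\n]*", "", conf)):
        words = stmt.split()
        if stmt in "{}":
            depth += 1 if stmt == "{" else -1
        elif words == ["server"] and depth == 0:
            blocks.append({})
        elif words and blocks and depth == 1:  # skip nested location/if bodies
            blocks[-1][words[0]] = words[1:]
    return blocks

def audit(conf):
    """Return findings for the redirect and TLS settings of each server block."""
    out = []
    for srv in server_blocks(conf):
        listen = srv.get("listen", ["80"])
        if "ssl" not in listen[1:] and srv.get("ssl") != ["on"]:  # plain HTTP
            if not " ".join(srv.get("return", [])).startswith("301 https://"):
                out.append(f"listen {listen[0]}: plain HTTP, no redirect to https")
            continue
        if old := OLD_PROTOCOLS & set(srv.get("ssl_protocols", [])):
            out.append("ssl_protocols enables " + ", ".join(sorted(old)))
        items = srv.get("ssl_ciphers", [""])[0].split(":")
        banned = {i[1:] for i in items if i.startswith("!")}  # "!X" removes X for good
        added = {k for i in items if i and i[0] not in "!-+" for k in i.split("+")}
        if weak := [c for c in WEAK_CLASSES if c not in banned and added & {"ALL", c}]:
            out.append("ssl_ciphers leaves " + ", ".join(weak) + " suites enabled")
    return out
```

`audit(THREAD_CONF)` passes the port 80 block and reports the protocol and cipher lines of the port 443 block; replacing those two lines with, for example, `ssl_protocols TLSv1.2;` and `ssl_ciphers HIGH:!aNULL:!MD5;` clears both findings.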