[ome-users] OMERO.web and SSL (Nginx)
Chris MacLeod
ckm at glencoesoftware.com
Fri Jul 13 15:56:50 BST 2012
On Jul 13, 2012, at 6:33 AM, Harri Jäälinoja wrote:
> Hi all,
>
> after a bit of googling, I found a fix: modify the main server in nginx.conf to be like this:
>
> server {
>     listen [::]:80;
>     return 301 https://$host$request_uri;
> }
>
> Now the webclient shows up with https in the URL.
>
> Comments? Is it secure now :) ?
>
> Harri
>
Securing the entire omero web installation with SSL is the proper way to ensure security of password transmittal.
Your nginx configuration is fine as well. You could also use:
    rewrite ^ https://$server_name$uri permanent;
in place of the 'return ...' statement. They both accomplish the same thing.
C
>
>
> On 13/07/12 12:45, Harri Jäälinoja wrote:
>>
>> Hello,
>>
>> I have OMERO.web installed, accessible at port 80. What I am now
>> wondering about is the security of the passwords when I submit the
>> webclient form:
>>
>> <form class="standard_form inlined"
>> action="/webclient/login/?url=%2Fwebclient%2F" method="post">
>>
>> Isn't the post operation going over HTTP? So there is no encryption
>> between browser and Nginx? Then Nginx passes the request to webclient,
>> and between webclient and OMERO server the password is passed encrypted,
>> according to documentation.
>>
>> I assume to fix this I should configure Nginx to serve OMERO.web over
>> HTTPS? Here is my first attempt, just added the SSL parameters from the
>> Nginx ssl.conf example:
>>
>> /etc/nginx/conf.d/00_omero.conf
>> ----
>>
>> server {
>>     listen 443;
>>     server_name lmu-omero2.biocenter.helsinki.fi;
>>
>>     ssl on;
>>     ssl_certificate /etc/nginx/server.crt;
>>     ssl_certificate_key /etc/nginx/server.key;
>>
>>     ssl_session_timeout 5m;
>>
>>     ssl_protocols SSLv2 SSLv3 TLSv1;
>>     ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
>>     ssl_prefer_server_ciphers on;
>>
>>
>>     fastcgi_temp_path /opt/OMERO/OMERO.server-4.4.0-RC2-ice33-b3016/var/nginx_tmp;
>>     proxy_temp_path /opt/OMERO/OMERO.server-4.4.0-RC2-ice33-b3016/var/nginx_tmp;
>>
>>     # weblitz django apps serve static content from here
>>     location /static {
>>         alias /opt/OMERO/OMERO.server-4.4.0-RC2-ice33-b3016/lib/python/omeroweb/static;
>>     }
>>
>>     location / {
>>         if (-f /opt/OMERO/OMERO.server-4.4.0-RC2-ice33-b3016/var/maintenance.html) {
>>             error_page 503 /maintenance.html;
>>             return 503;
>>         }
>>         fastcgi_pass 0.0.0.0:4080;
>>
>> ...
>>
>> Now when I access https://lmu-omero2.biocenter.helsinki.fi, I get the
>> usual complaints about dubious certificate, but since I just made it,
>> I trust it. But then, somehow the browser is directed to
>> http://lmu-omero2.biocenter.helsinki.fi/webclient/ (not https), and that
>> gives 404 error, because all the webclient stuff is now behind port 443.
>> How to fix this?
>>
>> Thanks in advance for your comments,
>> Harri
>> _______________________________________________
>> ome-users mailing list
>> ome-users at lists.openmicroscopy.org.uk
>> http://lists.openmicroscopy.org.uk/mailman/listinfo/ome-users
>
>
> _______________________________________________
> ome-users mailing list
> ome-users at lists.openmicroscopy.org.uk
> http://lists.openmicroscopy.org.uk/mailman/listinfo/ome-users
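
The TLS settings in the first attempt quoted above (SSLv2/SSLv3 enabled, a cipher string that admits LOW and EXP suites) weaken the encryption this thread sets out to add. The following hardened variant is an added example, not part of the original thread or of the OMERO documentation; the hostname is a placeholder, and it assumes an nginx/OpenSSL build that supports TLSv1.2 and TLSv1.3.

```nginx
# Port 80: redirect only, so no login form is ever served over plain HTTP.
server {
    listen 80;
    listen [::]:80;
    server_name omero.example.org;            # placeholder hostname (assumption)
    return 301 https://$host$request_uri;     # same redirect as in the thread
}

server {
    listen 443 ssl;                           # "ssl" on listen replaces the older "ssl on;"
    listen [::]:443 ssl;
    server_name omero.example.org;            # placeholder hostname (assumption)

    ssl_certificate     /etc/nginx/server.crt;
    ssl_certificate_key /etc/nginx/server.key;
    ssl_session_timeout 5m;

    # Weak settings from the first attempt, kept here for comparison:
    #   ssl_protocols SSLv2 SSLv3 TLSv1;
    #   ssl_ciphers   ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    # Hardened: modern protocol versions only, no anonymous or MD5 suites.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers   HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    # HSTS: after one successful HTTPS visit the browser stops using port 80
    # for this host. Browsers honour it only when the certificate is trusted,
    # so it has no effect while a self-signed certificate is in use.
    add_header Strict-Transport-Security "max-age=31536000" always;

    # fastcgi_temp_path, proxy_temp_path and the location blocks from the
    # original configuration go here unchanged.
}
```

Running `nginx -t` checks the syntax of the edited configuration before the server is reloaded.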