[Girder-users] Running girder natively with https

Zach Mullen zach.mullen at kitware.com
Fri Feb 3 18:21:28 EST 2017


Hi John,

Added girder-users in case this question is useful for posterity for others
in the Girder community :) Responses are inline


On Fri, Feb 3, 2017 at 5:53 PM, John Roberts <John.Roberts at hsc.utah.edu>
wrote:

> Zach,
>
>     I'm working with Brian Chapman here at the Utah lab.  I believe he may
> have asked at some point about running Girder under https.  I was looking
> for documentation for how to get this working.
>
>     Right now, we use the Apache to reverse proxy and provide https "to
> the doorstep" before Apache hands off to the http address of our actual
> Docker Girder.  I'd like to encrypt that last step as well so that nothing
> was ever in the clear, even on the host machine running Apache and the
> Docker containers.
>

You can control these cherrypy settings via girder.local.cfg, as in my
example below; you'd just have to point it to your own cert and private key.

[global]
server.socket_host = "0.0.0.0"
server.socket_port = 4430
server.thread_pool = 100
server.ssl_module = 'builtin'
server.ssl_certificate = "/Users/zach/dev/girder/cert.pem"
server.ssl_private_key = "/Users/zach/dev/girder/privkey.pem"


More docs about these settings are here[1], including instructions for
other SSL implementations besides cherrypy's builtin one. Full disclosure,
I've never deployed it in such a way myself, I always just rely on the
proxy to handle the SSL and keep the Girder server behind the firewall, so
you might run into issues we have not encountered before.

>     I don't see instructions per se in the manual for making sure things
> run under https.  Is that because the server set up is assumed to be a
> separate issue?  That is, if you're going to run Girder, you should already
> have your server ready to go https regardless.
>

It would probably be useful to add some cookbook deployment examples,
though we've avoided them until now since we don't want to be too
prescriptive about how this is deployed since there are lots of various
proxy servers, deployment architectures, security requirements, etc.


>     I guess I need to figure out how to make that happen for the Docker
> version which appears to be running, what, nginx internally?
>

The girder docker image (at least the one I know about that is built from
the Girder repository) just serves directly out of cherrypy, with no proxy
server in front of it.


> Thanks,
> John.
>
>
[1] http://docs.cherrypy.org/en/latest/deploy.html#ssl-support

Thanks,

-Zach
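
A pre-flight check for the TLS settings in the config shown in the message above, as an added example that is not part of the original email or of Girder or CherryPy: it parses the [global] section, confirms both files exist, flags a private key that is accessible to group or other users, and loads the pair to confirm the key matches the certificate. The function names and the sample paths are assumptions made for this example.

```python
import ast
import configparser
import os
import ssl
import stat

# Constructed sample in the format from the message; paths are placeholders.
SAMPLE_CFG = """
[global]
server.socket_port = 4430
server.ssl_module = 'builtin'
server.ssl_certificate = "/path/to/cert.pem"
server.ssl_private_key = "/path/to/privkey.pem"
"""


def read_tls_settings(cfg_text):
    """Return the [global] server.ssl_* values as Python objects."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    # CherryPy config values are Python literals, so strings carry quotes.
    return {key: ast.literal_eval(value)
            for key, value in parser["global"].items()
            if key.startswith("server.ssl_")}


def check_tls_files(settings):
    """Return a list of problems; an empty list means the pair loaded."""
    problems = []
    cert = settings.get("server.ssl_certificate")
    key = settings.get("server.ssl_private_key")
    for name, path in (("certificate", cert), ("private key", key)):
        if not path or not os.path.isfile(path):
            problems.append(f"{name} file missing: {path}")
    if problems:
        return problems
    # The private key should not be readable by group or other users.
    if stat.S_IMODE(os.stat(key).st_mode) & 0o077:
        problems.append(f"private key is accessible to group/other: {key}")
    try:
        # Raises ssl.SSLError on malformed PEM or a key that does not match.
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(cert, key)
    except (ssl.SSLError, OSError) as exc:
        problems.append(f"certificate/key pair failed to load: {exc}")
    return problems


if __name__ == "__main__":
    print(check_tls_files(read_tls_settings(SAMPLE_CFG)) or "ok")
```

Run it inside the container against the real girder.local.cfg contents before restarting the server, so a bad path or mismatched key shows up as a listed problem.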