<div dir="ltr">Hi John,<div><br></div><div>Added girder-users in case this question is useful for posterity for others in the Girder community :) Responses are inline</div><div class="gmail_extra"><div><div class="gmail_signature"><div dir="ltr"><div dir="ltr"><br></div></div></div></div>
<br><div class="gmail_quote">On Fri, Feb 3, 2017 at 5:53 PM, John Roberts <span dir="ltr">&lt;<a href="mailto:John.Roberts@hsc.utah.edu" target="_blank">John.Roberts@hsc.utah.edu</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Zach,<br>
<br>
I'm working with Brian Chapman here at the Utah lab. I believe he may have asked at some point about running Girder under https. I was looking for documentation for how to get this working.<br>
<br>
Right now, we use Apache to reverse proxy and provide https "to the doorstep" before Apache hands off to the http address of our actual Docker Girder. I'd like to encrypt that last step as well so that nothing is ever in the clear, even on the host machine running Apache and the Docker containers.<br></blockquote><div><br></div><div>You can control these cherrypy settings via girder.local.cfg, as in my example below; you'd just have to point it to your own cert and private key.</div><div><br></div><div><pre style="background-color:rgb(39,40,34);color:rgb(248,248,242);font-family:menlo;font-size:9pt">[global]<br>server.socket_host = "0.0.0.0"<br>server.socket_port = 4430<br>server.thread_pool = 100<br>server.ssl_module = 'builtin'<br>server.ssl_certificate = "/Users/zach/dev/girder/cert.pem"<br>server.ssl_private_key = "/Users/zach/dev/girder/privkey.pem"</pre></div><div><br></div><div>More docs about these settings are here[1], including instructions for other SSL implementations besides cherrypy's builtin one. Full disclosure, I've never deployed it in such a way myself, I always just rely on the proxy to handle the SSL and keep the Girder server behind the firewall, so you might run into issues we have not encountered before.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
I don't see instructions per se in the manual for making sure things run under https. Is that because the server setup is assumed to be a separate issue? That is, if you're going to run Girder, you should already have your server ready to go https regardless.<br></blockquote><div><br></div><div>It would probably be useful to add some cookbook deployment examples, though we've avoided them until now since we don't want to be too prescriptive about how this is deployed since there are lots of various proxy servers, deployment architectures, security requirements, etc.<br></div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
I guess I need to figure out how to make that happen for the Docker version which appears to be running, what, nginx internally?<br></blockquote><div><br></div><div>The girder docker image (at least the one I know about that is built from the Girder repository) just serves directly out of cherrypy, with no proxy server in front of it.</div><div><br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
<br>
Thanks,<br>
John.<br>
<br>
</blockquote></div><br></div><div class="gmail_extra">[1] <a href="http://docs.cherrypy.org/en/latest/deploy.html#ssl-support">http://docs.cherrypy.org/en/latest/deploy.html#ssl-support</a></div><div class="gmail_extra"><br></div><div class="gmail_extra"><div>Thanks,</div><div><br></div><div>-Zach</div></div></div>
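A pre-flight check for the `[global]` TLS settings shown in the message above, as an added example that is not part of the original e-mail or of Girder itself. The function name `check_tls_config` is hypothetical, and parsing the file with `configparser` plus `ast.literal_eval` is an assumption that approximates how CherryPy-style values are written.

```python
import ast
import configparser
import os
import ssl
import stat


def check_tls_config(cfg_text):
    """Return a list of problems with the TLS settings in a CherryPy-style config."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cfg_text)
    if not parser.has_section("global"):
        return ["no [global] section"]

    # Values in this config style are Python literals ("path", 4430), so
    # configparser hands back the quotes; evaluate them to get real values.
    settings = {}
    for name, raw in parser.items("global"):
        try:
            settings[name] = ast.literal_eval(raw)
        except (ValueError, SyntaxError):
            settings[name] = raw

    cert = settings.get("server.ssl_certificate")
    key = settings.get("server.ssl_private_key")
    if not cert or not key:
        return ["certificate or private key not set: the server would speak plain HTTP"]

    problems = ["%s not found: %s" % (label, path)
                for label, path in (("certificate", cert), ("private key", key))
                if not os.path.isfile(path)]
    if problems:
        return problems

    # The key should be readable by the service account only.
    mode = stat.S_IMODE(os.stat(key).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("private key is accessible to group/other (mode %o)" % mode)

    # load_cert_chain() fails if either file is not valid PEM or if the
    # private key does not belong to the certificate.
    try:
        ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER).load_cert_chain(cert, key)
    except (ssl.SSLError, OSError) as exc:
        problems.append("certificate and key do not load as a pair: %s" % exc)
    return problems
```

An empty list means the certificate and key exist, the key is not exposed to other accounts, and the pair loads into a server-side TLS context.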