From Brian.Chapman at utah.edu Wed Oct 21 21:15:18 2015
From: Brian.Chapman at utah.edu (Brian E Chapman)
Date: Thu, 22 Oct 2015 01:15:18 +0000
Subject: [Girder-users] Serving Girder over HTTPS from Docker

Hi everyone,

We've got an instance of Girder running using Docker containers for both MongoDB and Girder. This was nice and painless. However, it is running over http. Curious if there is any easy way with Girder directly to make this run over https or if the assumption is that this would be done with Apache Redirect (or equivalent).

Brian

Brian E. Chapman, Ph.D.
Associate Professor
Department of Radiology
University of Utah

From zach.mullen at kitware.com Wed Oct 21 21:20:27 2015
From: zach.mullen at kitware.com (Zach Mullen)
Date: Wed, 21 Oct 2015 21:20:27 -0400
Subject: [Girder-users] Serving Girder over HTTPS from Docker

Hi Brian,

We typically set this up using a proxy like Nginx or Apache.
Here's an example Nginx config for an SSL-only deployment of girder:

server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    # redirect to https
    return 307 https://$host$request_uri;
}

server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/my_cert.pem;
    ssl_certificate_key /etc/nginx/ssl/my_cert.key;
    add_header Strict-Transport-Security "max-age=15552000";
    root {{ girder_root }}/clients/web;

    # Make site accessible from http://localhost/
    server_name localhost;

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Server $host;
        include /etc/nginx/proxy_params;
        # The following settings should allow SSE to work
        proxy_buffering off;
        proxy_cache off;
        proxy_set_header Connection '';
        proxy_http_version 1.1;
        chunked_transfer_encoding off;
        proxy_read_timeout 600s;
        proxy_send_timeout 600s;
    }

    location /static {
        try_files $uri $uri/ /index.html;
    }
}

The only thing you'd need to modify in the above config is the locations of the cert and key files.

Hope this helps,

Zach Mullen
Kitware, Inc.
919-869-8858

From Brian.Chapman at utah.edu Wed Oct 21 21:26:51 2015
From: Brian.Chapman at utah.edu (Brian E Chapman)
Date: Thu, 22 Oct 2015 01:26:51 +0000
Subject: [Girder-users] Serving Girder over HTTPS from Docker

Thanks.

From Brian.Chapman at utah.edu Thu Oct 22 12:55:07 2015
From: Brian.Chapman at utah.edu (Brian E Chapman)
Date: Thu, 22 Oct 2015 16:55:07 +0000
Subject: [Girder-users] Serving Girder over HTTPS from Docker

Hi Zach,

I'm trying to increase the volume for your girder-users digest. I've got a couple of boneheaded questions, primarily related to my not being too familiar with nginx.

First, would you run the nginx server within the Girder docker container so that the container is serving up the web data over https or would you run the nginx server on the host machine and have the host redirect what the container is serving?

Second, I'm getting an error with nginx when I try to use the snippet you provided me last night. The error is related to the following line (47 in my configuration file):

root {{ girder_root }}/clients/web;

nginx: [emerg] directive "root" is not terminated by ";" in /etc/nginx/nginx.conf:47

I'm not familiar with the {{girder_root}} syntax in nginx and haven't found examples of it with web searches. I assume it is pulling out an environment variable (which is why I wonder if I should be running this on the machine/container running girder). Also I wonder if this is a version issue; I'm running nginx 1.4.6 on Ubuntu 14.04; this seems far behind the 1.9.5 latest release.

Brian

From zach.mullen at kitware.com Thu Oct 22 13:01:05 2015
From: zach.mullen at kitware.com (Zach Mullen)
Date: Thu, 22 Oct 2015 13:01:05 -0400
Subject: [Girder-users] Serving Girder over HTTPS from Docker

On Thu, Oct 22, 2015 at 12:55 PM, Brian E Chapman wrote:

> Hi Zach,
>
> I'm trying to increase the volume for your girder-users digest. I've got a
> couple of boneheaded questions, primarily related to my not being too
> familiar with nginx.
>
> First, would you run the nginx server within the Girder docker container
> so that the container is serving up the web data over https or would you
> run the nginx server on the host machine and have the host redirect what
> the container is serving?
>

Hm, I suppose either would work, but I would probably have nginx inside the container if this is a fixed deployment rather than something meant to be reusable.

>
> Second, I'm getting an error with nginx when I try to use the snippet you
> provided me last night. The error is related to the following line (47 in
> my configuration file):
>
> root {{ girder_root }}/clients/web;
>
> nginx: [emerg] directive "root" is not terminated by ";" in
> /etc/nginx/nginx.conf:47
>
> I'm not familiar with the {{girder_root}} syntax in nginx and haven't
> found examples of it with web searches. I assume it is pulling out an
> environment variable (which is why I wonder if I should be running this on
> the machine/container running girder). Also I wonder if this is a version
> issue; I'm running nginx 1.4.6 on Ubuntu 14.04; this seems far behind the
> 1.9.5 latest release.
>

Sorry about that confusion, this isn't valid syntax for the nginx config -- what I pasted is actually from a template file that we use to configure the nginx file, and girder_root is a variable in that template. You should change {{girder_root}} to whatever the actual path to girder is inside your container.

-Zach
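
The failure in this thread (a template placeholder reaching nginx unrendered) can be caught before the config is deployed. The following is an added example, not code from the thread or from Girder; the render and preflight helpers, the abridged sample config and the /opt/girder path are assumptions made for illustration.

```python
import re

# Constructed sample: the thread's config, abridged, with the template
# placeholder still unrendered (the state that produced nginx's [emerg] error,
# since nginx reads "{" as the start of a block).
SAMPLE = """\
server {
    listen 80 default_server;
    return 307 https://$host$request_uri;
}
server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/my_cert.pem;
    ssl_certificate_key /etc/nginx/ssl/my_cert.key;
    add_header Strict-Transport-Security "max-age=15552000";
    root {{ girder_root }}/clients/web;
    location / { proxy_pass http://localhost:8080; }
}
"""

PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")

def render(template, variables):
    """Fill {{ name }} placeholders; raise KeyError if a name has no value."""
    def fill(match):
        name = match.group(1)
        if name not in variables:
            raise KeyError(f"no value for template variable {name!r}")
        return variables[name]
    return PLACEHOLDER.sub(fill, template)

def preflight(conf):
    """Return findings for an nginx config; an empty list means it passed."""
    findings = []
    for number, line in enumerate(conf.splitlines(), 1):
        for match in PLACEHOLDER.finditer(line):
            findings.append(f"line {number}: unrendered placeholder {match.group(0)}")
    checks = [
        (r"^\s*listen\s+443\s+ssl\b", "no 'listen 443 ssl' directive"),
        (r"^\s*return\s+30[1278]\s+https://", "no redirect to https"),
        (r"^\s*add_header\s+Strict-Transport-Security\b", "no HSTS header"),
    ]
    for pattern, message in checks:
        if not re.search(pattern, conf, re.M):
            findings.append(message)
    return findings

if __name__ == "__main__":
    print(preflight(SAMPLE))  # placeholder still present
    # /opt/girder is a hypothetical install path, not taken from the thread.
    print(preflight(render(SAMPLE, {"girder_root": "/opt/girder"})))
```

Running the check on the rendered file before reloading nginx reports the placeholder with its line number, and also flags a config that has lost the HTTPS redirect or the Strict-Transport-Security header.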