[Girder-users] Serving Girder over HTTPS from Docker

Brian E Chapman Brian.Chapman at utah.edu
Thu Oct 22 12:55:07 EDT 2015


Hi Zach,

I’m trying to increase the volume for your girder-users digest. I’ve got a couple of boneheaded questions, primarily related to my not being too familiar with nginx.

First, would you run the nginx server within the Girder docker container so that the container is serving up the web data over https or would you run the nginx server on the host machine and have the host redirect what the container is serving?

Second, I’m getting an error with nginx when I try to use the snippet you provided me last night. The error is related to the following line (47 in my configuration file):

root {{ girder_root }}/clients/web;


nginx: [emerg] directive "root" is not terminated by ";" in /etc/nginx/nginx.conf:47

I’m not familiar with the {{girder_root}} syntax in nginx and haven’t found examples of it with web searchers. I assume it is pulling out an environment variable (which is why I wonder if I should be running this on the machine/container running girder). Also I wonder if this is a version issue; I’m running nbinx 1.4.6 on Ubuntu 14.04; this seems far behind the 1.9.5 latest release.

Brian


From: Zach Mullen <zach.mullen at kitware.com<mailto:zach.mullen at kitware.com>>
Date: Wednesday, October 21, 2015 at 7:20 PM
To: Brian Chapman <brian.chapman at utah.edu<mailto:brian.chapman at utah.edu>>
Cc: "girder-users at public.kitware.com<mailto:girder-users at public.kitware.com>" <girder-users at public.kitware.com<mailto:girder-users at public.kitware.com>>
Subject: Re: [Girder-users] Serving Girder over HTTPS from Docker

Hi Brian,

We typically set this up using a proxy like Nginx or Apache. Here's an example Nginx config for an SSL-only deployment of girder:


server {
    listen 80 default_server;
    listen [::]:80 default_server ipv6only=on;
    # redirect to https
    return 307 https://$host$request_uri;
}

server {
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/my_cert.pem;
    ssl_certificate_key /etc/nginx/ssl/my_cert.key;
    add_header Strict-Transport-Security "max-age=15552000";
    root {{ girder_root }}/clients/web;

    # Make site accessible from http://localhost/
    server_name localhost;

    location / {
        proxy_pass http://localhost:8080;
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-Server $host;
        include /etc/nginx/proxy_params;
        # The following settings should allow SSE to work
        proxy_buffering off;
        proxy_cache off;
        proxy_set_header Connection '';
        proxy_http_version 1.1;
        chunked_transfer_encoding off;
        proxy_read_timeout 600s;
        proxy_send_timeout 600s;
    }

    location /static {
        try_files $uri $uri/ /index.html;
    }
}


The only thing you'd need to modify in the above config is the locations of the cert and key files.

Hope this helps,


Zach Mullen
Kitware, Inc.
919-869-8858

On Wed, Oct 21, 2015 at 9:15 PM, Brian E Chapman <Brian.Chapman at utah.edu<mailto:Brian.Chapman at utah.edu>> wrote:
Hi everyone,

We’ve got an instance of Girder running user Docker containers for both MongoDB and Girder. This was nice and painless. However, it is running over http. Curious if there is any easy way with Girder directly to make this run over https or if the assumption is that this would be done with Apache Redirect (or equivalent).

Brian
—
Brian E. Chapman, Ph.D.
Associate Professor
Department of Radiology
University of Utah


_______________________________________________
Girder-users mailing list
Girder-users at public.kitware.com<mailto:Girder-users at public.kitware.com>
http://public.kitware.com/mailman/listinfo/girder-users


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://public.kitware.com/pipermail/girder-users/attachments/20151022/6cb57b3a/attachment.html>


More information about the Girder-users mailing list