Adding load balancer https to omero.web

Hi all,

I am a cell biologist trying to get OMERO set up in our university. We have OMERO 5.4.10 installed on an RHEL7 server with a separate OMERO.server and OMERO.web server installed. It’s all working beautifully, thank you.

I asked our University IT to switch the server to an https protocol so we could access the OMERO.web from outside the university's internet domain, so staff not on campus or collaborators can access it.

We tried to create a “Publicly accessible NSX LOAD BALANCER in SSL OFFLOAD, with OMERPW as a member, with an alias”

We hit the following problem (from IT):
1./ The omero server address is a load balancer serving traffic using the HTTPS protocol (https://…, OMERO.web)
2./ When a request comes in, it then forwards traffic to http://…. (OMERO.web)
3./ That server has an NGINX reverse proxy listening on port 80 that forwards traffic to the omero web python application running on port 4080.
4./ Then the application does several redirects using the http protocol to append the /webclient/ to the path it receives.
5./ The original request then becomes http://omero…/webclient/ which will not work. As per university policy, we cannot expose publicly any application using plain http protocol.

At this point, the easiest path forward is to configure the omero application to use https which may require a bit of application customization and the use of a certificate in the server itself.

I would suggest for you to involve your omero support person to help you through that process.

Any advice or direction to the appropriate docs would be appreciated.

KR
J

Hi @Jwil,

this often happens with the

Glad to hear it! :+1:

5./ The original request then becomes http://omero…/webclient/

I’ve certainly seen similar, e.g. the port being dropped for a server, when the proxy_set_header Host setting does not match the external expectations. Can you attach your nginx configuration files from the various servers here?

At this point, the easiest path forward is to configure the omero application to use https which may require a bit of application customization and the use of a certificate in the server itself.

If I understand correctly, you currently have:

  • external nginx/https
    • internal nginx/http 1
      • OMERO.web 1
    • internal nginx/http 2
      • OMERO.web 2

And you are thinking about adding https to the two internal nginx instances? Have you also thought about removing the two internal nginx instances?

~Josh

You can set the omero.web.secure_proxy_ssl_header OMERO.web property, and configure your load-balancer to set the corresponding header. See this Django doc for more information, and take note of the security warning: https://docs.djangoproject.com/en/1.8/ref/settings/#secure-proxy-ssl-header

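As an added illustration of the last reply (not code from the posters, OMERO or Django): a simplified Python model of how a Django application picks the scheme for its redirects with and without a secure-proxy header setting, and why the load balancer has to overwrite that header itself. The header name `X-Forwarded-Proto` and the host `omero.example.org` are assumptions chosen for the example.

```python
# Simplified model (not Django or OMERO.web source) of scheme selection for
# redirects behind a TLS-offloading load balancer.

def wsgi_key(header_name):
    """HTTP header name -> WSGI environ key (X-Forwarded-Proto -> HTTP_X_FORWARDED_PROTO)."""
    return "HTTP_" + header_name.upper().replace("-", "_")

def request_scheme(environ, secure_proxy_ssl_header=None):
    """Return 'https' only when the configured header carries the configured value."""
    if secure_proxy_ssl_header:
        key, secure_value = secure_proxy_ssl_header
        if environ.get(key) == secure_value:
            return "https"
    return environ.get("wsgi.url_scheme", "http")

def redirect_location(environ, path, secure_proxy_ssl_header=None):
    """Absolute URL the application would place in a Location header."""
    scheme = request_scheme(environ, secure_proxy_ssl_header)
    return "%s://%s%s" % (scheme, environ["HTTP_HOST"], path)

def proxy_forward(client_headers, arrived_over_tls, host):
    """What the TLS-terminating proxy should do: drop any client-supplied
    X-Forwarded-Proto and set its own value from the real connection."""
    environ = {"wsgi.url_scheme": "http", "HTTP_HOST": host}  # backend hop is plain http
    for name, value in client_headers.items():
        if name.lower() != "x-forwarded-proto":
            environ[wsgi_key(name)] = value
    environ[wsgi_key("X-Forwarded-Proto")] = "https" if arrived_over_tls else "http"
    return environ

SETTING = ("HTTP_X_FORWARDED_PROTO", "https")  # assumed header/value pair
HOST = "omero.example.org"                     # constructed hostname

if __name__ == "__main__":
    env = proxy_forward({}, arrived_over_tls=True, host=HOST)
    # Without the setting the app only sees the plain-http backend hop.
    print("setting unset:", redirect_location(env, "/webclient/"))
    # With the setting it trusts the proxy's header and redirects to https.
    print("setting set:  ", redirect_location(env, "/webclient/", SETTING))
    # A client-supplied header is discarded by a proxy that overwrites it.
    spoof = proxy_forward({"X-Forwarded-Proto": "https"}, arrived_over_tls=False, host=HOST)
    print("plain-http client claiming https:", request_scheme(spoof, SETTING))
```

If the proxy passed the client's header through unchanged, `request_scheme` would report `https` for a plain-http request, which is the situation the Django security warning describes.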