HTTPS for Omero Web?

I hate to ask this, however I am not able to activate HTTPS on Omero Web. I did not change any omero config property; I just followed this example: prod-playbooks/learning-omero-web.conf at 3b3d2e0f2f1f048b2219c9094d7bef8cb43ae6fc · ome/prod-playbooks · GitHub and then restarted, but the server is still answering on port 80 only, even if there is a rewrite to https. I tried to remove the 80 section, but then the server is not answering at all. I also tested locally with cURL: https is not available.
I tried both leaving and deleting the upstream section I found in the /etc/nginx/conf.d/omeroweb.conf file.
On http the web is okay, I have also activated gallery and signup.
I am sure I am missing something obvious, but I am not a sysadmin, although I have some experience with Apache (not with nginx).

If you’re using the example you’ve linked, in theory the Omero Instance should not answer via http at all, since it will be rewritten to https automatically. So that leaves me a bit puzzled. What kind of error are you getting when you’re visiting the page?

@JulianHn , it puzzles me too :frowning: . Via https, no connection. Via http, everything is okay but it is identified as not safe.

What are your nginx logs showing when you’re trying to access on 443?
Are you sure nginx is listening on 443?

netstat does not show 443 among the ports. Nothing appears on the log.

Okay. So this definitely looks like an nginx issue then. We probably need your nginx confs to help you further.

//
Julian

#upstream omeroweb {
#    server 127.0.0.1:4080 fail_timeout=0;
#}

server {
    listen 80;
    server_name xxx.xxx.xxx;
    return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;
    server_name xxx.xxx.xxx.xxx;

    ssl_certificate     /etc/pki/tls/certs/xxx.pem;
    ssl_certificate_key /etc/pki/tls/private/xxx.pem;
    ssl_protocols TLSv1.2;

    add_header Strict-Transport-Security "max-age=31536000" always;
    sendfile on;
    client_max_body_size 0;
    # maintenance page serve from here
    location @maintenance {
        root /opt/omero/web/omero-web//etc/templates/error;
        try_files $uri /maintainance.html =502;
    }

    # weblitz django apps serve media from here
    location /static {
        alias /opt/omero/web/omero-web/var/static;
    }

    location @proxy_to_app {
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_buffering off;

        proxy_pass http://127.0.0.1:4080;
    }

    location / {

        error_page 502 @maintenance;
        # checks for static file, if not found proxy to app
        try_files $uri @proxy_to_app;
    }

}

Hi @VDM, looks like you’ve set up all the SSL stuff, so maybe one quick check to make sure your firewall config isn’t getting in the way. On Ubuntu 18.04 I use:
sudo ufw app list
and Nginx HTTPS shows up in my list. If you use a different Linux distro with a different firewall, change accordingly.
Cheers,
Damir

To add to @Dsudar: if you’re running a systemd distro, journalctl -b -u nginx.service might give more hints.

But in general: if the configuration you’ve posted up there is actually used by nginx, you should not get any response on port 80 either. So something really weird has to be going on here. Did you run nginx -t, and did it show no errors? Are the configurations reloaded (by restarting nginx)?

//
Julian

This may be the missing step: I only restarted Omero Web.
I installed everything on CentOS 7, although it’s not my preferred distro. nginx -t returns success, as do the journalctl log, systemd status, etc. Regarding the firewall, ports are open.

Maybe I found a trace. I stopped nginx and then I was unable to restart due to an authentication failure (registered in the nginx log).
Among the things I tried, I temporarily disabled SELinux following the advice found here. With this, nginx started.
I remember having done, initially, some magic with semanage because the web server seemed not to start. However, I did it like an Eddington monkey, so I do not know exactly what I did…

@VDM: I’m unfortunately not very familiar with SELinux, so I can’t really help you with that further. Do you need SELinux on the machine? If your preferred distro is not CentOS anyway, I suspect you usually run your servers without SELinux. So maybe think about just removing the SELinux enforcing?

//
Julian

Me too. It was there, I just did what needed to run Omero, but now I will dismiss it.

Coming late to the party:

  • nginx -t definitely needs to be followed by a restart or at least a reload.
  • Happy to help with selinux if anyone needs, but yes, it can be annoying.
  • Otherwise, things are now working? :crossed_fingers:

~Josh
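The checks this thread walks through by hand (is nginx really bound to 443, was the edited config actually reloaded, is SELinux getting in the way) can be scripted. The script below is an added example, not code from the thread, from the OME playbooks or from OMERO: it compares the listen directives in a server block with the ports actually bound according to ss -ltn, and, when something is configured but not bound, runs the read-only SELinux checks that are worth doing before reaching for setenforce 0. The ss output and nginx snippet embedded in it are constructed samples; the default config path /etc/nginx/conf.d/omeroweb.conf is taken from the thread, and the SELinux boolean and file label named in the comments are the usual suspects, not something the thread confirmed.

```shell
#!/bin/sh
# Added example (not from the thread, the OME playbooks or OMERO): compare the
# ports an nginx server block claims to listen on with the ports actually
# bound, then run read-only SELinux checks when they differ.

# Constructed `ss -ltn` output matching the symptom in the thread: nginx is
# bound to 80 and OMERO.web to 4080, but nothing is listening on 443.
SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:80           0.0.0.0:*
LISTEN  0       128     127.0.0.1:4080       0.0.0.0:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*'

# Constructed nginx snippet with the same listen directives as the posted config.
SAMPLE_CONF='server {
    listen 80;
    return 301 https://$server_name$request_uri;
}
server {
    listen 443 ssl;
    ssl_certificate_key /etc/pki/tls/private/xxx.pem;
}'

# listening_ports: one bound TCP port per line from `ss -ltn` text on stdin.
listening_ports() {
    awk '$1 == "LISTEN" { n = split($4, a, ":"); print a[n] }' | sort -u
}

# is_listening PORT: exit 0 when PORT is bound in the `ss -ltn` text on stdin.
is_listening() {
    listening_ports | grep -qx "$1"
}

# listen_directives: ports named by `listen` directives in nginx config on stdin
# (handles "listen 80;", "listen 443 ssl;" and "listen [::]:443 ssl;").
listen_directives() {
    awk '$1 == "listen" { p = $2; sub(/;$/, "", p); sub(/.*:/, "", p); print p }' | sort -u
}

# missing_ports CONF_TEXT SS_TEXT: ports configured in CONF_TEXT but not bound in SS_TEXT.
missing_ports() {
    for p in $(printf '%s\n' "$1" | listen_directives); do
        printf '%s\n' "$2" | is_listening "$p" || echo "$p"
    done
}

# selinux_checks CONF_FILE: read-only checks for the usual reasons a syntactically
# valid config still fails under SELinux (ausearch needs root; nothing is changed).
selinux_checks() {
    conf=$1
    command -v getenforce >/dev/null 2>&1 && getenforce      # Enforcing / Permissive / Disabled
    key=$(awk '$1 == "ssl_certificate_key" { sub(/;$/, "", $2); print $2 }' "$conf")
    [ -n "$key" ] && ls -Z "$key"                           # key should be labelled cert_t, not e.g. user_home_t
    getsebool httpd_can_network_connect 2>/dev/null         # proxy_pass to 127.0.0.1:4080 normally needs this on
    ausearch -m AVC -ts recent 2>/dev/null | tail -n 20     # recent denials, typically naming httpd_t
}

# live_check [CONF_FILE]: the same comparison against the running host.
live_check() {
    conf=${1:-/etc/nginx/conf.d/omeroweb.conf}
    nginx -t || return 1              # syntax OK is not the same as loaded: reload nginx after editing
    missing=$(missing_ports "$(cat "$conf")" "$(ss -ltn)")
    if [ -z "$missing" ]; then
        echo "every configured port is bound"
        return 0
    fi
    echo "configured but not bound: $missing"
    selinux_checks "$conf"
    return 1
}

# Offline demonstration on the constructed samples (reports 443 as not bound).
echo "configured but not bound: $(missing_ports "$SAMPLE_CONF" "$SAMPLE_SS")"
```

Run the file as-is for the offline demonstration, or source it on the server and call live_check. If ausearch shows denials against the key file, restorecon -Rv /etc/pki/tls restores the expected label; if the denial is nginx connecting to the OMERO.web port, setsebool -P httpd_can_network_connect on is the targeted fix. Either keeps enforcement on, which is the point of running the checks instead of disabling SELinux.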

@joshmoore: yes, setenforce 0 helped, and then I totally disabled SELinux. I am sure having it is better, but as @JulianHn said, I am used to other distros (Ubuntu in particular), thus I do not use SELinux. Plus, the system is not for clinical use, “just” teaching and training.
Eventually, not for me but for others, some more documentation on setting up an HTTPS server could be of help, since it is now almost needed.

I am almost done with my transition. The last thing to decide is whether to distribute over two servers or leave everything on one. Not the last, it’s just a hope :slight_smile:
