Minimal safety requirements/configuration for accessing OMERO-server

Dear OME team/community,

I was wondering if there are any minimal safety requirements/configuration for accessing OMERO-server from the internet, and how other OMERO instances are set up regarding this issue (e.g. IDR, OME demo server).

As you know, most universities' IT departments are not keen on opening ports to servers from the outside world. Here in Leiden, we are looking at/testing the possibilities to allow users to get access from the internet outside the University premises and for users not affiliated with Leiden Universities.

We had a look at how IDR was set up for granting access to users, which is quite complex and too advanced for our needs at the moment. I could not find information on how, for example, the OME demo server was set up, which would be more suitable for our purpose (I think). Is there a difference between the demo server and IDR security-wise?

We were wondering if you could share some advice/ideas on how to secure a writable OMERO-server over an internet connection, or where we could find more appropriate information on this subject.

Your help will be enormously appreciated.

Rohola

Hi @rohola,

A general strategy, as I’m sure you know, would include:

  • encrypting as much communication as possible
  • keeping as many ports firewalled off as possible

For OMERO.web, it’s fairly straightforward to have all communication go over HTTPS. If you also want to redirect the communication that typically goes over the standard Ice ports, 4063 and 4064, you could use a combination of websockets and omero-certificates.

Regarding the IDR and demo, all of our production servers do still allow connections over the standard Ice ports. Websockets were introduced for dealing with client firewalls, but their support is expanding and we’d be interested in hearing your feedback.

I don’t think there’s a significant difference. The demo server is deployed using https://github.com/ome/prod-playbooks/blob/f029a1a374022e08c376addd81095d7869eb0c53/ome-demoserver.yml

Cheers,
~Josh
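
An added example, not part of the original thread and not OME tooling: a small check, run from a machine outside the campus network, that the server's exposure matches the strategy in the reply above. It assumes a policy in which OMERO.web is served over HTTPS on port 443 and the standard Ice ports 4063 and 4064 are firewalled; the host name `omero.example.org` and the function names are placeholders.

```python
import socket
import ssl

ICE_PORTS = (4063, 4064)   # standard Ice ports named in the reply above
HTTPS_PORT = 443           # assumption: OMERO.web is served on the default HTTPS port


def port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout) or unroutable
        return False


def tls_problem(host, port, timeout=3.0):
    """None if host:port completes a certificate-verified TLS handshake, else the reason."""
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return None
    except OSError as exc:  # ssl.SSLError and timeouts are OSError subclasses
        return f"{type(exc).__name__}: {exc}"


def audit_exposure(host, tls_ports=(HTTPS_PORT,), closed_ports=ICE_PORTS, timeout=3.0):
    """Return a list of policy violations; an empty list means exposure matches the policy."""
    violations = []
    for port in tls_ports:
        reason = tls_problem(host, port, timeout)
        if reason:
            violations.append(f"{host}:{port} should offer verified TLS ({reason})")
    for port in closed_ports:
        if port_open(host, port, timeout):
            violations.append(f"{host}:{port} should be firewalled but accepts connections")
    return violations


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "omero.example.org"  # placeholder host
    for line in audit_exposure(target) or ["exposure matches policy"]:
        print(line)
```

If the Ice ports are intentionally left reachable, as the reply says the OME production servers do, pass `closed_ports=()` so only the HTTPS check runs.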

Hi Josh,

Thanks for your reply. We will go ahead with your recommendations, thanks for the GitHub link. I think that will help.

Best,
Rohola