
OMERO server listening two VLAN ?

PostPosted: Tue Sep 02, 2014 3:12 pm
by phm
Hi,

I would like to have the OMERO server listening on two network interfaces, one for port 443 (VLAN1) and the other for ports 4064 and 443 (VLAN2). I defined two conf files for nginx:
omero.conf (VLAN1)
server {
    listen 443;
    server_name omero.college-de-france.fr;

    ssl on;
    ssl_certificate /etc/nginx/omero.college-de-france.fr.crt;
    ssl_certificate_key /etc/nginx/omero.college-de-france.fr.key;

    ssl_session_timeout 5m;

    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;

    # weblitz django apps serve media from here
    location /static {
        alias /opt/OMERO.server/lib/python/omeroweb/static;
    }

    location /omero {
        if (-f /opt/OMERO.server/var/maintenance.html) {
            error_page 503 /maintenance.html;
            return 503;
        }

        fastcgi_pass 0.0.0.0:4080;

        fastcgi_split_path_info ^(/omero)(.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param SCRIPT_INFO $fastcgi_script_name;

        fastcgi_param REQUEST_METHOD $request_method;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_param CONTENT_TYPE $content_type;
        fastcgi_param CONTENT_LENGTH $content_length;
        fastcgi_param SERVER_NAME $server_name;
        fastcgi_param SERVER_PROTOCOL $server_protocol;
        fastcgi_param SERVER_PORT $server_port;
        fastcgi_pass_header Authorization;
        fastcgi_intercept_errors on;
        fastcgi_read_timeout 60;
        # Uncomment if nginx SSL module is enabled or you are using nginx 1.1.11 or later
        # -- See: #10273, http://nginx.org/en/CHANGES
        fastcgi_param HTTPS $https;
    }

    location /maintenance.html {
        root /opt/OMERO.server/var;
    }
}

omero-web (VLAN2)
server {
    listen 443;
    server_name omero-web.college-de-france.fr;

    ssl on;
    ssl_certificate /etc/nginx/omero.college-de-france.fr.crt;
    ssl_certificate_key /etc/nginx/omero.college-de-france.fr.key;

    ssl_session_timeout 5m;

    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;

    #fastcgi_temp_path /opt/OMERO.server/var/nginx_tmp;
    #proxy_temp_path /opt/OMERO.server/var/nginx_tmp;

    # weblitz django apps serve static content from here
    location /static {
        alias /opt/OMERO.server/lib/python/omeroweb/static;
    }

    location / {
        if (-f /opt/OMERO.server/var/maintenance.html) {
            error_page 503 /maintenance.html;
            return 503;
        }
        fastcgi_pass 0.0.0.0:4080;
        fastcgi_param PATH_INFO $fastcgi_script_name;
        fastcgi_param REQUEST_METHOD $request_method;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_param CONTENT_TYPE $content_type;
        fastcgi_param CONTENT_LENGTH $content_length;
        fastcgi_param SERVER_NAME $server_name;
        fastcgi_param SERVER_PROTOCOL $server_protocol;
        fastcgi_param SERVER_PORT $server_port;
        fastcgi_pass_header Authorization;
        fastcgi_intercept_errors on;
        fastcgi_read_timeout 300;
    }

    location /maintenance.html {
        root /opt/OMERO.server/var;
    }
}

However, I can define only one web server name with:
omero config set omero.web.application_host "https://omero.college-de-france.fr"

Connection to omero.college-de-france.fr is working but not to omero-web.college-de-france.fr

Thanks

Re: OMERO server listening two VLAN ?

PostPosted: Wed Sep 03, 2014 12:05 pm
by atarkowska
Hi,

From what you are asking I understand that you wish to have two hosts:
- VLAN1 just omero web accessible on 443
- VLAN2 which will run omero server on port 4064 + 4063 and omero web on 443

I would keep the config you have defined for VLAN2 as it is and use proxy_pass. You cannot define two of the same configs for the one application, nor two values of omero.web.application_host.

Ola

Re: OMERO server listening two VLAN ?

PostPosted: Thu Sep 04, 2014 4:58 am
by phm
atarkowska wrote:Hi,

From what you are asking I understand that you wish to have two hosts:
- VLAN1 just omero web accessible on 443
- VLAN2 which will run omero server on port 4064 + 4063 and omero web on 443

I would keep the config you have defined for VLAN2 as it is and use proxy_pass. You cannot define two of the same configs for the one application, nor two values of omero.web.application_host.

Ola

Hi Ola,
Do you mean keep only the config file for VLAN2? And could you please explain how to implement proxy_pass in nginx?
Thanks
Philippe

Re: OMERO server listening two VLAN ?

PostPosted: Thu Sep 04, 2014 9:16 am
by atarkowska
Hi Philippe,

Nginx has a quite nice beginners' guide: http://nginx.org/en/docs/beginners_guide.html

From the config you sent I understand that you installed one OMERO.server with OMERO.web and wish to have them available as follows:

- OMERO.server (ports 4064 & 4063) on host omero.college-de-france.fr (vlan1)
- OMERO.server (ports 4064 & 4063) and OMERO.web (HTTPS 443) on host omero-web.college-de-france.fr (vlan2)

Are you sure it is not the other way around? Are you not just trying to set up one domain for the server and one for OMERO.web?

Could you please clarify what you intend to do exactly?

Ola

Re: OMERO server listening two VLAN ?

PostPosted: Thu Sep 04, 2014 11:19 am
by phm
atarkowska wrote:Hi Philippe,

Nginx has a quite nice beginners' guide: http://nginx.org/en/docs/beginners_guide.html

From the config you sent I understand that you installed one OMERO.server with OMERO.web and wish to have them available as follows:

- OMERO.server (ports 4064 & 4063) on host omero.college-de-france.fr (vlan1)
- OMERO.server (ports 4064 & 4063) and OMERO.web (HTTPS 443) on host omero-web.college-de-france.fr (vlan2)

Are you sure it is not the other way around? Are you not just trying to set up one domain for the server and one for OMERO.web?

Could you please clarify what you intend to do exactly?

Ola


Hi Ola,

I would like to optimize data transfers on the server. We have all acquisition stations (microscopes) and analysis stations on VLAN1 (omero), and we want to give access to the server by HTTPS connection only, on VLAN2 (omero-web), to all stations situated in our institute. The connections between machines in the institute and the server (VLAN2) go through different switches and firewalls. The connections from the acquisition stations are on a fast network and direct.
The idea is to have one NIC1 listening on VLAN1 with ports 80, 443 (for administration), 4063, 4064 (for image transfers) and 8000 (for maintenance) open, and another NIC2 listening on VLAN2 for "slower" connections with only port 443 open.
In this way I can avoid too much traffic on VLAN2; indeed other servers are on this VLAN and it would collapse the ASA (Cisco Adaptive Security Appliance) which filters all traffic.

I configured NIC1 on VLAN1 and all machines on VLAN1 can connect to the server (omero). However, through NIC2 I can't connect to omero-web. Now if I use proxy_pass I can reach the omero-web server, but only from machines in VLAN2???

I put proxy_pass http://127.0.0.1/omero;
and not proxy_pass http://omero.college-de-france.fr/omero;
to avoid packets going back to the DNS and so into the network core through all the firewalls.


Here is the omero-web nginx conf file:
server {
    listen 80;
    server_name omero-web.college-de-france.fr;
    # "^ https://..." (space after ^): the regex matches the URI, the redirect target follows it
    rewrite ^ https://$server_name$request_uri? permanent;
}
server {
    listen 443;
    ssl on;
    ssl_certificate /etc/nginx/omero.college-de-france.fr.crt;
    ssl_certificate_key /etc/nginx/omero.college-de-france.fr.key;

    ssl_session_timeout 5m;

    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;

    #fastcgi_temp_path /opt/OMERO.server/var/nginx_tmp;
    #proxy_temp_path /opt/OMERO.server/var/nginx_tmp;

    # proxy_pass redirect to omero (the port-80 server of the omero conf below)
    location /omero {
        proxy_pass http://127.0.0.1/omero;
    }
}

And the omero nginx conf file:

server {
    listen 80 default;
    server_name omero.college-de-france.fr;
    rewrite ^ https://$server_name$request_uri? permanent;
}
server {
    listen 443 default ssl;
    server_name omero.college-de-france.fr;

    ssl on;
    ssl_certificate /etc/nginx/omero.college-de-france.fr.crt;
    ssl_certificate_key /etc/nginx/omero.college-de-france.fr.key;

    ssl_session_timeout 5m;

    ssl_protocols SSLv2 SSLv3 TLSv1;
    ssl_ciphers ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP;
    ssl_prefer_server_ciphers on;

    # weblitz django apps serve media from here
    location /static {
        alias /opt/OMERO.server/lib/python/omeroweb/static;
    }

    location /omero {
        if (-f /opt/OMERO.server/var/maintenance.html) {
            error_page 503 /maintenance.html;
            return 503;
        }

        fastcgi_pass 0.0.0.0:4080;

        fastcgi_split_path_info ^(/omero)(.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param SCRIPT_INFO $fastcgi_script_name;

        fastcgi_param REQUEST_METHOD $request_method;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_param CONTENT_TYPE $content_type;
        fastcgi_param CONTENT_LENGTH $content_length;
        fastcgi_param SERVER_NAME $server_name;
        fastcgi_param SERVER_PROTOCOL $server_protocol;
        fastcgi_param SERVER_PORT $server_port;
        fastcgi_pass_header Authorization;
        fastcgi_intercept_errors on;
        fastcgi_read_timeout 60;
        # Uncomment if nginx SSL module is enabled or you are using nginx 1.1.11 or later
        # -- See: #10273, http://nginx.org/en/CHANGES
        fastcgi_param HTTPS $https;
    }

    location /maintenance.html {
        root /opt/OMERO.server/var;
    }
}


Thanks

Philippe

Re: OMERO server listening two VLAN ?

PostPosted: Fri Sep 05, 2014 2:46 pm
by atarkowska
Hi Philippe,

I think I understand what you are trying to do.

First let's modify your omero.college-de-france.fr on VLAN1.

I would recommend opening only ports 4063 & 4064 on the IP assigned to omero.college-de-france.fr.
Don't open 80 and 443 for this IP, to make sure people access OMERO.server and only localhost can access OMERO.web.

You may set Ice default host, see below:
By default OMERO will bind to all available interfaces. On a laptop this has the undesirable effect of requiring an OMERO restart when changing network connections, e.g. from a home to a work network connection. To avoid this, it is possible to bind only on the localhost interface which will never change IP address.

Code:
$ omero config set Ice.Default.Host 127.0.0.1
# Restart to activate the new setting
$ omero admin restart



Then your nginx config should also block it.

Code:
server {
    listen 80 default;
    server_name omero.college-de-france.fr;

    allow  127.0.0.1;
    deny   all;

    rewrite ^ https://$server_name$request_uri? permanent;
}
server {
    listen 443 default ssl;
    server_name omero.college-de-france.fr;

    allow  127.0.0.1;
    deny   all;
    ...


Then the config for omero-web.college-de-france.fr looks right. You may block ports 4064 & 4063 on the IP assigned to omero-web.college-de-france.fr to make sure no one will access OMERO.server.
I think the problem with accessing omero-web.college-de-france.fr from vlan1 depends on routing in your network. Unfortunately this is not related to the OMERO platform and beyond my knowledge.

I hope it will help.

Ola
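
An added example (not the thread's config and not OMERO documentation) of the split Ola describes, with each nginx listener bound to one interface address instead of `listen 443;`, which binds every interface. Assumed, constructed addresses: 192.0.2.10 is NIC1 on VLAN1 and 198.51.100.10 is NIC2 on VLAN2; the certificate paths, the FastCGI port and the locations are the thread's own.

```nginx
# Constructed addresses: 192.0.2.10 = NIC1 (VLAN1), 198.51.100.10 = NIC2 (VLAN2).
# Nothing in nginx listens on 192.0.2.10: that address carries only the Ice ports
# 4063/4064 of OMERO.server, so VLAN2 hosts never see 4064 and VLAN1 hosts never see 443.

# VLAN2, port 80: redirect to HTTPS, nothing is served in clear.
server {
    listen 198.51.100.10:80;
    server_name omero-web.college-de-france.fr;
    return 301 https://$server_name$request_uri;
}

# OMERO.web over HTTPS on the VLAN2 address and on loopback (administration from
# the server itself); 'ssl' on the listen line replaces 'ssl on;'.
server {
    listen 198.51.100.10:443 ssl;
    listen 127.0.0.1:443 ssl;
    server_name omero-web.college-de-france.fr omero.college-de-france.fr;

    ssl_certificate     /etc/nginx/omero.college-de-france.fr.crt;
    ssl_certificate_key /etc/nginx/omero.college-de-france.fr.key;
    ssl_session_timeout 5m;
    # SSLv2/SSLv3 and the EXPORT/LOW ciphers of the thread's config are dropped.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;

    location /static {
        alias /opt/OMERO.server/lib/python/omeroweb/static;
    }

    location /omero {
        # OMERO.web FastCGI backend reached over loopback only.
        fastcgi_pass 127.0.0.1:4080;
        fastcgi_split_path_info ^(/omero)(.*)$;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param SCRIPT_INFO $fastcgi_script_name;
        fastcgi_param REQUEST_METHOD $request_method;
        fastcgi_param QUERY_STRING $query_string;
        fastcgi_param CONTENT_TYPE $content_type;
        fastcgi_param CONTENT_LENGTH $content_length;
        fastcgi_param SERVER_NAME $server_name;
        fastcgi_param SERVER_PROTOCOL $server_protocol;
        fastcgi_param SERVER_PORT $server_port;
        fastcgi_param HTTPS $https;
        fastcgi_pass_header Authorization;
        fastcgi_intercept_errors on;
        fastcgi_read_timeout 300;
    }
}
```

Bind the Ice side the same way, `omero config set Ice.Default.Host 192.0.2.10` for the assumed VLAN1 address, so that 4063/4064 are served on NIC1 only (127.0.0.1, as in the quoted laptop example, would leave OMERO.server reachable from the server itself only). After `omero admin restart` and an nginx reload, `ss -ltn` should list each port on exactly the address intended.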

Re: OMERO server listening two VLAN ?

PostPosted: Sat Sep 06, 2014 8:43 pm
by phm
atarkowska wrote:Hi Philippe,

I think I understand what you are trying to do.

First let's modify your omero.college-de-france.fr on VLAN1.

I would recommend opening only ports 4063 & 4064 on the IP assigned to omero.college-de-france.fr.
Don't open 80 and 443 for this IP, to make sure people access OMERO.server and only localhost can access OMERO.web.

You may set Ice default host, see below:
By default OMERO will bind to all available interfaces. On a laptop this has the undesirable effect of requiring an OMERO restart when changing network connections, e.g. from a home to a work network connection. To avoid this, it is possible to bind only on the localhost interface which will never change IP address.

Code:
$ omero config set Ice.Default.Host 127.0.0.1
# Restart to activate the new setting
$ omero admin restart



Then your nginx config should also block it.

Code:
server {
    listen 80 default;
    server_name omero.college-de-france.fr;

    allow  127.0.0.1;
    deny   all;

    rewrite ^ https://$server_name$request_uri? permanent;
}
server {
    listen 443 default ssl;
    server_name omero.college-de-france.fr;

    allow  127.0.0.1;
    deny   all;
    ...


Then the config for omero-web.college-de-france.fr looks right. You may block ports 4064 & 4063 on the IP assigned to omero-web.college-de-france.fr to make sure no one will access OMERO.server.
I think the problem with accessing omero-web.college-de-france.fr from vlan1 depends on routing in your network. Unfortunately this is not related to the OMERO platform and beyond my knowledge.

I hope it will help.

Ola


Thanks a lot for this advice. Finally I did something similar by configuring the routing tables and the firewall on the server.

Philippe