Re: [galaxy-dev] secure Galaxy with SSL
Hi Peter, Thanks so much for your help! It is like you said a browser issue. I also noticed that the Galaxy main server (https://usegalaxy.org/) doesn't have this problem. And their USCS main table browser uses "https" instead of "http". Does anyone know why this isn't included in the current Galaxy release? And how can I change my current "http USCS main" to "https USCS main"? Thanks, Jim Message: 8 Date: Tue, 19 Nov 2013 08:51:03 +0000 From: Peter Briggs <peter.briggs@manchester.ac.uk> To: galaxy-dev@lists.bx.psu.edu Subject: Re: [galaxy-dev] secure Galaxy with SSL Message-ID: <528B2677.9050706@manchester.ac.uk> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Hello Jim Re your problem #1 (UCSC browser appears to be blocked), I've seen something similar with our local Galaxy instance, which is also served via https. In our case I believe this is actually a browser issue: the latest version of Firefox silently blocks mixed secure and insecure content: https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-... (I think Chrome and IE do something similar, although IE at least gives a warning.) The workaround is either to disable mixed content blocking (not trivial in Firefox, and probably not a good idea in general), or to do something like e.g. right-click "Open link in new tab" on the "Get data"/"UCSC main table browser" link in Galaxy. Once UCSC has loaded in the new tab it can be used to send data back to Galaxy without any problems. HTH Best wishes, Peter On 18/11/13 23:03, Jingchao Zhang wrote:
Dear all,
Today I installed the SSL module for our local Galaxy instance and the "https://" link is working fine. I added this "<Location"/">
RequestHeader set X-URL-SCHEME https
</Location>" in our Apache configuration file as instructed in this webpage: http://wiki.galaxyproject.org/Admin/Config/Apache%20Proxy
Here are my problems with SSL: 1. Some build in links like "UCSC Main <http://genome.ucsc.edu/cgi-bin/hgTables?GALAXY_URL=https%3A//hcc-galaxy.unl.edu/tool_runner&tool_id=ucsc_table_direct1&hgta_compressType=none&sendToGalaxy=1&hgta_outputType=bed> table browser" and "UCSC Test <http://genome-test.cse.ucsc.edu/cgi-bin/hgTables?GALAXY_URL=https%3A//hcc-galaxy.unl.edu/tool_runner&tool_id=ucsc_table_direct_test1&hgta_compressType=none&sendToGalaxy=1&hgta_outputType=bed> table browser" become invalid. If I click on them, nothing will happen, as if they are blocked. 2. The old "http" link still works, which I think shouldn't because I added the "RequestHeader ... https" line in Apache configuration. I really want to disable the http link because the new users could be easily led to the old one.
Both httpd and Galaxy have been restarted after the changes are made. Since I didn't find any similar threads in the mailist, I hope someone here can help me out with this.
Thanks, Jim
___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at: http://lists.bx.psu.edu/
To search Galaxy mailing lists use the unified search at: http://galaxyproject.org/search/mailinglists/
-- Peter Briggs peter.briggs@manchester.ac.uk Bioinformatics Core Facility University of Manchester B.1083 Michael Smith Bldg Tel: (0161) 2751482
On Tue, Nov 19, 2013 at 12:32 PM, Jingchao Zhang <zhang@unl.edu> wrote:
Hi Peter,
Thanks so much for your help! It is like you said a browser issue.
I also noticed that the Galaxy main server (https://usegalaxy.org/) doesn't have this problem. And their USCS main table browser uses "https" instead of "http". Does anyone know why this isn't included in the current Galaxy release? And how can I change my current "http USCS main" to "https USCS main"?
Hi Jim, We did this for usegalaxy.org simply by locally changing the URL in the tool's config from http to https. A proper fix for this tool (and other external sites which open in the center iframe) is in the works and will be released to the stable branch once it's done. --nate
Thanks, Jim
Message: 8 Date: Tue, 19 Nov 2013 08:51:03 +0000 From: Peter Briggs <peter.briggs@manchester.ac.uk> To: galaxy-dev@lists.bx.psu.edu Subject: Re: [galaxy-dev] secure Galaxy with SSL Message-ID: <528B2677.9050706@manchester.ac.uk> Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Hello Jim
Re your problem #1 (UCSC browser appears to be blocked), I've seen something similar with our local Galaxy instance, which is also served via https.
In our case I believe this is actually a browser issue: the latest version of Firefox silently blocks mixed secure and insecure content:
https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-...
(I think Chrome and IE do something similar, although IE at least gives a warning.)
The workaround is either to disable mixed content blocking (not trivial in Firefox, and probably not a good idea in general), or to do something like e.g. right-click "Open link in new tab" on the "Get data"/"UCSC main table browser" link in Galaxy. Once UCSC has loaded in the new tab it can be used to send data back to Galaxy without any problems.
HTH
Best wishes, Peter
Dear all,
Today I installed the SSL module for our local Galaxy instance and the "https://" link is working fine. I added this "<Location"/">
RequestHeader set X-URL-SCHEME https
</Location>" in our Apache configuration file as instructed in this webpage: http://wiki.galaxyproject.org/Admin/Config/Apache%20Proxy
Here are my problems with SSL: 1. Some build in links like "UCSC Main < http://genome.ucsc.edu/cgi-bin/hgTables?GALAXY_URL=https%3A//hcc-galaxy.unl.edu/tool_runner&tool_id=ucsc_table_direct1&hgta_compressType=none&sendToGalaxy=1&hgta_outputType=bed>
browser" and "UCSC Test < http://genome-test.cse.ucsc.edu/cgi-bin/hgTables?GALAXY_URL=https%3A//hcc-galaxy.unl.edu/tool_runner&tool_id=ucsc_table_direct_test1&hgta_compressType=none&sendToGalaxy=1&hgta_outputType=bed>
On 18/11/13 23:03, Jingchao Zhang wrote: table table
browser" become invalid. If I click on them, nothing will happen, as if they are blocked. 2. The old "http" link still works, which I think shouldn't because I added the "RequestHeader ... https" line in Apache configuration. I really want to disable the http link because the new users could be easily led to the old one.
Both httpd and Galaxy have been restarted after the changes are made. Since I didn't find any similar threads in the mailist, I hope someone here can help me out with this.
Thanks, Jim
___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at: http://lists.bx.psu.edu/
To search Galaxy mailing lists use the unified search at: http://galaxyproject.org/search/mailinglists/
-- Peter Briggs peter.briggs@manchester.ac.uk Bioinformatics Core Facility University of Manchester B.1083 Michael Smith Bldg Tel: (0161) 2751482 ___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at: http://lists.bx.psu.edu/
To search Galaxy mailing lists use the unified search at: http://galaxyproject.org/search/mailinglists/
Hi Nate, Thanks so much for the help. Aslo, I solved my second issue. Here are the the changes I made to the Apache conf file. RewriteCond %{HTTPS} off #RewriteRule ^(.*) http://localhost:8080$1 [P] RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L] Now http will be redirected to https. Just put it here for future reference in case anyone needs to know. Best, Jim ________________________________ From: Nate Coraor <nate@bx.psu.edu> Sent: Tuesday, November 19, 2013 1:14 PM To: Jingchao Zhang Cc: galaxy-dev@lists.bx.psu.edu Subject: Re: [galaxy-dev] secure Galaxy with SSL On Tue, Nov 19, 2013 at 12:32 PM, Jingchao Zhang <zhang@unl.edu<mailto:zhang@unl.edu>> wrote: Hi Peter, Thanks so much for your help! It is like you said a browser issue. I also noticed that the Galaxy main server (https://usegalaxy.org/) doesn't have this problem. And their USCS main table browser uses "https" instead of "http". Does anyone know why this isn't included in the current Galaxy release? And how can I change my current "http USCS main" to "https USCS main"? Hi Jim, We did this for usegalaxy.org<http://usegalaxy.org> simply by locally changing the URL in the tool's config from http to https. A proper fix for this tool (and other external sites which open in the center iframe) is in the works and will be released to the stable branch once it's done. --nate Thanks, Jim Message: 8 Date: Tue, 19 Nov 2013 08:51:03 +0000 From: Peter Briggs <peter.briggs@manchester.ac.uk<mailto:peter.briggs@manchester.ac.uk>> To: galaxy-dev@lists.bx.psu.edu<mailto:galaxy-dev@lists.bx.psu.edu> Subject: Re: [galaxy-dev] secure Galaxy with SSL Message-ID: <528B2677.9050706@manchester.ac.uk<mailto:528B2677.9050706@manchester.ac.uk>> Content-Type: text/plain; charset=ISO-8859-1; format=flowed Hello Jim Re your problem #1 (UCSC browser appears to be blocked), I've seen something similar with our local Galaxy instance, which is also served via https. In our case I believe this is actually a browser issue: the latest version of Firefox silently blocks mixed secure and insecure content: https://blog.mozilla.org/tanvi/2013/04/10/mixed-content-blocking-enabled-in-... (I think Chrome and IE do something similar, although IE at least gives a warning.) The workaround is either to disable mixed content blocking (not trivial in Firefox, and probably not a good idea in general), or to do something like e.g. right-click "Open link in new tab" on the "Get data"/"UCSC main table browser" link in Galaxy. Once UCSC has loaded in the new tab it can be used to send data back to Galaxy without any problems. HTH Best wishes, Peter On 18/11/13 23:03, Jingchao Zhang wrote:
Dear all,
Today I installed the SSL module for our local Galaxy instance and the "https://" link is working fine. I added this "<Location"/">
RequestHeader set X-URL-SCHEME https
</Location>" in our Apache configuration file as instructed in this webpage: http://wiki.galaxyproject.org/Admin/Config/Apache%20Proxy
Here are my problems with SSL: 1. Some build in links like "UCSC Main <http://genome.ucsc.edu/cgi-bin/hgTables?GALAXY_URL=https%3A//hcc-galaxy.unl.edu/tool_runner&tool_id=ucsc_table_direct1&hgta_compressType=none&sendToGalaxy=1&hgta_outputType=bed> table browser" and "UCSC Test <http://genome-test.cse.ucsc.edu/cgi-bin/hgTables?GALAXY_URL=https%3A//hcc-galaxy.unl.edu/tool_runner&tool_id=ucsc_table_direct_test1&hgta_compressType=none&sendToGalaxy=1&hgta_outputType=bed> table browser" become invalid. If I click on them, nothing will happen, as if they are blocked. 2. The old "http" link still works, which I think shouldn't because I added the "RequestHeader ... https" line in Apache configuration. I really want to disable the http link because the new users could be easily led to the old one.
Both httpd and Galaxy have been restarted after the changes are made. Since I didn't find any similar threads in the mailist, I hope someone here can help me out with this.
Thanks, Jim
___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at: http://lists.bx.psu.edu/
To search Galaxy mailing lists use the unified search at: http://galaxyproject.org/search/mailinglists/
-- Peter Briggs peter.briggs@manchester.ac.uk<mailto:peter.briggs@manchester.ac.uk> Bioinformatics Core Facility University of Manchester B.1083 Michael Smith Bldg Tel: (0161) 2751482 ___________________________________________________________ Please keep all replies on the list by using "reply all" in your mail client. To manage your subscriptions to this and other Galaxy lists, please use the interface at: http://lists.bx.psu.edu/ To search Galaxy mailing lists use the unified search at: http://galaxyproject.org/search/mailinglists/
participants (2)
-
Jingchao Zhang -
Nate Coraor