Secure XNAT with Docker
Pablo Yepes
Herrick, Rick
This is very dependent on your IT and network environment. For example, at WashU we have an enterprise proxy maintained by the university. Honestly, I don’t really know the details of how it works, but essentially we have domain names that get resolved to that front-end proxy, which has the SSL certificate(s) for our domains and routes requests to a particular domain to a server behind the proxy (and firewall).
Another case would be running your Docker service with nothing between it and the internet. You could configure the XNAT/Tomcat container in your Docker configuration to manage SSL termination, but that’s usually not considered a best practice. Here’s an article that describes how to configure SSL in Tomcat which notes:
“Before you go through the trouble of getting SSL up and running, it's a probably a good idea to determine if you actually should be using this configuration… [I]n most cases you should let [a] web server function as a proxy for all SSL requests… [b]ecause all that decryption, encryption, and handshaking isn't free - actually, it's not just ‘not free,’ it's quite CPU-intensive, and it significantly slows down the speed of transmission… [Free] up your Tomcat server to focus on its specialty - quickly generating dynamic content, and allow it to get that data to your web server as quickly as possible, in cleartext.”
You can also add a front-end HTTP proxy directly to your Docker configuration with docker-compose. If you check out the XNAT Docker Compose project, both the master and features/dependency-mgmt branches include proxies, nginx in the master branch and traefik in the features/dependency-mgmt branch. I’ve included a configuration for nginx that’s adapted from one I use on my own dev server with SSL certificates from Let’s Encrypt. That could be rolled into the nginx configuration in the master branch of the docker-compose configuration, but you’ll need to get a certificate to use. This post describes how to do that, but the process requires having your site accessible from the internet (this doesn’t mean XNAT necessarily, since you could get the certificate with just nginx and save it for use with your full configuration) and a DNS server configured so that your domain/server name points to your site.
Lastly, if you’re running XNAT in Docker on a server accessible from the internet, you can configure a front-end proxy on the server itself. This is how I configure my Ubuntu 20.04 dev server, which runs several services and test sites (including an XNAT test service) under various domain and server names. I have nginx installed there, with wildcard certs for each domain, and an nginx configuration for each service under a specific domain.
For example, if I owned the domain miskatonic.edu, I would have an SSL certificate for *.miskatonic.edu then nginx configurations for test.miskatonic.edu, xnat.miskatonic.edu, etc. Each of those configurations would use the *.miskatonic.edu wildcard certificate.
From:
xnat_di...@googlegroups.com <xnat_di...@googlegroups.com> on behalf of Pablo Yepes <pabloye...@gmail.com>
Date: Thursday, June 16, 2022 at 11:35 AM
To: xnat_discussion <xnat_di...@googlegroups.com>
Subject: [XNAT Discussion] Secure XNAT with Docker
|
* External Email - Caution * |
I installed XNAT using Docker and it was a piece of cake. However the web interface is not secure. I would like to use a secure (https) web interface. Does anyone have experience with that? I have been trying for a while to figure it out, but without success at the moment. Can anyone help?
--
You received this message because you are subscribed to the Google Groups "xnat_discussion" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
xnat_discussi...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/xnat_discussion/bef7f595-c85b-40fa-b996-71cf722e49bbn%40googlegroups.com.
The materials in this message are private and may contain Protected Healthcare Information or other information of a sensitive nature. If you are not the intended recipient, be advised that any unauthorized use, disclosure, copying or the taking of any action in reliance on the contents of this information is strictly prohibited. If you have received this email in error, please immediately notify the sender via telephone or return mail.
James Bowden
VIRTUAL_HOST: xnat.miskatonic.edu
LETSENCRYPT_HOST: xnat.miskatonic.edu
Herrick, Rick
Very cool, James! Thanks!
To view this discussion on the web visit https://groups.google.com/d/msgid/xnat_discussion/9684b910-e4bc-4a27-8e76-e413245845bfn%40googlegroups.com.