How to Run Cryosparc on an https URL using an SSL certificate

Is there a documented way to get the web app to run an SSL connection to protect the user passwords and data as it traverses the network?

Hi @karcaw,

CryoSPARC is typically installed in a private network so we recommend connecting securely through an SSH tunnel or VPN, both of which transmit data through an encrypted channel.

In the case where you are accessing cryoSPARC from the public internet directly, we recommend setting up a reverse proxy server such as NGINX where you can serve the site via HTTPS by generating the required SSL certificates. Simply proxy the endpoint to the port that cryoSPARC’s web application is running (39000 by default). The steps are similar to those outlined here.

- Suhail

While nginx will provide SSL to outside hosts, I think this is still a shortsighted view of the real danger of having users authenticate over an insecure WebSocket. Since users like to use the same password or similar passwords on multiple websites, a nefarious actor could still capture network traffic on the host between the nginx proxy and port 39000 and glean passwords from the data stream. These passwords can possibly be used for other attacks against other local systems. It's concerning, since it seems the web_app framework you are using has the ability to set up a proper SSL stream.

Anyhow, here is a basic nginx config for a reverse proxy if anyone else comes across this question later:

server {
  listen                443 ssl http2;
  server_name           cryosparc.;

  location / {
    proxy_pass http://localhost:39000/;
  }

  ssl_certificate       /<path_to_ssl>.cert;
  ssl_certificate_key   /<path_to_ssl>.key;
}

Hi @karcaw,

Are you referring to self-signed certificates for use locally?

- Suhail

I’m saying there really should be an option to hand the web process a set of certificates for communication. These can be self-signed, from letsencrypt, or proper certificates from a signing authority. Self-signed is easy to always do during install for local use.

Hello,
I have the same problem/question, but my knowledge is too limited to find out how to fix it. The server running cryosparc should have all requests redirected from http to https for a few ports (https://certbot.eff.org/lets-encrypt/ubuntubionic-apache). But somehow it does not work for cryosparc.
Being able to use the web interface without a VPN or SSH tunnel is brilliant, but it should be https indeed.
Not sure/convinced nginx is the answer, and I don’t know how to configure it.

Hi @abasle,

Here’s an example NGINX .conf configuration file that works alongside Certbot, which uses Let’s Encrypt to generate SSL certificates (Certbot should automatically manage the private keys):

server {
  listen                80;
  server_name           <YOUR_URL>;

  access_log            /var/log/nginx/<YOUR_URL>.http.access.log;
  error_log             /var/log/nginx/<YOUR_URL>.http.error.log;

  location / {
    return 301 https://$server_name$request_uri;
  }
}


server {
  listen                443 ssl;

  server_name           <YOUR_URL>;

  access_log            /var/log/nginx/<YOUR_URL>.access.log;
  error_log             /var/log/nginx/<YOUR_URL>.error.log;

  location / {
    proxy_pass http://127.0.0.1:39000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
    proxy_set_header X-Forwarded-For $remote_addr;

    proxy_request_buffering  off;
    proxy_buffering          off;
    client_max_body_size     0;
  }
  ssl_certificate       /etc/letsencrypt/live/<YOUR_URL>/fullchain.pem; # managed by Certbot
  ssl_certificate_key   /etc/letsencrypt/live/<YOUR_URL>/privkey.pem; # managed by Certbot
}
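As an added example (not from the original thread and not CryoSPARC's or NGINX's own tooling), a small Python audit of an NGINX reverse-proxy config for the points raised in this thread: TLS termination with a certificate and key, the port-80 redirect, the WebSocket upgrade headers the web app needs, and whether the plaintext hop to port 39000 stays on loopback rather than crossing the network. Both sample configs and the hostname cryosparc.example.org are constructed for the example.

```python
"""Audit an NGINX reverse-proxy config for the CryoSPARC web app (port 39000)."""
import re

# Constructed sample: the Certbot-style config from this thread, condensed.
GOOD_CONF = """
server {
  listen 80;
  server_name cryosparc.example.org;
  location / { return 301 https://$server_name$request_uri; }
}
server {
  listen 443 ssl;
  server_name cryosparc.example.org;
  location / {
    proxy_pass http://127.0.0.1:39000;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection 'upgrade';
  }
  ssl_certificate /etc/letsencrypt/live/cryosparc.example.org/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/cryosparc.example.org/privkey.pem;
}
"""

# Constructed sample: TLS on the outside, but no http->https redirect, the
# upstream hop leaves the host, and WebSocket upgrades are not forwarded.
WEAK_CONF = """
server {
  listen 443 ssl;
  server_name cryosparc.example.org;
  location / { proxy_pass http://10.0.0.5:39000/; }
  ssl_certificate /etc/ssl/cryosparc.cert;
  ssl_certificate_key /etc/ssl/cryosparc.key;
}
"""

LOOPBACK = {"127.0.0.1", "localhost", "[::1]"}

def audit(conf: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    if not re.search(r"listen\s+443\s+ssl", conf):
        findings.append("no 'listen 443 ssl' server block")
    if not (re.search(r"^\s*ssl_certificate\s", conf, re.M)
            and re.search(r"^\s*ssl_certificate_key\s", conf, re.M)):
        findings.append("ssl_certificate/ssl_certificate_key missing")
    if not re.search(r"return\s+301\s+https://", conf):
        findings.append("port 80 is not redirected to https")
    # The proxy-to-app hop is plain HTTP; it should at least not leave the host.
    for m in re.finditer(r"proxy_pass\s+https?://(\[[^\]]+\]|[^:/;\s]+)", conf):
        if m.group(1) not in LOOPBACK:
            findings.append(f"upstream {m.group(1)} is reached in plaintext over the network")
    if not re.search(r"proxy_set_header\s+Upgrade\s+\$http_upgrade", conf):
        findings.append("WebSocket Upgrade header is not forwarded")
    if not re.search(r"proxy_set_header\s+Connection\s+\W*upgrade", conf, re.I):
        findings.append("Connection: upgrade header is not forwarded")
    return findings
```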

Hello,

Thanks, but I made a mistake. I did not know what nginx was. Being a web server, it interferes with the apache2 I have already installed. So it would not be a solution for me.
I still don’t understand why 39000 is not https, but I will keep trying. If you have an apache2 conf that redirects http://XXXXXXXxx:39000 to https, I’d be happy to try it. I have tried some settings, but so far I have failed.
Cheers,
Arnaud