Hello Howie,

Please see this previously answered mailing list question for the list of IP addresses behind our site:
https://lists.soe.ucsc.edu/pipermail/genome/2010-September/023596.html

Unfortunately we cannot provide much comment on your apache settings. One of our engineers did note that HEAD would be required in addition to GET. Hopefully your sysadmins can provide some guidance about your apache settings as well as the rest of your concerns.

Hopefully this information was helpful and answers your question. If you have further questions or require clarification feel free to contact the mailing list at [email protected].

Regards,
Pauline Fujita
UCSC Genome Bioinformatics Group
http://genome.ucsc.edu

On 1/4/12 11:08 AM, Howie Goodell wrote:
> Hi --
>
> My group at a major hospital wants to visualize ca. 1 TB of BAM files from an internal server as UCSC Genome Browser custom tracks, without needing to copy them all to an external webserver. I'm trying to think of sufficiently draconian security measures that admins will allow reverse-proxy access to these files through the firewall by the UCSC Genome Browser. Seems this would be a common need; so worth some effort to make solid. What do you think of these parameters?
>
> 1. Limit reverse-proxy access to *just* the UCSC Genome Browser servers. If you can tell us the IP address/range, that would be best, to foil DNS spoofing.
> 2. ProxyPass doesn't allow queries in URLs; also block directory listing and all access methods but GET.
> 3. Obfuscate each filename with a long random hex number so they can't be guessed.
> 4. Internal server disallow access except to the BAM directory and don't follow symbolic links; so no access to the rest of its filesystem.
>
> (See suggested implementation and links below.)
>
> Comments? *Specific request: if possible specify the IP address range* from which UCSC server file access requests could come.
>
> Thanks much and happy New Year!
> Howie
>
> PS: Here are some resources and an (untested) suggested implementation, for anyone trying something similar.
>
> *UCSC custom tracks*
>
> - Basics: http://genome.ucsc.edu/goldenPath/help/bam.html and http://genome.ucsc.edu/goldenPath/help/customTrack.html#SHARE
> - Our server must accept byte-range requests (206 Partial Content response): https://lists.soe.ucsc.edu/pipermail/genome/2011-February/025008.html and http://comments.gmane.org/gmane.science.biology.ucscgenome.general/7742
> - FTP-specific: http://www.mail-archive.com/[email protected]/msg01742.html
>
> *Reverse proxy*
> Apache mod_proxy basics: http://httpd.apache.org/docs/2.0/mod/mod_proxy.html
>
> Security tips: http://httpd.apache.org/docs/2.0/misc/security_tips.html
>
> *Sample config*
> For our server named ourlocalserver to serve *only* files physically located in /var/www/html/bamfiles and an external webserver to make them available *only* to the UCSC servers at external URL http://example.org/ourgroup/bamfiles I think the config should look something like the following.
>
> *External webserver*
>
>     ProxyRequests Off
>
>     <Proxy *>
>         Order Deny,Allow
>         Deny from all
>         Allow from (IP address of http://genome.ucsc.edu)
>     </Proxy>
>
>     ProxyPass /ourgroup/bamfiles http://ourlocalserver/bamfiles
>
> *Internal server configuration*
>
> Lock down access to the filesystem by default:
>
>     UserDir disabled root
>
>     <Directory />
>         Order Deny,Allow
>         Deny from all
>         Options -Indexes -FollowSymLinks
>         AllowOverride None
>     </Directory>
>
> Only enable access to BAM directory:
>
>     <Directory /var/www/html/bamfiles>
>         Order Deny,Allow
>         Allow from all
>     </Directory>
>
> Disable all but GET: (not sure if Deny all is correct, but that's what I want: so no one can POST etc.)
>
>     <LimitExcept GET>
>         Deny from all
>     </LimitExcept>
>
_______________________________________________
Genome maillist - [email protected]
https://lists.soe.ucsc.edu/mailman/listinfo/genome
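A hardened form of the two configs in the quoted post, added here as an example that is not part of the original thread or the UCSC group's material. It keeps the poster's structure, folds in the reply's point that HEAD must be permitted alongside GET, uses the valid "Deny from all" spelling, and narrows the internal directory to BAM files and their indexes; the IP addresses, the 32-hex-digit filename pattern and the host name ourlocalserver are placeholders/assumptions, and the syntax is Apache 2.2-style (2.4 replaces Order/Allow/Deny with Require).

```apache
## External webserver (reverse proxy facing the UCSC servers), Apache 2.2 syntax
ProxyRequests Off                     # never act as a forward proxy
TraceEnable Off

<Proxy *>
    Order Deny,Allow
    Deny from all
    # Placeholder: replace with the UCSC address list from the linked thread.
    Allow from 192.0.2.0/24
</Proxy>

# Expose one path only; Range headers pass through, so 206 responses work unchanged.
ProxyPass        /ourgroup/bamfiles/ http://ourlocalserver/bamfiles/
ProxyPassReverse /ourgroup/bamfiles/ http://ourlocalserver/bamfiles/

<Location /ourgroup/bamfiles/>
    # Apache already treats HEAD like GET; listing both makes the intent explicit.
    <LimitExcept GET HEAD>
        Order Deny,Allow
        Deny from all
    </LimitExcept>
</Location>

## Internal server (holds the BAM files), reached only from the proxy host
UserDir disabled root
TraceEnable Off

<Directory />
    Order Deny,Allow
    Deny from all
    Options -Indexes -FollowSymLinks
    AllowOverride None
</Directory>

<Directory /var/www/html/bamfiles>
    Options -Indexes -FollowSymLinks
    AllowOverride None
    # Default inside the directory: serve nothing ...
    Order Deny,Allow
    Deny from all
    # ... except files named by a 32-hex-digit token plus .bam or .bam.bai (assumed
    # naming), and only to the proxy host (placeholder address). Each section restates
    # its own Order/Deny/Allow because mod_authz_host does not merge them from the parent.
    <FilesMatch "^[0-9a-f]{32}\.bam(\.bai)?$">
        Order Deny,Allow
        Deny from all
        Allow from 10.0.0.5
    </FilesMatch>
</Directory>
```

Through the external URL, curl -I and curl -r 0-1023 on one file should return 200 and 206 respectively, while a POST, a directory request or any other path should get 403.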
