Hi --
My group at a major hospital wants to visualize ca. 1 TB of BAM files from
an internal server as UCSC Genome Browser custom tracks, without needing to
copy them all to an external webserver. I'm trying to think of
sufficiently draconian security measures that admins will
allow reverse-proxy access to these files through the firewall by the UCSC
Genome Browser. Seems this would be a common need; so worth some effort to
make solid. What do you think of these parameters?
1. Limit reverse-proxy access to *just* the UCSC Genome Browser servers.
If you can tell us the IP address/range, that would be best, to foil DNS
spoofing.
2. ProxyPass doesn't allow queries in URLs; also block directory
listing and all access methods but GET.
3. Obfuscate each filename with a long random hex number so they can't
be guessed.
4. Internal server disallow access except to the BAM directory and don't
follow symbolic links; so no access to the rest of its filesystem.
(See suggested implementation and links below.)
Comments? *Specific request: if possible specify the IP address range* from
which UCSC server file access requests could come.
Thanks much and happy New Year!
Howie
PS: Here are some resources and an (untested) suggested implementation, for
anyone trying something similar.
*UCSC custom tracks*
- Basics: http://genome.ucsc.edu/goldenPath/help/bam.html and
http://genome.ucsc.edu/goldenPath/help/customTrack.html#SHARE
- Our server must accept byte-range requests (206 Partial Content
response):
https://lists.soe.ucsc.edu/pipermail/genome/2011-February/025008.html
and
http://comments.gmane.org/gmane.science.biology.ucscgenome.general/7742
- FTP-specific:
http://www.mail-archive.com/[email protected]/msg01742.html
*Reverse proxy*
Apache mod_proxy basics: http://httpd.apache.org/docs/2.0/mod/mod_proxy.html .
Security tips: http://httpd.apache.org/docs/2.0/misc/security_tips.html
*Sample config*
For our server named ourlocalserver to serve *only* files physically
located in /var/www/html/bamfiles
and an external webserver to make them available *only* to the UCSC servers
at external URL http://example.org/ourgroup/bamfiles
I think the config should look something like the following.
*External webserver*
ProxyRequests Off
<Proxy *>
Order Deny,Allow
Deny from all
Allow from (IP address of http://genome.ucsc.edu)
</Proxy>
ProxyPass /ourgroup/bamfiles http://localserver/bamfiles
*Internal server configuration*
Lock down access to the filesystem by default:
UserDir disabled root
<Directory />
Order Deny,Allow
Deny from all
Options -Indexes -FollowSymLinks
AllowOverride None
</Directory>
Only enable access to BAM directory:
<Directory /var/www/html/bamfiles>
Order Deny,Allow
Allow from all
</Directory>
Disable all but GET: (not sure if Deny all is correct, but that's what I
want: so no one can POST etc.)
<LimitExcept GET>
Deny all
</LimitExcept>
--
Howard Goodell, Sc.D.
617 401-1090 cell
Skype howiegoodell
Google Talk howie.goodell
“He that will not apply new remedies must expect new evils, for time is the
greatest innovator.”
—Francis Bacon, Essays
_______________________________________________
Genome maillist - [email protected]
https://lists.soe.ucsc.edu/mailman/listinfo/genome
