SSL/TLS
We recommend using public TLS certificates wherever possible. Private certificates are supported, but require additional configuration during Tower installation and Nextflow execution.
Configure Nextflow Tower to trust your private certificate
If you secure related infrastructure (such as private git repositories) with certificates issued by a private Certificate Authority, these certificates must be loaded into the Tower Enterprise containers. You can achieve this in several ways.
??? example "Options" 1. This guide assumes you are using the original containers supplied by Seqera. 2. Replace TARGET_HOSTNAME, TARGET_ALIAS, and PRIVATE_CERT.pem with your unique values. 3. Previous instructions advised using openssl. As of April 2023, the native keytool utility is preferred as it simplifies steps and better accommodates private CA certificates.
=== "Use Docker volume"
-
Retrieve the private certificate on your Tower container host.
keytool -printcert -rfc -sslserver TARGET_HOSTNAME:443 > /PRIVATE_CERT.pem -
Modify the
backendandcroncontainer configuration blocks in docker-compose.yml.CONTAINER_NAME:
# -- Other keys here like `image` and `networks`--
# Add a new mount for the downloaded certificate.
volumes:
- type: bind
source: /PRIVATE_CERT.pem
target: /etc/pki/ca-trust/source/anchors/PRIVATE_CERT.pem
# Add a new keytool import line PRIOR to 'update-ca-trust' for the certificate.
command: >
sh -c "keytool -import -trustcacerts -storepass changeit -noprompt -alias TARGET_ALIAS -file /etc/pki/ca-trust/source/anchor/TARGET_HOSTNAME.pem &&
update-ca-trust &&
/wait-for-it.sh db:3306 -t 60 &&
/tower.sh"
=== "Use K8s ConfigMap"
-
Retrieve the private certificate on a machine with CLI access to your Kubernetes cluster.
keytool -printcert -rfc -sslserver TARGET_HOSTNAME:443 > /PRIVATE_CERT.pem -
Load the certificate as a ConfigMap in the same namespace where your Tower instance will run.
kubectl create configmap private-cert-pemstore --from-file=/PRIVATE_CERT.pem -
Modify both the
backendandcronDeployment objects:-
Define a new volume based on the certificate ConfigMap.
spec:
template:
spec:
volumes:
- name: private-cert-pemstore
configMap:
name: private-cert-pemstore -
Add a volumeMount entry into the container definition.
spec:
template:
spec:
containers:
- name: CONTAINER_NAME
volumeMounts:
- name: private-cert-pemstore
mountPath: /etc/pki/ca-trust/source/anchors/PRIVATE_CERT.pem
subPath: PRIVATE_CERT.pem -
Modify the container start command to load the certificate prior to running Tower.
spec:
template:
spec:
containers:
- name: CONTAINER_NAME
command: ["/bin/sh"]
args:
- -c
- |
keytool -import -trustcacerts -cacerts -storepass changeit -noprompt -alias TARGET_ALIAS -file /PRIVATE_CERT.pem;
./tower.sh
-
=== "Download on Pod start"
-
Modify both the
backendandcronDeployment objects to retrieve and load the certificate prior to running Tower.spec:
template:
spec:
containers:
- name: CONTAINER_NAME
command: ["/bin/sh"]
args:
- -c
- |
keytool -printcert -rfc -sslserver TARGET_HOST:443 > /PRIVATE_CERT.pem;
keytool -import -trustcacerts -cacerts -storepass changeit -noprompt -alias TARGET_ALIAS -file /PRIVATE_CERT.pem;
./tower.sh
Configure the Nextflow launcher image to trust your private certificate
If you secure infrastructure such as private git repositories or your Tower Enterprise instance with certificates issued by a private Certificate Authority, these certificates must also be loaded into the Nextflow launcher container.
??? example "Options" 1. This guide assumes you are using the default nf-launcher image supplied by Seqera. 2. Remember to replace TARGET_HOSTNAME, TARGET_ALIAS, and PRIVATE_CERT.pem with unique values. 3. Previous instructions advised using openssl. As of April 2023, the native keytool utility is preferred as it simplifies steps and better accommodates private CA certificates.
=== "Import certificate via pre-run script"
- Add the following to your compute environment pre-run script:
keytool -printcert -rfc -sslserver TARGET_HOSTNAME:443 > /PRIVATE_CERT.pem
keytool -import -trustcacerts -cacerts -storepass changeit -noprompt -alias TARGET_ALIAS -file /PRIVATE_CERT.pem
cp /PRIVATE_CERT.pem /etc/pki/ca-trust/source/anchors/PRIVATE_CERT.pem
update-ca-trust
Configure Tower to present a SSL/TLS certificate
You can secure your Tower implementation with a TLS certificate in several ways.
??? example "Options" === "Load balancer (recommended)"
Place a load balancer, configured to present a certificate and act as a TLS termination point, in front of the Tower application.
This solution is likely already implemented for cloud-based Kubernetes implementations and can be easily implemented for Docker Compose-based stacks. See this example.
=== "Reverse proxy container"
This solution works well for Docker Compose-based stacks to avoid the additional cost and maintenance of a load balancer. See this example.
=== "Modify frontend container"
Due to complications that can be encountered during upgrades, this approach is not recommended.
Show me anyway
This example assumes deployment on an Amazon Linux 2 AMI.
-
Install nginx and other required packages:
sudo amazon-linux-extras install nginx1.12
sudo wget -r --no-parent -A 'epel-release-*.rpm' https://dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/
sudo rpm -Uvh dl.fedoraproject.org/pub/epel/7/x86_64/Packages/e/epel-release-*.rpm
sudo yum-config-manager --enable epel*
sudo yum repolist all
sudo amazon-linux-extras install epel -y -
Generate a private certificate and key.
-
Create a
ssl.conffile.
server {
server_name your.server.name; # replace with your server name
root /usr/share/nginx/html;
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header Authorization $http_authorization;
proxy_pass_header Authorization;
proxy_pass http://frontend/;
proxy_read_timeout 90;
proxy_redirect http://frontend/ https://your.redirect.url/;
}
error_page 404 /404.html;
location = /40x.html {
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
}
listen [::]:443 ssl ipv6only=on;
listen 443 ssl;
ssl_certificate /etc/ssl/testcrt.crt;
ssl_certificate_key /etc/ssl/testkey.key;
} -
Make a local copy of the
frontendcontainer's/etc/nginx/nginx.conffile. -
Add the following to the
serverblock of your localnginx.conffile:include /etc/nginx/ssl.conf; -
Modify the
frontendcontainer definition in yourdocker-compose.ymlfile:frontend:
image: cr.seqera.io/frontend:${TAG}
networks:
- frontend
ports:
- 8000:80
- 443:443
volumes:
- $PWD/nginx.conf:/etc/nginx/nginx.conf
- $PWD/ssl.conf:/etc/nginx/ssl.conf
- $PWD/cert/testcrt.crt:/etc/ssl/testcrt.crt
- $PWD/cert/testkey.key:/etc/ssl/testkey.key
restart: always
depends_on:
- backend
TLS version support
Tower Enterprise versions 22.3.2 and earlier rely on Java 11 (Amazon Corretto). You may encounter issues when integrating with third-party services that enforce TLS v1.2 (e.g. Azure Active Directory OIDC).
TLS v1.2 can be explicitly enabled by default using JDK environment variables:
_JAVA_OPTIONS="-Dmail.smtp.ssl.protocols=TLSv1.2