WARNING: These notes are going to be eliminated by automation anytime soon (see Future section below).
Edit the file under /etc/nginx/sites-available/default to make sure it looks like this (read SSL section below for the encryption bits):
    server {
        auth_basic "UMCCR AWS IGV Server";
        auth_basic_user_file /etc/nginx/htpasswd;
        root /var/www/html;
        # Add index.php to the list if you are using PHP
        index index.html index.htm index.nginx-debian.html;
        server_name igv.dev.umccr.org; # managed by Certbot
        location / {
            # First attempt to serve request as file, then
            # as directory, then fall back to displaying a 404.
            try_files $uri $uri/ =404;
        }
        location /igv {
            alias /var/www/igv;
            autoindex on;
        }
        listen [::]:443 ssl ipv6only=on; # managed by Certbot
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/igv.dev.umccr.org/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/igv.dev.umccr.org/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }
Then enable the site with:
    ln -sf /etc/nginx/sites-available/default /etc/nginx/sites-enabled/default
certbot from Let's Encrypt can be used to easily set up free SSL certificates.
Placing the following lines in our /etc/fstab will allow us to expose a read-only S3 bucket under /mnt/igv and /mnt/primary so that the NGINX web server can pick up the BAM/BAI files.
    #s3fs#bucket1 /mnt/primary fuse _netdev,iam_role=auto,auto,users,defaults,uid=www-data,gid=www-data,ro,allow_other 0 0
    s3fs#bucket2 /mnt/igv fuse _netdev,iam_role=auto,ro,auto,users,defaults,uid=www-data,gid=www-data,allow_other 0 0
Note that iam_role=auto assumes that the IAM instance profile for the currently running instance has access to the referred S3 bucket (in order to avoid hardcoded IAM credentials on the machine image).
This is an example IGV XML Server file, to be generated automatically via aws s3 ls s3://bucket1/* and some python Jinja2 templating:
    <?xml version="1.0" encoding="UTF-8"?>
    <Global name="UMCCR AWS IGV server" version="1">
        <Category name="UMCCR Amazon IGV bucket">
            <Resource name="small_bam" path="https://igv.dev.umccr.org/igv/test.bam"></Resource>
            <Resource name="ipmn2984_tumor-normal" path="https://igv.dev.umccr.org/igv/ipmn2984__IPMN2984_tumor-tumor.mini.bam"></Resource>
            <Resource name="ipmn2984_tumor-tumor" path="https://igv.dev.umccr.org/igv/ipmn2984__IPMN2984_tumor-tumor.mini.bam"></Resource>
        </Category>
    </Global>
This XML file should be pointed to by an accompanying .txt file:
    root@ip-172-31-30-42:/var/www/igv# cat umccr_registry.txt
    https://igv.dev.umccr.org/igv/umccr_registry.xml
As a stopgap solution, the igv_regenerate.sh shell script takes care of this process, although it does not run automatically.
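The registry generation described above, as an added example (not the project's igv_regenerate.sh or the author's code): it parses `aws s3 ls` output and builds the XML with Python's standard-library ElementTree instead of Jinja2, so that object keys containing `&`, quotes or spaces are escaped in the XML and percent-encoded in the URL. The listing is constructed sample data, and deriving each Resource name from the file name is an assumption.

```python
import xml.etree.ElementTree as ET
from urllib.parse import quote

BASE_URL = "https://igv.dev.umccr.org/igv/"  # URL prefix used in the sample registry above

# Constructed sample of `aws s3 ls` output: date, time, size, key.
SAMPLE_LISTING = """\
2018-03-01 10:15:02    1048576 test.bam
2018-03-01 10:15:03       4096 test.bam.bai
2018-03-02 09:00:11    2097152 ipmn2984__IPMN2984_tumor-tumor.mini.bam
2018-03-02 09:00:12     524288 odd "name" & more.bam
2018-03-02 09:00:13        120 notes.txt
"""

def parse_keys(listing):
    """Return object keys from `aws s3 ls` lines, skipping PRE (prefix) rows."""
    keys = []
    for line in listing.splitlines():
        parts = line.split(None, 3)  # keys may contain spaces: split at most 3 times
        if len(parts) == 4 and parts[2].isdigit():
            keys.append(parts[3])
    return keys

def build_registry(keys, base_url=BASE_URL):
    """Build the IGV registry XML, listing only .bam objects."""
    root = ET.Element("Global", name="UMCCR AWS IGV server", version="1")
    cat = ET.SubElement(root, "Category", name="UMCCR Amazon IGV bucket")
    for key in sorted(keys):
        if not key.endswith(".bam"):
            continue  # like the sample registry, list BAM files only (no .bai, no other files)
        # Assumption: the Resource name is the file name without ".bam".
        # quote() percent-encodes the key for the URL; ElementTree escapes
        # &, < and " when it serialises the attribute values.
        ET.SubElement(cat, "Resource", name=key[:-len(".bam")],
                      path=base_url + quote(key))
    if hasattr(ET, "indent"):  # pretty-printing is available from Python 3.9
        ET.indent(root)
    body = ET.tostring(root, encoding="unicode")
    return '<?xml version="1.0" encoding="UTF-8"?>\n' + body + "\n"

if __name__ == "__main__":
    print(build_registry(parse_keys(SAMPLE_LISTING)), end="")
```
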
This service should ideally expose only HTTPS (443). To achieve that, the security groups should be set up accordingly. At the OS level, ufw can also be used like this:
    $ sudo apt-get install -y ufw
    $ sudo ufw allow https
    $ sudo ufw allow ssh
    $ sudo ufw enable
    $ sudo service ufw restart