Does this role support the proxy to "double proxy"?

[pcm32]

Hi! I'm after doing the following setup:

• VM1 Galaxy server -> VM2 run docker containers for interactive environments

According to what I read in https://github.com/galaxyproject/gx-it-proxy I would assume that I need a double proxy running on VM1 to redirect clients to VM2 once the interactive tool is running there. However, currently https://github.com/usegalaxy-eu/ansible-gie-proxy/blob/cefe920cdb7be4971f63f940aa2e905a8044a710/defaults/main.yml#L22 tells me that this role is not supporting the double proxying (so that client->VM1->VM2), as the --forwardIP and --forwardPort parts are not there.

• Do I need a double proxy for this?
• If I do, does this role support it and I'm missing something?

or is it just enough to set gie_proxy_ip to the VM2 IP?

I'm mostly trying to follow https://training.galaxyproject.org/training-material/topics/admin/tutorials/interactive-tools/tutorial.html adapted to my constraints (separate Galaxy and interactive tools running machines). Is there any other docs I should be aware of for achieving this? Thanks!

[hexylena]

You probably don't need a double proxy. EU has this setup, main server proxies to a server running the containers (which are accessible from the main server.)

gie_proxy_ip should be the address the proxy should bind to, 127.0.0.1 is probably your choice here. (And then nginx on top, passing requests/WS to the proxy, which passes it to the container, running somewhere in your infra.)

EU uses a non-standard role for this, but you can infer some things from our systemd config here: https://github.com/usegalaxy-eu/infrastructure-playbook/blob/master/roles/usegalaxy-eu.gie-node-proxy/templates/galaxy-gie-proxy.service.j2

[pcm32]

Thanks @hexylena, so is the IP of the machine running the containers somehow embedded in this sqlite mentioned here: https://github.com/usegalaxy-eu/infrastructure-playbook/blob/31a87c0d5071b7b39f25018d224e3c9af232c44a/roles/usegalaxy-eu.gie-node-proxy/templates/galaxy-gie-proxy.service.j2#L13

or is the docker client on the Galaxy host configured to talk to the docker daemon in the second machines where the containers actually run? Otherwise, I don't see where the link to the second IP is done for gie-proxy to send you over to the machine with the containers.

Thanks!

[hexylena]

Yep, the IP is in the sqlite DB.

$ sqlite3 /opt/galaxy/mutable-config/interactivetools_map.sqlite .dump
PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE gxitproxy
                                 (key text,
                                  key_type text,
                                  token text,
                                  host text,
                                  port integer,
                                  info text,
                                  PRIMARY KEY (key, key_type)
                                  );
INSERT INTO "gxitproxy" VALUES('yyy','interactivetoolentrypoint','xxxx','132.230.68.24',1106,NULL);
INSERT INTO "gxitproxy" VALUES('yyy','interactivetoolentrypoint','xxxx','132.230.68.24',1122,NULL);
INSERT INTO "gxitproxy" VALUES('yyy','interactivetoolentrypoint','xxxx','132.230.68.78',1071,NULL);
INSERT INTO "gxitproxy" VALUES('yyy','interactivetoolentrypoint','xxxx','132.230.68.21',1111,NULL);
INSERT INTO "gxitproxy" VALUES('yyy','interactivetoolentrypoint','xxxx','132.230.68.22',1082,NULL);
INSERT INTO "gxitproxy" VALUES('yyy','interactivetoolentrypoint','xxxx','132.230.68.24',1134,NULL);
INSERT INTO "gxitproxy" VALUES('yyy','interactivetoolentrypoint','xxxx','132.230.68.21',1113,NULL);