f90dad3fd12f2d38f0407507297343d692a56a48 galt Fri Nov 19 14:42:03 2021 -0800 Adding log setting to httpsCertCheck and making it the new default. This makes it even softer on users, gives us more time to prepare, only logs certs to stderr and only if run as a CGI so that SCRIPT_NAME env var is set. The user does not see anything diffent in behavior and output for log level, but we see cert issues in the log. diff --git src/product/ex.hg.conf src/product/ex.hg.conf index 971b738..4430690 100644 --- src/product/ex.hg.conf +++ src/product/ex.hg.conf @@ -1,650 +1,650 @@ ########################################################### # Config file for the UCSC Human Genome server # # the format is in the form of name/value pairs # written 'name=value' (note that there is no space between # the name and its value. # ########################################################### # db.host is the name of the MySQL host to connect to # high-volume sites will want a separate database server from the web server db.host=localhost # db.user is the username is use when connecting to the specified db.host # it needs read-only access. The browser CGIs do not need # read-write access to the database tables db.user=readonly # db.password is the password to use with the specified db.user db.password=access # if your MySQL system is configured for a different socket connection, # use the following variables to override the MySQL defaults: # db.socket=/var/lib/mysql/mysql.sock # db.port=3306 # *!# NOTE: the port override will only work when host is *not* localhost # when localhost is used, MySQL may connect via shared memory # connections and not via TCP/IP socket ports # slow-db is the name of a MySQL host to fallback to if a query failed # on db.host. This means that tables can be dropped from db.host as long as # they are present on slow-db. #slow-db.host=genome-mysql.soe.ucsc.edu #slow-db.user=genomep #slow-db.password=password # If you have assemblies that exists only on this server but not at UCSC, they have to # be declared here, so that the slow-db code does not try to find them on the # genome-mysql.soe.ucsc.edu server #slow-db.excludeDbs=myGenome,myGenome2 # If the slow-db host is far away (more than a few msecs), a table on db.host # with schema information of the slow-db databases will speed up most tracks. # The table is created with the command "makeTableList" and its name is # specified here. If you activate the command below, AND you also have a genome # assembly database on your local mirror that is not present on # genome-mysql.soe.ucsc.edu, then you will need to run the tool 'makeTableList # ' to make your genome usable. The table list is a pretty essential # tool to increase remote data access performance to genomes loaded from UCSC, # via slow-db and gbdbLoc1/2 (see below) and so it is assumed to be present. # The code does not know if a genome is local-only or local-and-UCSC, so the tableList # must be created for local databases if you use the showTableCache speedup. # showTableCache=tableList # If your mysql server is configured to reject the option LOCAL in the command # LOAD DATA INFILE (e.g. in OpenSuse) then you can force the browser to never # use the LOCAL option. Note that for this to work, you have to keep all you # mysql servers on the same machine as the CGIs and these servers must have # file permissions and any security infrastructure like SELinux or AppArmor # setup in a way that allows them to read temporary files that the CGIs # (hgCustom, the custom track loaders) create # db.neverLocal=1 # if you want a different default species selection on the Gateway # page, change this default Human to one of the genomes from the # defaultDb table in hgcentral: # hgsql -e "select genome from defaultDb;" hgcentral # If you need a different version of that specific genome, change # the defaultDb table entry, for example, a different mouse genome # version as default: # hgsql -e 'update defaultDb set name="mm8" where genome="Mouse" # then this defaultGenome would read: defaultGenome=Mouse # defaultGenome=Human # tracks display width has a default maximum width of 5000 pixels # override that limit with a larger number for maxDisplayPixelWidth # maxDisplayPixelWidth=5000 # trackDb table to use. A simple value of `trackDb' is normally sufficient. # In general, the value is a comma-separated list of trackDb format tables to # search. This supports local tracks combined with a mirror of the trackDb # table from UCSC. The names should be in the form `trackDb_suffix'. This # implies a parallel hgFindSpec format search table exists in the form # hgFindSpec_suffix. The specified trackDb tables are searched in the order # specified, with the first occurrence of a track being used. You may associate # trackDb/hgFindSpec tables with other instances of genome databases using a # specification of dbProfile:trackDbTbl, where dbProfile is the name of a # databases profile in hg.conf, and trackDbTbl is the name of the table in the # remote databases. See below for details of dbProfile # db.trackDb=trackDb #db.trackDb=trackDb_local,trackDb #db.trackDb=trackDb,someDbProfile:trackDb # track group table definitions. This is a comma-seperate list similar to # db.trackDb that defines the track group tables. Database profiles # may alow be included using the syntax dbProfile:grpTbl. db.grp=grp #db.grp=grp_local,grp #db.grp=grp,someDbProfile:grp # New browser function as of June 2012: # # The UCSC genome browser is using new hgLogin CGI to replace # sign-in service provided by genomewiki previously. # # To maintain backward compatibility, the hgLogin CGI # reuse most of the genomewiki related configuration parameters such as # host and cookie names. This design make transition from genomewiki # to hgLogin transparent. For current mirror sites with sign-in function # (via a simulated- or locally-installed mediawiki server), as long as # hgLogin is not enabled, all browser functions and current sign-in # functions will work as before. Please refer to # # http://genomewiki.ucsc.edu/index.php/Enabling_hgLogin # # for more details. # # To enable the hgLogin function, set the following 8 parameters as # described below: # login.systemName: must be set to some name to enable hgLogin CGI. # wiki.host: should be set to the host that running the hgLogin CGI. # The host should be in the same domain as value set in # "central.domain". # The special value HTTPHOST for wiki.host will use the # server hostname as supplied by the http request. This allows # login to work if a server is reached under different names. # The default value HTTPHOST should work in all contexts. # Set the values of the two cookies to value exactly the same as below. # required to use hgLogin login.systemName=hgLogin CGI # url to server hosting hgLogin wiki.host=HTTPHOST # Arbitrary name of cookie holding user name wiki.userNameCookie=myLabCookieNameForUserName # Arbitrary name of cookie holding user id wiki.loggedInCookie=myLabCookieNameForUseID # The following 4 parameters are used for UI headings (browserName) and # necessary text string used in emails send out to user. # You should set them to any appropriate local values. # title of host of browser, this text be shown in the user interface of # the login/sign up screens login.browserName=myLab Genome Browser # base url of browser installed login.browserAddr=http://mylab.university.edu # signature written at the bottom of hgLogin system emails login.mailSignature=My Lab browser administrator # from/return email address used for system emails # or NOEMAIL to skip the email confirmation login.mailReturnAddr=browserAdministrator@mylab.university.edu # If login is enabled, then the server should be configured to support HTTPS. # HTTPS is used for hgLogin by default. If the server cannot support HTTPS # but login is still enabled (not recommended), HTTPS for hgLogin can be # disabled by uncommenting this setting: #login.https=off # if https is on, the user login (hgLogin) redirects the user to https. # To do this, it has to use an absolute link that starts with https and the server # name. In certain circumstances, this is not needed, e.g. when the genome browser # is always using https anyways. If the genome browser runs behind a reverse # proxy, this does not work at all, as the CGI does not know that the connection is # already using HTTPs. In these cases, the following statement will not try to # redirect to HTTPS but just use a normal, relative link during/after the login #login.relativeLink=on # If you do not want to use our hgLogin but want to use HTTP Basic Authentication # (e.g. if you have usernames in an htpasswd file or want to use mod_auth_ldap and # validate users against an LDAP server), then you can activate this here. # login.basicAuth=on # Secret text string (like password) for generating and validating secure login key: login.cookieSalt=longSecretTextString # The following 6 parameters are used to set up your browser to accept user suggestions. # After a user submits a suggestion, both the user and the suggestion admin address below # will receive an email containing the suggestion. # email address for the suggestion admin suggest.mailToAddr=suggestion@myuniversitysoe.edu # sender address for the suggestion email suggest.mailFromAddr=browserAdministrator@mylab.university.edu # Keyword in the mail subject line to help filter out spam suggest.filterKeyword=FORYOUREYESONLY # signature written at the bottom of suggestion emails suggest.mailSignature=My Lab browser administrator # contact address for suggestion follow up suggest.mailReturnAddr=browserAdministrator@mylab.university.edu # browser name used in emails suggest.browserName=myLab Genome Browser # The following instructions for using genomewiki has been replaced by the # new hgLogin function as describe above. The section are preserved here # to serve as a reference for the current mirror site using locally # installed mediawiki for the sign-in function. # New browser function as of March 2007, allowing saved genome browser # sessions into genomewiki. These Cookie names depend upon how # your wiki is configured. The wiki system constructs the cookie # names from its own variables $wgDBname and $wgDBprefix # You can find these in your LocalSettings.php, if $wgDbprefix # is not null the cookie name is: $wgDBname_$wgDBprefix_UserName # if wgDbprefix is null then simply: $wgDBname_UserName # same pattern for _UserID and __session below # The example here is for $wgDBName=wikidb and $wgDBprefix=mw1 # wiki.host=genomewiki.ucsc.edu # wiki.userNameCookie=wikidb_mw1_UserName # wiki.loggedInCookie=wikidb_mw1_UserID # You will need to create the namedSessionDb table in your hgcentral db: # hgsql hgcentral < yourSourceTree/src/hg/lib/namedSessionDb.sql # See notes about this in the source tree: src/hg/wikiMods/ # wikiTrack function turned on 2009 (this only works if you operate a # local instance of MediaWiki, see also ../hg/wikiMods/ ) # session cookie is used during wiki page edits # wiki.sessionCookie=wikidb_mw1__session # URL is the wiki location for the article pages # wikiTrack.URL=http://genomewiki.ucsc.edu # browser to return to from wiki created pages # wikiTrack.browser=genome.soe.ucsc.edu # You will need to create the namedSessionDb table in your hgcentral db: # hgsql hgcentral < yourSourceTree/src/hg/lib/namedSessionDb.sql # See notes about this in the source tree: src/hg/wikiMods/ # List of wiki user names that have super user edit privileges # to wiki track items. Currently this is only a delete item privilege. # wikiTrack.editors=Hiram # List of databases to enable the wikiTrack function # wikiTrack.dbList=hg18,mm9,hg19 # New browser function as of April 2007, custom track data is kept # in a database instead of in trash files. This function requires # several other factors to be in place before it will work. # This was an optional feature for quite some time in 2007 and 2008, # but it is now mandatory. The older file-based trash system will # appear to work, but it does not operate properly, and can not # operate some of the newer types of custom tracks. # # See also: # http://genomewiki.ucsc.edu/index.php?title=Using_custom_track_database # Use these settings to provide host, user, and password settings customTracks.host= customTracks.user= customTracks.password= customTracks.useAll=yes customTracks.tmpdir=/data/tmp/ct # tmpdir of /data/tmp is the default location if not specified here # Set this to a directory as recommended in the genomewiki # discussion mentioned above. # self destruct option June 2011. To avoid problem of lost long running # CGI processes. Default CGI expiration time is 20 minutes, # enable cgiExpireMinutes to change that default. # A time of 0 indicates no expiration time. positive integer only # browser.cgiExpireMinutes=20 # default for cgiTime printout to Apache error_log is "yes" # uncomment this cgiTime=no option to turn off the printouts to error_log # browser.cgiTime=no # Do not show the generic 500 Apache error, but show the browser error message # instead to the user. showEarlyErrors=on # The opposite: try to suppress very early errors as far as possible as # show a 500 Apache error instead. This somewhat reduces the options for # Cross-Site-Scripting attacks but makes it harder for users to find out # what caused an error, e.g. in custom tracks. # suppressVeryEarlyErrors=on # There are additional fonts available, not all are perfect. # Uncomment this to see extra font selections in the configure page # fonts.extra=yes # central.host is the name of the host of the central MySQL # database where stuff common to all versions of the genome # and the user database is stored. central.db=hgcentral central.host=localhost # # Be sure this user has UPDATE AND INSERT privs for hgcentral # The central.domain will allow the browser cookie-cart # function to work. Set it to the domain of your Apache # WEB server. For example, if your browser URL is: # http://mylab.university.edu/cgi-bin/hgTracks?db=hg19 # set central.domain to: mylab.university.edu # An exception to this is when multiple virtual hosts share the # same central database and central.cookie setting (see below). # In #that case, domain should be inclusive of all virtual hosts # (e.g. only #.university.edu). # The special value HTTPHOST will set the domain to whatever # servername was sent with the last HTTP request. This allows cookies # to work if a server has multiple names. central.user=readwrite central.password=update central.domain=mylab.university.edu # use this cookie setting to keep your installation hguid cookie setting # distinct from UCSC hguid cookie. If you have *multiple* central # databases for multiple hosts, set a distinct cookie name per # central database. # central.cookie=hguid.mylab # Configuratuion database containing cart tables. Normally thest in in the # same database as central.db, however can be overriden with these # variables if needed. If any of these are set, all must be set. # cart.db= # cart.host= # cart.user= # cart.password= # personalize the background of the browser with a specified jpg # floret.jpg is the standard UCSC default browser.background=../images/floret.jpg # Change this default documentRoot if different in your installation, # to allow some of the browser cgi binaries to find help text files browser.documentRoot=/usr/local/apache/htdocs # Options to personalize the visual style of the browser # Personalize the background of CGIs that don't use images #browser.bgcolor=FFF9D2 # Add a custom CSS file #browser.style=gbib.css # Give the user a choice between different background images and CSS files #browser.theme.modern=background.png,HGStyle #browser.theme.classic=floret.png,HGStyle-old # optional location of grepIndex files grepIndex.genbank=/data/tmp/grepIndex grepIndex.default=/gbdb # new option for track reording functions, August 2006 hgTracks.trackReordering=on # in case of failure of the above central.host machine, # the following settings will be used to access a secondary # mirror of the database backupcentral.db=hgcentral backupcentral.host=localhost backupcentral.user=readwrite backupcentral.password=update # archivecentral settings are used for archived assemblies # that have been moved to a different machine. archivecentral.db=hgcentral archivecentral.host=localhost archivecentral.user=readwrite archivecentral.password=update # Big data files (sequences, bigBed, bigWig, trix, etc) are stored in /gbdb by default. # The directory can be moved to another location on the local file system. # The trailing slash is required. # gbdbLoc1=/usr/local/browser/gbdb/ # If a gbdb file is not available on the local file system, then the browser # can also load it from a webserver. The trailing slash is required. # The browser will first try to load a file via gbdbLoc1 and if the file does # not exist, fall back to gbdbLoc2. # gbdbLoc2=http://hgdownload.soe.ucsc.edu/gbdb/ # Bottleneck info for taming hyperactive web bots # bottleneck.host=yourHost # bottleneck.port=17776 # directory for temporary bbi file caching, default is /tmp/udcCache # see also: README.udc # udc.cacheDir=/tmp/udcCache # it is OK to specify udc.cachDir=../trash/udcCache # to place it in trash. # Parallel fetching of remote network resources using bigDataUrl such # as trackHubs and customTracks # how many threads to use (set to 0 to disable) parallelFetch.threads=20 # how long to wait in seconds for parallel fetch to finish parallelFetch.timeout=90 # An include directive can be used to read text from other files. this is # especially useful when there are multiple browsers hidden behind virtual # hosts. The path to the include file is either absolute or relative to # the including file (*not* relative to the current direct directory). # include ../cgi-bin-default/hg.conf # A delete directive can be used to delete previouly defined values. # this is useful in conjunction with include when an undefined # value has different meaning than an empty value: # delete archivecentral.db [othervars ...] # Option to disable the "All Tables" query in the table browser. Useful if # one wants to be restrictive about what tables can be seen. # hgta.disableAllTables=yes # # Option to disable the "Send output to Galaxy/Great" in the table browser # Useful if the server is not reachable from galaxy/great # hgta.disableSendOutput=yes # # Option to change the Galaxy target URL to a different site than the main # Galaxy site at usegalaxy.org. The Galaxy CGI is usually called "tool_runner" # galaxyUrl=http://galaxy-qld.genome.edu.au/tool_runner # # Option to "Send output to GenomeSpace" in the table browser # genomeSpace.dmServer=https://dm.genomespace.org/datamanager # genomeSpace.identityServerUrl=https://identity.genomespace.org/identityServer/basic # # Option to disable .nib directories. If set to "no", the # browser will try to use the .2bit file instead of the .nib files, even if # they are setup in hgcentral.dbDb and .chromInfo. .nib files can then # be deleted from this mirror. # allowNib=no # # Base Url of links to Encode PDF files # When this is set as below, the ENCODE PDF files can be deleted from this # mirror. They will get loaded from UCSC. # hgEncodeVocabDocBaseUrl=http://genome.ucsc.edu # If this option is enabled, the browser CGIs will attempt to generate a an # stack traceback on error and dump it to stderr (which is normally captured # in the web server error log). This requires the pstack package to be # installed, which is available on for unix and linux systems. If # signalsHandler is enabled, the stack will also be printed when a signal # indicates an error occurs. # browser.dumpStack=on # log signals # signalsHandler=on # turn on google analytics by setting this key. This is the identifier # specified by your analytics account # set key for analytics account, used in the getTracker(key) function # analyticsKey= # These settings enable geographic allele frequency images on the # details pages for the HGDP Allele Frequency (hgdpGeo) track. # (HGDP = Human Genome Diversity Project) # Programs required for per-SNP geographic maps of HGDP population # allele frequencies: hgc.psxyPath=/hive/data/outside/GMT4.3.1/bin/psxy hgc.ps2rasterPath=/hive/data/outside/GMT4.3.1/bin/ps2raster hgc.ghostscriptPath=/usr/bin/ghostscript # the RNAplot program from the Vienna RNA package # http://www.tbi.univie.ac.at/~ronny/RNA/index.html is used for the RNA # structure plots on the hgGene page. By default it is searched in the # cgi-bin directory itself. # rnaPlotPath=/usr/bin/RNAplot # The 'dot' program from the graphviz package is used by hgGeneGraph # to layout the protein interaction network. We provide a static # binary with the Genome Browser for convenience # graphvizPath=ext/dot_static # # Customize your downloads.server machine name here # This can be used in track html description pages when they use # the variable downloadsServer # Also used by Encode tracks # downloads.server= # enable user specific javascript # browser.javaScriptDir=js/ # enable user specific style directory (CSS files) # browser.styleDir=style-public # enable user specific style/images directory # browser.styleImagesDir=style/images-public # enable user specific css file # browser.style=/style/mystyle.css # enable user specific trix file for track search tool # does substitution on the $db variable # browser.trixPath=/gbdb/$db/trackDb.ix # HTTPS CERTIFICATE VERIFY -# Options are abort, warn, or none (currently default is warn) -#httpsCertCheck=warn +# Options are abort, warn, log, or none (currently default is warn) +#httpsCertCheck=log # domains to whitelist, skip cert checking, space-separated list #httpsCertCheckDomainExceptions= # PROXY # enable http(s) proxy support in net.c #httpProxy=http://someProxyServer:3128 #httpsProxy=http://someProxyServer:3128 #ftpProxy=ftp://127.0.0.1:2121 # if proxy server needs BASIC authentication #httpProxy=http://user:password@someProxyServer:3128 #httpsProxy=http://user:password@someProxyServer:3128 # if some domain suffixes should not be proxied: #noProxy=ucsc.edu,mit.edu,localhost,127.0.0.1 # enable local file access for custom tracks # By default you have to supply http:// URLs for custom track data, e.g. in bigDataUrls # With this statement, you can allow loading from local files, as long as the path # starts with a specific prefix # udc.localDir=/bamFiles # deactivate local disk caching # The system that loads customTrack and track hubs/assembly hubs (internally called UDC) # caches files on local disk in the trash directory. The main disk format in # OSX does not have the functionality needed ("sparse files"), so you can # switch off this cache. # udc.useLocalDiskCache=off # Directory to find CRAM reference sequences in. If a CRAM reference sequence # is not found in this directory, a request file containing the URL to fetch # the sequence will be created in a subdirectory named "pending". A # subdirectory named "error" will be checked for error messages related to # the fetch of reference sequences. # cramRef=/cramFiles ## # Database profiles ## # The dbProfile facility provides a limited mechanism for access tracks from # multiple database servers. This is particularly useful when a mirror server # contains the majority of the track data needs to be shared by multiple # groups with a small number of locally produced tracks that they the need to # keep isolated from the other groups. A dbProfile associates a MySQL host, # user, and password with a dbProfile name. To define a dbProfile named # myProfile, define the hg.conf variables: # # myProfile.host # myProfile.user # myProfile.password # # The default profile is named `db', and is defined by the `db.*' variables # described above. The `customTracks.*' and `central.*' variables also define # profiles. # # Profiles can be associated with an entire genome databases or some types of # tables. To associate database myGenome with myProfile, define the # variable: # myGenome.profile=myProfile # # A dbProfile may be associated with a trackDb/hgFindSpec table pair or a grp # table as described in the `db.trackDb' and `db.grp' variables above. To # associate a particular track table, specify the "dbProfile" setting in the # trackDb entry: # # track myTrack # ... # dbProfile myProfile # # Note that dbProfile only works on a small number of track types and is not # well tested. In general, the dbProfile facility has not been widely use and # may still contain bugs. The recommended approach for setting up a # remote/local server pair is to use the default profile for the remote server # with the majority of tracks, and use a non-default profile for local tracks # and trackDb tables. A common configuration would be: #db.host=oursharedhost #db.user=readonly #db.password=access # #myStuff.host=localhost #myStuff.user=readonly #myStuff.password=access # #db.trackDb=myStuff:trackDb,trackDb #db.grp=myStuffgrp,grp # ## # Track Data Hub related conf variables ## # email address that appears in the hgHubConnect CGI #hub.emailAddress=browserAdministrator@mylab.university.edu # to use something other than "hubPublic" for the hubPublic table #hub.publicTableName=alternateHubPublicTable # to use something other than "hubStatus" for the hubStatus table #hub.statusTableName=alternateHubStatusTable # time in seconds to wait before re-trying a hub with error status # default is 30 minutes (1800 seconds) #hub.timeToCheck=1800 # Directory where a static cache of public hub files exists to # support hub search. #hgHubConnect.cacheDir=../trash/hgHubConnect/hubCrawl # Log visible tracks to error_log # trackLog=on # warning: this can greatly increase the size of your apache error_log # Display phylogenetic tree in hgGateway (URL relative to cgi-bin) # hgGateway.dbDbTaxonomy=../js/dbDbTaxonomy.js # Configuration options for creating session thumbnails: # # System path from cgi-bin to an alternate directory to store # thumbnails (default is ../trash/hgPS). #sessionThumbnail.imgDir=../trash/hgPS # Path from cgi-bin to the thumbnail directory as seen from # the web (default is ../trash/hgPS). #sessionThumbnail.webPath=../trash/hgPS # System path to Imagemagick convert executable, in case it's not # in Apache's path. #sessionThumbnail.convertPath=/usr/bin/convert # Suppress creation of thumbnails and associated warnings. Must # be set to "on" to disable thumbnail creation. #sessionThumbnail.suppress=on # deactivate the hgMirror CGI on this machine # hgMirror is currently only supported on the GBIB VirtualMachine # default is 0 # allowHgMirror=1 # use 2bit files instead of nib. This is only relevant in failover mode # e.g. on GBIB/GBIC on-line modes. and for very old assemblies. # Only the assemblies dm1, cb1, hg16, and sacCer1 default to using .nib # files. Default is no. # forceTwoBit=yes # Turn off option to save blat results as a custom track. Default is on. # useBlatBigPsl=off # number of sequences allowed to submit to on-line blat, default is 25 # hgBlat.maxSequenceCount=25 # use a database other than hgFixed for the location of genbank table like gbCdnaInfo # genbankDb=hgFixed # use a table other than clade to hold the mappings from clades to their labels # cladeTableName=clade # # use a table other than genomeClade to hold the mappings from genome to clade # genomeCladeTableName=genomeClade # # use a table other than defaultDb to hold the default assembly for a genome # defaultDbTableName=defaultDb # # use a table other than dbDb to describe attributes of installed assemblies # dbDbTableName=dbDb # # use a table other than userDb to describe the user database # userDbTableName=userDb # put error lines from warnings about bigBeds in the apache error_log # bigWarn=on # # specify the root directory for a CGI to use instead of the directory the script lives in # browser.cgiRoot=/usr/local/apache/cgi-bin # Limit the number of bytes that the custom track loader for MAF or VCF track will read in # customTracks.maxBytes=52428800 # Allows hgHubConnect to run hubCheck and present a tree of errors or the overall hub # layout. Requires the hubCheck program to be present in the loader directory # hgHubConnect.validateHub=on