Reverse proxy

To expose your Seqera instance behind a reverse proxy, complete the following steps:

  1. Use the Seqera frontend unprivileged image.
  2. Add TOWER_BASE_PATH to the environment variables of the frontend container:
    • TOWER_BASE_PATH: "/myseqera/" exposes your instance at https://example.com/myseqera/ (this must match your proxy configuration)
  3. In the backend/cron environment variables or in the Seqera config file, edit the following environment variables:
    • Set TOWER_SERVER_URL to the complete URL where you want to expose your instance, e.g., TOWER_SERVER_URL: "https://example.com/mytower" (without the trailing slash)
    • Disable/unset TOWER_LANDING_URL
  4. Configure your reverse proxy to redirect all Seqera-related links to your Seqera frontend container:

    • If your frontend container listens on http://tower-frontend:8080 and you're using Apache HTTP as your reverse proxy, add the following lines at the end of your configuration file (replace /myseqera/ with the URL you defined in TOWER_BASE_PATH):
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    LoadModule rewrite_module modules/mod_rewrite.so
    
    RewriteEngine  on
    RewriteRule       "^/myseqera/(.*)$"   http://tower-frontend:8080/$1 [P]
    ProxyPassReverse  "/myseqera/"         http://tower-frontend:8080/
    RewriteRule       "^/api/(.*)$"       http://tower-frontend:8080/api/$1 [P]
    ProxyPassReverse  "/api/"             http://tower-frontend:8080/api/
    RewriteRule       "^/oauth/(.*)$"     http://tower-frontend:8080/oauth/$1 [P]
    ProxyPassReverse  "/oauth/"           http://tower-frontend:8080/oauth/
    RewriteRule       "^/openapi/(.*)$"   http://tower-frontend:8080/openapi/$1 [P]
    ProxyPassReverse  "/openapi/"         http://tower-frontend:8080/openapi/
    RewriteRule       "^/content/(.*)$"   http://tower-frontend:8080/content/$1 [P]
    ProxyPassReverse  "/content/"         http://tower-frontend:8080/content/
    
    • A similar configuration should be applied for NGINX or other reverse proxies. Redirect visits to /api/, /oauth/, /openapi/, and /content/.
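
An NGINX translation of the Apache rules above, as an added example that is not part of the original Seqera documentation. It assumes TOWER_BASE_PATH is "/myseqera/", that the frontend listens on http://tower-frontend:8080, and that these blocks are placed inside the existing server block that serves your public hostname:

```nginx
# Added example, not taken from the Seqera documentation.
# Place inside the server { ... } block for your public host.
# Assumes TOWER_BASE_PATH="/myseqera/" and frontend at tower-frontend:8080.

# Base path. The trailing "/" on proxy_pass replaces the matched
# /myseqera/ prefix, so /myseqera/foo reaches the frontend as /foo
# (same effect as the Apache RewriteRule for ^/myseqera/(.*)$).
location /myseqera/ {
    proxy_pass http://tower-frontend:8080/;
    # Rewrite Location headers from the frontend back to the base path
    # (the ProxyPassReverse equivalent). "default" derives the mapping
    # from the location and proxy_pass values above.
    proxy_redirect default;
}

# The remaining paths are forwarded unchanged, one block per prefix,
# so only the prefixes the frontend needs are reachable via the proxy.
location /api/ {
    proxy_pass http://tower-frontend:8080/api/;
    proxy_redirect default;
}

location /oauth/ {
    proxy_pass http://tower-frontend:8080/oauth/;
    proxy_redirect default;
}

location /openapi/ {
    proxy_pass http://tower-frontend:8080/openapi/;
    proxy_redirect default;
}

location /content/ {
    proxy_pass http://tower-frontend:8080/content/;
    proxy_redirect default;
}
```

Run `nginx -t` to validate the syntax before reloading, and replace /myseqera/ with the value you set in TOWER_BASE_PATH.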

After you configure the reverse proxy, the Seqera frontend URL (default http://tower-frontend:8080) should return a blank page. This behavior is expected, because Seqera is now configured to work only from behind the reverse proxy.
