Bioblend NGINX HTTPS

breakthewall · October 13, 2025, 3:20pm

Hi,

I have a Galaxy instance behind an NGINX reverse-proxy protected by SSL, i.e. HTTPS. I try to use Bioblend to get access to Galaxy through the reverse proxy but I have SSL errors.

Python 3.13.7 | packaged by conda-forge | (main, Sep 3 2025, 14:33:26) [Clang 19.1.7 ] on darwin
Type “help”, “copyright”, “credits” or “license” for more information.

>>> from bioblend.galaxy import GalaxyInstance

gi = GalaxyInstance(‘localhost’, key=‘XXX’, verify=‘XXX/fullchain.pem’)
libs = gi.libraries.get_libraries()
Traceback (most recent call last):
File “”, line 1, in
libs = gi.libraries.get_libraries()
File “/opt/anaconda3/envs/bioblend/lib/python3.13/site-packages/bioblend/galaxy/libraries/init.py”, line 317, in get_libraries
libraries = self._get(params={“deleted”: deleted})
File “/opt/anaconda3/envs/bioblend/lib/python3.13/site-packages/bioblend/galaxy/client.py”, line 162, in _get
raise ConnectionError(
…<3 lines>…
)
bioblend.ConnectionError: HTTPSConnectionPool(host=‘localhost’, port=443): Max retries exceeded with url: /api/libraries?deleted=False (Caused by SSLError(SSLCertVerificationError(1, “[SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: Hostname mismatch, certificate is not valid for ‘localhost’. (_ssl.c:1032)”))), 0 attempts left:

Any help will be appreciated. Thanks!

jennaj · October 13, 2025, 7:42pm

Hi @breakthewall

Glad you solved the other problem! Are you still having problems with this one?

The error is about the certificate being registered under something other than “localhost”. This part of your command is forcing the “exact match”.

verify=‘XXX/fullchain.pem’

An example is here:

API documentation for interacting with Galaxy — BioBlend 1.6.0 documentation

Related, this is the section of the README in the docker-galaxy Github has some details about the image and how to set the PROXY_PREFIX variable.

GitHub - bgruening/docker-galaxy: 🐋📊📚 Docker Images tracking the stable Galaxy releases.

With discussion for the base install galaxy_root and proxy_prefix variables discussed here:

Proxying Galaxy with NGINX — Galaxy Project 25.0.3.dev0 documentation

In short, Bioblend is checking for the HOST URL the certificate was registered under, then that is mapped to where you keep Galaxy itself (same location or different).

Does this help? I asked the Admins to double check my advice! They will reply back here (to better document the conversation), but this is the cross-post as a reference. Thanks!

breakthewall · October 14, 2025, 8:09am

Hey Jenna,

thank you so much for your reply!

About the certificate, it is stored on the proxy and registered for localhost since my instance is available under https://localhost, which is forwarded to http://local-docker-ip:8080 by the proxy. the bind value in galaxy.yml is 0.0.0.0:8080.

I have no prefix, Galaxy is served from /.

I have no problem with the reverse proxy itself, it works well. My problem is to access it with Bioblend.

To double-check I ran the following command on my certificate:

openssl x509 -in fullchain.pem -subject -noout

that gave:

subject=CN=localhost

Thanks!

jennaj · October 14, 2025, 11:27pm

Great, thanks for clarifying @breakthewall

I think you might just need to add in the https then. Would you give this a try to see if it is enough?

gi = GalaxyInstance(‘https://localhost’, key=‘API_KEY’, verify=‘path/to/fullchain.pem’)

Thanks!

breakthewall · October 15, 2025, 7:45am

Thank you Jenna but I already tried this (see my first post).

Best,

Joan

jennaj · October 15, 2025, 6:01pm

Oh, ok, because it looks like what was quoted didn’t include the https:// part of the address! All good. I’ve decided to ask the people who create the container for feedback. Let’s keep the conversation here (the forum is preferred for Q&A) but as a reference this is where I posted.

My guess is still that the PROXY_PREFIX is involved when working with the container, and possibly required, but they can confirm and advise.

ps: Thanks for the kind comments! I’m just summarizing our group’s combined experience.

breakthewall · October 15, 2025, 6:48pm

Ah you’re totally right, I didn’t include the good command in my first post, my bad. Anyway, I had tried both, i.e. w and w/o https://.

FYI I’m using a Docker container I’ve built from scratch, not the one made by Björn with which I had some struggles.

jennaj · October 17, 2025, 9:18pm

AH, ok, then you might want to review how the docker-galaxy was served. There are nested dockers! Using a proxy path is likely required to redirect to the where Galaxy actually lives.