Comment: Published by Scroll Versions from space DTPDEVEL and version 2020.2

...

Introduction

Reverse proxies are intermediaries between backend servers and clients. They accept incoming requests from a client, modify the request per the proxy's configuration, and send the modified request to the server. As a result, reverse proxies can improve server performance and increase infrastructure security.

There are several ways to configure a reverse proxy, but DTP supports port-to-port and path-to-port configurations. The "path" in a path-to-port configuration is referred to as a "context path." In either method, the reverse proxy server is configured to forward user requests to the port where the applications are hosted; the proxy is also sometimes used to ensure high availability or strengthen network security. Additionally, you must either configure the reverse proxy server to send the required headers to DTP or update the DTP Tomcat server configuration.

The following diagram shows the basic reverse proxy flow.


The following diagram shows the reverse proxy flow for an environment configured to use context paths.


Configuration

Configure your reverse proxy to send the following headers to DTP:

  • X-Forwarded-Host
  • X-Forwarded-Proto
  • X-Forwarded-Prefix 

The X-Forwarded-Prefix header is only required if you configured context path settings in your DTP applications (Enterprise Pack and Data Collector). Its value must match the context path field in the Enterprise Pack network configuration settings (see Network Settings) and/or the value of the <dc-reverse-proxy-path> element in the Data Collector configuration file (see Configuring Data Collector).

...

Port-to-Port Configuration

In a port-to-port configuration, the reverse proxy accepts client traffic on one port and directs it to one of the DTP application ports. This type of configuration is limited by the number of ports available on the proxy server. The following formats show how the port-to-port configuration may be applied for DTP applications.

DTP Report Center:

<PROTOCOL>://<PROXY>:8080 -> <PROTOCOL>://<DTP_HOST>:8080

Data Collector:

<PROTOCOL>://<PROXY>:8082 -> <PROTOCOL>://<DTP_HOST>:8082

Enterprise Pack:

<PROTOCOL>://<PROXY>:8314 -> <PROTOCOL>://<DTP_HOST>:8314

Requirements

The reverse proxy must be configured to add X-Forwarded- headers to the request directed to DTP so that the application can properly generate URLs. The X-Forwarded- headers affect HTTP redirects for login, navigation, and links sent to third-party applications, such as ALM systems. The following X-Forwarded- headers are required:

  • X-Forwarded-Host 
  • X-Forwarded-Proto  (required only when proxying to a different protocol)
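How an application on the far side of the proxy consumes these headers, and why the proxy must set them rather than pass them through, as an added example in Python that is not DTP's code: it rebuilds the external base URL for a redirect from X-Forwarded-Host, X-Forwarded-Proto and X-Forwarded-Prefix, and places a naive version that trusts the headers from anyone beside a version that honours them only when the TCP peer is a known proxy and the values are well formed. The trusted proxy networks, the local listener address and the sample requests are assumptions constructed for the example.

```python
# Added example (not DTP's code): turning the X-Forwarded-* headers into the
# external URL an application puts into redirects and links, with the headers
# honoured only when the reverse proxy itself delivered the request.
import ipaddress

# Assumption: the reverse proxy reaches the application from one of these networks.
TRUSTED_PROXY_NETS = [
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
]
# Assumption: the application's own listener, used when no proxy is involved.
LOCAL_SCHEME = "http"
LOCAL_HOST = "dtp.host.com:8080"


def is_trusted_proxy(peer_ip):
    """True when the TCP peer that delivered the request is a known proxy."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXY_NETS)


def _forwarded(headers):
    """Case-insensitive lookup of the three forwarded headers (None if absent)."""
    lower = {k.lower(): v for k, v in headers.items()}
    return (lower.get("x-forwarded-proto"),
            lower.get("x-forwarded-host"),
            lower.get("x-forwarded-prefix"))


def naive_external_url(headers, context_path, path_in_context):
    """Vulnerable form: trusts X-Forwarded-* from anyone. A client that can reach
    the application port directly chooses the host that appears in every
    redirect and in the links sent to third-party systems."""
    proto, host, prefix = _forwarded(headers)
    return "%s://%s%s%s" % (proto or LOCAL_SCHEME, host or LOCAL_HOST,
                            (prefix or context_path).rstrip("/"), path_in_context)


def external_url(headers, peer_ip, context_path, path_in_context):
    """Hardened form: forwarded headers count only when the request came from a
    trusted proxy, and their values are checked before use."""
    if not is_trusted_proxy(peer_ip):
        return "%s://%s%s%s" % (LOCAL_SCHEME, LOCAL_HOST,
                                context_path.rstrip("/"), path_in_context)
    proto, host, prefix = _forwarded(headers)
    proto = proto or LOCAL_SCHEME
    host = host or LOCAL_HOST
    prefix = prefix or context_path
    if proto not in ("http", "https"):
        raise ValueError("unexpected X-Forwarded-Proto: %r" % proto)
    if not host or any(c in host for c in "/\\@?#"):   # bare host[:port] only
        raise ValueError("unexpected X-Forwarded-Host: %r" % host)
    if not prefix.startswith("/") or "//" in prefix:
        raise ValueError("unexpected X-Forwarded-Prefix: %r" % prefix)
    return "%s://%s%s%s" % (proto, host, prefix.rstrip("/"), path_in_context)


# Constructed sample requests as the application would see them.
VIA_PROXY = {            # context path setup: the proxy sets all three headers
    "Host": "dtp.host.com:8080",
    "X-Forwarded-Host": "proxy.company.com",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Prefix": "/dtp/grs",
}
PORT_TO_PORT = {         # port-to-port setup, same protocol: no Proto or Prefix needed
    "Host": "dtp.host.com:8080",
    "X-Forwarded-Host": "proxy.company.com:9080",
}
SPOOFED = {              # sent straight to port 8080 by a client, not by the proxy
    "Host": "dtp.host.com:8080",
    "X-Forwarded-Host": "attacker.example",
    "X-Forwarded-Proto": "https",
}

if __name__ == "__main__":
    print(external_url(VIA_PROXY, "10.1.2.3", "/grs", "/login"))
    print(external_url(PORT_TO_PORT, "10.1.2.3", "/grs", "/login"))
    print(naive_external_url(SPOOFED, "/grs", "/login"))           # attacker-controlled host
    print(external_url(SPOOFED, "203.0.113.9", "/grs", "/login"))  # proxy not involved: ignored
```

In the nginx examples on this page, proxy_set_header replaces any X-Forwarded-* value the client sent; Apache's ProxyAddHeaders merges with client-supplied values rather than replacing them, so unset X-Forwarded-Host and X-Forwarded-For with RequestHeader unset before proxying, or set them explicitly as the Apache example does for Prefix and Proto. Restricting the application ports to the proxy (firewall rules or bind address) closes the direct-access path the SPOOFED request relies on.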

Forwarding Requests

Refer to your reverse proxy server documentation for details on how to forward requests. The following examples are intended to provide basic guidance on reverse proxy server configuration and show how a reverse proxy may be configured on nginx.

Forwarding Configuration with NGINX

In the following configuration, all underlying services/webapps should be running on the local machine over HTTP. Data Collector uses HTTPS by default, so either switch it to HTTP or change its proxy_pass target to https://. The configuration supports protocol redirection (e.g., HTTPS to HTTP), but additional configuration is required to enable HTTPS on the reverse proxy (refer to the comments in the example).

```nginx
http {

  # Simplifies setting the "Connection" header.
  # Required by Enterprise Pack application.
  map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
  }

  # Add necessary headers for WebSocket proxying.
  # Required by Enterprise Pack application.
  proxy_http_version 1.1;
  proxy_set_header Upgrade    $http_upgrade;
  proxy_set_header Connection $connection_upgrade;

  # Add necessary "X-Forwarded-" proxy headers.
  # proxy_set_header replaces any value the client sent, so clients cannot
  # choose the host or scheme that DTP puts into redirects and links.
  proxy_set_header X-Forwarded-Proto  $scheme;
  proxy_set_header X-Forwarded-Host   $http_host;

  # To terminate HTTPS on the proxy, provide a certificate here and use the
  # commented "listen ... ssl" lines below.
  # ssl_certificate     /path/to/cert;
  # ssl_certificate_key /path/to/key;

  server {
    listen 9080;
    # listen 9443 ssl;
    location / {
      # Proxy incoming requests to DTP.
      proxy_pass http://localhost:8080/;
    }
  }

  server {
    listen 9082;
    # listen 9082 ssl;
    location / {
      # Proxy incoming requests to Data Collector.
      proxy_pass http://localhost:8082/;
    }
  }

  server {
    listen 9314;
    # listen 9314 ssl;
    location / {
      # Proxy incoming requests to Enterprise Pack.
      proxy_pass http://localhost:8314/;
    }
  }
}
```


The configuration should be saved with LF line endings. The comments nested in configuration blocks can cause parsing issues when CRLF line endings are used.

See Network Settings for additional information about using DTP Enterprise Pack in a reverse proxy environment.

See Configuring Data Collector for additional information about using Data Collector in a reverse proxy environment. 

Reverse Proxy Support for WebSockets 

Refer to the following documentation if you are configuring your NGINX reverse proxy server for WebSockets communication: http://nginx.org/en/docs/http/websocket.html

Path-to-Port Configurations (Context Paths)

In a path-to-port configuration, client traffic is sent to the proxy at a specific context path and is directed to one of the DTP application ports. A path-to-port configuration is not limited by the number of ports available on the proxy server, because the proxy can direct requests to many different backend servers based on the context path in the request. For this reason, the standard HTTP ports (80 for HTTP and 443 for HTTPS) are often used in the configuration.

The following formats demonstrate how the context path configuration may be applied for DTP applications (the context path names dc and ep are the ones used in the examples below).

DTP Report Center

<PROTOCOL>://<PROXY>/grs -> <PROTOCOL>://<DTP_HOST>:8080/grs

Data Collector

<PROTOCOL>://<PROXY>/dc -> <PROTOCOL>://<DTP_HOST>:8082

Enterprise Pack

<PROTOCOL>://<PROXY>/ep -> <PROTOCOL>://<DTP_HOST>:8314

It's not required, but all DTP and Enterprise Pack servers are generally configured under a common context path with individual services/webapps served on a sub-context path:

<PROTOCOL>://<PROXY>/dtp/<WEBAPP> -> <PROTOCOL>://<DTP_HOST>:<PORT>/<WEBAPP>

Requirements

Configure your reverse proxy to send the following headers to DTP:

  • X-Forwarded-Host 
  • X-Forwarded-Prefix 
  • X-Forwarded-Proto  (required only when proxying to a different protocol)

The header values should match the context path field in the Enterprise Pack network configuration settings (see Network Settings) and/or the value of the <dc-reverse-proxy-path> element in the Data Collector configuration file (see Configuring Data Collector). The X-Forwarded-Host header should carry the host of the original request, i.e., the reverse proxy host as the client addressed it.

Forwarding Requests

Refer to your reverse proxy server documentation for details on how to forward requests. The following examples are intended to provide basic guidance on reverse proxy server configuration.   

Forwarding Request for Context Path Configurations on NGINX

In the following configuration, underlying services/webapps should be running on the local machine over HTTP. Data Collector uses HTTPS by default, so either switch it to HTTP or change its proxy_pass target to https://. The configuration supports protocol redirection (e.g., HTTPS to HTTP), but additional configuration is required to enable HTTPS on the reverse proxy (refer to the comments in the example).

```nginx
http {

  # Simplifies setting the "Connection" header.
  # Required by Enterprise Pack application.
  map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
  }

  # Simplifies setting the "X-Forwarded-Prefix" header.
  # "pstsec" is listed before "pst": alternatives are tried left to right and
  # nothing anchors the end of the group, so "pst" would otherwise match
  # /dtp/pstsec/... and the wrong prefix would be sent.
  map $request_uri $x_forwarded_prefix {
    ~^/dtp/(dc|ep|grs|licenseserver|pstsec|pst|tcm)/?   /dtp/$1;
    # Any other request under /dtp gets the common prefix (as in the Apache example).
    ~^/dtp/?.*                                         /dtp;
  }

  server {
    listen 80;
    # listen 443 ssl;
    # ssl_certificate     /path/to/cert;
    # ssl_certificate_key /path/to/key;

    location /dtp/ {

      # Redirect to app with a trailing slash if not present.
      if ($request_uri = $x_forwarded_prefix) {
        return 301 $request_uri/;
      }

      # Add necessary headers for WebSocket proxying.
      # Required by Enterprise Pack application.
      proxy_http_version 1.1;
      proxy_set_header Upgrade    $http_upgrade;
      proxy_set_header Connection $connection_upgrade;

      # Add necessary "X-Forwarded-" proxy headers.
      proxy_set_header X-Forwarded-Proto  $scheme;
      proxy_set_header X-Forwarded-Host   $http_host;
      proxy_set_header X-Forwarded-Prefix $x_forwarded_prefix;

      # Proxy incoming requests to the DTP server by default.
      proxy_pass http://localhost:8080/;

      location /dtp/dc/ {
        # Proxy incoming requests to Data Collector.
        proxy_pass http://localhost:8082/;
      }

      location /dtp/ep/ {
        # Proxy incoming requests to Enterprise Pack.
        proxy_pass http://localhost:8314/;
      }
    }
  }
}
```

Forwarding Configuration for DTP

The following example demonstrates how you could configure nginx to access DTP hosted at port 8443 through the reverse proxy at port 3001. In this and the next two examples each application is reached through its own proxy port (a port-to-port layout) with HTTPS terminated on the proxy. Note that nginx does not verify the certificate of an HTTPS upstream by default; when the proxy forwards to an HTTPS backend, enable proxy_ssl_verify and point proxy_ssl_trusted_certificate at the CA that issued the backend certificate.

```nginx
# DTP: HTTPS 3001 -> HTTPS 8443
server {
    listen  3001            ssl;
    listen  [::]:3001       ssl;

    # The original example also had "ssl on;", which is redundant with
    # "listen ... ssl" and has been removed from current nginx releases.
    ssl_certificate /etc/nginx/certs/ssl-certificate-bundle.crt;
    ssl_certificate_key /etc/nginx/certs/ssl-certificate-key.key;
    ssl_session_cache       builtin:1000 shared:SSL:10m;
    # The original example also allowed TLSv1 and TLSv1.1, which are deprecated
    # (TLSv1.3 needs OpenSSL 1.1.1 or later).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass              https://dtp.yourcompany.com:8443;
        proxy_set_header        Host $http_host;
        proxy_set_header        X-Forwarded-Host $http_host;
        proxy_set_header        X-Forwarded-Proto https;
        proxy_read_timeout      90;
    }
}
```

Forwarding Configuration for Enterprise Pack

The following example demonstrates how you could configure nginx to access Enterprise Pack hosted at port 8314 through the reverse proxy at port 3002. See Network Settings for additional information about using DTP Enterprise Pack in a reverse proxy environment.

```nginx
# Enterprise Pack: HTTPS 3002 -> HTTP 8314
server {
    listen  3002            ssl;
    listen  [::]:3002       ssl;

    # "ssl on;" omitted: redundant with "listen ... ssl" and removed from current nginx.
    ssl_certificate /etc/nginx/certs/ssl-certificate-bundle.crt;
    ssl_certificate_key /etc/nginx/certs/ssl-certificate-key.key;
    ssl_session_cache       builtin:1000 shared:SSL:10m;
    # TLSv1 and TLSv1.1 from the original example are deprecated and dropped here.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    location / {
        proxy_pass              http://entpack.yourcompany.com:8314;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Host $http_host;
        proxy_set_header        X-Forwarded-Proto https;
        proxy_read_timeout      90;

        # WebSocket support required by Enterprise Pack.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

The configuration should be saved with LF line endings. The comments nested in configuration blocks can cause parsing issues when CRLF line endings are used.

See Network Settings for additional information about using DTP Enterprise Pack in a reverse proxy environment.

Forwarding Configuration for Data Collector

The following example demonstrates how you could configure nginx to send data to Data Collector hosted at port 8082 through the reverse proxy at port 3003. See Configuring Data Collector for additional information about using Data Collector in a reverse proxy environment.

```nginx
# Data Collector: HTTPS 3003 -> HTTPS 8082
server {
    listen  3003            ssl;
    listen  [::]:3003       ssl;

    # The original example also had "ssl on;", which is redundant with
    # "listen ... ssl" and has been removed from current nginx releases.
    ssl_certificate /etc/nginx/certs/ssl-certificate-bundle.crt;
    ssl_certificate_key /etc/nginx/certs/ssl-certificate-key.key;
    ssl_session_cache       builtin:1000 shared:SSL:10m;
    # The original example also allowed TLSv1 and TLSv1.1, which are deprecated
    # (TLSv1.3 needs OpenSSL 1.1.1 or later).
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    location / {
        # Data Collector is reached over HTTPS; nginx does not verify the upstream
        # certificate unless proxy_ssl_verify is enabled.
        proxy_pass              https://dc.yourcompany.com:8082;
        proxy_set_header        X-Forwarded-Host $http_host;
        proxy_set_header        X-Forwarded-Proto $scheme;
        proxy_read_timeout      90;
    }
}
```

Reverse Proxy Support for WebSockets 

Refer to the following documentation if you are configuring your NGINX reverse proxy server for WebSockets communication: http://nginx.org/en/docs/http/websocket.html

Forwarding Request for Context Path Configurations on Apache HTTPD

In the following configuration, DTP_HOSTNAME should be provided as an environment variable (Apache expands ${DTP_HOSTNAME} from the environment or from a Define directive) and the underlying services/webapps should be running over HTTP. Data Collector uses HTTPS by default, so either switch it to HTTP or change its ProxyPass target to https://. The configuration supports protocol redirection (e.g., HTTPS to HTTP), but additional configuration is required to enable HTTPS on the reverse proxy (refer to the comments in the example). mod_proxy, mod_proxy_http, mod_proxy_wstunnel, mod_rewrite and mod_headers must be loaded. Note that the commented SSLProxyCheckPeerCN off would disable hostname verification of a backend certificate; leave it enabled if you do proxy to an HTTPS backend.

```apache
Listen 80

# Listen 443 https
# SSLEngine on
# SSLVerifyClient none
# SSLProxyCheckPeerCN off
# SSLCertificateFile /path/to/cert
# SSLCertificateKeyFile /path/to/key

# Automatically add the following headers to proxied requests.
# - X-Forwarded-For
# - X-Forwarded-Host
# - X-Forwarded-Server
ProxyAddHeaders on

# Enable the "RewriteRule" directive used for WebSocket proxying.
RewriteEngine on

<Location /dtp>
    RequestHeader set X-Forwarded-Prefix /dtp
    RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME}

    ProxyPass "http://${DTP_HOSTNAME}:8080"
    ProxyPassReverse "http://${DTP_HOSTNAME}:8080"
</Location>

# "pstsec" is listed before "pst": alternatives are tried left to right and
# nothing anchors the end of the group, so "pst" would otherwise match
# /dtp/pstsec/... and set the wrong prefix.
<LocationMatch "^/dtp/(?<app>dc|ep|grs|licenseserver|pstsec|pst|tcm)">
    RequestHeader set X-Forwarded-Prefix "/dtp/%{MATCH_APP}e"
</LocationMatch>

<Location /dtp/dc>
    ProxyPass "http://${DTP_HOSTNAME}:8082"
    ProxyPassReverse "http://${DTP_HOSTNAME}:8082"
</Location>

<Location /dtp/ep>
    ProxyPass "http://${DTP_HOSTNAME}:8314"
    ProxyPassReverse "http://${DTP_HOSTNAME}:8314"

    # mod_proxy_wstunnel is required for WebSocket proxying.

    # Rewrite for Enterprise Pack WebSockets.
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteCond %{REQUEST_URI} ^/dtp/ep/(socket\.io/.*) [NC]
    RewriteRule .* "ws://${DTP_HOSTNAME}:8314/%1" [P,L]

    # Rewrite for Node-RED WebSockets.
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteCond %{HTTP:Connection} upgrade [NC]
    RewriteRule .* "ws://${DTP_HOSTNAME}:8314%{REQUEST_URI}" [P,L]
</Location>
```

Warning: The order of the <Location> and <LocationMatch> directives is important. All of the <Location> and <LocationMatch> sections that match the incoming request are merged at runtime in the order they appear in the configuration, with later sections overriding earlier ones; the <LocationMatch> that sets the per-application X-Forwarded-Prefix must therefore follow <Location /dtp>, which sets the common /dtp value. WebSocket proxying through mod_proxy_wstunnel is described at https://httpd.apache.org/docs/2.4/mod/mod_proxy_wstunnel.html
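The routing rules shared by the nginx and Apache context path examples above, modelled as an added Python example that is not part of the page or of DTP: resolve() applies the nginx example's location prefixes, trailing-slash redirect and X-Forwarded-Prefix map to a request URI and returns either the redirect or the upstream URL together with the prefix header DTP will see, so the expected outcome for a given URL can be asserted before the proxy goes live. Backends on localhost and the application list are taken from the examples; the function names are this example's own.

```python
# Added example (not part of the page or of DTP): a model of how the context
# path configurations route a request and derive X-Forwarded-Prefix.
import re

COMMON_PREFIX = "/dtp"
# "pstsec" precedes "pst": alternatives are tried left to right and nothing
# anchors the end of the group, so "pst" would otherwise win for /dtp/pstsec/...
APPS = ("dc", "ep", "grs", "licenseserver", "pstsec", "pst", "tcm")
PREFIX_RE = re.compile(r"^/dtp/(%s)/?" % "|".join(APPS))   # the nginx map regex

# nginx "location" prefixes and the upstream each proxy_pass points at
# (assumption: backends on localhost, as in the nginx example).
ROUTES = {
    "/dtp/dc/": "http://localhost:8082",
    "/dtp/ep/": "http://localhost:8314",
    "/dtp/":    "http://localhost:8080",
}


def forwarded_prefix(request_uri):
    """Value of X-Forwarded-Prefix as the nginx map derives it from
    $request_uri (which includes the query string)."""
    m = PREFIX_RE.match(request_uri)
    if m:
        return "%s/%s" % (COMMON_PREFIX, m.group(1))
    if re.match(r"^/dtp/?", request_uri):
        return COMMON_PREFIX
    return ""        # no map entry matched: nginx yields an empty string


def resolve(request_uri):
    """Return ("redirect", location), ("proxy", upstream_url, prefix) or ("none",).
    Location matching uses the path only, the longest matching prefix wins, and
    proxy_pass with a trailing "/" replaces the matched location part."""
    path, sep, query = request_uri.partition("?")
    matches = [loc for loc in ROUTES if path.startswith(loc)]
    if not matches:
        return ("none",)               # nothing proxies it; nginx serves its own 404
    prefix = forwarded_prefix(request_uri)
    if request_uri == prefix:          # the "if" block in the nginx example
        return ("redirect", request_uri + "/")
    loc = max(matches, key=len)
    upstream = ROUTES[loc] + "/" + path[len(loc):] + (sep + query if sep else "")
    return ("proxy", upstream, prefix)


if __name__ == "__main__":
    for uri in ("/dtp/dc", "/dtp/dc/v2/x?y=1", "/dtp/grs/api",
                "/dtp/pstsec/", "/dtp/", "/dtp", "/grs/"):
        print(uri, "->", resolve(uri))
```

Two behaviours worth confirming with curl once the proxy is up: the map regex has no anchor after the application group, so a request such as /dtp/dcx/z receives X-Forwarded-Prefix /dtp/dc while being routed to DTP on port 8080 (anchor the group, for example with (?:/|$), if the header and the route must always agree), and alternation is tried left to right, which is why pstsec must precede pst in both the nginx map and the Apache <LocationMatch>.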

Known Issues and Constraints

...