You are viewing the RapidMiner Server documentation for version 9.0 - Check here for latest version
Configuring reverse proxy to use with RapidMiner Server
A reverse proxy is a server process that accepts client connections and directs to backend application servers, like Rapidminer Server. A reverse proxy provides an additional level of abstraction and control to ensure the smooth flow of network traffic between clients and servers. A reverse proxy can be used to provide load balancing between the backend servers or improved security.
Apache2 and Nginx are two popular implementations of webservers and reverse proxies. Security configuration is much easier within these technologies than on the application server. The application server aims to serve the application (Rapidminer Server), but in most cases doesn't focus on security. Some aspects of security (e.g. HTTPS) can be configured also in the JBoss server (that runs Rapidminer server), but most of them (like providing additional HTTP headers) are not available. A dedicated reverse proxy provides greater flexibility.
Using Apache2 as reverse proxy
To use Apache2 as reverse proxy and enable HTTPS security on it you should install the Apache2 core packages and ensure, that mod-ssl and mod-proxy modules are enabled on them (yum install https mod_ssl or apt-get install apache2)
To define the proxy functionality you should add a Virtualhost configuration to your server. Here we provide an example configuration and will detail the settings by configuration block later.
<VirtualHost *:80>
ServerName server.rapidminer.com
Redirect / https://server.rapidminer.com
</VirtualHost>
<VirtualHost *:443>
ServerName server.rapidminer.com
DocumentRoot /var/www/html
ProxyPass "/" "http://10.0.0.178:8080/"
ProxyPassReverse "/" "http://10.0.0.178:8080/"
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/certificate.crt
SSLCertificateKeyFile /etc/httpd/ssl/secret-key.key
SSLCACertificateFile /etc/httpd/ssl/ca.crt
SSLProtocol -ALL +TLSv1.2
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on
SSLCompression off
Header always set Strict-Transport-Security "max-age=63072000;"
Header set X-Content-Type-Options "nosniff"
Header always append X-Frame-Options "SAMEORIGIN"
Header set Cache-Control "no-cache, no-store, no-transform"
Header set Pragma "no-cache"
Header set X-XSS-Protection "1; mode=block"
Header set Referrer-Policy: "strict-origin-when-cross-origin"
Header set Content-Security-Policy: "default-src https: 'self' 'unsafe-inline';"
Header set Feature-Policy: "fullscreen 'self'"
Header set x-permitted-cross-domain-policies "none"
FileETag None
</VirtualHost>
First we defined a simple HTTP listener in the proxy for the server.rapidminer.com hostname (just an example here) and let all the requests redirect to HTTPS by default:
<VirtualHost *:80>
ServerName server.rapidminer.com
Redirect / https://server.rapidminer.com
</VirtualHost>
The HTTPS requests are served by the HTTPS listener on port 443 with the same server.rapidminer.com hostname.
<VirtualHost *:443>
ServerName server.rapidminer.com
DocumentRoot /var/www/html
...
</VirtualHost>
To proxy the requests to the backend application servers we add the proxy target definitions. In our example the Rapidminer server runs on the 10.0.0.1:8080 endpoint.
ProxyPass "/" "http://10.0.0.1:8080/"
ProxyPassReverse "/" "http://10.0.0.1:8080/"
On SELinux enabled systems you may enable the Apache to communicate to the network using the following command /usr/sbin/setsebool -P httpd_can_network_connect 1
To set the HTTPS certificate we need to enable the SSL engine and define the certificate files to use (in a PEM format)
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/certificate.crt
SSLCertificateKeyFile /etc/httpd/ssl/secret-key.key
SSLCACertificateFile /etc/httpd/ssl/ca.crt
To make the HTTPS connection more secure and disable all the weak protocols (like SSLv2 and SSLv3, TLS1.0 and TLS1.1) and all weak Chiper suites we need to add the following lines. Additional best practices can be found on this linked site.
SSLProtocol -ALL +TLSv1.2
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on
SSLCompression off
Starting from Apache version 2.4.8 you can add forward secrecy to make the key negotiation more secure using Diffie-Hellman handshake. You can generate the required parameters using the following command openssl dhparam -out dhparam.pem 4096
SSLOpenSSLConfCmd DHParameters "/etc/httpd/ssl/dhparam.pem"
To define additional security-related HTTP headers you can use the Apache2 mod-headers module and add the following lines to your configuration as example. We defined the following headers to make our HTTP transport as secure as possible. We set these headers to work with the Rapidminer Server application. The exact header settings may differ on your installation, please read the references below.
- Strict-Transport-Security
- X-Content-Type-Options
- X-Frame-Options
- Cache-Control
- Pragma
- X-XSS-Protection
- Referrer-Policy
- Content-Security-Policy
- Feature-Policy
X-permitted-cross-domain-policies
Header always set Strict-Transport-Security "max-age=63072000;" Header set X-Content-Type-Options "nosniff" Header always append X-Frame-Options "SAMEORIGIN" Header set X-XSS-Protection "1; mode=block" Header set Cache-Control "no-cache, no-store, no-transform" Header set Pragma "no-cache" Header set Referrer-Policy: "strict-origin-when-cross-origin" Header set Content-Security-Policy: "default-src https: 'self' 'unsafe-inline';" Header set Feature-Policy: "fullscreen 'self'" Header set x-permitted-cross-domain-policies "none"
It is also a good idea to limit the information provided in the ETag response header field, when the document is based on a static file. You can set it the following way:
FileETag None
If all settings are done, you can check the Apache configuration using the apache2ctl -t and restart the Apache daemon.
Using Nginx as reverse proxy
You can also use nginx as a reverse proxy. Install with the yum install nginx or apt-get install nginx command and then provide a virtualhost configuration to it. The syntax is a bit different, but the concepts are the same for an Apache2 configuration. See our example configuration below:
server {
listen 80;
server_name server.rapidminer.com;
return 301 https://$host$request_uri;
}
server
{
listen 443 ssl;
server_name server.rapidminer.com;
location / {
proxy_pass http://10.0.0.1:8080;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 300;
}
ssl on;
ssl_certificate /etc/nginx/ssl/certificate.chain.crt;
ssl_certificate_key /etc/nginx/ssl/secret-key.key;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_session_cache shared:SSL:10m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
ssl_prefer_server_ciphers on;
# OCSP Stapling
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.8.8 8.8.4.4 valid=300s;
resolver_timeout 5s;
add_header Strict-Transport-Security "max-age=63072000; ";
add_header X-Content-Type-Options "nosniff";
add_header X-Frame-Options "SAMEORIGIN";
add_header Cache-Control "no-cache, no-store, no-transform";
add_header X-XSS-Protection "1; mode=block";
add_header Referrer-Policy "strict-origin-when-cross-origin";
add_header Content-Security-Policy "default-src https: 'self' 'unsafe-inline';";
add_header Feature-Policy "fullscreen 'self'";
etag off;
}
Testing the settings
We prefer to check your setting using online checkers:
- SSLLabs is able to test the HTTPS certificate installation and if the server is protected against well-known SSL attacks.
- Security Headers Tool checks if the HTTP headers are set secure.
References
- https://www.keycdn.com/blog/http-security-headers/
- https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
- https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html