RapidMiner Server documentation for version 9.2
Configuring reverse proxy to use with RapidMiner Server
A reverse proxy is a server process that accepts client connections and forwards them to backend application servers such as RapidMiner Server. It adds a layer of abstraction and control between clients and servers so that network traffic flows smoothly, and it can be used for load balancing across backend servers or to improve security.
Apache2 and Nginx are two popular web servers that can act as reverse proxies. Security settings are much easier to configure in these than on the application server: the application server's job is to run the application (RapidMiner Server), and in most cases it does not focus on security. Some aspects of security (e.g. HTTPS) can also be configured in the JBoss server that runs RapidMiner Server, but most of them (such as adding HTTP response headers) are not available there. A dedicated reverse proxy provides greater flexibility.
Using Apache2 as reverse proxy
To use Apache2 as a reverse proxy with HTTPS, install the Apache2 core packages (yum install httpd mod_ssl or apt-get install apache2) and ensure that the mod_ssl and mod_proxy modules are enabled, together with mod_proxy_http (needed by ProxyPass for HTTP backends) and mod_headers (needed by the Header directives used below).
To define the proxy functionality, add a VirtualHost configuration to your server. Below is a complete example configuration; the individual settings are explained block by block afterwards.
<VirtualHost *:80>
  ServerName server.rapidminer.com
  Redirect / https://server.rapidminer.com
</VirtualHost>
<VirtualHost *:443>
  ServerName server.rapidminer.com
  DocumentRoot /var/www/html
  ProxyPass "/" "http://10.0.0.1:8080/"
  ProxyPassReverse "/" "http://10.0.0.1:8080/"
  SSLEngine on
  SSLCertificateFile /etc/httpd/ssl/certificate.crt
  SSLCertificateKeyFile /etc/httpd/ssl/secret-key.key
  SSLCACertificateFile /etc/httpd/ssl/ca.crt
  SSLProtocol -ALL +TLSv1.2
  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
  SSLHonorCipherOrder on
  SSLCompression off
  Header always set Strict-Transport-Security "max-age=63072000"
  Header set X-Content-Type-Options "nosniff"
  Header always append X-Frame-Options "SAMEORIGIN"
  Header set Cache-Control "no-cache, no-store, no-transform"
  Header set Pragma "no-cache"
  Header set X-XSS-Protection "1; mode=block"
  Header set Referrer-Policy "strict-origin-when-cross-origin"
  Header set Content-Security-Policy "default-src https: 'self' 'unsafe-inline';"
  Header set Feature-Policy "fullscreen 'self'"
  Header set X-Permitted-Cross-Domain-Policies "none"
  FileETag None
</VirtualHost>
First we define a plain HTTP listener in the proxy for the server.rapidminer.com hostname (just an example) and redirect all requests to HTTPS:
<VirtualHost *:80>
  ServerName server.rapidminer.com
  Redirect / https://server.rapidminer.com
</VirtualHost>
The HTTPS requests are served by the HTTPS listener on port 443 with the same server.rapidminer.com hostname.
<VirtualHost *:443>
  ServerName server.rapidminer.com
  DocumentRoot /var/www/html
  ...
</VirtualHost>
To forward requests to the backend application server we add the proxy target definitions. In our example RapidMiner Server listens on the 10.0.0.1:8080 endpoint.
ProxyPass "/" "http://10.0.0.1:8080/"
ProxyPassReverse "/" "http://10.0.0.1:8080/"
On SELinux-enabled systems you must allow Apache to open outbound network connections, otherwise the proxy cannot reach the backend. Use the following command: /usr/sbin/setsebool -P httpd_can_network_connect 1
To set up the HTTPS certificate we enable the SSL engine and define the certificate files to use (in PEM format):
SSLEngine on
SSLCertificateFile /etc/httpd/ssl/certificate.crt
SSLCertificateKeyFile /etc/httpd/ssl/secret-key.key
SSLCACertificateFile /etc/httpd/ssl/ca.crt
To harden the HTTPS connection, disable all weak protocols (SSLv2, SSLv3, TLS 1.0 and TLS 1.1) and all weak cipher suites by adding the following lines. Additional best practices can be found in the references at the end of this page.
SSLProtocol -ALL +TLSv1.2
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on
SSLCompression off
Starting with Apache 2.4.8 (built against OpenSSL 1.0.2 or later) you can strengthen the forward-secret Diffie-Hellman (DHE) key exchange by supplying your own DH parameters instead of the defaults. Generate them with openssl dhparam -out dhparam.pem 4096 and reference the file:
SSLOpenSSLConfCmd DHParameters "/etc/httpd/ssl/dhparam.pem"
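The cipher string above is opaque until it is expanded. The following Python script is an added example and not part of the RapidMiner documentation: it builds a TLS 1.2-only server context with the same meaning as the SSLProtocol, SSLCipherSuite and SSLCompression lines, lists the suites the local OpenSSL actually enables for that string, and checks that every one of them uses an ephemeral (forward-secret) key exchange and that no RC4, 3DES, MD5, NULL, export or anonymous suite slipped in. The cipher string and the WEAK_MARKERS list are the only inputs; the exact suite list depends on the installed OpenSSL version.

```python
"""Expand an OpenSSL cipher string and audit what it enables.
Added example, not part of the RapidMiner docs or of Apache."""
import ssl

# Values copied from the SSLCipherSuite line of the Apache example.
CIPHER_STRING = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
# Substrings that identify suites no TLS 1.2 server should offer.
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "MD5", "NULL", "EXP", "PSK",
                "ADH", "AECDH")


def build_context(cipher_string=CIPHER_STRING):
    """Server context equivalent to 'SSLProtocol -ALL +TLSv1.2',
    'SSLCipherSuite <string>' and 'SSLCompression off'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(cipher_string)       # ssl.SSLError if nothing matches
    ctx.options |= ssl.OP_NO_COMPRESSION  # TLS compression off (CRIME)
    return ctx


def tls12_ciphers(cipher_string=CIPHER_STRING):
    """Names of the TLS 1.2 suites the string enables, in server preference
    order. OpenSSL configures TLS 1.3 suites (TLS_...) separately, so they
    are left out here."""
    ctx = build_context(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()
            if not c["name"].startswith("TLS_")]


def audit(cipher_string=CIPHER_STRING):
    """Return (forward_secret_only, weak_suites) for the enabled suites.
    forward_secret_only is True when every suite uses ECDHE or DHE."""
    names = tls12_ciphers(cipher_string)
    weak = [n for n in names if any(m in n for m in WEAK_MARKERS)]
    fs_only = bool(names) and all(n.startswith(("ECDHE-", "DHE-"))
                                  for n in names)
    return fs_only, weak


if __name__ == "__main__":
    for name in tls12_ciphers():
        print(name)
    print("forward secrecy only / weak suites:", audit())
    # A static-RSA string for contrast: no forward secrecy.
    print("AES256-SHA:", audit("AES256-SHA"))
```

Run it after editing SSLCipherSuite. With the string from the example every listed suite starts with ECDHE- or DHE-, which is what the EECDH and EDH prefixes guarantee; a static-RSA string such as AES256-SHA makes the audit report that forward secrecy is not guaranteed.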
To add further security-related HTTP headers you can use the Apache2 mod_headers module and add lines like the following to your configuration. We set these headers to make the HTTP transport as secure as possible while still working with the RapidMiner Server application. The exact header settings may differ on your installation; please read the references below.
- Strict-Transport-Security
- X-Content-Type-Options
- X-Frame-Options
- Cache-Control
- Pragma
- X-XSS-Protection
- Referrer-Policy
- Content-Security-Policy
- Feature-Policy
- X-Permitted-Cross-Domain-Policies
Header always set Strict-Transport-Security "max-age=63072000"
Header set X-Content-Type-Options "nosniff"
Header always append X-Frame-Options "SAMEORIGIN"
Header set X-XSS-Protection "1; mode=block"
Header set Cache-Control "no-cache, no-store, no-transform"
Header set Pragma "no-cache"
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set Content-Security-Policy "default-src https: 'self' 'unsafe-inline';"
Header set Feature-Policy "fullscreen 'self'"
Header set X-Permitted-Cross-Domain-Policies "none"
It is also a good idea to limit the information exposed in the ETag response header when the response is served from a static file. You can do that as follows:
FileETag None
Once all settings are in place, check the Apache configuration with apache2ctl -t (apachectl -t on RHEL/CentOS) and restart the Apache daemon.
Using Nginx as reverse proxy
You can also use Nginx as a reverse proxy. Install it with the yum install nginx or apt-get install nginx command and then provide a virtual host configuration. The syntax differs a bit, but the concepts are the same as for the Apache2 configuration. See our example configuration below:
server {
  listen 80;
  server_name server.rapidminer.com;
  return 301 https://$host$request_uri;
}
server {
  # 'listen 443 ssl' enables TLS; the deprecated 'ssl on;' directive is not needed
  listen 443 ssl;
  server_name server.rapidminer.com;
  location / {
    proxy_pass http://10.0.0.1:8080;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-For $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_read_timeout 300;
  }
  ssl_certificate /etc/nginx/ssl/certificate.chain.crt;
  ssl_certificate_key /etc/nginx/ssl/secret-key.key;
  ssl_dhparam /etc/nginx/ssl/dhparam.pem;
  ssl_session_cache shared:SSL:10m;
  # TLS 1.2 only, matching the Apache SSLProtocol setting above
  ssl_protocols TLSv1.2;
  ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
  ssl_prefer_server_ciphers on;
  # OCSP Stapling
  ssl_stapling on;
  ssl_stapling_verify on;
  resolver 8.8.8.8 8.8.4.4 valid=300s;
  resolver_timeout 5s;
  add_header Strict-Transport-Security "max-age=63072000";
  add_header X-Content-Type-Options "nosniff";
  add_header X-Frame-Options "SAMEORIGIN";
  add_header Cache-Control "no-cache, no-store, no-transform";
  add_header X-XSS-Protection "1; mode=block";
  add_header Referrer-Policy "strict-origin-when-cross-origin";
  add_header Content-Security-Policy "default-src https: 'self' 'unsafe-inline';";
  add_header Feature-Policy "fullscreen 'self'";
  etag off;
}
Testing the settings
We recommend checking your settings with online checkers:
- SSLLabs tests the HTTPS certificate installation and whether the server is protected against well-known SSL/TLS attacks.
- Security Headers Tool checks whether the HTTP security headers are set correctly.
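Both online checkers need a host that is reachable from the internet. For an internal installation, or to validate the header blocks from the Apache and Nginx sections above before exposing the server, the following Python script is an added example (not part of the RapidMiner documentation) that parses a raw HTTP response, for instance the output of curl -sI https://server.rapidminer.com, and reports which of the headers configured above are missing, carry an unexpected value, or are malformed. It also catches the stray colon that a directive written as Header set Referrer-Policy: "..." leaves in the header name, and an ETag that FileETag None or etag off should have removed. The two responses inside the script are constructed samples, not captures from a real server.

```python
"""Offline check of the security headers a reverse proxy in front of
RapidMiner Server should add. Added example, not RapidMiner code; the two
responses at the bottom are constructed samples, not real captures."""
import re

# Expected headers (lower-case names) as configured in the examples above.
# None means the header only has to be present, with any value.
EXPECTED = {
    "strict-transport-security": None,   # max-age is checked separately
    "x-content-type-options": "nosniff",
    "x-frame-options": "SAMEORIGIN",
    "cache-control": "no-cache, no-store, no-transform",
    "pragma": "no-cache",
    "x-xss-protection": "1; mode=block",
    "referrer-policy": "strict-origin-when-cross-origin",
    "content-security-policy": None,
    "feature-policy": None,
    "x-permitted-cross-domain-policies": "none",
}
MIN_HSTS_AGE = 63072000  # two years, the max-age used in the examples above


def parse_response(raw):
    """Split a raw HTTP/1.1 response (status line, headers, blank line, body)
    into (status_line, {lower-case name: [values]}). Repeated headers are
    kept in order; the first ':' ends the header name."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status_line, headers


def check_security_headers(headers):
    """Return a list of findings for the parsed headers; [] means all good."""
    findings = []
    for name, expected in EXPECTED.items():
        values = headers.get(name)
        if not values:
            findings.append("missing: " + name)
        elif expected is not None and values[0] != expected:
            findings.append("unexpected value: %s: %r" % (name, values[0]))
    # HSTS is only useful with a long max-age; a trailing ';' is tolerated.
    hsts = headers.get("strict-transport-security", [""])[0]
    age = re.search(r"max-age=(\d+)", hsts)
    if hsts and (age is None or int(age.group(1)) < MIN_HSTS_AGE):
        findings.append("weak HSTS: %r" % hsts)
    # 'Header set Referrer-Policy: "..."' keeps the colon in the header name,
    # so the wire line reads 'Referrer-Policy:: ...' and the parsed value
    # starts with ':'.
    for name, values in headers.items():
        if any(v.startswith(":") for v in values):
            findings.append("malformed header (stray colon in name): " + name)
    if "etag" in headers:
        findings.append("ETag present: FileETag None / etag off not in effect")
    return findings


# Constructed response from a correctly configured proxy.
GOOD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=63072000\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "X-Frame-Options: SAMEORIGIN\r\n"
    "Cache-Control: no-cache, no-store, no-transform\r\n"
    "Pragma: no-cache\r\n"
    "X-XSS-Protection: 1; mode=block\r\n"
    "Referrer-Policy: strict-origin-when-cross-origin\r\n"
    "Content-Security-Policy: default-src https: 'self' 'unsafe-inline';\r\n"
    "Feature-Policy: fullscreen 'self'\r\n"
    "X-Permitted-Cross-Domain-Policies: none\r\n"
    "\r\n"
    "<html></html>"
)
# Constructed response with typical mistakes: short max-age, stray colon in
# a header name, most headers missing, ETag still emitted.
BAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Strict-Transport-Security: max-age=300\r\n"
    "X-Content-Type-Options: nosniff\r\n"
    "Referrer-Policy:: strict-origin-when-cross-origin\r\n"
    "ETag: \"5e3a-1a2b3c\"\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("bad", BAD_RESPONSE)):
        status, headers = parse_response(raw)
        print(label, status, check_security_headers(headers) or "OK")
```

To check a live installation, feed the response headers into parse_response (curl -sI keeps the CRLF line endings the parser expects) and review the findings; an empty list means every header from the configuration above arrived intact at the client.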
References
- https://www.keycdn.com/blog/http-security-headers/
- https://raymii.org/s/tutorials/Strong_SSL_Security_On_Apache2.html
- https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html