Categories

Versions

You are viewing the RapidMiner Server documentation for version 9.3 - Check here for latest version

Configure a reverse proxy for use with RapidMiner Server

A reverse proxy is a server process that accepts client connections and directs to backend application servers, like Rapidminer Server. A reverse proxy provides an additional level of abstraction and control to ensure the smooth flow of network traffic between clients and servers. A reverse proxy can be used to provide load balancing between the backend servers or to improve security.

Apache2 and Nginx are two popular implementations of webservers and reverse proxies. Security configuration is much easier within these technologies than on the application server. The application server aims to serve the application (Rapidminer Server), but in most cases doesn't focus on security. Some aspects of security (e.g. HTTPS) can be configured also in the JBoss server (that runs Rapidminer server), but most of them (like providing additional HTTP headers) are not available. A dedicated reverse proxy provides greater flexibility.

Use Apache2 as reverse proxy

To use Apache2 as reverse proxy and enable HTTPS security on it you should install the Apache2 core packages and ensure, that mod-ssl and mod-proxy modules are enabled on them (yum install https mod_ssl or apt-get install apache2)

To define the proxy functionality you should add a Virtualhost configuration to your server. Here we provide an example configuration and will detail the settings by configuration block later.

<VirtualHost *:80>
    ServerName server.rapidminer.com
    Redirect / https://server.rapidminer.com
</VirtualHost>

<VirtualHost *:443>
    ServerName server.rapidminer.com
    DocumentRoot /var/www/html

    ProxyPass "/"  "http://10.0.0.178:8080/"
    ProxyPassReverse "/"  "http://10.0.0.178:8080/"

    SSLEngine on

    SSLCertificateFile /etc/httpd/ssl/certificate.crt
    SSLCertificateKeyFile /etc/httpd/ssl/secret-key.key
    SSLCACertificateFile /etc/httpd/ssl/ca.crt

    SSLProtocol -ALL +TLSv1.2
    SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
    SSLHonorCipherOrder on
    SSLCompression off

    ProxyPreserveHost On
    RequestHeader set X-Forwarded-Proto: "https"

    # If the proxy listens on other port than 443
    # RequestHeader set X-Forwarded-Port: <your-custom-port>

    Header always set Strict-Transport-Security "max-age=63072000;"
    Header set X-Content-Type-Options "nosniff"
    Header always append X-Frame-Options "SAMEORIGIN"
    Header set Cache-Control "no-cache, no-store, no-transform"
    Header set Pragma "no-cache"
    Header set X-XSS-Protection "1;  mode=block"
    Header set Referrer-Policy: "strict-origin-when-cross-origin"
    Header set Content-Security-Policy: "default-src https: data: 'self' 'unsafe-inline' 'unsafe-eval';"
    Header set Feature-Policy: "fullscreen 'self'"
    Header set x-permitted-cross-domain-policies "none"

    FileETag None

</VirtualHost>

First we defined a simple HTTP listener in the proxy for the server.rapidminer.com hostname (just an example here) and let all the requests redirect to HTTPS by default:

<VirtualHost *:80>
    ServerName server.rapidminer.com
    Redirect / https://server.rapidminer.com
</VirtualHost>

The HTTPS requests are served by the HTTPS listener on port 443 with the same server.rapidminer.com hostname.

<VirtualHost *:443>
    ServerName server.rapidminer.com
    DocumentRoot /var/www/html
    ...
</VirtualHost>

To proxy the requests to the backend application servers we add the proxy target definitions. In our example the Rapidminer server runs on the 10.0.0.1:8080 endpoint.

ProxyPass "/"  "http://10.0.0.1:8080/"
ProxyPassReverse "/"  "http://10.0.0.1:8080/"

On SELinux enabled systems you may enable the Apache to communicate to the network using the following command /usr/sbin/setsebool -P httpd_can_network_connect 1

To set the HTTPS certificate we need to enable the SSL engine and define the certificate files to use (in a PEM format)

SSLEngine on

SSLCertificateFile /etc/httpd/ssl/certificate.crt
SSLCertificateKeyFile /etc/httpd/ssl/secret-key.key
SSLCACertificateFile /etc/httpd/ssl/ca.crt

To make the HTTPS connection more secure and disable all the weak protocols (like SSLv2 and SSLv3, TLS1.0 and TLS1.1) and all weak Chiper suites we need to add the following lines. Additional best practices can be found on this linked site.

SSLProtocol -ALL +TLSv1.2
SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
SSLHonorCipherOrder on
SSLCompression off

Starting from Apache version 2.4.8 you can add forward secrecy to make the key negotiation more secure using Diffie-Hellman handshake. You can generate the required parameters using the following command openssl dhparam -out dhparam.pem 4096

SSLOpenSSLConfCmd DHParameters "/etc/httpd/ssl/dhparam.pem"

To preserve the original hostname and port in the request, the ProxyPreserveHost property is turned on, and with the RequestHeader set lines we add some headers to the requests, so the application server will assemble the URLs correctly. The default https port is 443, if you need to run your service on another port, you need to forward that port in a header too.

ProxyPreserveHost On
RequestHeader set X-Forwarded-Proto: "https"
# If the proxy listens on other port than 443
# RequestHeader set X-Forwarded-Port: <your-custom-port>

To define additional security-related HTTP headers you can use the Apache2 mod-headers module and add the following lines to your configuration as example. We defined the following headers to make our HTTP transport as secure as possible. We set these headers to work with the Rapidminer Server application. The exact header settings may differ on your installation, please read the references below.

Header always set Strict-Transport-Security "max-age=63072000;"
Header set X-Content-Type-Options "nosniff"
Header always append X-Frame-Options "SAMEORIGIN"
Header set Cache-Control "no-cache, no-store, no-transform"
Header set Pragma "no-cache"
Header set X-XSS-Protection "1;  mode=block"
Header set Referrer-Policy: "strict-origin-when-cross-origin"
Header set Content-Security-Policy: "default-src https: data: 'self' 'unsafe-inline' 'unsafe-eval';"
Header set Feature-Policy: "fullscreen 'self'"
Header set x-permitted-cross-domain-policies "none"

It is also a good idea to limit the information provided in the ETag response header field, when the document is based on a static file. You can set it the following way:

FileETag None

If all settings are done, you can check the Apache configuration using the apache2ctl -t and restart the Apache daemon.

Use Nginx as reverse proxy

You can also use nginx as a reverse proxy. Install with the yum install nginx or apt-get install nginx command and then provide a virtualhost configuration to it. The syntax is a bit different, but the concepts are the same for an Apache2 configuration. See our example configuration below:

server {
        listen         80;
        server_name    server.rapidminer.com;
        return         301 https://server.rapidminer.com$request_uri;
}

server
{
        listen          443 ssl;
        server_name     server.rapidminer.com;

        location / {
            proxy_pass       http://10.0.0.1:8080;
            proxy_set_header Host               $host:$server_port;
            proxy_set_header X-Forwarded-Proto  https;
            proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host   $host:$server_port;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-Port   $server_port;
            proxy_read_timeout          300;
        }

        ssl_certificate           /etc/nginx/ssl/certificate.chain.crt;
        ssl_certificate_key       /etc/nginx/ssl/secret-key.key;
        ssl_dhparam               /etc/nginx/ssl/dhparam.pem;

        ssl_session_cache shared:SSL:10m;
        ssl_protocols TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
        ssl_prefer_server_ciphers on;

        # OCSP Stapling
        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 5s;

        add_header Strict-Transport-Security "max-age=63072000; ";
        add_header X-Content-Type-Options "nosniff";
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1;  mode=block";
        add_header Cache-Control "no-cache, no-store, no-transform";
        add_header Pragma "no-cache";
        add_header Referrer-Policy "strict-origin-when-cross-origin";
        add_header Content-Security-Policy "default-src https: data: 'self' 'unsafe-inline' 'unsafe-eval';";
        add_header Feature-Policy "fullscreen 'self'";
        add_header x-permitted-cross-domain-policies "none";

        etag off;
}

Test the settings

Check your settings using online checkers:

  • SSLLabs can test the HTTPS certificate installation and make sure the server is protected against well-known SSL attacks.
  • Security Headers Tool checks if the HTTP headers are set secure.

Configure RapidMiner Server for use with a reverse proxy

If a reverse proxy is configured to forward traffic to RapidMiner Server, then some client-related (HTTP session) information is lost:

  • Instead of the original client IP address, RapidMiner Server gets the IP address of the reverse proxy. If the reverse proxy is well-configured, the original client IP is forwarded to the RapidMiner Server in the "X-Forwarded-For" HTTP header.
  • If HTTPS termination occurs in the reverse proxy, and the traffic is forwarded to RapidMiner Server using HTTP, then the original protocol information is lost. If the reverse proxy is well-configured, the original protocol is forwarded to RapidMiner Server in the "X-Forwarded-Proto" HTTP header.

The client IP address is less important, since RapidMiner Server does not depend on it. This information is required only if you plan to do some advanced web access statistics.

The information about the original protocol is more important, because it helps RapidMiner Server build appropriate redirect URLs. If RapidMiner Server does not consider the original protocol, it will assume plain HTTP, and it will reply with HTTP 30X redirects to HTTP URLs, no matter what the original protocol. RapidMiner Server should therefore pay attention to the "X-Forwarded-Proto" HTTP header, and if an HTTP redirect occurs, then the "Location" header in the HTTP response will contain the correct protocol prefix.

To make sure that the response contains the correct protocol prefix, please add the following RemoteIPValve block to the JBoss configuration file standalone.xml.

<subsystem xmlns="urn:jboss:domain:web:2.2" default-virtual-server="ra-host" native="false">
    ...
    <valve name="RemoteIPValve" module="org.jboss.as.web" class-name="org.apache.catalina.valves.RemoteIpValve">
        <param param-name="remoteIpHeader" param-value="x-forwarded-for"/>
        <param param-name="protocolHeader" param-value="x-forwarded-proto"/>
        <param param-name="protocolHeaderHttpsValue" param-value="https"/>
        <!--
        Optional: If the proxy listens on other port than 443
        <param param-name="httpsServerPort" param-value="your-custom-port"/>
        -->
        <param param-name="internalProxies" param-value="172\.\d*\.\d*\.\d*|127\.\d*\.\d*\.\d*" />
    </valve>
</subsystem>

Please pay attention to the internalProxies parameter, and change the expression based on your particular network.

After any changes of the standalone.xml file, reload or restart your Rapidminer Server instance.

When the settings are correctly implemented, the protocol is the following:

In case of an HTTP request, the proxy sends a 3xx redirect header to an HTTPS location.

In case of an HTTPS request:

  1. Client sends the HTTPS request to the proxy
  2. Proxy decrypts the HTTPS traffic and adds relevant extra headers to the request: "Host:", "X-Forwarded-Proto:", "X-Forwarded-For:", "X-Forwarded-Host:", "X-Forwarded-Server:", and optionally "X-Forwarded-Port:"
  3. Proxy sends the request to RapidMiner Server via HTTP.
  4. The RemoteIPValve module in RapidMiner Server first checks whether the request comes from an internal proxy, using the regular expression provided in the internalProxies parameter. If the expression matches, it checks the X-Forwarded headers, provided that they are included in the request, and then the parameter settings will be applied. In all other cases they are left untouched.
  5. RapidMiner Server sends the response via HTTP to the proxy. The "Location:" headers and the links in the content are assembled based on the original request (eg. https://your-server.com:your-custom-port/...)
  6. The proxy adds the extra headers to the response (to protect the client browser from performing unsafe operations).
  7. The proxy sends the response to the client.

References