Dundas BI and reverse proxies
1. Overview
This article provides information about Dundas BI and reverse proxies used on Linux servers.
Dundas BI for Linux uses the built-in Kestrel web server. Kestrel is a cross-platform web server for ASP.NET Core. Dundas BI will work with or without a reverse proxy server.
For more information, see Kestrel web server implementation in ASP.NET Core.
2. Why to use a reverse proxy
Some common reasons for using a reverse proxy:
- Security - limit the exposure of the server, and provide an additional layer of defense.
- Integration - might integrate better with existing infrastructure.
- Load Balancing - simplified HTTPS configuration as only the reverse proxy will require X509 certificate and the application server can just run as HTTP.
3. NGINX example
As described in the Installing Dundas BI on Linux article, the Dundas BI wizard will set up an NGINX reverse proxy. The following is a typical example of how Dundas BI would be set up on Ubuntu without the Dundas BI wizard:
First install NGINX by running the following command:
sudo apt-get update sudo apt-get install nginx
After it is installed, you can create a site definition by creating a file at the following path:
/etc/nginx/sites-available/dundas-bi-website-InstanceName.com
The content will typically look like the following:
server {
listen 443;
listen [::]:443;
server_name somedomain.com;
ssl on;
ssl_certificate /etc/nginx/ssl/somedomaincom/cert.crt;
ssl_certificate_key /etc/nginx/ssl/somedomain/cert.key;
location / {
proxy_pass http://localhost:8008;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 86400;
proxy_send_timeout 86400;
proxy_read_timeout 86400;
send_timeout 86400;
client_max_body_size 500M;
}
}
This sample is using a sites-available folder, which is the location on Ubuntu for the NGINX site definition files. This location will be different on RHEL. For more information, see: NGINX Wiki.
3.1. Federated authentication and the AuthBridge virtual directory
In order for federated authentication to work properly the Dundas BI AuthBridge website needs to exist directly under the Dundas BI website. If the Dundas BI website exists at http://somesite/, then the AuthBridge website would exist at http://somesite/AuthBridge/.
The following is an extension to the sample above. This sample adds the correct configuration for redirecting the federated traffic to the AuthBridge Kestrel website.
server {
listen 443;
listen [::]:443;
server_name somedomain.com;
ssl on;
ssl_certificate /etc/nginx/ssl/somedomaincom/cert.crt;
ssl_certificate_key /etc/nginx/ssl/somedomain/cert.key;
location /AuthBridge/ {
proxy_pass http://localhost:8009/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Proxy-BaseUri /AuthBridge;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_connect_timeout 86400;
proxy_send_timeout 86400;
proxy_read_timeout 86400;
send_timeout 86400;
client_max_body_size 500M;
}
location / {
proxy_pass http://localhost:8008;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_connect_timeout 86400;
proxy_send_timeout 86400;
proxy_read_timeout 86400;
send_timeout 86400;
client_max_body_size 500M;
}
}
4. Other reverse proxies
It is possible to use other reverse proxies with Dundas BI on Linux. Some other popular options are:
- Apache
- NGINX Plus
- HAProxy