Dundas BI and reverse proxies
1. Overview
This article provides information about Dundas BI and reverse proxies used on Linux servers.
Dundas BI for Linux uses the built-in Kestrel web server. Kestrel is a cross-platform web server for ASP.NET Core. Dundas BI will work with or without a reverse proxy server.
For more information, see Kestrel web server implementation in ASP.NET Core.
2. Why to use a reverse proxy
Some common reasons for using a reverse proxy:
- Security - limit the exposure of the server, and provide an additional layer of defense.
- Integration - might integrate better with existing infrastructure.
- Load Balancing - simplified HTTPS configuration as only the reverse proxy will require a X509 certificate and the application server can just run as HTTP.
3. NGINX example
As described in the Installing Dundas BI on Linux article, the Dundas BI wizard will set up an NGINX reverse proxy. The following is a typical example of how Dundas BI would be set up on Ubuntu without the Dundas BI wizard:
First install NGINX by running the following command:
sudo apt-get update sudo apt-get install nginx
After it is installed, you can create a site definition by creating a file at the following path, for example:
/etc/nginx/sites-available/dundas-bi-website-InstanceName.conf
The content will typically look like the following:
# falling back to $scheme if no X-Forwarded-Proto header is received
map $http_x_forwarded_proto $client_scheme {
default $http_x_forwarded_proto;
'' $scheme;
}
server {
listen 443;
listen [::]:443;
server_name somedomain.com;
ssl on;
ssl_certificate /etc/nginx/ssl/somedomaincom/cert.crt;
ssl_certificate_key /etc/nginx/ssl/somedomain/cert.key;
location / {
proxy_pass http://localhost:8008;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $client_scheme;
proxy_connect_timeout 86400;
proxy_send_timeout 86400;
proxy_read_timeout 86400;
send_timeout 86400;
client_max_body_size 500M;
}
}
This sample is using a sites-available folder, which is the location on Ubuntu for the NGINX site definition files. This location will be different on RHEL. For more information, see: NGINX Wiki. Also be aware of restrictions from SELinux on RHEL.
3.1. Federated authentication and the AuthBridge virtual directory
In order for federated authentication to work properly, the Dundas BI AuthBridge website needs to exist directly under the Dundas BI website. If the Dundas BI website exists at http://somesite/, then the AuthBridge website would exist at http://somesite/AuthBridge/.
The following is an extension to the sample above. This sample adds the correct configuration for redirecting the federated traffic to the AuthBridge Kestrel website.
# falling back to $scheme if no X-Forwarded-Proto header is received
map $http_x_forwarded_proto $client_scheme {
default $http_x_forwarded_proto;
'' $scheme;
}
server {
listen 443;
listen [::]:443;
server_name somedomain.com;
ssl on;
ssl_certificate /etc/nginx/ssl/somedomaincom/cert.crt;
ssl_certificate_key /etc/nginx/ssl/somedomain/cert.key;
location /AuthBridge/ {
proxy_pass http://localhost:8009/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $client_scheme;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Proxy-BasePath /AuthBridge;
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;
proxy_connect_timeout 86400;
proxy_send_timeout 86400;
proxy_read_timeout 86400;
send_timeout 86400;
client_max_body_size 500M;
}
location / {
proxy_pass http://localhost:8008;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $http_host;
proxy_cache_bypass $http_upgrade;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $client_scheme;
proxy_connect_timeout 86400;
proxy_send_timeout 86400;
proxy_read_timeout 86400;
send_timeout 86400;
client_max_body_size 500M;
}
}
In the case above, the Dundas BI Kestrel website is located at http://localhost:8008 and the Dundas BI AuthBridge Kestrel website is located at http://localhost:8009.
3.2. Accessing Dundas BI via a path
Starting with Dundas BI version 10, you can set up NGINX or your other reverse proxy to make Dundas BI accessible under a path in the URL rather than at the root of the site when running on Linux - for example, at http://somesite/dundasbi/ rather than http://somesite/.
The configuration for doing so is the same as shown in the previous section for the /AuthBridge/ location: add a line to the configuration that sets the X-Proxy-BasePath header value to the same path to Dundas BI you've specified as the location without a trailing slash. For example:
proxy_set_header X-Proxy-BasePath /DundasBI;
If you are using federated authentication, the AuthBridge website must now be accessible as an /AuthBridge/ subdirectory under the Dundas BI path, so the example in the previous section would need to be modified accordingly to set this header value to /DundasBI/AuthBridge.
4. Other reverse proxies
It is possible to use other reverse proxies with Dundas BI on Linux. Some other popular options are:
- Apache
- NGINX Plus
- HAProxy