External Termination
External TLS termination can be provided through a number of different approaches.
- Load balancers, such as the AWS Elastic Load Balancer
- Modern firewalls
- Reverse web proxies, such as
nginx
- VPN appliances supporting TLS/SSL VPN
Organizations that require external termination will often have standardized on single approach for TLS. The primary advantage of this approach is that it allows such organizations to integrate with Cloudera Data Science Workbench without violating their IT department's policies for TLS. For example, with an external termination proxy, Cloudera Data Science Workbench does not need access to the TLS private key.
Load balancers and proxies often require a URL they can ping to validate
the status of the web service backend. For instance, you can configure a load balancer to
send an HTTP GET request to /internal/load-balancer/health-ping
. If the response is 200 (OK), that means
the backend is healthy. Note that, as with all communication to the web backend from the
load balancer when TLS is terminated externally, this request should be sent over HTTP and
not HTTPS.
Note that any terminating load balancer must provide the following header fields so that Cloudera Data Science Workbench can detect the IP address and protocol used by the client:
- X-Forwarded-For (client's IP address),
- X-Forwarded-Proto (client's requested protocol, i.e. HTTPS),
- X-Forwarded-Host (the "Host" header of the client's original request).
See Configuring HTTP Headers for Cloudera Data Science Workbench for more details on how to customize HTTP headers required by Cloudera Data Science Workbench.