Configuring the Reverse Proxy Server

To install the reverse proxy server, you must change the DNS configuration so that it supports the reverse proxy.

  1. Enable the following modules so that Apache2 can act as a reverse proxy for CDSW installations.
    For example:
    sudo a2enmod proxy 
    sudo a2enmod proxy_http 
    sudo a2enmod proxy_balancer 
    sudo a2enmod lbmethod_byrequests 
    sudo a2enmod proxy_wstunnel 
    sudo a2enmod ssl 
    sudo a2enmod proxy_ajp 
    sudo a2enmod rewrite 
    sudo a2enmod deflate 
    sudo a2enmod headers 
    sudo a2enmod proxy_connect 
    sudo a2enmod proxy_html 
    sudo a2enmod proxy_http2
    
  2. Create the configuration file /etc/apache2/sites-enabled/000-default.conf and add the following to enable the reverse proxy for CDSW.
    For example:
    <VirtualHost *:443>
       ServerName company.cdsw.cloudera.com
       ServerAlias *.company.cdsw.cloudera.com

       # Terminate TLS from clients and use TLS to the backend
       SSLEngine on
       SSLProxyEngine on

       # Proxy WebSocket upgrade requests to the backend over wss
       RewriteEngine On
       RewriteCond %{HTTP:Connection} Upgrade [NC]
       RewriteCond %{HTTP:Upgrade} websocket [NC]
       RewriteRule /(.*) wss://backend-company.cdsw.cloudera.com/$1 [P,L]

       # Proxy all other requests to the backend over HTTPS
       ProxyPass / https://backend-company.cdsw.cloudera.com/ nocanon
       ProxyPassReverse / https://backend-company.cdsw.cloudera.com/ nocanon

       # Server certificate, private key and CA chain presented to clients
       SSLCertificateFile /root/ca/cdsw/company.cdsw.cloudera.com.crt
       SSLCertificateKeyFile /root/ca/cdsw/private.key
       SSLCertificateChainFile /root/ca/intermediate/certs/ca-chain.cert.pem

       # HSTS and CORS response headers; "*" allows requests from any origin
       Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
       Header always set Access-Control-Allow-Origin "*"
       Header always set Access-Control-Max-Age "1000"
       Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"

       # Pass the original Host header to the backend; do not act as a forward proxy
       ProxyPreserveHost On
       ProxyRequests Off

       # Store the connecting client's address in the CLIENT_IP environment variable
       RewriteEngine On
       RewriteRule ^(.*) - [E=CLIENT_IP:%{REMOTE_ADDR},L]

       # Set the X-Forwarded-* request headers sent to the backend
       RequestHeader set X-Forwarded-For %{CLIENT_IP}e
       RequestHeader set X-Forwarded-Proto https
       RequestHeader set X-Forwarded-SSL on
       RequestHeader set X-Forwarded-Port 443

       AllowEncodedSlashes On
    </VirtualHost>
    
  3. Ensure that port 443 is associated with the host company.cdsw.cloudera.com and is listed first in the default SSL configuration, /etc/apache2/sites-enabled/000-default-ssl.conf.
    root@ip-10-80-161-148:/etc/apache2/sites-enabled# apachectl -S 
    VirtualHost configuration:
    *:443 company.cdsw.cloudera.com (/etc/apache2/sites-enabled/000-default.conf:1)
    ServerRoot: "/etc/apache2" 
    Main DocumentRoot: "/var/www/html" 
    Main ErrorLog: "/var/log/apache2/error.log" 
    Mutex proxy-balancer-shm: using_defaults 
    Mutex rewrite-map: using_defaults 
    Mutex ssl-stapling-refresh: using_defaults 
    Mutex ssl-stapling: using_defaults 
    Mutex proxy: using_defaults 
    Mutex ssl-cache: using_defaults 
    Mutex default: dir="/var/run/apache2/" mechanism=default 
    Mutex watchdog-callback: using_defaults 
    PidFile: "/var/run/apache2/apache2.pid" 
    Define: DUMP_VHOSTS 
    Define: DUMP_RUN_CFG 
    User: name="www-data" id=33 
    Group: name="www-data" id=33
    
    This ordering matters because a default SSL configuration also listens on port 443, and the Apache HTTP Server serves requests in the order in which the virtual hosts are defined in the configuration.
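
The ordering check in step 3 can be scripted. The following is an added example, not part of the original procedure or of Cloudera's tooling: it reads `apachectl -S` output and reports the default virtual host for a port, covering both the single-host listing shown above and the listing Apache prints when several sites share port 443. The function names and the host default-ssl.example are assumptions, and both sample outputs are constructed.

```shell
#!/bin/sh
# Added example: find which virtual host Apache uses as the default for a port.
# Print the default virtual host for port $1; stdin is `apachectl -S` output.
default_vhost() {
    awk -v port="$1" '
        # An address line ("*:443 ...") opens the listing for one address:port.
        $1 ~ /:[0-9]+$/ {
            n = split($1, part, ":")
            in_port = (part[n] == port)
            # One vhost on the address: "*:443 host (file:line)".
            if (in_port && $2 != "is") { print $2; exit }
            next
        }
        # Several vhosts: the first one loaded is listed as "default server".
        in_port && $1 == "default" && $2 == "server" { print $3; exit }
    '
}

# Succeed only if $1 is the default virtual host on port $2.
check_default_vhost() {
    actual=$(default_vhost "$2")
    [ "$actual" = "$1" ] && return 0
    echo "default on port $2 is '${actual:-none}', expected '$1'" >&2
    return 1
}

# Constructed sample: the stock SSL site is loaded before the CDSW site.
sample_misordered() {
    cat <<'EOF'
VirtualHost configuration:
*:443                  is a NameVirtualHost
         default server default-ssl.example (/etc/apache2/sites-enabled/000-default-ssl.conf:2)
         port 443 namevhost default-ssl.example (/etc/apache2/sites-enabled/000-default-ssl.conf:2)
         port 443 namevhost company.cdsw.cloudera.com (/etc/apache2/sites-enabled/000-default.conf:1)
                 wild alias *.company.cdsw.cloudera.com
ServerRoot: "/etc/apache2"
EOF
}

# Constructed sample: only the CDSW site listens on port 443.
sample_single() {
    cat <<'EOF'
VirtualHost configuration:
*:443                  company.cdsw.cloudera.com (/etc/apache2/sites-enabled/000-default.conf:1)
EOF
}

sample_misordered | default_vhost 443   # prints default-ssl.example
# On the proxy host: apachectl -S 2>/dev/null | check_default_vhost company.cdsw.cloudera.com 443
```

A non-zero exit from check_default_vhost means another site is answering first on that port, so clients that reach the proxy without a matching host name get that site's certificate and content instead of the CDSW proxy.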