Configuring the Reverse Proxy Server
To install the reverse proxy server, you need to manipulate the DNS configurations to support the reverse proxy.
-
Enable the following modules to enable Apache2 to act as a reverse proxy for CDSW
installations.
For example:
sudo a2enmod proxy sudo a2enmod proxy_http sudo a2enmod proxy_balancer sudo a2enmod lbmethod_byrequests sudo a2enmod proxy_wstunnel sudo a2enmod ssl sudo a2enmod proxy_ajp sudo a2enmod rewrite sudo a2enmod deflate sudo a2enmod headers sudo a2enmod proxy_connect sudo a2enmod proxy_html sudo a2enmod proxy_http2
-
Create the configuration file
/etc/apache2/sites-enabled/000-deafult.conf and add the
following to enable reverse proxy for CDSW.
For example:
<VirtualHost *:443> ServerName company.cdsw.cloudera.com ServerAlias *.company.cdsw.cloudera.com SSLEngine on SSLProxyEngine on RewriteEngine On RewriteCond %{HTTP:Connection} Upgrade [NC] RewriteCond %{HTTP:Upgrade} websocket [NC] RewriteRule /(.*) wss://backend-company.cdsw.cloudera.com/$1 [P,L] ProxyPass / https://backend-company.cdsw.cloudera.com/ nocanon ProxyPassReverse / https://backend-company.cdsw.cloudera.com/ nocanon SSLCertificateFile /root/ca/cdsw/company.cdsw.cloudera.com.crt SSLCertificateKeyFile /root/ca/cdsw/private.key SSLCertificateChainFile /root/ca/intermediate/certs/ca-chain.cert.pem Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" Header always set Access-Control-Allow-Origin "*" Header always set Access-Control-Max-Age "1000" Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token" ProxyPreserveHost On ProxyRequests Off RewriteEngine On RewriteRule ^(.*) - [E=CLIENT_IP:%{REMOTE_ADDR},L] RequestHeader set X-Forwarded-For %{CLIENT_IP}e RequestHeader set X-Forwarded-Proto https RequestHeader set X-Forwarded-SSL on RequestHeader set X-Forwarded-Port 443 AllowEncodedSlashes On </VirtualHost>
-
Ensure that port 443 is associated with the host
company.cdsw.cloudera.com
and is listed first in the default SSL configuration, /etc/apache2/sites-enabled/000-default-ssl.conf.root@ip-10-80-161-148:/etc/apache2/sites-enabled# apachectl -S VirtualHost configuration: *:443 company.cdsw.cloudera.com (/etc/apache2/sites-enabled/000-default.conf:1) ServerRoot: "/etc/apache2" Main DocumentRoot: "/var/www/html" Main ErrorLog: "/var/log/apache2/error.log" Mutex proxy-balancer-shm: using_defaults Mutex rewrite-map: using_defaults Mutex ssl-stapling-refresh: using_defaults Mutex ssl-stapling: using_defaults Mutex proxy: using_defaults Mutex ssl-cache: using_defaults Mutex default: dir="/var/run/apache2/" mechanism=default Mutex watchdog-callback: using_defaults PidFile: "/var/run/apache2/apache2.pid" Define: DUMP_VHOSTS Define: DUMP_RUN_CFG User: name="www-data" id=33 Group: name="www-data" id=33
You need to ensure this configuration because there is a default SSL configuration that listens to port 443 and the Apache HTTP server serves the request in the order it is defined in the configuration.