Cloudera Docs

Configuring the Reverse Proxy Server

To install the reverse proxy server, you need to manipulate the DNS configurations to support the reverse proxy.

  1. Enable the following modules to enable Apache2 to act as a reverse proxy for CDSW installations.
    For example:
    sudo a2enmod proxy 
sudo a2enmod proxy_http 
sudo a2enmod proxy_balancer 
sudo a2enmod lbmethod_byrequests 
sudo a2enmod proxy_wstunnel 
sudo a2enmod ssl 
sudo a2enmod proxy_ajp 
sudo a2enmod rewrite 
sudo a2enmod deflate 
sudo a2enmod headers 
sudo a2enmod proxy_connect 
sudo a2enmod proxy_html 
sudo a2enmod proxy_http2
  2. Create the configuration file /etc/apache2/sites-enabled/000-deafult.conf and add the following to enable reverse proxy for CDSW.
    For example:
    <VirtualHost *:443>
   ServerName company.cdsw.cloudera.com
   ServerAlias *.company.cdsw.cloudera.com

   SSLEngine on
   SSLProxyEngine on

   RewriteEngine On
   RewriteCond %{HTTP:Connection} Upgrade [NC]
   RewriteCond %{HTTP:Upgrade} websocket [NC]
   RewriteRule /(.*) wss://backend-company.cdsw.cloudera.com/$1 [P,L]

   ProxyPass / https://backend-company.cdsw.cloudera.com/ nocanon
   ProxyPassReverse / https://backend-company.cdsw.cloudera.com/ nocanon


   SSLCertificateFile /root/ca/cdsw/company.cdsw.cloudera.com.crt
   SSLCertificateKeyFile /root/ca/cdsw/private.key
   SSLCertificateChainFile /root/ca/intermediate/certs/ca-chain.cert.pem

   Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
   Header always set Access-Control-Allow-Origin "*"
   Header always set Access-Control-Max-Age "1000"
   Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"

   ProxyPreserveHost On
   ProxyRequests Off

   RewriteEngine On
   RewriteRule ^(.*) - [E=CLIENT_IP:%{REMOTE_ADDR},L]

   RequestHeader set X-Forwarded-For %{CLIENT_IP}e
   RequestHeader set X-Forwarded-Proto https
   RequestHeader set X-Forwarded-SSL on
   RequestHeader set X-Forwarded-Port 443

   AllowEncodedSlashes On
</VirtualHost>
  3. Ensure that port 443 is associated with the host company.cdsw.cloudera.com and is listed first in the default SSL configuration, /etc/apache2/sites-enabled/000-default-ssl.conf. 
    root@ip-10-80-161-148:/etc/apache2/sites-enabled# apachectl -S 
VirtualHost configuration: *:443 company.cdsw.cloudera.com (/etc/apache2/sites-enabled/000-default.conf:1) 
ServerRoot: "/etc/apache2" 
Main DocumentRoot: "/var/www/html" 
Main ErrorLog: "/var/log/apache2/error.log" 
Mutex proxy-balancer-shm: using_defaults 
Mutex rewrite-map: using_defaults 
Mutex ssl-stapling-refresh: using_defaults 
Mutex ssl-stapling: using_defaults 
Mutex proxy: using_defaults 
Mutex ssl-cache: using_defaults 
Mutex default: dir="/var/run/apache2/" mechanism=default 
Mutex watchdog-callback: using_defaults 
PidFile: "/var/run/apache2/apache2.pid" 
Define: DUMP_VHOSTS 
Define: DUMP_RUN_CFG 
User: name="www-data" id=33 
Group: name="www-data" id=33
    You need to ensure this configuration because there is a default SSL configuration that listens to port 443 and the Apache HTTP server serves the request in the order it is defined in the configuration.