Cloudera Docs

Configuring the Reverse Proxy Server

To install the reverse proxy server, you need to manipulate the DNS configurations to support the reverse proxy.

  • *** What should I use as the OS? The POC uses Ubuntu. Is this the logical OS to use in the examples?
  1. Enable the following modules to enable Apache2 to act as a reverse proxy for CDSW installations: 
    sudo a2enmod proxy 
sudo a2enmod proxy_http 
sudo a2enmod proxy_balancer 
sudo a2enmod lbmethod_byrequests 
sudo a2enmod proxy_wstunnel 
sudo a2enmod ssl 
sudo a2enmod proxy_ajp 
sudo a2enmod rewrite 
sudo a2enmod deflate 
sudo a2enmod headers 
sudo a2enmod proxy_connect 
sudo a2enmod proxy_html 
sudo a2enmod proxy_http2
  2. Create the configuration file /etc/apache2/sites-enabled/000-deafult.conf and add the following to enable reverse proxy for CDSW: 
    <VirtualHost *:443>
   ServerName company.cdsw.cloudera.com
   ServerAlias *.company.cdsw.cloudera.com

   SSLEngine on
   SSLProxyEngine on

   RewriteEngine On
   RewriteCond %{HTTP:Connection} Upgrade [NC]
   RewriteCond %{HTTP:Upgrade} websocket [NC]
   RewriteRule /(.*) wss://backend-company.cdsw.cloudera.com/$1 [P,L]

   ProxyPass / https://backend-company.cdsw.cloudera.com/ nocanon
   ProxyPassReverse / https://backend-company.cdsw.cloudera.com/ nocanon


   SSLCertificateFile /root/ca/cdsw/company.cdsw.cloudera.com.crt
   SSLCertificateKeyFile /root/ca/cdsw/private.key
   SSLCertificateChainFile /root/ca/intermediate/certs/ca-chain.cert.pem

   Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
   Header always set Access-Control-Allow-Origin "*"
   Header always set Access-Control-Max-Age "1000"
   Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"

   ProxyPreserveHost On
   ProxyRequests Off

   RewriteEngine On
   RewriteRule ^(.*) - [E=CLIENT_IP:%{REMOTE_ADDR},L]

   RequestHeader set X-Forwarded-For %{CLIENT_IP}e
   RequestHeader set X-Forwarded-Proto https
   RequestHeader set X-Forwarded-SSL on
   RequestHeader set X-Forwarded-Port 443

   AllowEncodedSlashes On
</VirtualHost>
  3. Ensure that port 443 is associated with the host company.cdsw.cloudera.com and is listed first in the default SSL configuration, /etc/apache2/sites-enabled/000-default-ssl.conf. 
    root@ip-10-80-161-148:/etc/apache2/sites-enabled# apachectl -S 
VirtualHost configuration: *:443 company.cdsw.cloudera.com (/etc/apache2/sites-enabled/000-default.conf:1) 
ServerRoot: "/etc/apache2" 
Main DocumentRoot: "/var/www/html" 
Main ErrorLog: "/var/log/apache2/error.log" 
Mutex proxy-balancer-shm: using_defaults 
Mutex rewrite-map: using_defaults 
Mutex ssl-stapling-refresh: using_defaults 
Mutex ssl-stapling: using_defaults 
Mutex proxy: using_defaults 
Mutex ssl-cache: using_defaults 
Mutex default: dir="/var/run/apache2/" mechanism=default 
Mutex watchdog-callback: using_defaults 
PidFile: "/var/run/apache2/apache2.pid" 
Define: DUMP_VHOSTS 
Define: DUMP_RUN_CFG 
User: name="www-data" id=33 
Group: name="www-data" id=33
    You need to ensure this configuration because there is a default SSL configuration that listens to port 443 and the Apache HTTP server serves the request in the order it is defined in the configuration.