Dundas BI and reverse proxies

Contents[Hide]

1. Overview

This article provides information about Dundas BI and reverse proxies used on Linux servers.

Dundas BI for Linux uses the built-in Kestrel web server. Kestrel is a cross-platform web server for ASP.NET Core. Dundas BI will work with or without a reverse proxy server.

For more information, see Kestrel web server implementation in ASP.NET Core.

Important
If your reverse proxy, load balancer, or other network gateway is remote (on a different machine), its IP address must be set in the advanced Dundas BI configuration setting Trusted Proxy IP Addresses, otherwise proxy-related request headers such as X-Forwarded-For will not be trusted and issues may occur.

2. Why use a reverse proxy

Some common reasons for using a reverse proxy:

  • Security - limit the exposure of the server, and provide an additional layer of defense.
  • Integration - might integrate better with existing infrastructure.
  • Load Balancing - simplified HTTPS configuration as only the reverse proxy will require a X509 certificate and the application server can just run as HTTP.

3. NGINX example

As described in the Installing Dundas BI on Linux article, the Dundas BI wizard will set up an NGINX reverse proxy. The following is a typical example of how Dundas BI would be set up on Ubuntu without the Dundas BI wizard:

First install NGINX by running the following command:

sudo apt-get update
sudo apt-get install nginx

After it is installed, you can create a site definition by creating a file at the following path, for example:

/etc/nginx/sites-available/dundas-bi-website-InstanceName.conf

The content will typically look like the following:

# falling back to $scheme if no X-Forwarded-Proto header is received
map $http_x_forwarded_proto $client_scheme {
  default $http_x_forwarded_proto;
  ''      $scheme;
}

server {
    listen 443;
    listen [::]:443;
    server_name somedomain.com;

    ssl on;
    ssl_certificate /etc/nginx/ssl/somedomaincom/cert.crt;
    ssl_certificate_key /etc/nginx/ssl/somedomain/cert.key;

    location / {
        proxy_pass http://localhost:8008;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection keep-alive;
        proxy_set_header   Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $client_scheme;
        proxy_connect_timeout       86400;
        proxy_send_timeout          86400;
        proxy_read_timeout          86400;
        send_timeout                86400;
        client_max_body_size        500M;

    }
}

Note
In the case above, the Dundas BI Kestrel website is located at http://localhost:8008. It is handling requests for somedomain.com, and has defined certificates for that domain.

This sample is using a sites-available folder, which is the location on Ubuntu for the NGINX site definition files. This location will be different on RHEL. For more information, see: NGINX Wiki. Also be aware of restrictions from SELinux on RHEL.

3.1. Including the federated authentication bridge and gateway hub

If you are using federated authentication, the Dundas BI AuthBridge website needs to be accessible as a subpath under the Dundas BI website. If the Dundas BI website is accessed at http://somesite/, then the AuthBridge website should exist at http://somesite/AuthBridge/. Similarly, if you are using a gateway, the Dundas BI gateway hub needs to be accessible as the subpath /GatewayHub/ under the main Dundas BI website.

The following is an extension to the sample in the previous section, which adds configuration for redirecting the federated authentication traffic to the AuthBridge Kestrel website.

# falling back to $scheme if no X-Forwarded-Proto header is received
map $http_x_forwarded_proto $client_scheme {
  default $http_x_forwarded_proto;
  ''      $scheme;
}

server {
    listen 443;
    listen [::]:443;
    server_name somedomain.com;

    ssl on;
    ssl_certificate /etc/nginx/ssl/somedomaincom/cert.crt;
    ssl_certificate_key /etc/nginx/ssl/somedomain/cert.key;

    location /AuthBridge/ {
        proxy_pass http://localhost:8009/;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection keep-alive;
        proxy_set_header   Host $http_host;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $client_scheme;
        proxy_cache_bypass $http_upgrade;

        proxy_set_header   X-Proxy-BasePath /AuthBridge;

        proxy_buffer_size  128k;
        proxy_buffers      4 256k;
        proxy_busy_buffers_size    256k;

        proxy_connect_timeout       86400;
        proxy_send_timeout          86400;
        proxy_read_timeout          86400;
        send_timeout                86400;
        client_max_body_size        500M;
    }

    location / {
        proxy_pass http://localhost:8008;
        proxy_http_version 1.1;
        proxy_set_header   Upgrade $http_upgrade;
        proxy_set_header   Connection keep-alive;
        proxy_set_header   Host $http_host;
        proxy_cache_bypass $http_upgrade;
        proxy_set_header   X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header   X-Forwarded-Proto $client_scheme;
        proxy_connect_timeout       86400;
        proxy_send_timeout          86400;
        proxy_read_timeout          86400;
        send_timeout                86400;
        client_max_body_size        500M;
    }
}

Note
For Dundas BI version 9 and earlier, you need to change X-Proxy-BasePath above to X-Proxy-BaseUri for specifying the /AuthBridge path. This older header name will also work in newer versions.

In the case above, the Dundas BI Kestrel website is located at http://localhost:8008 and the Dundas BI AuthBridge Kestrel website is located at http://localhost:8009.

3.2. Accessing Dundas BI via a path

Starting with Dundas BI version 10, you can set up NGINX or your other reverse proxy to make Dundas BI accessible under a path in the URL rather than at the root of the site when running on Linux - for example, at http://somesite/dundasbi/ rather than http://somesite/.

The configuration for doing so is the same as shown in the previous section for the /AuthBridge/ location: add a line to the configuration that sets the X-Proxy-BasePath header value to the same path to Dundas BI you've specified as the location without a trailing slash. For example:

proxy_set_header   X-Proxy-BasePath /DundasBI;

If you are using federated authentication, the AuthBridge website must now be accessible as an /AuthBridge/ subdirectory under the Dundas BI path, so the example in the previous section would need to be modified accordingly to set this header value to /DundasBI/AuthBridge.

4. Other reverse proxies

It is possible to use other reverse proxies with Dundas BI on Linux. Some other popular options are:

  • Apache
  • NGINX Plus
  • HAProxy

5. See also

Dundas Data Visualization, Inc.
400-15 Gervais Drive
Toronto, ON, Canada
M3C 1Y8

North America: 1.800.463.1492
International: 1.416.467.5100

Dundas Support Hours:
Phone: 9am-6pm, ET, Mon-Fri
Email: 7am-6pm, ET, Mon-Fri