Shop

Your Notifications (0)

There are currently no notifications. You're all set!

Demos Trials
Knowledge Base
ChemDraw and ChemOffice+ Products Signals Notebook E-Notebook and ChemBioOffice Enterprise Spotfire and Signals Spotfire Products Columbus Signals Image Artist
Downloads
Downloads
Community
Support Forums Ideas Portal Product Basics
About Support
Legal Resources Support and Maintenance Plans Product Life Cycle Support News
Contact Support

Spotfire Server: How to terminate TLS in a load balancer or reverse proxy

Kisiel, Pawel
  • Updated

If HTTPS is enabled on the Spotfire Server, then this results in a number of behavior changes, including that HTTP session cookies are marked as secure. However, it is also possible to configure a load balancer or reverse-proxy with HTTPS, and use plain HTTP between the load balancer and the Spotfire Server.

In these cases, the Spotfire Server will not automatically know that the connection is secure (from the client's point of view) and it will take some additional steps to set the secure attribute on cookies. There are 2 options available:

 

Option 1: Using the SpotfireRemoteIpValve to configure Spotfire Server with a load balancer or reverse-proxy

The recommended way to use a load balancer or reverse proxy in front of the Spotfire Server is to enable and configure SpotfireRemoteIpValve.

Using SpotfireRemoteIpValve, you can configure the standard Tomcat RemoteIpValve through the Spotfire Server configuration, for all servers in your clustered Spotfire environment. The properties described in the Tomcat documentation are configured as attributes using the set-config-map-prop as shown in the steps below.

Procedure:

  1. Open a command-line interface and export the active configuration (the configuration.xml file) by using the export-config command. (For details on using the Spotfire command line, see Executing commands on the command line.)
  2. On the command line, enter the following commands: 
    config set-config-prop --name=tomcat.remote-ip-valve.enabled --value=true
    and 
    config set-config-map-prop --name="tomcat.remote-ip-valve.attributes" --item-name="attribute" -VprotocolHeader=X-Forwarded-Proto
  3. Import the configuration file back to the Spotfire database by using the import-config command.
  4. Restart the Spotfire Server.

 

Option 2: Setting the Server attributes to secure by modifying configuration files for each server

As an alternative to using the SpotfireRemoteIpValve to configure Spotfire Server with a load balancer or reverse-proxy, you can also make the server behave as if it uses HTTPS (e.g., set secure cookies etc.) by providing some parameters in the HTTP Tomcat connector, present in server.xml. Note, however, that this method requires changes on all servers in the cluster, whereas the filter configuration only needs to be done once.

To indicate that the connection should be seen as secure, even though the Spotfire Server uses HTTP, follow the instructions below.
Note: These steps must be performed on all servers in a cluster.

Procedure:

  1. Open the following file in an XML editor or a text editor: <server installation dir>/tomcat/conf/server.xml
  2. Locate the information about the HTTP connector (at the top of the file).
  3. Add the following attributes to the list:
    scheme="https"
    secure="true"
    proxyPort="443" (or the port that your load balancer uses)
    proxyName="example.com" (the host name of your load balancer)
    The most important attribute here is secure – the other attributes are used only in some special cases (normally, the configured public address is used instead).
  4. Save and close the file.
  5. Restart the Spotfire Server.

Example:

<Connector port="80"
  protocol="org.apache.coyote.http11.Http11NioProtocol"
	maxHttpHeaderSize="65536"
	connectionTimeout="30000"
	enableLookups="false"
	URIEncoding="UTF-8"
	disableUploadTimeout="true"
	server="Spotfire Server"
	compression="on"
	compressibleMimeType="text/html,text/xml,text/plain,text/css,application/json,application/javascript,image/svg+xml,application/xml"
	keepAliveTimeout="30000"
	maxKeepAliveRequests="-1"
	maxThreads="2000"
	scheme="https"
	secure="true"
	proxyPort="443" 
	proxyName="example.com"/>

 

Documentation reference: https://docs.tibco.com/pub/spotfire_server/14.0.6/doc/html/TIB_sfire_server_tsas_admin_help/server/topics/terminating_tls_in_a_load_balancer_or_reverse_proxy.html

 

 

Related articles