Enabling HTTPS on the Spotfire Server changes its behavior in a number of ways, including marking HTTP session cookies as secure. However, it is also possible to configure a load balancer or reverse proxy with HTTPS and use plain HTTP between the load balancer and the Spotfire Server.
In these cases, the Spotfire Server does not automatically know that the connection is secure (from the client's point of view), and some additional steps are needed to set the secure attribute on cookies. There are 2 options available:
Option 1: Using the SpotfireRemoteIpValve to configure Spotfire Server with a load balancer or reverse-proxy
The recommended way to use a load balancer or reverse proxy in front of the Spotfire Server is to enable and configure SpotfireRemoteIpValve.
Using SpotfireRemoteIpValve, you can configure the standard Tomcat RemoteIpValve through the Spotfire Server configuration, for all servers in your clustered Spotfire environment. The properties described in the Tomcat documentation are configured as attributes using the set-config-map-prop command, as shown in the steps below.
Procedure:
Option 2: Setting the Server attributes to secure by modifying configuration files for each server
As an alternative to using the SpotfireRemoteIpValve to configure Spotfire Server with a load balancer or reverse proxy, you can also make the server behave as if it uses HTTPS (for example, setting secure cookies) by providing some parameters in the HTTP Tomcat connector in server.xml. Note, however, that this method requires changes on all servers in the cluster, whereas the configuration in Option 1 only needs to be done once.
Procedure:
Example:
<Connector port="80"
    protocol="org.apache.coyote.http11.Http11NioProtocol"
    maxHttpHeaderSize="65536"
    connectionTimeout="30000"
    enableLookups="false"
    URIEncoding="UTF-8"
    disableUploadTimeout="true"
    server="Spotfire Server"
    compression="on"
    compressibleMimeType="text/html,text/xml,text/plain,text/css,application/json,application/javascript,image/svg+xml,application/xml"
    keepAliveTimeout="30000"
    maxKeepAliveRequests="-1"
    maxThreads="2000"
    scheme="https"
    secure="true"
    proxyPort="443"
    proxyName="example.com"/>
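Because Option 2 has to be repeated on every server in the cluster, it is easy for one node to be missed and keep issuing cookies without the secure attribute. The following check is an added example, not part of the TIBCO documentation: it audits each node's server.xml for the four proxy-related connector attributes shown above and flags drift between nodes. The function names, node names and sample XML are constructed for illustration, and port 80 is assumed from the example connector.

```python
# Added example: audit Tomcat server.xml connectors for the attributes that
# Option 2 sets. Function names and the sample XML below are constructed.
import xml.etree.ElementTree as ET

# Values the article's example connector uses to make the server act as HTTPS.
REQUIRED = {"scheme": "https", "secure": "true"}
PROXY_ATTRS = ("proxyPort", "proxyName")


def audit_connector(server_xml: str, port: str = "80") -> list[str]:
    """Return findings for the HTTP connector on `port`; empty list means OK."""
    root = ET.fromstring(server_xml)
    connectors = [c for c in root.iter("Connector") if c.get("port") == port]
    if not connectors:
        return [f"no Connector on port {port}"]
    findings = []
    for conn in connectors:
        for name, expected in REQUIRED.items():
            if conn.get(name) != expected:
                findings.append(f"{name} is {conn.get(name)!r}, expected {expected!r}")
        for name in PROXY_ATTRS:
            if not conn.get(name):
                findings.append(f"{name} is not set")
    return findings


def audit_cluster(nodes: dict[str, str], port: str = "80") -> dict[str, list[str]]:
    """Audit every node's server.xml and flag proxy settings that differ."""
    report = {node: audit_connector(xml, port) for node, xml in nodes.items()}
    seen = {}
    for node, xml in nodes.items():
        for conn in ET.fromstring(xml).iter("Connector"):
            if conn.get("port") == port:
                seen[node] = tuple(conn.get(a) for a in PROXY_ATTRS)
    if len(set(seen.values())) > 1:  # nodes disagree on proxyPort/proxyName
        for node, values in seen.items():
            report[node].append(f"proxy settings differ across nodes: {values}")
    return report


# Constructed samples: one node configured as in the article, one left untouched.
GOOD = ('<Server><Service name="Spotfire"><Connector port="80" scheme="https" '
        'secure="true" proxyPort="443" proxyName="example.com"/></Service></Server>')
MISSED = ('<Server><Service name="Spotfire"><Connector port="80" '
          'connectionTimeout="30000"/></Service></Server>')

if __name__ == "__main__":
    for node, findings in audit_cluster({"node-a": GOOD, "node-b": MISSED}).items():
        print(node, "OK" if not findings else findings)
```

In practice, pass the contents of each server's real server.xml in place of the constructed strings.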
Documentation reference: https://docs.tibco.com/pub/spotfire_server/14.0.6/doc/html/TIB_sfire_server_tsas_admin_help/server/topics/terminating_tls_in_a_load_balancer_or_reverse_proxy.html