Difference between revisions of "Reverse proxy"

From NComputing Knowledge Base
 
Line 1: Line 1:
[[NComputing Virtual Appliance]] includes a so-called "reverse proxy" that will forward all NoTouch-Center-URLs (''/easyadmin/*'') to NoTouch Center. That sounds trivial but please keep in mind that NoTouch Center is a separate application and distinct from the Apache web server that runs the Virtual Appliance web console.
+
[[NComputing Virtual Appliance]] uses runs two distinct software modules:
  
Historically, NoTouch Center, being a standalone application used its own ports, 8080 and 8443. Now, with the reverse proxy, it can use 80 and 443 without any extra configuration. At least ncomputingva 1.0-65 and NoTouch Center 4.1.27.35 or later are necessary for this to work.
+
* '''NoTouch Center''', an enterprise Java-servlet software stack, using the `/easyadmin/*` URLs,
 +
* '''VA Console''', a PHP-based system administration toolset, using the `/va-admin/` URLs,
 +
Both modules are web applications, however based on different platforms, each one suited well for its job. For user convenience we don't run them on separate port numbers, but instead everything is behind the normal HTTPS (port 443) webservice. Obviously, one of these modules must act as a "reverse-proxy" then to route requests for the other module accordingly. Which one acts as the front-end can be selected with the "Front-end service" parameter in the VA Configuration.
  
[[Image:VA-en-ReverseProxy-BlockDiagram.jpg|None|600px]]
+
For production NTC deployments and larger numbers we suggest using NTC as the front-end-service. Only if an appliance is used for PXE boot, you must use Apache as front-end service.
  
Internally NoTouch Center still runs on 8080 and 8443 and we ask you to not change that. You should rather use the [[Firewall configuration (VA)]] to cut access to 8080 and 8443 from outside. Actually, new VAs from 20140912 onwards will have this restrictive setting by default.
+
The benefits of all that are obvious:
  
Thus, there should be no need for you to change the NoTouch Center port numbers unless you really want it to run on your own non-standard port. In that case, please be aware that this is possible but unsupported, and read on here: [[Change port number]]
+
* No need to expose a second port number, like 8080 or 8443
 
 
The benefits of all that are:
 
* Externally the port numbers 8080 and 8443 are not necessary any more
 
 
** Less firewall configuration, less thinking about one more port
 
** Less firewall configuration, less thinking about one more port
* "Hiding" NoTouch Center behind Apache means one service less visible on the Virtual Appliance.
+
* "Hiding" one service behind the other means one service less visible on the Virtual Appliance.
 
* Easy-to-use access control via [[Firewall configuration (VA)]]
 
* Easy-to-use access control via [[Firewall configuration (VA)]]
 
* No more need to change port numbers on your own (unless you really want to use a strange port number - most people simply wanted it to run on 443)
 
* No more need to change port numbers on your own (unless you really want to use a strange port number - most people simply wanted it to run on 443)
  
With the [[Firewall configuration (VA)]] you can also easily cut off unencrypted traffic altogether. Simply block port 80.
+
=Best practices=
 +
==Larger, production NTC appliance==
 +
Use NoTouch Center as front-end service to eliminate the Apache (it can become a bottleneck, especially with a larger number of websocket connections).
 +
 
 +
==PXE boot==
 +
PXE boot requires Apache as the front-end service.
 +
 
 +
==Large number of clients and PXE boot==
 +
Split it into two appliances for best performance.
 +
 
 +
=Up-to-date notice=
 +
To properly use either of these scenarios, your appliance must be up-to-date. If your appliance was set up before fall 2018 and you want to use NTC as front-end, you will need to log in via SSH login, become root, and run apt-get install php-fpm. Your appliance needs Internet connection and access to Ubuntu repositories (*.ubuntu.com).
 +
 
 +
Appliances set up after fall 2018 will not need that installation step.
 +
 
 +
=Configuration=
 +
To switch between the two scenarios,
 +
 
 +
# Enter the VA Console (NOT NoTouch Center)
 +
# Navigate to the VA Configuration area using the sidebar
 +
# Switch the "Front-end-service" parameter
 +
# Save and reboot the appliance
 +
Note: If you appliance says that either NTC is too old, or php-fpm is not installed, then please update NoTouch Center or install php-fpm as described above.
 +
 
 +
==Shell-based configuration==
 +
In order to configure this manually from a shell-prompt, or if you think something went wrong, please log in via [[SSH_login|SSH login]], become root, and use the <code>/opt/bin/setproxy</code> command.
  
 +
To make NoTouch Center the front-end service, run <code>/opt/bin/setproxy center</code>. To make Apache the front-end service, run <code>/opt/bin/setproxy apache</code>
  
Note: The reverse proxy is available from NComputing VA software version 1.0-65 or build 20140912 '''and''' NoTouch Center 4.1.27.35 or higher. If you use NComputing VA with reverse proxy capability together with an old NoTouch Center without reverse proxy capability, you can not use this functionality. If you try to connect to <nowiki>http://my-va/easyadmin</nowiki> or its HTTPS equivalent (such as the link under "Management"), style sheets may be messed up and you might be redirected to localhost-links. It is ok to use such a combination if you connect directly to <nowiki>http://my-va:8080/easyadmin</nowiki> or <nowiki>https://my-va:8443/easyadmin</nowiki>
 
  
 
[[Category:NTC]] [[Category:Virtual Appliance]]
 
[[Category:NTC]] [[Category:Virtual Appliance]]
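
Review bot: the rewritten benefits list says "No need to expose a second port number, like 8080 or 8443", but the paragraph telling admins that NoTouch Center still runs internally on 8080 and 8443 and should be cut off from outside via [[Firewall configuration (VA)]] is not carried into the new text, and neither is the "Simply block port 80" tip. Suggest keeping one sentence under the benefits list that points to the firewall page for closing 8080, 8443 and, if wanted, 80. Smaller points in the added lines: "uses runs two distinct software modules" has a doubled verb, "If you appliance says" should read "your", the backticks around /easyadmin/* and /va-admin/ render literally in wiki markup where the same revision uses <code> for /opt/bin/setproxy, and the last added sentence is missing its full stop.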

Latest revision as of 07:23, 17 December 2019

NComputing Virtual Appliance runs two distinct software modules:

  • NoTouch Center, an enterprise Java-servlet software stack, using the `/easyadmin/*` URLs,
  • VA Console, a PHP-based system administration toolset, using the `/va-admin/` URLs,

Both modules are web applications, but they are built on different platforms, each well suited to its job. For user convenience we don't run them on separate port numbers; instead, everything sits behind the normal HTTPS (port 443) web service. One of the modules must therefore act as a "reverse proxy" and route requests for the other module accordingly. Which one acts as the front end can be selected with the "Front-end service" parameter in the VA Configuration.

For production NTC deployments and larger numbers we suggest using NTC as the front-end service. Only if an appliance is used for PXE boot must you use Apache as the front-end service.

The benefits of all that are obvious:

  • No need to expose a second port number, like 8080 or 8443
    • Less firewall configuration, less thinking about one more port
  • "Hiding" one service behind the other means one service less visible on the Virtual Appliance.
  • Easy-to-use access control via Firewall configuration (VA)
  • No more need to change port numbers on your own (unless you really want to use a strange port number - most people simply wanted it to run on 443)

Best practices

Larger, production NTC appliance

Use NoTouch Center as the front-end service to eliminate Apache (it can become a bottleneck, especially with a larger number of websocket connections).

PXE boot

PXE boot requires Apache as the front-end service.

Large number of clients and PXE boot

Split it into two appliances for best performance.

Up-to-date notice

To properly use either of these scenarios, your appliance must be up-to-date. If your appliance was set up before fall 2018 and you want to use NTC as the front end, you will need to log in via SSH login, become root, and run `apt-get install php-fpm`. Your appliance needs an Internet connection and access to the Ubuntu repositories (*.ubuntu.com).

Appliances set up after fall 2018 will not need that installation step.

Configuration

To switch between the two scenarios,

  1. Enter the VA Console (NOT NoTouch Center)
  2. Navigate to the VA Configuration area using the sidebar
  3. Switch the "Front-end-service" parameter
  4. Save and reboot the appliance

Note: If your appliance says that either NTC is too old or php-fpm is not installed, then please update NoTouch Center or install php-fpm as described above.

Shell-based configuration

To configure this manually from a shell prompt, or if you think something went wrong, please log in via SSH login, become root, and use the `/opt/bin/setproxy` command.

To make NoTouch Center the front-end service, run `/opt/bin/setproxy center`. To make Apache the front-end service, run `/opt/bin/setproxy apache`.