Accesing server interface from company web address

SGolbert

Hi RMners!

 

I am trying to give external access to a RM Server located on a VM in the intranet. I have asked IT and they asked me to allow HTTPS, which I did. However, they said that the local URL is "not unique" and they cannot forward the path.

 

They are trying to set the following external address with an Apache server:

https://support.XYZ.com/faces/login.xhtml

 

They have asked me if RM server can be set up behind a "apache Reverse Proxy".

 

Sincerely it's all chinese to me, do you have an idea of how to set it up or if they are doing something wrong?

 

Thanks!

Sebastian

 

Telcontar120

In this example, I am assuming xyz.com is the company's main website?

So are they asking whether RapidMiner Server can be set to run at the subdomain support.xyz.com (and have nothing else running on that subdomain)?

Or are they trying to direct only the specified link to the RapidMiner Server, which is otherwise running on an internal URL not accessible or addressable from the outside world?  Because if it is former, then I think you should be able to set it up (although it is a bit manual), whereas if it is the latter, then I have no idea how it would be done.

rfuentealba

Hi @SGolbert!

 

Let's go back to the basics (with schematics!):

 

You have an Apache server serving stuff from port :80 and port :443. That server should typically be configured for one or two addresses (like example.org and www.example.org). Normally, if you want to share stuff that is in another server (let's say: 8080), you have (at least) three choices:

 

1.- Set a new VirtualHost on port :443 and configure it to redirect every request internally to the port :8080. That is usually a good thing to do since you can log, intercept and do anything you want from Apache. That's what called a "reverse proxy".

 

[ Cloud ] --> [ Apache ] --> [ vhost1:80, vhost1:443 ]--> [ Hard Disk ]

                         \-> [ vhost2:443            ]--> [ RM Server ]

 

2.- Set a location (such as /rapidminer) to do the same reverse proxying trick. That involves ancient magic, but it is doable. Certainly it becomes much more manageable if you have several servers and Apache is used as a load balancer. (This is a typical Rails setup. Ruby: I miss you badly :smileysad:)

 

[ Cloud ] --> [ Apache ] --> [ Location /           ]--> [ Hard Disk ]

                         \-> [ Location /rapidminer ]--> [ RM Server ]

 

3.- Configure another address on your server using port :443. Since this is a public host it's not doable. But if you have another address available (that's the case when you buy a subnet instead of a simple connection from your ISP), you can. I'll save you from the pain: don't. It involves tricks on firewalls, coordination of interfaces and ports, and stuff I promised I would never do again, and I have followed my own advice for the past 12 years. (Gosh, I'm getting old!).

 

[ Cloud ] --> [ A Huge Mess In Between ] --> [ RM Server ]

 

I can prepare a configuration for you that can do the first two as an example, but I need your version of Apache, because between 2.2 and 2.4 there is a substantial backwards-incompatible change. I'll post it here for others to know how to do such a thing.

 

Beware that the setup I'll post is just a PoC as I don't know what's going on in your Apache server, if you have mod_php, mod_perl, mod_fcgi or something else activated. If you need help, drop me a line! We are following each other on LinkedIn already. 

 

Edit: forgot the schematics.

 

¡Saludos!

rfuentealba

Hi, all

 

This is a stripped down version of Apache. Please, DON'T USE IT WITHOUT READING! I stripped bits of information that are crucial for Apache to work properly. This will help having an idea on where to look at if you want to reverse proxy RapidMiner through Apache.

 

# Simplified Apache Setup: DON'T USE IN PRODUCTION!

ServerRoot "/usr"
Listen 80

# Typically you'll find LoadModule directives here.
# Make sure you uncomment vhost_alias_module, log_config_module,
# proxy_module and proxy_http_module.

ServerAdmin rfuentealba@pegasus.cl

# Notice that we block access to every single directory here.
# Then we will open directories to be accessed by Apache, as a
# security measure. You don't want /etc/passwd to be read, do you?
<Directory />
    AllowOverride none
    Require all denied
</Directory>

# Delete the DocumentRoot.
# Also, delete the <Directory> section that corresponds the DocumentRoot.
# That, unless you want to serve stuff straight from Apache.
# (Hint: bad idea, harder to quickly deploy changes)
# I deleted everything else but a little kitten will be killed if you do it.
# No, seriously, your Apache won't work.

<VirtualHost www.example.org:80>
    ServerAdmin webmaster
    DocumentRoot "/var/www/www.example.org/"
    ServerName example.org
    ServerAlias www.example.org
    <Directory "/var/www/www.example.org/">
        AllowOverride all
        Require all granted
    </Directory>

    # Location-based proxy.
    # If you want this, please do yourself a favor and use nginx instead.
    <Location /rapidminer>
        ProxyPass http://127.0.0.1:8080/
        ProxyPassReverse http://127.0.0.1:8080/
        Order allow, deny
        Allow from all
    </Location>

    # I couldn't make this work. See? use nginx. :P
    ProxyHTMLStripComments on
    ProxyRequests off
    SetOutputFilter proxy-html
    ProxyHTMLDoctype XHTML
</VirtualHost>

# See that I define a vhost for rapidminer.example.org?
# That is, every request to that address will be proxied to
# RapidMiner on http://127.0.0.1:8080 and back.
<VirtualHost rapidminer.example.org:80>
    ServerAdmin webmaster
    ServerName rapidminer.example.org
    ServerAlias rapidminerserver.example.org
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

I don't use Apache anymore because there are better alternatives for this kind of setup: nginx is very popular and there are plenty of examples on how to perform reverse proxying and load balancing. However, as I said, the important bits of the configuration are here for you to look and modify accordingly.

 

All the best,

 

SGolbert

Hi Brian, Rodrigo,

 

Thank you for the answer. I'm afraid it is the second situation Brian described, and also the second from Rodrigo. I will forward this information to IT, maybe they can come up with something.

 

We are considering other solutions anyway, like installing a RM Server on our client or putting a VM on the cloud. I keep you updated, thanks!

rfuentealba

Hi @SGolbert,

 

I would advice you to go this route (your IT department will know what to do):

 

• On the DNS Server, add an A-record on example.org to your Apache server's IP address. Let's say you chose the domain rapidminermcrapidminerface.example.org to expose your server.
• On your Apache server, enable virtual hosts. Usually you should uncomment mod_vhost_alias in the LoadModule section.
• Depending on what server you use, you may have a directory to put virtual host configurations. Just create a new rapidminermcrapidminerface.conf file with the following content:

<VirtualHost rapidminermcrapidminerface.example.org:80>
    ServerAdmin webmaster
    ServerName rapidminermcrapidminerface.example.org
    ProxyPreserveHost On
    ProxyPass / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

• Make sure you include that file in the configuration.
• Restart the Apache server.

Notice that you can have your RapidMiner server in a different machine on your local (192.168.x.x) network: as long as you can ping your RapidMiner server from your Apache server, you can serve that from a different location, without the need for having to install everything in one machine (which is good from the point of view of maintenance).

 

All the best,