To enable SSL connections, you must make changes to the configuration for Nginx, a proxy server packaged with the platform. You must apply changes to the Nginx configuration to reference the generated SSL certificate.

  1. You must generate a valid SSL certificate for the platform. The certificate must match the domain where the node is installed.

    1. The SSL certificate and the private key must be installed on the node in an accessible location.
    2. The steps to do so exceed the scope of this document.
  2. Log in to the platform as the root user.


  3. An example SSL configuration file is located in the deployment:

    Code Block
    /opt/trifacta/conf/ssl-nginx.conf.sample


  4. Create a copy of the above file, and rename it to trifacta.conf:

    Code Block
    server {
      listen          443;
      ssl             on;
      server_name     *.cloud.trifacta.com;
      # Don't limit the size of client uploads.
      client_max_body_size 0;
      access_log      /var/log/nginx/ssl-access.log;
      error_log       /var/log/nginx/ssl-error.log;
      ssl_certificate      /usr/share/nginx/ssl/trifacta.cer;
      ssl_certificate_key  /usr/share/nginx/ssl/trifacta.key;
      ssl_protocols        SSLv3 TLSv1 TLSv1.1 TLSv1.2;
      ssl_ciphers RC4:HIGH:!aNULL:!MD5;
      ssl_prefer_server_ciphers on;
      keepalive_timeout    60;
      ssl_session_cache    shared:SSL:10m;
      ssl_session_timeout  10m;
      location / {
        proxy_pass  http://localhost:3005;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_set_header        Accept-Encoding   "";
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header        X-Forwarded-Proto $scheme;
        add_header              Front-End-Https   on;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_redirect     off;
      }
      proxy_connect_timeout       6000;
      proxy_send_timeout          6000;
      proxy_read_timeout          6000;
      send_timeout                6000;
    }
    server {
      listen          80;
      return 301 https://$host$request_uri;
    }
  5. Remove the generic default.conf from /etc/nginx/conf.d, and copy the sample that you modified above into /etc/nginx/conf.d:

    Code Block
    cd /etc/nginx/conf.d
    rm /etc/nginx/conf.d/default.conf
    cp ~/trifacta.conf /etc/nginx/conf.d/


    Tip: You can also use vi to create trifacta.conf directly. Open the file with the following command and paste the above content into it:

    Code Block
    vi /etc/nginx/conf.d/trifacta.conf
  6. Modify the server_name value to match the domain name created for the SSL certificate:

    Code Block
    server {
      listen          443;
      ssl             on;
      server_name     *.customer.com;
    ...


  7. Modify the ssl_certificate and ssl_certificate_key values to point to the certificate and private key installed on the node:

    Code Block
    ...
      ssl_certificate      /usr/share/nginx/ssl/customerSSL.cer;
      ssl_certificate_key  /usr/share/nginx/ssl/customerSSL.key;
    ...


  8. Save the file. Then, set the proper read permission for all necessary files. For example:

    Code Block
    chmod 644 /etc/nginx/conf.d/trifacta.conf
    chmod 644 /usr/share/nginx/ssl/customerSSL.cer
    # The private key is read by the nginx master process (root) at startup,
    # so it does not need to be readable by other users.
    chmod 600 /usr/share/nginx/ssl/customerSSL.key


  9. Restart the nginx service to pick up the new configuration:

    Code Block
    service nginx restart
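The sample server block shipped with the deployment still offers SSLv3 and RC4 and uses the deprecated `ssl on;` form, and the permission step above is easy to get wrong for the private key. The following lint script is an added example (not part of the product or this page) that checks a copied trifacta.conf and key for those four problems before you restart nginx; it assumes GNU grep and GNU or BSD stat, and the file paths are whatever you installed.

```shell
#!/bin/sh
# lint_ssl_nginx.sh (added example, not product code): flag the weak settings
# visible in the sample server block above: SSLv3 / TLS < 1.2 in ssl_protocols,
# RC4 in ssl_ciphers, the deprecated "ssl on;" form, and a private key that is
# readable by other users. Assumes GNU grep and GNU or BSD stat.

check_nginx_ssl() {
  conf="$1"; key="$2"; rc=0
  # SSLv3 (POODLE) and TLSv1/TLSv1.1 (deprecated by RFC 8996) must not be offered.
  if grep -Eq '^[[:space:]]*ssl_protocols[^;]*[[:space:]](SSLv2|SSLv3|TLSv1|TLSv1\.1)[[:space:];]' "$conf"; then
    echo "FAIL $conf: ssl_protocols offers SSLv3 or TLS older than 1.2"; rc=1
  fi
  # RC4 is broken. A leading "!" (exclusion) is not matched; " RC4", ":RC4" and "-RC4-" are.
  if grep -Eq '^[[:space:]]*ssl_ciphers[^;]*[[:space:]:+-]RC4' "$conf"; then
    echo "FAIL $conf: ssl_ciphers includes RC4"; rc=1
  fi
  # "ssl on;" is deprecated; the ssl parameter of listen replaces it.
  if grep -Eq '^[[:space:]]*ssl[[:space:]]+on[[:space:]]*;' "$conf"; then
    echo "WARN $conf: 'ssl on;' is deprecated, use 'listen 443 ssl;'"
  fi
  # nginx reads the key as root at startup, so "other" needs no permission bits.
  if [ -n "$key" ] && [ -f "$key" ]; then
    mode=$(stat -c '%a' "$key" 2>/dev/null || stat -f '%Lp' "$key")
    case "$mode" in
      *0) : ;;
      *)  echo "FAIL $key: mode $mode is readable by other users (use 600 or 640)"; rc=1 ;;
    esac
  fi
  return $rc
}

# Constructed input reproducing the weak lines of the sample above; run with --demo.
demo() {
  d=$(mktemp -d)
  cat > "$d/trifacta.conf" <<'EOF'
server {
  listen          443;
  ssl             on;
  ssl_protocols   SSLv3 TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers     RC4:HIGH:!aNULL:!MD5;
}
EOF
  touch "$d/trifacta.key"; chmod 644 "$d/trifacta.key"
  check_nginx_ssl "$d/trifacta.conf" "$d/trifacta.key" || echo "sample needs hardening"
  rm -rf "$d"
}
if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it as `sh lint_ssl_nginx.sh --demo` to see the sample flagged, or source it and call `check_nginx_ssl /etc/nginx/conf.d/trifacta.conf /usr/share/nginx/ssl/customerSSL.key` against your real files.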

Modify listening port for the platform

If you have changed the listening port as part of the above configuration change, then the platform configuration must be updated.

Steps:

  1. D s config
  2. Locate the following parameter:

    Code Block
    "proxy.port": 3005,
  3. Set the value to the port number that you configured in the nginx configuration file. Typically, this port number is 443.
  4. Save your changes and restart the platform.

Add secure HTTP headers

If you have enabled SSL on the platform, you can optionally insert the following additional headers into all requests to the node:

Header                     Protocol         Required Parameters
X-XSS-Protection           HTTP and HTTPS   proxy.securityHeaders.enabled=true
X-Frame-Options            HTTP and HTTPS   proxy.securityHeaders.enabled=true
Strict-Transport-Security  HTTPS            proxy.securityHeaders.enabled=true and
                                            proxy.securityHeaders.httpsHeaders=true

Info

NOTE: SSL must be enabled to apply these security headers.

Steps:

To add these headers to all requests, please apply the following change:

  1. D s config
  2. Locate the following setting and change its value to true:

    Code Block
    "proxy.securityHeaders.httpsHeaders": false,
  3. Save the file. Restart the platform. See Start and Stop the Platform.

Enable secure cookies

If you have enabled SSL on the platform, you can optionally enable the use of secure cookies.

Info

NOTE: SSL must be enabled to use secure cookies.

Steps:

  1. D s config
  2. Locate the following setting and change its value to true:

    Code Block
    "webapp.session.cookieSecureFlag": false,
  3. Save the file. Restart the platform. See Start and Stop the Platform.