10. Reverse Proxy & SSL
More than likely you'll be exposing hyperglass to the internet, so it is recommended practice to run it, like most web applications, behind a reverse proxy such as NGINX, Apache or Caddy. Additionally, Gunicorn, the WSGI server hyperglass runs on, is designed to sit behind a buffering reverse proxy and should not be exposed to clients directly: without a proxy buffering slow clients it is easy to tie up its workers. The examples below use NGINX, but can easily be adapted to other reverse proxies if you prefer.
Examples
NGINX (HTTP)

```nginx
# Allowlist for the Prometheus scraper: 192.0.2.1 maps to 0 (allowed);
# every other client address gets the default of 1 (blocked).
geo $not_prometheus_hosts {
    default 1;
    192.0.2.1/32 0;
}

server {
    listen 80;
    listen [::]:80 ipv6only=on;
    # Looking-glass queries are small; cap request bodies at 1024 bytes.
    client_max_body_size 1024;
    server_name lg.domain.tld;

    location /metrics {
        # For non-allowlisted clients the URI is rewritten. The rewrite has no
        # flag, so nginx re-runs location matching on the new URI, which lands
        # in "location /" and is proxied to hyperglass, which answers 404.
        if ($not_prometheus_hosts) {
            rewrite /metrics /getyourownmetrics;
        }
        try_files $uri @proxy_to_app;
    }

    location /static/ {
        alias /opt/hyperglass/hyperglass/static/;
    }

    location / {
        try_files $uri @proxy_to_app;
    }

    location @proxy_to_app {
        # Pass the real client address, scheme and host through to Gunicorn.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://[::1]:8001;
    }
}
```
This configuration, in combination with the default Gunicorn configuration, makes the hyperglass front-end dual-stack (IPv4 and IPv6) capable.

NGINX (HTTPS)

To add TLS ("SSL") support, the NGINX configuration above can be adjusted to terminate HTTPS connections from clients and to redirect plain HTTP requests to HTTPS:
```nginx
geo $not_prometheus_hosts {
    default 1;
    192.0.2.1/32 0;
}

# Plain HTTP only redirects to HTTPS; nothing is proxied on port 80.
server {
    listen 80;
    listen [::]:80;
    server_name lg.domain.tld;
    return 301 https://$host$request_uri;
}

server {
    listen [::]:443 ssl ipv6only=on;
    listen 443 ssl;
    # Replace the placeholders with the paths to your certificate chain and key.
    ssl_certificate <path to certificate>;
    ssl_certificate_key <path to private key>;
    client_max_body_size 1024;
    server_name lg.domain.tld;

    location /metrics {
        # Non-allowlisted clients are rewritten to a URI hyperglass answers with 404.
        if ($not_prometheus_hosts) {
            rewrite /metrics /getyourownmetrics;
        }
        try_files $uri @proxy_to_app;
    }

    location /static/ {
        alias /opt/hyperglass/hyperglass/static/;
    }

    location / {
        try_files $uri @proxy_to_app;
    }

    location @proxy_to_app {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # $scheme is now "https", so hyperglass can build correct absolute URLs.
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_redirect off;
        proxy_pass http://[::1]:8001;
    }
}
```
SSL

Let's Encrypt issues free TLS certificates, and its ACME clients (Certbot, for example) automate issuance and renewal. There are a number of guides available on how to integrate Let's Encrypt with NGINX (or your reverse proxy of choice). Some examples:
- Digital Ocean: How To Secure Nginx with Let's Encrypt on Ubuntu 18.04
- NGINX: Using Free Let’s Encrypt SSL/TLS Certificates with NGINX
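The HTTPS server block above terminates TLS but leaves protocol and cipher selection at NGINX's defaults and sends no HSTS header. The fragment below is an added example, not part of the hyperglass documentation, showing the directives a practitioner would normally add to that port 443 server block. The certificate paths are the ones Certbot writes by default for the host name used on this page and are assumed here; the `/metrics`, `/static/` and `/` locations stay exactly as in the block above.

```nginx
server {
    listen [::]:443 ssl ipv6only=on;
    listen 443 ssl;
    server_name lg.domain.tld;

    # Assumed paths: where Certbot stores the Let's Encrypt chain and key
    # for lg.domain.tld. fullchain.pem includes the intermediate certificate.
    ssl_certificate     /etc/letsencrypt/live/lg.domain.tld/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/lg.domain.tld/privkey.pem;

    # Refuse TLS 1.0/1.1. With only modern suites on offer, let the client's
    # preference decide, which is what current guidance recommends.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;

    # Resume sessions from a server-side cache instead of session tickets:
    # nginx's ticket key is generated at start-up and never rotated, so
    # tickets weaken forward secrecy for the lifetime of the process.
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # HSTS: browsers that have seen this header will not send plain HTTP to
    # this host for two years. "always" also attaches it to error responses,
    # such as the 404 returned for unauthorised /metrics requests.
    add_header Strict-Transport-Security "max-age=63072000" always;

    client_max_body_size 1024;

    # Keep the /metrics, /static/, / and @proxy_to_app locations from the
    # HTTPS example above here, unchanged.
}
```

Only enable the HSTS header once the certificate renewal is known to work: after browsers have cached it, a lapsed certificate makes the site unreachable rather than merely showing a warning.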
Prometheus Metrics

The `/metrics` location uses the `geo $not_prometheus_hosts` map to decide who may reach the `/metrics` URI, which exposes Prometheus metrics. Client addresses listed in the map with a value of 0 (here, 192.0.2.1/32) are proxied through to hyperglass; any other address receives the default value of 1, and its request for `/metrics` is rewritten to `/getyourownmetrics`. Because the rewrite carries no flag, NGINX re-runs location matching on the new URI, which lands in `location /` and is passed to hyperglass, which renders its 404 error page. Keep in mind that `geo` evaluates `$remote_addr`, the address of the TCP peer: if another proxy or load balancer sits in front of NGINX, every request arrives from that device's address, and the allowlist will not behave as intended.
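The case where NGINX itself sits behind another proxy or load balancer is handled below, as an added example that is not part of the hyperglass documentation. The `proxy` parameter of `geo` tells NGINX to take the client address from the `X-Forwarded-For` header, but only for connections that arrive from the listed trusted proxies; anyone else can write that header, so the range must cover nothing but your own front-end devices. The load balancer range 10.0.0.0/8 and the scraper address 192.0.2.1 are assumed values. The example also answers with `return 404` instead of rewriting the URI, so the request never reaches Gunicorn and no second location lookup is needed; the trade-off is that NGINX's own 404 page is served rather than the hyperglass one.

```nginx
geo $not_prometheus_hosts {
    # Assumed: the address range of the load balancer in front of nginx.
    # For connections from here, the last address in X-Forwarded-For is
    # evaluated instead of $remote_addr. Connections from any other
    # address keep using $remote_addr, so a spoofed header is ignored.
    proxy 10.0.0.0/8;

    default 1;
    192.0.2.1/32 0;            # assumed Prometheus scraper
}

server {
    listen 80;
    listen [::]:80 ipv6only=on;
    client_max_body_size 1024;
    server_name lg.domain.tld;

    location /metrics {
        # Reject non-allowlisted clients at the proxy. "if" containing only
        # "return" is one of the forms the nginx documentation considers safe.
        if ($not_prometheus_hosts) {
            return 404;
        }
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_pass http://[::1]:8001;
    }

    location /static/ {
        alias /opt/hyperglass/hyperglass/static/;
    }

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host $http_host;
        proxy_pass http://[::1]:8001;
    }
}
```

Verify the rule from both sides after reloading: a `curl -i http://lg.domain.tld/metrics` from the scraper should return metrics, while the same request from any other host (including one that adds a forged `X-Forwarded-For: 192.0.2.1` header from outside the trusted range) should return 404.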