Reverse proxy setup instructions
Last updated
Last updated
The following instructions walk you through setting up an Apache reverse proxy to establish an HTTP basic authentication layer before the application. These steps are specific to Ubuntu 14.04 or higher but are generic enough to apply to other reverse proxies.
The above diagram outlines the server layout for running Dash Enterprise behind a reverse proxy. The reverse proxy receives requests from the client intended for the host, then passes authenticated requests to the authentication server (dashauth) listening on the internal IP used by Docker.
A typical request works as follows:
1 - The user's machine performs a DNS lookup for plotly.your.domain
and gets the IP address of the server
plotly.your-company.com
is the Base Domain Name configured in the server settings
2 - The user's machine connects to this IP via client and reaches the reverse proxy
3 - The reverse proxy then sends an authenticated request to plotly.your.domain
4 - The request is forwarded to the Dash Enterprise instance
Step 4 typically requires adding an entry to the /etc/hosts file on the host server to allow the reverse proxy’s request for plotly.your.company to be directed to the internal IP used by Docker. This is further discussed in Proxy Configuration.
Once Dash Enterprise has been installed, enable Local Proxy Mode as follows:
1 - Browse to the Dash Enterprise Server Manager Settings page
2 - Check Enable Dash Customizations
3 - Check Enable Local Proxy Mode
4 - Click Save at the bottom of the screen, then click Restart Now to apply your changes
As a result of this change, Dash Enterprise will use Docker’s internal IP address, freeing up the host server’s IP address for use by the reverse proxy. The application will not respond to web requests until the reverse proxy is running.
After Dash Enterprise has been set to use Local Proxy Mode, install the proxy as follows:
1 - SSH into your server
2 - Install Apache (guide)
3 - Install the following Apache modules:
And, if using LDAP authentication, also install:
Modify the configuration files associated with the web server to establish the authentication layer and reverse proxy, as follows.
Replace the contents of the virtual host file (etc/apache2/sites-enabled/000-default.conf by default) with the following:
These instructions only cover local/LDAP HTTP basic authentication since the Plotly API clients (Python, R, or MATLAB) currently only support reverse proxies that require HTTP basic authentication. Other authentication implementations are also possible depending on your reverse proxy’s capabilities.
1 - Edit 000-default.conf
to add the following Location
directives in the <VirtualHost *:443>
section:
This allows access to two required Dash Enterprise endpoints: /clientresp
and/_internal/ping
000-default.conf
should look similar to the below example from the Plotly test site:
2 - Use the htpasswd
utility to create credentials for each new user you want to have access, which will be stored in /etc/users
:
3 - Confirm the IP address of your host server (the host_addr
parameter):
4 - Modify the Listen
directives in /etc/apache2/ports.conf
to allow the server to accept incoming requests only on the host_addr
address. The configuration file should look similar to:
5 - Next, find the internal IP address used by Docker (docker0_addr):
6 - Edit /etc/hosts
to include an entry for the docker_addr that maps to the Base Domain associated with your Dash Enterprise instance:
Replace 10.1.2.3
with the docker0_addr
you discovered in Step 4
Apache will now connect to the authentication server (using the Docker address) when it connects to plotly.your-company.com
Connections coming from outside the server will go to Apache as usual
7 - Restart the Apache service for the changes to take effect
1 - Bowse to the Base Domain URL you set (https://plotly.your-company.com)
You should see an authentication prompt similar to:
2 - Enter one of the sets of credentials that you configured using htpasswd to access the Dash app manager
3 - Proceed to create a new account using the Sign Up button in the top right
If using LDAP, skip this and use your existing LDAP credentials to log in