Install SSL Certificate
You may optionally configure an SSL certificate to secure connections to the web application of the Designer Cloud Powered by Trifacta platform.
Note
For security reasons, a self-signed certificate is considered an insecure origin by most browsers, which do not cache results from these origins. As a result, each user visit to the Trifacta Application requires re-downloading of static assets from the application. For better performance, you should consider deploying a signed certificate. Low-cost solutions such as Let's Encrypt can be deployed to manage your certificates on the Trifacta node.
Prerequisites
A valid SSL certificate for the FQDN where the Trifacta Application is hosted
Tip
Your certificate should be created using 2048-bit or larger keys. In some environments, such as RHEL 8.x, 1024-bit keys are no longer accepted by the default cryptographic policies.
Root access to the Alteryx server
Designer Cloud Powered by Trifacta platform is up and running
Configure nginx
There are two separate nginx services on the server: one for internal application use, and one that functions as a proxy between users and the Trifacta Application. To install the SSL certificate, all configuration changes are applied to the proxy process only.
Note
Do not apply these configuration changes to the nginx files in /opt/trifacta/conf. Those files apply to the internal nginx server, which is not covered by SSL.
Steps:
Log into the Alteryx server as the centos user. Switch to the root user:
sudo su
Enable the proxy nginx service so that it starts on boot:
systemctl enable nginx
Create a folder for the private key and limit access to it:
sudo mkdir /etc/ssl/private/ && sudo chmod 700 /etc/ssl/private
Copy the following files to the server. If you copy and paste the content, please ensure that you do not miss characters or insert unwanted characters.
The .key file should go into the /etc/ssl/private/ directory. The .crt file and the CA bundle/intermediate certificate bundle should go into the /etc/ssl/certs/ directory.
Note
The delivery name and format of these files varies by provider. Please verify with your provider's documentation if this is unclear.
Your certificate and the intermediate/authority certificate must be combined into one file for nginx. Here is an example of how to combine them together:
cat example_com.crt bundle.crt >> ssl-bundle.crt
Update the permissions on these files. Modify the following filenames as necessary:
sudo chmod 600 /etc/ssl/certs/ssl-bundle.crt
sudo chmod 600 /etc/ssl/private/your-private-cert.key
Use the following commands to deploy the example SSL configuration file provided on the server:
Note
Below, some values are too long for a single line. Single lines that overflow to additional lines are marked with a \. The backslash should not be included if the line is used as input.
cp /opt/trifacta/conf/ssl-nginx.conf.sample /etc/nginx/conf.d/trifacta.conf && rm /etc/nginx/conf.d/default.conf
Edit the following file:
/etc/nginx/conf.d/trifacta.conf
At a minimum, modify the following directives:
Directive | Description |
---|---|
server_name | FQDN of the host, which must match the SSL certificate's Common Name |
ssl_certificate | Path to the certificate bundle file that you created on the server. This value may not require modification. |
ssl_certificate_key | Path to the .key file on the server. |
Example file:
server {
    # 'listen 443 ssl;' replaces the 'ssl on;' directive of older samples, which nginx 1.25.1 and later reject.
    listen 443 ssl;
    server_name EXAMPLE.CUSTOMER.COM;

    # Don't limit the size of client uploads.
    client_max_body_size 0;

    access_log /var/log/nginx/ssl-access.log;
    error_log /var/log/nginx/ssl-error.log;

    # The combined bundle lives in /etc/ssl/certs; the private key was copied to the 0700 /etc/ssl/private directory above.
    ssl_certificate /etc/ssl/certs/ssl-bundle.crt;
    ssl_certificate_key /etc/ssl/private/EXAMPLE-NAME.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    # RC4 is left out of the cipher list: it is prohibited for TLS (RFC 7465) and disabled in default OpenSSL builds since 1.1.0.
    ssl_ciphers HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
    keepalive_timeout 60;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    location / {
        proxy_pass http://localhost:3005;
        proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;
        proxy_set_header Accept-Encoding "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Front-End-Https on;
        # WebSocket upgrade pass-through to the application
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_redirect off;
    }

    proxy_connect_timeout 6000;
    proxy_send_timeout 6000;
    proxy_read_timeout 6000;
    send_timeout 6000;
}

# Redirect plain HTTP to HTTPS.
server {
    listen 80;
    return 301 https://$host$request_uri;
}
Save the file.
To apply the new configuration, start or restart the nginx service:
service nginx restart
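As an added check, not part of the Trifacta documentation or product, this Python script flattens a trifacta.conf into directives and flags the points the steps above depend on: the removed ssl on directive, obsolete protocol versions, weak cipher families, a private key stored outside /etc/ssl/private/, and a missing HTTP-to-HTTPS redirect. The sample config is a constructed, unhardened copy of the example file (ssl on, RC4 in the cipher list, key under /etc/ssl/certs); the directive names are nginx's, the checks are this example's own.

```python
import re

# Constructed sample: an unhardened copy of the example trifacta.conf (not the shipped file).
SAMPLE_CONF = """
server {
    listen 443;
    ssl on;
    server_name EXAMPLE.CUSTOMER.COM;
    ssl_certificate /etc/ssl/certs/ssl-bundle.crt;
    ssl_certificate_key /etc/ssl/certs/EXAMPLE-NAME.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers RC4:HIGH:!aNULL:!MD5;
    location / { proxy_pass http://localhost:3005; }
}
server { listen 80; return 301 https://$host$request_uri; }
"""

WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
WEAK_CIPHER_FAMILIES = {"RC4", "DES", "3DES", "MD5", "NULL", "EXPORT", "LOW"}

def parse_directives(conf):
    """Flatten nginx config into (name, args) pairs; block nesting is ignored on purpose."""
    text = re.sub(r"#.*", "", conf)  # drop comments before splitting on ; { }
    return [(s.split()[0], s.split()[1:]) for s in re.split(r"[;{}]", text) if s.split()]

def audit_tls_conf(conf):
    """Return human-readable findings for the proxy nginx configuration (empty list = clean)."""
    directives = parse_directives(conf)
    args_of = lambda name: [a for n, a in directives if n == name]
    findings = []
    if ["on"] in args_of("ssl") and ["443"] in args_of("listen"):
        findings.append("'ssl on' was removed in nginx 1.25.1; use 'listen 443 ssl;' instead")
    for args in args_of("ssl_protocols"):
        old = sorted(WEAK_PROTOCOLS & set(args))
        if old:
            findings.append("obsolete protocols enabled: " + " ".join(old))
    for args in args_of("ssl_ciphers"):
        # OpenSSL cipher strings are colon-separated; '!X' entries are exclusions and never match here
        weak = sorted(WEAK_CIPHER_FAMILIES & set(":".join(args).split(":")))
        if weak:
            findings.append("weak cipher families listed: " + " ".join(weak))
    for args in args_of("ssl_certificate_key"):
        if args and not args[0].startswith("/etc/ssl/private/"):
            findings.append(f"private key {args[0]} is outside the 0700 /etc/ssl/private/ directory")
    if not any("https://$host$request_uri" in " ".join(a) for a in args_of("return")):
        findings.append("no HTTP-to-HTTPS redirect server block")
    return findings
```

Run it against /etc/nginx/conf.d/trifacta.conf before `service nginx restart`; an empty list means the file matches the hardened example.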
Modify listening port for Designer Cloud Powered by Trifacta platform
If you have changed the listening port as part of the above configuration change, then the proxy.port setting in Designer Cloud Powered by Trifacta platform configuration must be updated. See Change Listening Port.
Add secure HTTP headers
If you have enabled SSL on the platform, you can optionally insert the following additional headers to all requests to the Trifacta node:
Header | Protocol | Required Parameters |
---|---|---|
X-XSS-Protection | HTTP and HTTPS | |
X-Frame-Options | HTTP and HTTPS | |
Strict-Transport-Security | HTTPS | |
Note
SSL must be enabled to apply these security headers.
Steps:
To add these headers to all requests, please apply the following change:
You can apply this change through the Admin Settings Page (recommended) or trifacta-conf.json. For more information, see Platform Configuration Methods.
Locate the following setting and change its value to true:
"proxy.securityHeaders.httpsHeaders": false,
Save your changes and restart the platform.
Enable secure cookies
If you have enabled SSL on the platform, you can optionally enable the use of secure cookies.
Note
SSL must be enabled.
Steps:
You can apply this change through the Admin Settings Page (recommended) or trifacta-conf.json. For more information, see Platform Configuration Methods.
Locate the following setting and change its value to true:
"webapp.session.cookieSecureFlag": false,
Save your changes and restart the platform.
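To confirm that both the header change and the secure-cookie change took effect after the restart, the following added Python check (not the platform's own code) audits the headers of an HTTPS response the way a practitioner would after fetching the login page: it reports each header from the table above that is absent and each cookie set without the Secure attribute, naming the setting on this page that fixes it. The header lists are constructed; the page does not state the exact header values the platform emits.

```python
import re

# Constructed response headers, in the shape http.client.HTTPResponse.getheaders() returns.
# Values are illustrative; the page does not state the exact values the platform sends.
BEFORE_CHANGE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly"),
]
AFTER_CHANGE = [
    ("Content-Type", "text/html; charset=utf-8"),
    ("X-XSS-Protection", "1; mode=block"),
    ("X-Frame-Options", "SAMEORIGIN"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; HttpOnly; Secure"),
]

# Settings from this page that control each behaviour.
HEADER_SETTING = "proxy.securityHeaders.httpsHeaders"
COOKIE_SETTING = "webapp.session.cookieSecureFlag"

def audit_https_response(headers):
    """Return {item: advice} for every missing header or non-Secure cookie in an HTTPS response."""
    present = {}
    cookies = []
    for name, value in headers:
        if name.lower() == "set-cookie":
            cookies.append(value)  # Set-Cookie may repeat, so keep every value
        else:
            present.setdefault(name.lower(), value)
    findings = {}
    for required in ("x-xss-protection", "x-frame-options"):
        if required not in present:
            findings[required] = f"header missing; set {HEADER_SETTING} to true"
    # HSTS only counts when it carries a positive max-age
    hsts = re.search(r"max-age=(\d+)", present.get("strict-transport-security", ""))
    if hsts is None or int(hsts.group(1)) == 0:
        findings["strict-transport-security"] = f"header missing or max-age=0; set {HEADER_SETTING} to true"
    for cookie in cookies:
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if "secure" not in attrs:
            findings["set-cookie:" + name] = f"cookie lacks the Secure attribute; set {COOKIE_SETTING} to true"
    return findings
```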
Disable default port
If you wish to disable access through the default port (3005), you must do so external to the platform, through the node itself.
Note
The Designer Cloud Powered by Trifacta platform requires access to the default port internally. You cannot disable external access to this port through the platform. You must disable through the operating system.
For more information, please see the documentation provided with your operating system distribution.
Update certificates
To replace a certificate with an updated one, please do the following.
Steps:
Copy the new certificate to the Trifacta node.
Edit the nginx configuration file:
/etc/nginx/conf.d/trifacta.conf
In the configuration file, replace the values for the following settings to point to the new certificate:
ssl_certificate
ssl_certificate_key
For more information, see "Configure nginx" above.
Save the file, and restart the platform.
Troubleshooting
Problem - SELinux blocks proxy service from communicating with internal app service
If the Designer Cloud Powered by Trifacta platform is installed on SELinux, the operating system blocks communications between the service that manages the proxy between users and the application and the service that manages internal application communications.
To determine if this problem is present, execute the following command:
sudo cat /var/log/audit/audit.log | grep nginx | grep denied
The problem is present if an error similar to the following is returned:
type=AVC msg=audit(1555533990.045:1826142): avc: denied { name_connect } for pid=25516 comm="nginx" dest=3005 scontext=system_u:system_r:httpd_t:s0
For more information on this issue, see https://www.nginx.com/blog/using-nginx-plus-with-selinux.
Solution:
The solution is to enable the following network connection through the operating system:
sudo setsebool -P httpd_can_network_connect 1
Restart the platform.
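As an added detection helper, not part of the product or the nginx documentation, this Python snippet parses AVC records from audit.log and returns only the denials matching the symptom above (nginx running as httpd_t refused name_connect to port 3005), so the check can be scripted rather than read off grep output. The log excerpt is constructed; its first record follows the denial quoted above, with the fields a full AVC record carries after scontext filled in.

```python
import re

# Constructed /var/log/audit/audit.log excerpt: the first record follows the denial quoted on the
# page; the SYSCALL record and the sshd denial are unrelated noise that the check must ignore.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1555533990.045:1826142): avc: denied { name_connect } for pid=25516 comm="nginx" dest=3005 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:unreserved_port_t:s0 tclass=tcp_socket permissive=0
type=SYSCALL msg=audit(1555533990.045:1826142): arch=c000003e syscall=42 success=no exit=-13 comm="nginx"
type=AVC msg=audit(1555534001.100:1826150): avc: denied { read } for pid=1200 comm="sshd" name="authorized_keys" scontext=system_u:system_r:sshd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
"""

# Tolerates the double spaces auditd writes ("avc:  denied  { ... } for  pid=") as well as single ones.
AVC_RE = re.compile(
    r"type=AVC msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s+avc:\s+denied\s+"
    r"\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$"
)

def parse_avc_denials(log_text):
    """Yield one dict per AVC denial record: ts, serial, perms list, plus every key=value field."""
    for line in log_text.splitlines():
        m = AVC_RE.match(line.strip())
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', m.group("fields"))}
        yield {"ts": float(m.group("ts")), "serial": int(m.group("serial")),
               "perms": m.group("perms").split(), **fields}

def proxy_blocked_by_selinux(log_text, app_port="3005"):
    """Return the denials matching the page's symptom: the proxy nginx (httpd_t) was refused
    name_connect to the internal application port. An empty list means SELinux is not the cause."""
    return [d for d in parse_avc_denials(log_text)
            if d.get("comm") == "nginx" and "name_connect" in d["perms"]
            and d.get("dest") == app_port and "httpd_t" in d.get("scontext", "")]
```

A non-empty result is the case the httpd_can_network_connect boolean above addresses; any other denials in the output point elsewhere.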