Tableau Server behind SSL-Proxy (nginx)

    There are a couple of questions regarding reverse proxies on the forums. Here is my working solution for reference, and to adapt to your situation. Hope this helps. No guarantee that this works in your environment. Feedback welcome.

     

    Abstract

    Installation of Tableau Server 9.0 for external access. SSL-encryption provided by reverse proxy (nginx); Reverse Proxy and Tableau Server communicate using plain HTTP (as do clients from the internal network).

     

    Step-by-step Instructions

     

    Prerequisites

    • SSL certificate for Reverse Proxy. In this case a wildcard certificate for mydomain.tld.
    • Firewall rules controlling access to Tableau Server. In this case implemented using shorewall.
    • Windows 7 Professional as runtime environment for Tableau Server (designed as lab system for development of demo scenarios)
    • Proper DNS setup and working bi-directional http communication between reverse proxy and Tableau server

     

    We use a proxmox virtualization server (Debian based) to operate our dev lab. Our reverse proxy lives inside an OpenVZ container, the Tableau Server inside a KVM virtual machine (for real fast I/O you're probably better off using a physical server - for our dev lab it's o.k.).

     

    Steps

     

    1. Configure Win 7 Pro to allow incoming HTTP traffic from proxy server and outgoing SMTP for status mails
    2. Configure nginx to proxy SSL requests for server tableau.mydomain.tld to Tableau Server
    3. Configure Tableau Server using tabadmin for operation behind reverse proxy

     

    Ad 1.

    Both Win 7 Pro firewall and external firewall need to allow HTTP (bi-directional) and SMTP (outgoing).

     

    These shorewall rules were used (the HTTPS rule is, strictly speaking, not required; adapt this to your firewall). Zone "net" refers to external IPs, and "dmz" to subnet 192.168.123.0/24 in this setup.

     

    /etc/shorewall/rules:

    ################################################################################
    # Name: tableau.domain.tld
    # IP:   192.168.123.123
    ################################################################################
    HTTP/ACCEPT             net             dmz:192.168.123.123
    HTTPS/ACCEPT            net             dmz:192.168.123.123

    # Tableau server sends status mails via SMTP (TLS)
    ACCEPT          dmz:192.168.123.123     net     tcp     587

     

    Ad 2.

    In my case nginx needed specifically X-Forwarded-Proto. Without that external requests never got a proper response, but rather an empty page.

     

    CAVEAT: tableau.mydomain.tld resolves to the same address as mydomain.tld for external requests, but internally (i.e. both on the nginx, and on the Tableau machine) to 192.168.123.123. So all https requests to the external IP aaa.bbb.ccc.ddd on port 443 are forwarded to port 443 of the reverse proxy 192.168.123.10 which then dispatches them to the proper internal servers.

     

    This nginx config uses a virtual host to proxy all HTTPS requests for tableau.mydomain.tld to the internal IP 192.168.123.123. Having tableau.mydomain.tld resolve internally to this IP address was achieved using dnsmasq. While the "official" DNS records point tableau.mydomain.tld to the same external IP as mydomain.tld (say aaa.bbb.ccc.ddd), dnsmasq internally does a dead simple /etc/hosts lookup to find the correct internal IP address 192.168.123.123.

     

    /etc/nginx/conf.d/default.conf:

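    # Wildcard certificate bundle and private key for mydomain.tld
    ssl_certificate      /etc/ssl/private/mydomain.tld.ssl/mydomain.tld.bundle.crt;
    ssl_certificate_key  /etc/ssl/private/mydomain.tld.ssl/mydomain.tld.key;
    ssl_session_timeout  5m;
    # Offer only current TLS versions: SSLv2 and SSLv3 are broken, TLSv1 is deprecated
    # (TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1+)
    ssl_protocols  TLSv1.2 TLSv1.3;
    ssl_ciphers  HIGH:!aNULL:!MD5;
    ssl_prefer_server_ciphers   on;

    server {
        # TLS is enabled on the listening socket ("ssl on;" is deprecated)
        listen       443 ssl;
        server_name  tableau.mydomain.tld;

        location / {
            # Pass the original host name and client address to Tableau Server
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            # Tell Tableau Server that the client connection used HTTPS
            proxy_set_header X-Forwarded-Proto "https";
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Plain HTTP to the backend; the name resolves internally to 192.168.123.123
            proxy_pass http://tableau.mydomain.tld/;
            proxy_redirect off;
        }
    }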
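
An added example, not part of the original post: a small Python check for the two settings this proxy setup depends on, the protocol list in ssl_protocols and the X-Forwarded-Proto header on every proxied location. It goes slightly beyond the page by modelling nginx's rule that proxy_set_header is inherited only by levels that set no such header themselves. The function names and sample configs are constructed for illustration.

```python
import re

# Protocol names nginx accepts that should no longer be offered to clients.
OBSOLETE = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

def parse(tokens):
    """Turn a token iterator into nested (words, children) directives."""
    block, words = [], []
    for tok in tokens:
        if tok in (";", "{"):
            block.append((words, parse(tokens) if tok == "{" else None))
            words = []
        elif tok == "}":
            break
        else:
            words.append(tok.strip("\"'"))
    return block

def audit(block, inherited=(), ctx="main"):
    """Return findings for one block and, recursively, its children."""
    own = {w[1].lower() for w, kids in block
           if kids is None and len(w) > 1 and w[0] == "proxy_set_header"}
    # nginx inherits proxy_set_header only into levels that set none themselves
    headers = own or set(inherited)
    findings = []
    for words, kids in block:
        if kids is not None:
            findings += audit(kids, headers, " ".join(words))
        elif words and words[0] == "ssl_protocols":
            weak = sorted(OBSOLETE & set(words[1:]))
            if weak:
                findings.append(f"{ctx}: obsolete protocols {' '.join(weak)}")
        elif words and words[0] == "proxy_pass" and "x-forwarded-proto" not in headers:
            findings.append(f"{ctx}: proxy_pass without X-Forwarded-Proto")
    return findings

def check(conf):
    """Audit nginx config text (simplified tokenizer: no ${var}, no '#' in strings)."""
    conf = re.sub(r"#[^\n]*", "", conf)
    return audit(parse(iter(re.findall(r'"[^"]*"|\'[^\']*\'|[;{}]|[^\s;{}]+', conf))))

# Constructed samples: WEAK enables legacy protocols and omits the header.
WEAK = """ssl_protocols SSLv2 SSLv3 TLSv1;
server { listen 443; location / {
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://tableau.mydomain.tld/; } }"""
FIXED = WEAK.replace("SSLv2 SSLv3 TLSv1", "TLSv1.2 TLSv1.3").replace(
    "proxy_pass", 'proxy_set_header X-Forwarded-Proto "https";\n    proxy_pass')
```

Run `check(open("/etc/nginx/conf.d/default.conf").read())` on the proxy; an empty list means both settings pass.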

     

    Ad 3.

    Please refer to http://onlinehelp.tableau.com/current/server/en-us/proxy_config.htm (for German http://onlinehelp.tableau.com/current/server/de-de/proxy_config.htm).

    See also http://onlinehelp.tableau.com/current/server/en-us/tabadmin_cmd.htm#set for the tabadmin reference.

    The X-Forwarded-Proto gotcha is from http://kb.tableau.com/articles/issue/cannot-connect-via-ssl-proxy.