User GuidesAPI ReferenceRelease Notes
Doc HomeHelp CenterLog In
User Guides

Configuring HTTPS

Configure a reverse proxy to allow clients to access Tamr Core securely over HTTPS.

Configure the NGINX reverse proxy server to allow clients to access Tamr Core securely over HTTPS. Tamr Core requires only one port to be reachable from the client. By default this port is 9100. NGINX configuration establishes a proxy between the default Tamr Core port 9100 on HTTP and port 443 on HTTPS. The proxy allows:

  • The client and NGINX proxy to communicate over HTTPS.
  • NGINX proxy and Tamr Core server to communicate over HTTP.

Note: If you plan to forward HTTP traffic to HTTPS, also open port 80.

When configuring NGINX, you further secure your deployment by configuring secure cookies and disabling caching.

764

To access Tamr Core securely over HTTPS, use a reverse proxy.

For a list of additional ports that Tamr Core and its dependencies use, see Included Services and Ports. These ports are used for internal communications and do not need to be served to the client.

Before You Begin:

NGINX Default Limits

NGINX has the following default limits for uploading files and header size:

  • The default file size limit for uploading files through NGINX is 1MB. If the default is left unchanged, you can only upload files to Tamr Core via HTTPS that are up to 1MB in size. This limit does not apply to clients uploading files via HTTP, such as clients acting locally on the Tamr Core server.
    In the examples that follow, client_max_body_size is set to 0 to allow for uploading large datasets. If you need to place a limit on file sizes, remove that line from the configuration or set it to a value such as 10M.
  • If using SPNEGO and Kerberos authentication, the default limits on the header buffer number and size, 4 8k , are too small to allow the keytab value to pass, and a 414 (Request-URI Too Large) exception will be thrown.
    Configure the property large_client_header_buffers to set the maximum number and size of buffers used for reading large client request headers, such as 4 16k.

Configuring an NGINX server proxy for HTTPS

Configuring an NGINX server proxy for HTTPS allows you to have a secure access to Tamr Core over HTTPS. This topic describes the following approaches for configuring the server proxy for HTTPS:

  • Using a certificate and optional passphrase.
  • Using a certificate signing request and privacy-enhanced mail.

Before You Begin:

Plan to work with your IT team to generate a certificate and key from a valid certification authority (CA). Self-signed certificates might not work in your environment, and your browser might not trust them.

  • Obtain a signed certificate .crt file.
  • Obtain the signed certificate's private key .key file.
  • (Optional) Obtain the passphrase.

Configuring an NGINX Server Proxy for HTTPS Using a Certificate and (Optional) Pass Phrase

Follow the steps in this procedure to configure HTTPS, configure secure cookies, and disable caching.

To configure NGINX for HTTPS using a certificate and passphrase:

  1. Copy the certificate .crt and private key .key files into a directory, such as /etc/nginx/keys:
sudo mkdir /etc/nginx/keys
cd /etc/nginx/keys
sudo cp <signed-certificate>.crt .
sudo cp <signed-certificate-private-key>.key .
  1. (Optional) Create a passphrase file to store the private key's passphrase:
cd /etc/nginx/keys
sudo vi global.pass
  1. In the NGINX configuration directory /etc/nginx/conf.d, create the configuration file tamr.conf:
cd /etc/nginx/conf.d
vi tamr.conf
  1. In the tamr.conf file, add the following configuration. If you are not using a passphrase, omit ssl_password_file /etc/nginx/keys/global.pass;.

Note: The following example includes a setting for proxy_cookie_flags. To use this feature, v1.19.3 or later of NGINX is required.

server {
 
    # Full path to the file containing the passphrase.
    ssl_password_file /etc/nginx/keys/global.pass;
 
    # SSL configuration
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
 
    root /var/www/html;
 
    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;
 
    server_name _;
 
    ssl_certificate /etc/nginx/keys/<signed-certificate>.crt;
    ssl_certificate_key /etc/nginx/keys/<signed-certificate-private-key>.key;
 
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    
    # do not limit file upload size
    client_max_body_size 0;
 
    location / {
 
      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;
 
      proxy_pass          http://localhost:9100;
      proxy_read_timeout  3600;
      proxy_redirect      http://localhost:9100 https://localhost:443;

    # Disable caching
    proxy_hide_header Cache-Control;
    add_header Cache-Control "no-store";
       
    # Mark cookies as secure
    proxy_cookie_flags ~ secure samesite=strict;

    }
}
  1. Restart the NGINX service:
sudo systemctl restart nginx.service
  1. Confirm that Tamr Core is now available by browsing directly to https://<hostname>:443, such as https://tamr.<mydomain>.com.

Configuring an NGINX Server Proxy for HTTPS Using a Certificate Signing Request and Privacy-Enhanced Mail

Follow the steps in this procedure to configure HTTPS, configure secure cookies, and disable caching.

To configure NGINX for HTTPS using a certificate signing request and privacy-enhanced mail:

  1. Generate a certificate signing request, .csr and private key, .key, and enter the required domain details when prompted:
openssl req -new -newkey rsa:2048 -nodes -keyout <domain-name>.key -out <domain-name>.csr
  1. Send the .csr file to the security team in charge of the server, who will be able to provide the privacy-enhanced mail file, .crt.
  2. Copy the certificate signing request, privacy-enhanced mail and private key files, .csr, .crt, and .key respectively, into a directory, such as /etc/nginx/keys:
sudo mkdir /etc/nginx/keys
cd /etc/nginx/keys
sudo cp <certificate-signing-request>.csr .
sudo cp <privacy-enhanced-mail>.crt .
sudo cp <certificate-private-key>.key .
  1. In the NGINX configuration directory /etc/nginx/conf.d, create the configuration file tamr.conf:
cd /etc/nginx/conf.d
vi tamr.conf
  1. In the tamr.conf file, add the following configuration:
server {
 
    # SSL configuration
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
 
    root /var/www/html;
 
    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;
 
    server_name _;
 
    ssl_certificate /etc/nginx/keys/<signed-certificate>.crt;
    ssl_certificate_key /etc/nginx/keys/<signed-certificate-private-key>.key;
 
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    
    # do not limit file upload size
    client_max_body_size 0;
 
    location / {
 
      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;
 
      proxy_pass          http://localhost:9100;
      proxy_read_timeout  3600;
      proxy_redirect      http://localhost:9100 https://localhost:443;

    # Disable caching
    proxy_hide_header Cache-Control;
    add_header Cache-Control "no-store";
       
    # Mark cookies as secure
    proxy_cookie_flags ~ secure samesite=strict;

    }
}
  1. Restart the NGINX service:
sudo systemctl restart nginx.service
  1. Confirm that Tamr Core is now available by browsing directly to https://<hostname>:443, such as https://tamr.<mydomain>.com.

Optional: Set NGINX X-Content-Type-Options to “nosniff”

MIME type sniffing is a standard functionality in browsers to identify an appropriate way to render data when the HTTP headers sent by the server are either inconclusive or missing.

You can configure NGINX to instruct the browser to trust that the site has sent the appropriate content-type, and block MIME-sniffing on the response body.

In the NGINX configuration file at /etc/nginx/nginx.conf file, add the following configuration:
add_header X-Content-Type-Options nosniff;.