
Configuring HTTPS

Configure a reverse proxy to allow clients to access Tamr securely over HTTPS.

Configure an NGINX reverse proxy server to allow clients to access Tamr securely over HTTPS. The NGINX configuration establishes a proxy between the default Tamr port 9100 on HTTP and port 443 on HTTPS, which allows:

  • The client and NGINX proxy to communicate over HTTPS.
  • NGINX proxy and Tamr server to communicate over HTTP.

Note: If you plan to forward HTTP traffic to HTTPS, also open port 80.

To access Tamr securely over HTTPS, use a reverse proxy.

Tamr requires only one port to be reachable from the client. By default this port is 9100.

For a list of additional ports that Tamr and its dependencies use, see Included Services and Ports. These ports are used for internal communications and do not need to be served to the client.

Checklist before proceeding:

NGINX Default Limits

NGINX has default limits for uploading files and header size.

  • The default file size limit for uploading files through NGINX is 1MB. If the default is left unchanged, you can only upload files to Tamr via HTTPS that are up to 1MB in size. This limit does not apply to clients uploading files via HTTP, such as clients acting locally on the Tamr server.
    In the examples that follow, client_max_body_size is set to 0 to allow for uploading large datasets. If you need to place a limit on file sizes, remove that line from the configuration or set it to a value such as 10M.
  • If using SPNEGO and Kerberos authentication, the default limits on the header buffer number and size, 4 8k, are too small to allow the keytab value to pass, and NGINX returns a 414 (Request-URI Too Large) error.
    Configure the property large_client_header_buffers to set the maximum number and size of buffers used for reading large client request headers, such as 4 16k.

Configuring an NGINX server proxy for HTTPS

Configuring an NGINX server proxy for HTTPS gives you secure access to Tamr over HTTPS. This topic describes the following approaches for configuring the server proxy for HTTPS:

  • Using a certificate and optional pass phrase.
  • Using a certificate signing request and privacy-enhanced mail.

Before you begin, make sure you have the following:

  • a signed certificate, .crt or .pem.
  • the signed certificate's private key file, .key.
  • (optional) pass phrase.

Configure an NGINX Server Proxy for HTTPS Using a Certificate and (Optional) Pass Phrase

  1. Copy the certificate (.crt or .pem) and private key (.key) files into a directory, such as /etc/nginx/keys.
     sudo mkdir -p /etc/nginx/keys
     sudo cp /path/to/<signed-certificate>.crt /etc/nginx/keys/
     sudo cp /path/to/<signed-certificate-private-key>.key /etc/nginx/keys/
  2. (Optional) Create a pass phrase file to store the private key's pass phrase.
     cd /etc/nginx/keys
     sudo vi global.pass
  3. In the NGINX configuration directory /etc/nginx/conf.d, create the configuration file tamr.conf.
     cd /etc/nginx/conf.d
     sudo vi tamr.conf
  4. In the tamr.conf file, add the following configuration. If you are not using a pass phrase, omit ssl_password_file /etc/nginx/keys/global.pass;.
server {
 
    # Full path to the file containing the PEM pass phrase.
    ssl_password_file /etc/nginx/keys/global.pass;
 
    # SSL configuration
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
 
    root /var/www/html;
 
    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;
 
    server_name _;
 
    ssl_certificate /etc/nginx/keys/<signed-certificate>.crt;
    ssl_certificate_key /etc/nginx/keys/<signed-certificate-private-key>.key;
 
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols  TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    
    # do not limit file upload size
    client_max_body_size 0;
 
    location / {
 
      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;
 
      proxy_pass          http://localhost:9100;
      proxy_read_timeout  3600;
      proxy_redirect      http://localhost:9100 https://localhost:443;
    }
}
  5. Restart the NGINX service.
     sudo systemctl restart nginx.service
  6. Confirm that Tamr is now available by browsing directly to https://<hostname>:443, such as https://tamr.<mydomain>.com.
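
A pre-restart audit for the configuration above, as an added example that is not part of the original page or Tamr's tooling: it reports the upload and header-buffer limits described under NGINX Default Limits and checks that the private key and pass phrase file named in tamr.conf are accessible only to their owner. The function names and the owner-only permission policy are assumptions of this example; NGINX reads both files as root when it loads its configuration.

```sh
#!/bin/sh
# Added example (not Tamr's tooling): audit tamr.conf for the limits and key files above.

# Print the arguments of the last uncommented occurrence of a directive.
directive_value() {  # $1 = conf file, $2 = directive name
    sed 's/#.*//' "$1" | awk -v name="$2" '
        $1 == name { $1 = ""; sub(/^ +/, ""); sub(/;.*$/, ""); v = $0 }
        END { if (v != "") print v }'
}

# Succeed only if the file grants nothing to group or others (e.g. mode 600 or 400).
owner_only() {  # $1 = path
    [ "$(ls -ldL "$1" | cut -c5-10)" = "------" ]
}

# Print findings for one conf file; return 1 if any FAIL was reported.
audit_tamr_conf() {  # $1 = conf file
    conf=$1
    failed=0
    body=$(directive_value "$conf" client_max_body_size)
    if [ -z "$body" ]; then
        echo "WARN client_max_body_size unset: HTTPS uploads are capped at the 1MB default"
    elif [ "$body" = "0" ]; then
        echo "INFO client_max_body_size 0: upload size is unlimited"
    fi
    if [ -z "$(directive_value "$conf" large_client_header_buffers)" ]; then
        echo "WARN large_client_header_buffers unset: default 4 8k is too small for SPNEGO/Kerberos"
    fi
    for name in ssl_certificate_key ssl_password_file; do
        path=$(directive_value "$conf" "$name")
        [ -n "$path" ] || continue
        if [ ! -f "$path" ]; then
            echo "FAIL $name $path: file not found"; failed=1
        elif ! owner_only "$path"; then
            echo "FAIL $name $path: accessible to group or others"; failed=1
        fi
    done
    return "$failed"
}

# Stand-alone use: audit the path given as $1, or the location used on this page.
target=${1:-/etc/nginx/conf.d/tamr.conf}
if [ -f "$target" ]; then
    audit_tamr_conf "$target" || echo "Resolve FAIL items before restarting NGINX."
fi
```

A FAIL on the key or pass phrase file is cleared with `sudo chmod 600` on that file; the WARN lines only matter if you rely on large uploads or SPNEGO.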

Configure an NGINX Server Proxy for HTTPS Using a Certificate Signing Request and Privacy-Enhanced Mail

  1. Generate a certificate signing request (.csr) and private key (.key), and enter the required domain details when prompted.
     openssl req -new -newkey rsa:2048 -nodes -keyout <domain-name>.key -out <domain-name>.csr
  2. Send the .csr file to the security team in charge of the server, who will be able to provide the privacy-enhanced mail file, .pem.
  3. Copy the certificate signing request, privacy-enhanced mail and private key files, .csr, .pem, and .key respectively, into a directory, such as /etc/nginx/keys.
     sudo mkdir -p /etc/nginx/keys
     sudo cp /path/to/<certificate-signing-request>.csr /etc/nginx/keys/
     sudo cp /path/to/<privacy-enhanced-mail>.pem /etc/nginx/keys/
     sudo cp /path/to/<certificate-private-key>.key /etc/nginx/keys/
  4. In the NGINX configuration directory /etc/nginx/conf.d, create the configuration file tamr.conf.
     cd /etc/nginx/conf.d
     sudo vi tamr.conf
  5. In the tamr.conf file, add the following configuration.
server {
 
    # SSL configuration
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
 
    root /var/www/html;
 
    # Add index.php to the list if you are using PHP
    index index.html index.htm index.nginx-debian.html;
 
    server_name _;
 
    ssl_certificate /etc/nginx/keys/<privacy-enhanced-mail>.pem;
    ssl_certificate_key /etc/nginx/keys/<certificate-private-key>.key;
 
    ssl_session_cache  builtin:1000  shared:SSL:10m;
    ssl_protocols TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;
    
    # do not limit file upload size
    client_max_body_size 0;
 
    location / {
 
      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;
      proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header        X-Forwarded-Proto $scheme;
 
      proxy_pass          http://localhost:9100;
      proxy_read_timeout  3600;
      proxy_redirect      http://localhost:9100 https://localhost:443;
    }
}
  6. Restart the NGINX service.
     sudo systemctl restart nginx.service
  7. Confirm that Tamr is now available by browsing directly to https://<hostname>:443, such as https://tamr.<mydomain>.com.
