Deploying VOR Stream Behind a Reverse Proxy

VOR Stream can be configured to operate behind a reverse proxy, so that only the ports users need in order to reach the system are exposed; the backend services themselves are contacted only by the proxy.

Info

An AWS Application Load Balancer (ALB) can act as the reverse proxy. The prerequisites below refer to a reverse proxy; they apply unchanged when an ALB fills that role.

Prerequisites

The following steps should be completed before executing a deployment:

  • The reverse proxy is deployed.
  • The server that hosts VOR Stream can reach the reverse proxy.
  • The reverse proxy can reach the services it proxies (the default ports are listed below).

    Service    Port
    Consul     8500
    Django     8001
    Mid-Tier   1962
    RabbitMQ   15672
    Vault      8200
    Web        8081

  • TLS certificates are configured for the reverse proxy.
  • The reverse proxy trusts the TLS certificates presented by the backend services (needed when the backends themselves are served over TLS, as in the sample configuration below).
  • The backend services trust the root CA that issued the reverse proxy's certificate. That CA can be added to the CA bundle used for the deployment; see the TLS options in the inventory file for details.

Sample Ansible Inventory File Configuration

To configure VOR Stream to operate behind a reverse proxy, the following variables should be updated in the inventory file:

Warning

The following assumptions are made in this example:

  • All proxied components of the deployment are secured with TLS.
  • Standard ports are used for the deployment (if non-standard ports are used, update the corresponding port variables as well).
  • The deployment targets a single host.

[all:vars]
# DNS name of the reverse proxy / load balancer that users and services connect to
web_server_name="<REPLACE_WITH_LOAD_BALANCER_DNS_NAME>"
# OIDC issuer: the load balancer address on the Vault port, reachable from this host
vault_issuer="https://<REPLACE_WITH_LOAD_BALANCER_DNS_NAME>:8200"

[web:vars]
# Scheme-relative Django endpoints; the ports are taken from the django host's own variables
django_endpoint=//<REPLACE_WITH_LOAD_BALANCER_DNS_NAME>:{{ hostvars[groups['django'][0]]['django_port'] }}
django_ssl_endpoint=//<REPLACE_WITH_LOAD_BALANCER_DNS_NAME>:{{ hostvars[groups['django'][0]]['django_ssl_port'] }}

vault_issuer Configuration

vault_issuer must be set to the load balancer address because VOR Stream services verify OIDC tokens against this issuer: it is the URL written into the tokens' iss claim and the address from which the verifying services fetch Vault's signing material. The value must therefore use https, name the same host as web_server_name, and be resolvable and reachable on the Vault port from the VOR Stream host itself, not only from user networks. Confirm that the deployment host can resolve the load balancer DNS name and open a TLS connection to it on port 8200 before running the deployment.
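A pre-flight check for the variables above, as an added example (not part of VOR Stream or its playbooks): it parses the inventory and confirms that web_server_name, vault_issuer and the two Django endpoints all name the same load balancer, that the issuer is an https URL on the Vault port (8200 unless a vault_port variable overrides it, an assumption made here), and that no <REPLACE_WITH_...> placeholder is left unfilled. The two inventories embedded in the block are constructed for the example and the host name vor-lb.example.internal is invented.

```python
"""Pre-flight check for the reverse-proxy variables in a VOR Stream inventory.

Added example; not part of VOR Stream or its playbooks. The inventory text
below is constructed for the example and the host name is invented.
"""
import configparser
import re
from urllib.parse import urlsplit

PLACEHOLDER = re.compile(r"<REPLACE_WITH_[A-Z_]+>")
DEFAULT_VAULT_PORT = 8200  # default Vault port from the prerequisites table

# Constructed sample inventories (not from the page): one consistent, one not.
GOOD_INVENTORY = """
[all:vars]
web_server_name="vor-lb.example.internal"
vault_issuer="https://vor-lb.example.internal:8200"

[web:vars]
django_endpoint=//vor-lb.example.internal:{{ hostvars[groups['django'][0]]['django_port'] }}
django_ssl_endpoint=//vor-lb.example.internal:{{ hostvars[groups['django'][0]]['django_ssl_port'] }}

[web]
vor-host-1
"""

BAD_INVENTORY = """
[all:vars]
web_server_name="<REPLACE_WITH_LOAD_BALANCER_DNS_NAME>"
vault_issuer="http://<REPLACE_WITH_LOAD_BALANCER_DNS_NAME>:8200"

[web:vars]
django_endpoint=//<REPLACE_WITH_LOAD_BALANCER_DNS_NAME>:{{ hostvars[groups['django'][0]]['django_port'] }}
django_ssl_endpoint=//127.0.0.1:{{ hostvars[groups['django'][0]]['django_ssl_port'] }}
"""


def parse_inventory(text):
    """Parse INI-style inventory text into {section: {name: value}}.

    Ansible values may contain ':' and Jinja '{{ }}' expressions, so only
    '=' delimits a variable and interpolation is disabled; plain host lines
    in a group (no '=') are accepted via allow_no_value.
    """
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   allow_no_value=True)
    cp.optionxform = str  # keep variable names exactly as written
    cp.read_string(text)
    return {s: {k: (v or "").strip().strip("\"'") for k, v in cp[s].items()}
            for s in cp.sections()}


def _host_of_endpoint(endpoint):
    """Host part of a scheme-relative '//host:port' endpoint (port may be Jinja)."""
    return endpoint[2:].split(":", 1)[0].split("/", 1)[0]


def check_reverse_proxy_vars(inv):
    """Return a list of findings; an empty list means the variables agree."""
    findings = []
    all_vars = inv.get("all:vars", {})
    web_vars = inv.get("web:vars", {})
    lb = all_vars.get("web_server_name", "")
    if not lb or PLACEHOLDER.search(lb):
        findings.append("web_server_name is unset or still a placeholder")
    vault_port = int(all_vars.get("vault_port", DEFAULT_VAULT_PORT))  # assumed override name
    try:
        u = urlsplit(all_vars.get("vault_issuer", ""))
        port = u.port if u.port is not None else (443 if u.scheme == "https" else None)
    except ValueError as err:
        findings.append(f"vault_issuer is not a valid URL: {err}")
    else:
        if u.scheme != "https":
            findings.append("vault_issuer must be an https URL (the issuer is fetched over TLS)")
        if (u.hostname or "").lower() != lb.lower():
            findings.append(f"vault_issuer host {u.hostname!r} is not web_server_name {lb!r}")
        if port != vault_port:
            findings.append(f"vault_issuer port {port} is not the Vault port {vault_port}")
        if u.path.strip("/"):
            findings.append("vault_issuer should be scheme://host:port with no path")
    for key in ("django_endpoint", "django_ssl_endpoint"):
        ep = web_vars.get(key, "")
        if not ep.startswith("//"):
            findings.append(f"{key} must be scheme-relative (start with //)")
        elif _host_of_endpoint(ep).lower() != lb.lower():
            findings.append(f"{key} points at {_host_of_endpoint(ep)!r}, not the load balancer")
    return findings


if __name__ == "__main__":
    for label, text in (("good", GOOD_INVENTORY), ("bad", BAD_INVENTORY)):
        print(label, check_reverse_proxy_vars(parse_inventory(text)) or "OK")
```

Run it against the real inventory by reading the file into parse_inventory; a non-empty list is a reason to stop before the playbook runs, since a wrong issuer only shows up later as failed token verification.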

Example: AWS Application Load Balancer (ALB) Configuration

The following are tips for configuring an Application Load Balancer (ALB) to front VOR Stream in AWS.

  • Ensure that the cipher suites offered by the ALB listener are compatible with those Vault accepts. The ALB's security policy controls the protocol versions and cipher suites the listener negotiates; note that the policy governs only the client-facing connection, and the ALB negotiates its own TLS parameters with backend targets, so Vault's listener settings (tls_min_version, tls_cipher_suites) must also accept what the ALB offers.

    Based on Vault's default cipher suites, the ELBSecurityPolicy-TLS13-1-2-Res-2021-06 security policy is recommended for the ALB listener.

  • Configure the load balancer to listen on the same ports as the VOR Stream deployment and to forward each listener to the target group for the corresponding backend port.

  • A health check is mandatory for every ALB target group, and a correctly configured one does not affect normal operation. The following paths can be used for each service's health check; since the backends are served over TLS, set the health check protocol to HTTPS.

    Service    Port   Path
    Consul     8500   /v1/status/leader
    Django     8001   /health_check/
    Vault      8200   /v1/sys/health
    RabbitMQ   15672  /
    Web        8081   /
    Mid-Tier   1962   /rest/version

    Vault's /v1/sys/health returns 200 only when the node is initialized, unsealed and active (a sealed node returns 503 and a standby 429), so the Vault target is reported unhealthy until Vault has been unsealed after a restart, and OIDC verification fails for that period.

  • The load balancer must be resolvable and reachable from the VOR Stream host itself, because VOR Stream contacts the Vault issuer (which points at the load balancer) to verify OIDC tokens.
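A post-deployment probe that walks the health-check table above from the VOR Stream host, as an added example (not VOR Stream code and not an AWS tool): it requests each path through the load balancer over HTTPS and, for Vault, maps the documented /v1/sys/health status codes to the node state so that a sealed node is reported as "sealed" rather than as a generic failure, and a Consul response with no leader is flagged even though it is a 200. The fetch function is injectable; the responses at the bottom of the block are constructed (a sealed Vault, a Mid-Tier listener that was not forwarded) so the logic runs offline, and the host name vor-lb.example.internal is invented.

```python
"""Exercise the load balancer health-check paths from the VOR Stream host.

Added example; not VOR Stream code. It walks the health-check table above
and, for Vault, maps the documented /v1/sys/health status codes to the
node state so a sealed or standby node is reported as such instead of as
a generic failure. `fetch` is injectable, so the logic runs offline
against the constructed responses at the bottom.
"""
import ssl
import urllib.error
import urllib.request

# Service -> (default port, health-check path), from the table above.
HEALTH_CHECKS = {
    "Consul": (8500, "/v1/status/leader"),
    "Django": (8001, "/health_check/"),
    "Vault": (8200, "/v1/sys/health"),
    "RabbitMQ": (15672, "/"),
    "Web": (8081, "/"),
    "Mid-Tier": (1962, "/rest/version"),
}

# Documented status codes of Vault's /v1/sys/health endpoint.
VAULT_HEALTH = {
    200: "initialized, unsealed, active",
    429: "unsealed, standby",
    472: "disaster-recovery secondary, active",
    473: "performance standby",
    501: "not initialized",
    503: "sealed",
}


def http_fetch(url, cafile=None, timeout=5):
    """GET url over TLS; return (status, body). Non-2xx is returned, not raised.

    cafile is the CA bundle that issued the load balancer certificate
    (the one the prerequisites say the backends must trust).
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def check_service(name, lb_host, fetch=http_fetch):
    """Probe one service through the load balancer and classify the result."""
    port, path = HEALTH_CHECKS[name]
    url = f"https://{lb_host}:{port}{path}"
    try:
        status, body = fetch(url)
    except OSError as err:  # DNS failure, refused connection, TLS error, timeout
        return {"service": name, "url": url, "ok": False, "detail": f"unreachable: {err}"}
    if name == "Vault":
        # Only 200 passes a default ALB matcher; a 429 standby still forwards
        # requests to the active node, a 503 sealed node serves nothing.
        return {"service": name, "url": url, "ok": status in (200, 429),
                "detail": VAULT_HEALTH.get(status, f"unexpected status {status}")}
    if name == "Consul" and status == 200 and body.strip() in (b'""', b""):
        return {"service": name, "url": url, "ok": False, "detail": "no leader elected"}
    return {"service": name, "url": url, "ok": status == 200, "detail": f"status {status}"}


def check_all(lb_host, fetch=http_fetch):
    """Probe every service in table order."""
    return [check_service(name, lb_host, fetch) for name in HEALTH_CHECKS]


def unhealthy(results):
    """Names of services whose probe did not pass, in table order."""
    return [r["service"] for r in results if not r["ok"]]


# Constructed offline responses (not captured from a real deployment):
# Vault is sealed after a restart and the Mid-Tier listener is not forwarded.
def sample_fetch(url):
    if url.endswith(":8200/v1/sys/health"):
        return 503, b'{"initialized": true, "sealed": true}'
    if url.endswith(":8500/v1/status/leader"):
        return 200, b'"10.0.0.5:8300"'
    if ":1962/" in url:
        raise OSError("connection refused")
    return 200, b"ok"


if __name__ == "__main__":
    for r in check_all("vor-lb.example.internal", sample_fetch):
        print(f"{'PASS' if r['ok'] else 'FAIL'} {r['service']:<9} {r['url']} ({r['detail']})")
```

To probe a real deployment, call check_all with the load balancer DNS name and http_fetch (passing cafile=... if the load balancer certificate is not issued by a CA in the system trust store); because it runs on the VOR Stream host, a failure here also means the host cannot reach the Vault issuer.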