Guide: running instant3Dhub with Proxy

Read First

This section contains configuration examples for instant3Dhub behind a proxy, as well as an example configuration for nginx. Use the nginx configuration at your own risk. This nginx configuration has no security. We support SSO mechanisms via cookie passthrough. Our backends authenticate to data backends via cookies or other custom HTTP headers.

instant3Dhub Configuration

Our deployments require a small set of variables that must be set even for minimal deployments. This is done by adjusting the entrypoints variable, either in our Helm charts or in the docker-compose variants, to the external address under which the installation should run.

As an example, if the installation should run under a different path on a proxy server, the entrypoints variable should be set to the full URL (https://example-proxy-server/extra/path/). This way, the internal components that deliver our web frontend already know which addresses to hand out so that clients can get back to the backend.

# entrypoints in values.yaml
entrypoints: [ "https://example-proxy-server/extra/path/" ]

For convenience, we provide an nginx configuration as a reference below. It assumes the installation is running on 146.140.211.12:30101 and proxies anything under /hubproxy/ to the instance.

user nginx;
worker_processes  3;
error_log  /var/log/nginx/error.log info;
events {
  worker_connections  10240;
}

http {
  access_log  /var/log/nginx/access.log;
  server {
  client_max_body_size 100M;
  listen  80;
  proxy_read_timeout 7d;
  proxy_http_version 1.1;
  # Anchor the match with ^ so that only URIs starting with /hubproxy/ are proxied.
  location ~ ^/hubproxy/(.*) {
    proxy_pass http://146.140.211.12:30101/$1$is_args$args;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";
  }
  client_body_temp_path      /var/cache/nginx/client_body_temp;
  proxy_temp_path            /var/cache/nginx/proxy_temp;
  fastcgi_temp_path          /var/cache/nginx/fastcgi_temp;
  uwsgi_temp_path            /var/cache/nginx/uwsgi_temp;
  scgi_temp_path             /var/cache/nginx/scgi_temp;
  }
}

Origin Policy

By default, instant3Dhub allows all origins, meaning that any application hosted on a different domain can connect to it unless additional settings limit this behaviour. This is intentional, since instant3Dhub is meant to be a central component that can be used by different applications.

To prevent access from all origins at the proxy level, configure a proxy or load balancer (depending on the use case and requirements) that rewrites the headers so that they carry the required values.

For example, to configure nginx to allow access only from the origin https://app.example.com, the following directive can be used:

add_header 'Access-Control-Allow-Origin' "${scheme}://app.example.com" always;
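
An allowlist variant of the directive above, written as an added example and not part of the vendor's reference configuration. It goes beyond the single directive by handling several origins and rejecting disallowed ones at the proxy; it assumes the upstream sends its own Access-Control-Allow-Origin header and reuses the upstream address and /hubproxy/ path from the reference configuration.

```nginx
# Added example; belongs inside http { }. Not vendor-supplied configuration.
# Assumption: the upstream emits its own Access-Control-Allow-Origin header.

# Allowlist of browser origins. Values are literals, so client input is never
# echoed back. ${scheme} is avoided: on a plain-HTTP listener it expands to http.
map $http_origin $cors_allow_origin {
  default                         "";
  "https://app.example.com"       "https://app.example.com";
  # The proxy's own external origin (from entrypoints): the bundled web
  # frontend sends it on POST requests and WebSocket handshakes.
  "https://example-proxy-server"  "https://example-proxy-server";
}

# 1 when an Origin header is present but not on the allowlist.
# Requests without an Origin header (non-browser clients) are not affected.
map "$http_origin|$cors_allow_origin" $origin_denied {
  default    0;
  "~^.+[|]$" 1;
}

server {
  listen 80;
  proxy_read_timeout 7d;

  location ~ ^/hubproxy/(.*) {
    # Browsers enforce CORS only on reading responses, and not at all on WebSocket
    # handshakes, so a disallowed origin is rejected before it reaches the backend.
    if ($origin_denied) { return 403; }

    proxy_pass http://146.140.211.12:30101/$1$is_args$args;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";

    # Remove the upstream's value so the response carries a single header.
    proxy_hide_header Access-Control-Allow-Origin;
    # An empty value (origin not allowlisted or absent) emits no header.
    add_header Access-Control-Allow-Origin $cors_allow_origin always;
    # Keep caches from serving one origin's response to another.
    add_header Vary Origin always;
  }
}
```

The Origin header is set by browsers and can be forged by any other client, so this limits which web applications can embed the service; it does not replace the cookie or header based authentication described above.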