Proxying CUE Zipline
Since CUE Zipline exposes both public and private web-service end-points, it is strongly advised to install a reverse proxy in front of it, for use by the CUE editor.
The reverse proxy can also function as an SSL/TLS termination point, allowing communication between the CUE editor and CUE Zipline to be secure.
Internal requests, e.g. from CUE Print and trusted enrichment services, would still use the direct connection to the server address configured in zipline.yaml, which allows access to all web-service end-points.
The reverse proxy should pass through requests to /index.xml, escenic/text/*, and escenic/convert/default (or escenic/convert/* if custom conversions have been configured).
The reverse proxy also needs to set the X-Forwarded-For, X-Forwarded-Proto, and X-Real-IP headers on the request to CUE Print.
Alternatively, the reverse proxy can set the Forwarded header, which combines the information of the other headers.
As an example, if using nginx as the reverse proxy, add the following snippet in the server configuration:
    # Public end-points: forwarded to CUE Zipline
    location ~ ^/cue-print-zipline/(index.xml|escenic/text|escenic/convert/default) {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $http_host;
        proxy_pass http://localhost:12791;
        proxy_pass_header Set-Cookie;
        proxy_read_timeout 185s;
        proxy_set_header Connection '';
        proxy_http_version 1.1;
        chunked_transfer_encoding off;
    }

    # Every other path under /cue-print-zipline is refused
    location /cue-print-zipline {
        deny all;
    }
This example proxies requests for the public end-points to port 12791 on the local host (assuming CUE Zipline runs on the same server) and denies access to all other end-points.
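To check which paths such a location pattern actually lets through, the following added example (not part of the CUE documentation) replays constructed request paths against the regular expression from the snippet above and against a stricter variant. STRICT_PATTERN and every sample path are assumptions made for illustration; confirm that the editor never needs a path the stricter pattern refuses before adopting it.

```python
import re

# Location regex copied from the nginx snippet on this page ("~" = case-sensitive).
PAGE_PATTERN = r"^/cue-print-zipline/(index.xml|escenic/text|escenic/convert/default)"
# Hypothetical stricter variant (assumption, not from the CUE documentation): escaped
# dot, exact match for the two single resources, "/" required after escenic/text.
STRICT_PATTERN = r"^/cue-print-zipline/(index\.xml$|escenic/text/|escenic/convert/default$)"
PREFIX = "/cue-print-zipline"  # the prefix location that carries "deny all"


def decide(path, pattern=PAGE_PATTERN):
    """Mimic nginx's choice between the two location blocks of the snippet.

    A matching regex location wins over a plain prefix location. The path is
    assumed to be already normalised, as nginx does before matching.
    Returns "proxy", "deny", or "other" (handled by neither block).
    """
    path = path.split("?", 1)[0]  # locations are matched without the query string
    if re.search(pattern, path):
        return "proxy"
    if path.startswith(PREFIX):
        return "deny"
    return "other"


# Constructed sample paths; the non-public ones are placeholders, not real end-points.
SAMPLES = [
    "/cue-print-zipline/index.xml",
    "/cue-print-zipline/escenic/text/article-1",
    "/cue-print-zipline/escenic/convert/default",
    "/cue-print-zipline/escenic/convert/custom",
    "/cue-print-zipline/escenic/placeholder-private",
    "/cue-print-zipline/index_xml",
    "/cue-print-zipline/escenic/textual",
    "/other/app",
]


def differences(paths):
    """Paths forwarded by the page's pattern but refused by the stricter one."""
    return [p for p in paths
            if decide(p) == "proxy" and decide(p, STRICT_PATTERN) != "proxy"]


if __name__ == "__main__":
    for p in SAMPLES:
        print(f"{p:50} page={decide(p):6} strict={decide(p, STRICT_PATTERN)}")
    print("forwarded only by the page's pattern:", differences(SAMPLES))
```

If custom conversions are configured and escenic/convert/* is proxied, both patterns need that alternative extended accordingly.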