Proxying CUE Zipline

Since CUE Zipline exposes both public and private web-service end-points, it is strongly advised to install a reverse proxy in front of it, for use by the CUE editor.

The reverse proxy can also function as an SSL/TLS termination point, allowing communication between the CUE editor and CUE Zipline to be secure.

Internal requests, e.g. from CUE Print and trusted enrichment services, would still use the direct connection to the server address configured in zipline.yaml, which allows access to all web-service end-points.

The reverse proxy should pass through requests to /index.xml, escenic/text/*, and escenic/convert/default (or escenic/convert/* if custom conversions have been configured).

The reverse proxy also needs to set the X-Forwarded-For, X-Forwarded-Proto, and X-Real-IP headers on the request to CUE Print.

Alternatively, the reverse proxy can set the Forwarded header, which combines the information of the other headers.

As an example, if using nginx as the reverse proxy, add the following snippet in the server configuration:

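# Public end-points: forwarded to CUE Zipline
location ~ ^/cue-print-zipline/(index.xml|escenic/text|escenic/convert/default) {
        # Tell CUE Zipline the original client address and scheme
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP $remote_addr;
        # Keep the Host header exactly as the client sent it
        proxy_set_header Host $http_host;
        proxy_pass http://localhost:12791;
        proxy_pass_header Set-Cookie;
        proxy_read_timeout 185s;
        # HTTP/1.1 with an empty Connection header towards the upstream
        proxy_set_header Connection '';
        proxy_http_version 1.1;
        chunked_transfer_encoding off;
}
# Every other end-point under /cue-print-zipline is refused
location /cue-print-zipline {
        deny all;
}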

This example proxies requests for the public end-points to port 12791 on the local host (assuming CUE Zipline runs on the same server) and denies access to all other end-points.
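
The following Python sketch is an added example, not part of the CUE documentation. It models how nginx chooses between the two locations above and classifies sample paths, comparing the pattern as written with a stricter variant. The stricter pattern and every sample path other than the three public end-points are assumptions constructed for illustration.

```python
import re

# Pattern copied from the nginx snippet above. An nginx "~" location is a
# case-sensitive, unanchored regex search on the normalized request path.
PUBLIC_AS_WRITTEN = re.compile(
    r"^/cue-print-zipline/(index.xml|escenic/text|escenic/convert/default)")
# Stricter variant (assumption, not from the product documentation): escape
# the dot and require each name to end at a path boundary.
PUBLIC_STRICT = re.compile(
    r"^/cue-print-zipline/"
    r"(index\.xml$|escenic/text(/|$)|escenic/convert/default(/|$))")
DENY_PREFIX = "/cue-print-zipline"


def decide(path, public=PUBLIC_AS_WRITTEN):
    """Return 'proxy', 'deny' or 'other', following nginx location selection."""
    # A matching regex location takes precedence over a plain prefix location.
    if public.search(path):
        return "proxy"
    if path.startswith(DENY_PREFIX):
        return "deny"
    return "other"  # served by some other location in the server block


# Constructed sample paths; only the first three come from the page.
SAMPLES = [
    "/cue-print-zipline/index.xml",
    "/cue-print-zipline/escenic/text/example",
    "/cue-print-zipline/escenic/convert/default",
    "/cue-print-zipline/escenic/convert/custom",
    "/cue-print-zipline/hypothetical-private",
    "/cue-print-zipline/index_xml",
    "/cue-print-zipline/escenic/textual",
]


def report():
    """Map each sample path to (decision as written, decision with strict pattern)."""
    return {p: (decide(p), decide(p, PUBLIC_STRICT)) for p in SAMPLES}


if __name__ == "__main__":
    for path, (loose, strict) in report().items():
        print(f"{path:45} as-written={loose:5} strict={strict}")
```

The last two samples are forwarded by the pattern as written because the dot matches any character and the alternatives are not anchored at a path boundary; the stricter variant denies them.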