
Securing Seeq with TLS on Ubuntu

One way to run Seeq via HTTPS is by using a reverse proxy, such as Apache or Nginx. The reverse proxy handles the encryption and decryption of the connection, and passes plain HTTP requests to Seeq. The unencrypted connection exists only inside the server, between the proxy and Seeq on localhost, so the security risk is minimized. This document explains how to set up such a reverse proxy in Apache.

Prerequisites

  1. Seeq is running, serving HTTP via Webserver on port 34216. If you use a different port, adjust the instructions accordingly.

  2. You have a trusted SSL certificate pair from a certificate authority. You should have a "full-chain" PEM file (the public part) and a "key" PEM file (the private part).

  3. Seeq is running on Ubuntu. These instructions were tested on 18.04 LTS, but other versions are likely to work with little or no modification.

  4. If any firewall is being used (such as "Security Groups" on EC2 or "ufw" on Ubuntu), port 443 is open for inbound traffic, and not claimed by another program.

Installing Apache

Install the Apache webserver and the necessary modules.

CODE
sudo apt update
sudo apt install apache2

sudo a2enmod headers proxy proxy_http ssl proxy_wstunnel rewrite

Disable the placeholder site that comes with Apache so it doesn't conflict with Seeq or expose unwanted files.

CODE
sudo a2dissite 000-default.conf

Setting up Apache sites forwarding to Seeq

Create a file /etc/apache2/sites-available/001-seeq.conf with the following contents, replacing your.site.com with the DNS name of your site. This site will simply redirect all traffic from port 80 (HTTP) to port 443 (HTTPS).

CODE
<VirtualHost *:80>
    ServerName your.site.com
    Redirect / https://your.site.com/
</VirtualHost>


Create a file /etc/apache2/sites-available/001-seeq-ssl.conf with the following contents, replacing your.site.com with the DNS name of your site and /path/to/your/ssl-keys/ with the path to your SSL keys. This site will listen on port 443 (HTTPS), decrypt the connection, and pass on the HTTP requests to Seeq.

CODE
<IfModule mod_ssl.c>
<VirtualHost *:443>
  ServerName your.site.com

  ProxyRequests Off
  # Compatibility Note:
  # In Seeq versions before R22.0.49.00 this must be set to 
  # ProxyPreserveHost Off
  # In Seeq versions R22.0.49.00 and later this must be set to
  # ProxyPreserveHost On
  ProxyPreserveHost On

  SSLEngine On

  # Proxy Websocket requests
  AllowEncodedSlashes NoDecode
  RewriteEngine On
  RewriteCond %{HTTP:Connection} Upgrade [NC]
  RewriteCond %{HTTP:Upgrade} websocket [NC]
  RewriteRule /(.*) ws://localhost:34216/$1  [P,L]

  # Proxy HTTP requests
  ProxyPass / http://localhost:34216/ nocanon
  ProxyPassReverse / http://localhost:34216/

  SSLCertificateFile /path/to/your/ssl-keys/seeq-cert.pem
  SSLCertificateKeyFile /path/to/your/ssl-keys/seeq-key.pem

  # Compatibility Note:
  # In Seeq versions before R22.0.49.00 this line is required
  # RequestHeader Append x-sq-forwarded-url "https://your.site.com/api/"

  # Increase maximum header size and url size to match the default size supported by Seeq (80kb)
  LimitRequestFieldSize 81920
  LimitRequestLine 81920
</VirtualHost>
</IfModule>


Enable both of the new sites:

CODE
sudo a2ensite 001-seeq.conf
sudo a2ensite 001-seeq-ssl.conf
sudo service apache2 restart


Finally, configure Seeq to use the proxy as its URL:

CODE
./seeq-server/seeq config set Network/Webserver/Url https://your.site.com
# If Seeq is running, reload the configuration change
./seeq-server/seeq stop
./seeq-server/seeq start

Now you should be able to access Seeq at https://your.site.com (over HTTPS). If your firewall was previously allowing access to Seeq via port 34216, you can now close that port. Seeq only needs to expose one port to end-users - in this case, port 443.
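
The protection this setup gives depends on the plain HTTP and WebSocket backends staying on the loopback interface. The following Python check is an added example, not part of Seeq's documentation or tooling: it audits the text of a file such as 001-seeq-ssl.conf for that property and for the TLS directives used above. The function names, the DRIFTED sample and the 10.0.0.5 address are constructed for illustration, and the file is assumed to hold a single virtual host.

```python
import re
from urllib.parse import urlsplit

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample (not from the page): a vhost that has drifted from the guide.
DRIFTED = """
<VirtualHost *:443>
  ProxyRequests On
  RewriteRule /(.*) ws://10.0.0.5:34216/$1 [P,L]
  ProxyPass / http://10.0.0.5:34216/ nocanon
  ProxyPassReverse / http://10.0.0.5:34216/
  SSLCertificateFile /path/to/your/ssl-keys/seeq-cert.pem
</VirtualHost>
"""

def directives(conf_text):
    """Yield (name, args) per directive, skipping comments and <Section> tags."""
    for line in conf_text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith(("#", "<")):
            yield parts[0].lower(), parts[1:]

def audit_ssl_vhost(conf_text):
    """Return findings for a TLS-terminating reverse-proxy vhost file."""
    findings, seen = [], {}
    for name, args in directives(conf_text):
        seen[name] = [a.lower() for a in args]  # keep the last occurrence
        # Backends appear in ProxyPass/ProxyPassReverse and RewriteRule ... [P]
        proxied = name in ("proxypass", "proxypassreverse") or (
            name == "rewriterule" and bool(args) and re.search(r"\bP\b", args[-1]))
        for arg in args if proxied else []:
            # Only cleartext schemes matter: they must never leave the host
            if re.match(r"(?i)(http|ws)://", arg):
                host = urlsplit(arg).hostname
                if host not in LOOPBACK:
                    findings.append(f"{name}: cleartext backend {host} is not loopback")
    if seen.get("sslengine") != ["on"]:
        findings.append("SSLEngine is not On in this file")
    if seen.get("proxyrequests") == ["on"]:
        findings.append("ProxyRequests On enables forward proxying")
    for name in ("sslcertificatefile", "sslcertificatekeyfile"):
        if name not in seen:
            findings.append(f"{name} is not set")
    return findings

if __name__ == "__main__":
    for finding in audit_ssl_vhost(DRIFTED):
        print("FINDING:", finding)
```

Pass the contents of the site file to audit_ssl_vhost; an empty list means none of these checks fired.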
