...
Figure 1 Dual Server High Level Architecture
Example network topology
...
: reverse proxy
The diagram below illustrates a common network topology for PhixFlow deployments using a reverse proxy.
Benefits of using a reverse proxy
Using a reverse proxy has several benefits:
It can act as the point of SSL termination, i.e. it will serve the certificate for the service and decrypt the traffic that arrives from users via HTTPS. Many reverse proxies include useful helper functions for managing certificates.
It can further simplify certificate management if you have several installations of PhixFlow; they can be set up to be available at the same FQDN (using a single certificate), at different directories, e.g. phixflow.mycompany.com/production, phixflow.mycompany.com/test, phixflow.mycompany.com/dev.
It can be used to help manage the load on the system, providing an earlier point of failure for users rather than letting all requests on an overloaded system reach the back end servers.
It can be patched more aggressively than back end servers, for which stability is usually crucial. This is true for the reverse proxy and the server it sits on. This is important because this is the point which faces out to a wider network (your corporate network or the public internet), so it is a potential point of attack for bad actors. There is no direct entry via HTTPS to the back end servers (administrative access must be allowed, but each infrastructure provides its own ways of doing this securely).
Using a reverse proxy on a single server
You can install a reverse proxy on the same server as Tomcat, or indeed have a reverse proxy on a single server with Tomcat and the database. This is not recommended for production loads, but can be suitable for short-term test instances. Even in this case, you get most of the benefits listed above.
Choice of reverse proxy
Any reverse proxy can be used providing that the Minimum system requirements for PhixFlow are met. However, we recommend:
IIS on Windows
NGINX on Linux. Example instructions for installation of NGINX, and installation of certificates provided by Let’s Encrypt, are given here: Install NGINX
Illustration for a single instance of PhixFlow
A common setup using a reverse proxy is illustrated below, on Azure. This can be applied in a similar way to any virtualised environment.
Key symbols
In brief, in this scheme SSL connections terminate on a reverse proxy, which passes them on to the application server within a private network.
Key components are:
Component | Description |
---|---|
Azure Network Security Group (NSG) - this can be any Layer 3/4 firewall | |
MariaDB database - this can be any of the supported databases | |
Server - Linux or Windows | |
Azure VNet | This could be any private network. |
Reverse Proxy | Often NGINX on Linux or IIS on Windows, but any reverse proxy could be used. In this example, the reverse proxy terminates the SSL and passes on unencrypted connections safely through a private network to the application server. |
...
Illustration for multiple instances of PhixFlow
Using this scheme you can provide access to the instances of PhixFlow under a single FQDN, e.g. phixflow.mycompany.com/production, phixflow.mycompany.com/test, phixflow.mycompany.com/dev.
The example installation of NGINX explains how to do this: Install NGINX.
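The following NGINX configuration shows the scheme described above: SSL terminates on the proxy under one certificate for the single FQDN, and each path is passed to a separate back end over the private network. It is an added example, not PhixFlow's own configuration or the content of the Install NGINX instructions; the back end addresses, port 8080, the context paths on Tomcat and the certificate file locations are assumptions.

```nginx
# Added example, not PhixFlow's own configuration.
# Assumed values: back end addresses 10.0.1.x, Tomcat on port 8080,
# context paths matching the URL paths, Let's Encrypt certificate layout.

# Plain HTTP is only redirected, so HTTPS on the proxy is the single entry point.
server {
    listen 80;
    server_name phixflow.mycompany.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name phixflow.mycompany.com;

    # One certificate serves every instance because they share the FQDN.
    ssl_certificate     /etc/letsencrypt/live/phixflow.mycompany.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/phixflow.mycompany.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Passed to every back end (inherited by the locations below) so the
    # application can see the original host, client address and scheme.
    proxy_set_header Host              $host;
    proxy_set_header X-Real-IP         $remote_addr;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Each instance is a separate Tomcat reached over the private network.
    # Traffic on this leg is unencrypted, so the firewall (NSG in the
    # illustration) should accept port 8080 only from the proxy's address.
    location /production/ { proxy_pass http://10.0.1.10:8080/production/; }
    location /test/       { proxy_pass http://10.0.1.11:8080/test/; }
    location /dev/        { proxy_pass http://10.0.1.12:8080/dev/; }

    # Requests that match no instance never reach a back end server.
    location / { return 404; }
}
```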
...