Data Observability platform Help

Reverse proxy

There are two options when setting up DQM on premises. You can either use the application-provided HTTPS mode or set up a reverse proxy of your choice. We recommend using a third-party reverse proxy, as it simplifies certificate management.

Required headers

| Header | Explanation |
| --- | --- |
| X-Forwarded-For | Originating IP address for a client connecting through the reverse proxy |
| X-Forwarded-Proto | Protocol the client is using to connect to the reverse proxy |
| Host | Originating host name (example.com) which responds to the proxy; used for the CSP policy |

Samples

Caddy

    your.host.name {
        # Caddyfile directives are not terminated with a semicolon
        reverse_proxy 127.0.0.1:8090
    }

Nginx

    server {
        listen 443 ssl http2;
        server_name yourdomain.com;

        ssl_certificate     /etc/nginx/certs/yourdomain.crt;
        ssl_certificate_key /etc/nginx/certs/yourdomain.key;

        # Strong TLS settings
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location / {
            proxy_pass http://127.0.0.1:8090;

            # Required headers
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto https;

            client_max_body_size 200M;
            proxy_redirect off;
        }
    }

    # Optional: redirect HTTP to HTTPS
    server {
        listen 80;
        server_name yourdomain.com;
        return 301 https://$host$request_uri;
    }

Apache

    <VirtualHost *:443>
        ServerName yourdomain.com

        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/yourdomain.crt
        SSLCertificateKeyFile /etc/apache2/ssl/yourdomain.key
        SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
        SSLCipherSuite HIGH:!aNULL:!MD5
        SSLHonorCipherOrder on

        ProxyPreserveHost On
        ProxyPass / http://127.0.0.1:8090/
        ProxyPassReverse / http://127.0.0.1:8090/

        # Required headers
        RequestHeader set X-Forwarded-For "%{REMOTE_ADDR}s"
        RequestHeader set X-Forwarded-Proto "https"
        RequestHeader set Host "%{HTTP_HOST}s"

        LimitRequestBody 209715200
    </VirtualHost>

    # Optional: redirect HTTP to HTTPS
    <VirtualHost *:80>
        ServerName yourdomain.com
        Redirect "/" "https://yourdomain.com/"
    </VirtualHost>

Host headers

To prevent host header injection and related attacks, production deployments should restrict the allowed Host headers at the reverse proxy level.

Caddy

    # Reject all unknown HTTP requests (no redirect fallback)
    http:// {
        respond "No redirect" 400
    }

    # Handle only the allowed domain over HTTPS
    your.host.name {
        @valid_host host your.host.name

        handle @valid_host {
            reverse_proxy selectzero:8090
        }

        handle {
            respond "Invalid Host Header" 400
        }
    }

Nginx

    server {
        listen 443 ssl;
        server_name your.host.name;

        ssl_certificate     /etc/nginx/ssl/fullchain.pem;
        ssl_certificate_key /etc/nginx/ssl/privkey.pem;

        # Block if the Host header doesn't match the allowed name
        if ($host != "your.host.name") {
            return 400 "Invalid Host Header";
        }

        location / {
            proxy_pass http://selectzero:8090;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

Apache

    <VirtualHost *:443>
        ServerName your.host.name

        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/your.host.name/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/your.host.name/privkey.pem

        # Block if Host header doesn't match ServerName
        <If "%{HTTP_HOST} != 'your.host.name'">
            Redirect 400 /
        </If>

        ProxyPass / http://localhost:8090/
        ProxyPassReverse / http://localhost:8090/
    </VirtualHost>

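
To confirm after deployment that the Host restriction is actually enforced, the following added example (not part of the product or its documentation) sends requests with an explicit Host header to your own proxy and checks that only the allowed name is served. The function names, the file name in the usage comment and the probe host names are constructed for this example, and it assumes rejected requests return 400 as in the samples above.

```python
"""Verify that a reverse proxy rejects requests for unexpected Host headers."""
import http.client
import sys

REJECT_STATUS = 400  # assumption: status the sample configs return for a bad Host


def probe(addr, port, host_header, use_tls=True, timeout=5):
    """Send GET / with an explicit Host header and return the status code."""
    conn_cls = http.client.HTTPSConnection if use_tls else http.client.HTTPConnection
    # With TLS, addr must be a name the proxy certificate is valid for.
    conn = conn_cls(addr, port, timeout=timeout)
    try:
        # skip_host=True stops http.client from adding its own Host header.
        conn.putrequest("GET", "/", skip_host=True)
        conn.putheader("Host", host_header)
        conn.endheaders()
        response = conn.getresponse()
        response.read()
        return response.status
    finally:
        conn.close()


def audit(addr, port, allowed_host, use_tls=True):
    """Return (host_header, status, passed) for the allowed name and probes."""
    # Constructed probe names; the .invalid TLD is reserved and never resolves.
    unexpected = ["unknown.invalid", f"{allowed_host}.unknown.invalid"]
    status = probe(addr, port, allowed_host, use_tls)
    results = [(allowed_host, status, status != REJECT_STATUS)]
    for name in unexpected:
        status = probe(addr, port, name, use_tls)
        results.append((name, status, status == REJECT_STATUS))
    return results


if __name__ == "__main__":
    # Usage (hypothetical file name): python check_host.py your.host.name [port]
    host = sys.argv[1]
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    rows = audit(host, port, host)
    for name, status, passed in rows:
        print(f"{'PASS' if passed else 'FAIL'}  Host: {name}  ->  {status}")
    sys.exit(0 if all(passed for _, _, passed in rows) else 1)
```

A FAIL on one of the `.invalid` rows means the proxy answered for a name it should have refused, so the Host check is not in the request path.
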
07 May 2025