Using Engine Behind a Proxy or Load Balancer

If you have your Engine instances behind a load balancer or reverse-proxy, there are certain issues that can arise if it is not configured properly.

For example, you may be accessing the launch URL over https, but Engine's player loads some requests over http. You may also find that the player sometimes uses URLs that contain the internal name or IP address rather than the original domain name the launch request came in with.

Both of these issues stem from the fact that Engine must infer the root portion of the player URLs from the original launch request. When your load balancer or proxy does TLS/SSL offloading, the request that actually reaches Engine arrives over http, so Engine uses http for its URLs. The same happens when the proxy forwards the request to Engine using an internal name or IP address: Engine uses that instead of the external domain name.

Fortunately, Engine has some built-in mechanisms that try to infer the 'original' URL for the launch from HTTP headers on the request, so that this will not happen. They require certain behavior by the device that sits in front of Engine, though.

Engine tries to determine the original URL via the following steps:

  1. Engine first checks the "Forwarded" HTTP header for RFC7239-style reverse proxying. If it's present, Engine will check the "host" and "proto" segments in the value of that header to determine the original host and protocol.
  2. Engine then checks for either the "x-forwarded-proto" or "x-forwarded-host" HTTP headers (which were the industry-standard way to solve this problem before RFC7239 adoption). If either header is present, it will use the given host and protocol for the original URL.
  3. Last, Engine checks for the IIS/ARR-specific header "x-arr-ssl", and will set the request to be https if it is found.

In short, one of the "Forwarded", "x-forwarded-proto", or "x-arr-ssl" HTTP headers can be added to the request that Engine finally processes in order for Engine to have the correct value used for generated URLs. 
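The lookup order above can be modeled in a few lines. This is an added illustration, not Engine's own code; the function names are hypothetical, and it assumes the first matching header wins, that only the first element of a "Forwarded" list is read, and that the headers were set by your own proxy.

```python
# Added illustration of the header lookup order described above (not Engine's code).
from urllib.parse import urlsplit, urlunsplit


def parse_forwarded(value):
    """Return the key/value pairs of the first element of an RFC 7239 Forwarded header."""
    first_hop = value.split(",")[0]  # assumption: only the first element is used
    pairs = {}
    for part in first_hop.split(";"):
        key, sep, val = part.strip().partition("=")
        if sep:
            pairs[key.lower()] = val.strip().strip('"')
    return pairs


def original_url(request_url, headers):
    """Rebuild the externally visible URL from the request the backend received."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    parts = urlsplit(request_url)
    scheme, host = parts.scheme, parts.netloc

    if "forwarded" in h:  # step 1: RFC 7239 "proto" and "host" segments
        fwd = parse_forwarded(h["forwarded"])
        scheme = fwd.get("proto", scheme)
        host = fwd.get("host", host)
    elif "x-forwarded-proto" in h or "x-forwarded-host" in h:  # step 2
        scheme = h.get("x-forwarded-proto", scheme)
        host = h.get("x-forwarded-host", host)
    elif "x-arr-ssl" in h:  # step 3: IIS/ARR only signals that TLS was used
        scheme = "https"

    return urlunsplit((scheme, host, parts.path, parts.query, ""))


# Constructed sample: the request as it reaches the backend after TLS offloading.
INTERNAL = "http://10.0.0.12:8080/player/launch?id=1"

if __name__ == "__main__":
    print(original_url(INTERNAL, {"Forwarded": "proto=https;host=learn.example.com"}))
    print(original_url(INTERNAL, {"X-Forwarded-Proto": "https"}))
```

The second call shows why a proxy that sends only the protocol header fixes the scheme but still leaves the internal host in the generated URL.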

If you are using Tomcat behind Apache using an AJP Connector, there are some attributes on the Connector that may also be relevant, specifically the 'proxyName', 'proxyPort' and 'scheme'.

Finally, if none of the above will work for you, Engine has two settings that can be used to hard-code behavior for this type of situation: ForwardedHost and ForwardedProtocol. These override any values sent in headers, and Engine always uses them when building URLs. Typically, it's better to handle this without these settings, as their hard-coded nature makes it more difficult to move your settings file between environments.
