Docker image for RapidMiner Reverse Proxy - Altair RapidMiner Documentation

You are viewing the RapidMiner Hub documentation for version 10.2 - Check here for latest version

Docker image for RapidMiner Reverse Proxy

The documentation below describes RapidMiner Reverse Proxy, which is a generic reverse proxy for the following components:

  • RapidMiner Server
  • JupyterHub
  • Dashboards
  • Platform Admin

With this proxy:

  • you have to open only a single HTTPS (or HTTP, but it is not recommended) port, and access different services under different suffixes (e.g. https://domain.name/grafana), the root suffix is used for the RapidMiner Platform landing page.
  • suffix names can be customized
  • backends can be configured, and in case you do not have a particular service, you can set the backend empty (in this case, the RapidMiner Server backend will be used). If the backend is not accessible, you will receive a "502 bad gateway" error page.
  • you can easily configure HTTPS transport security.
  • you will have improved security settings

For available versions, please see the tags on Docker Hub.

Configuration

  • Volumes:
    • platform-admin-uploaded-vol: docker volume to persist basic authentication credentials, maps internally to /rapidminer/platform-admin/uploaded/.
  • Ports: 80 and 443 are mapped to the same internal ports, so that both HTTP and HTTPS traffic terminates in this container.
  • Environment variables:
    • RMSERVER_BACKEND: sets the URL of the RapidMiner Server backend on the internal network. Default: http://rm-server-svc:8080.
    • JUPYTER_BACKEND: sets the URL of the JupyterHub backend on the internal network. Default: http://rm-jupyterhub-svc:8000.
    • JUPYTER_URL_SUFFIX: sets the external URL suffix where the JupyterHub service will be accessible. Default: /jupyter.
    • GRAFANA_BACKEND: sets the URL of the Dashboards backend on the internal network. Default: http://rm-grafana-svc:3000.
    • GRAFANA_URL_SUFFIX: sets the external URL suffix where the Dashboards service will be accessible. Default: /grafana.
    • RTS_SCORING_BACKEND: sets the URL of the Real-Time Scoring Agent backend on the internal network. Default: http://rts-agent-svc:8090/.
    • RTS_SCORING_URL_SUFFIX: sets the external URL suffix where the Real-Time Scoring Agent service will be accessible. Default: /rts.
    • PA_BACKEND: sets the URL of the Platform Admin service on the internal network. Default: http://platform-admin-webui-svc:82/.
    • PA_URL_SUFFIX: sets the external URL suffix where the Platform Admin service will be accessible. Default: /platform-admin.
    • TOKEN_BACKEND: sets the URL of the Token Generator service on the internal network. Default: http://rm-token-tool-svc.
    • TOKEN_URL_SUFFIX: sets the external URL suffix where the Token Generator service will be accessible. Default: /get-token.
    • LANDING_BACKEND: sets the URL of the Landing Page service on the internal network. Default: http://landing-page.
    • SSO_PUBLIC_URL: external public URL where the RapidMiner Platform will be accessible.
    • SSO_IDP_REALM: SSO realm used for identity and access configuration. Default: master. Should not be changed.
    • HTTPS_CRT_PATH, HTTPS_KEY_PATH, HTTPS_DH_PATH: paths to files needed for HTTPS transport security. Filled automatically by RapidMiner init. Should not be changed.

Data persistence

Some services are using Basic Auth for access control, this accesses are stored encrypted in .htpasswd files. The proxy needs read access to this files to provide the access control, this can be achived with volume mounts:

volumes:
- pem-uploaded-vol:/rapidminer/pem/uploaded/:ro
- rts-uploaded-vol:/rapidminer/rts/uploaded/:ro

If you don't have RapidMiner Python Environment Manager, or Rapidminer Real-Time Scoring, you can forsake the particular volume.

The complete volume definition is like:

volumes:
- ./ssl:/etc/nginx/ssl:ro
- pem-uploaded-vol:/rapidminer/pem/uploaded/:ro
- rts-uploaded-vol:/rapidminer/rts/uploaded/:ro

Access and error logs

The proxy container forwards all logs to the container log, wich can be handled as in any container based deployment, this is out of scope for this document.