Applies to: COMSOL Model Manager server Versions: 6.0

Problem Description

In some cases it is advantageous to use a reverse proxy server as an intermediary between Model Manager server and its users. Use cases of a reverse proxy server include:

  • Offloading TLS encryption onto the reverse proxy server, either for using hardware-accelerated encryption or simply to not have to configure encryption for each web service separately.
  • Firewall features that protect the web service from attacks.
  • Integration with single sign-on systems for authentication.

Solution

Setting up a reverse proxy

Any reverse proxy that supports HTTP can be used with Model Manager server. Two common reverse proxy softwares are Apache mod_proxy and Nginx. See the documentation of the reverse proxy software for how to set it up to forward requests.

Note: Model Manager server currently only supports being served on the root path of a host, i.e. not under a custom URI path prefix like example.com/modelmanager. To distinguish the Model Manager server from other intranet services you can use a hostname prefix, e.g. modelmanager.example.com.

TLS encryption

By configuring the reverse proxy to serve HTTPS, the integrity and confidentiality of the communication between the client and the reverse proxy is protected by the TLS protocol. This is the recommended way to host the Model Manager server on any networks where cleartext traffic could be intercepted. To connect to a Model Manager server using HTTPS, check the Require secure connection checkbox in COMSOL Multiphyiscs.

Single sign on integration

Model Manager server supports authenticating user accounts with the Basic HTTP authentication scheme, using the Authorization HTTP header. This allows to integrate single sign on in a reverse proxy, for user accounts present on a Model Manager server. To do this, configure the reverse proxy for authenticating clients, using any authentication scheme you want, then set it up to authenticate itself to the Model Manager server using Basic HTTP authentication, with the username of the externally authenticated client and a dummy secret password for the corresponding user account on the Model Manager server.

Support

Please let us know if you would like to know more about any of these topics by contacting the support! We will help to the best of our abilities to explain how Model Manager server works, but cannot in general give specific support on the setup of reverse proxy software.