Running Behind a Load Balancer or Reverse Proxy
Starting with MarkLogic 11.1.0, the Admin UI, Query Console, Monitoring Dashboard, and History can be run behind a reverse proxy or load balancer and accessed via path-based routing. Additionally, the MarkLogic clients (Java, Node.js, XCC) and MarkLogic Content Pump (mlcp) can connect to a MarkLogic cluster through a load balancer or reverse proxy configured with path-based routing to MarkLogic app servers.
Accessing a MarkLogic cluster running behind a reverse proxy or load balancer does not require any configuration on the MarkLogic side. However, the MarkLogic UIs now support HTTP headers that can be used to specify the paths that are used to access each of them.
| Header | Value |
|---|---|
| X-ML-ADM-Path | Path for accessing the Admin UI |
| X-ML-QC-Path | Path for accessing Query Console |
| X-ML-MNG-Path | Path for accessing the monitoring and management applications |
When configuring a reverse proxy or load balancer, you map its listener ports and paths to target hosts and ports in the MarkLogic cluster. For example, a reverse proxy could be configured to map the following paths to ports:
| Port | Path | Target Port |
|---|---|---|
| 443 | /ml_8000 | 8000 |
| 443 | /ml_8001 | 8001 |
| 443 | /ml_8002 | 8002 |
| 443 | /my_app | 8010 |
To access the MarkLogic UIs, the reverse proxy needs to be configured to add the following HTTP headers to the requests sent to MarkLogic:
X-ML-ADM-Path "/ml_8001"; X-ML-QC-Path "/ml_8000"; X-ML-MNG-Path "/ml_8002";
Additionally, to prevent CSRF issues when accessing the MarkLogic UIs, the reverse proxy or load balancer needs to be configured to add the following HTTP headers to the requests sent to the MarkLogic UI ports (8000, 8001, 8002 by default):
| Header | Value |
|---|---|
| Host | <proxy_server_host>:<proxy_server_port> |
| Referer | <proxy_server_protocol>://<proxy_server_host>:<proxy_server_port> |
| Origin | empty |
Where proxy_server_host is the hostname of the reverse proxy or load balancer, proxy_server_port is the external port of the reverse proxy or load balancer (e.g. 80, 443, etc.) and proxy_server_protocol is the protocol that is used to access the reverse proxy or load balancer (e.g. http or https).
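One way to express the path mapping and the headers above, written for nginx as an added example that is not taken from the MarkLogic documentation. The hostnames, certificate paths, plain-HTTP backend and the prefix stripping done by the trailing slash on `proxy_pass` are assumptions.

```nginx
# Added example. proxy.example.com, marklogic.internal.example and the
# certificate paths are placeholders, not values from the MarkLogic docs.
server {
    listen 443 ssl;
    server_name proxy.example.com;                  # <proxy_server_host>
    ssl_certificate     /etc/nginx/tls/proxy.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/proxy.key;   # placeholder path

    # Tell the MarkLogic UIs which external path reaches each of them.
    proxy_set_header X-ML-ADM-Path "/ml_8001";
    proxy_set_header X-ML-QC-Path  "/ml_8000";
    proxy_set_header X-ML-MNG-Path "/ml_8002";

    # Headers for the UI ports, pinned to the proxy's external address
    # rather than copied from whatever the client sent.
    proxy_set_header Host    "proxy.example.com:443";
    proxy_set_header Referer "https://proxy.example.com:443";
    # nginx does not forward a header whose value is the empty string.
    proxy_set_header Origin  "";

    # Assumption: the trailing slash on proxy_pass removes the path prefix
    # before the request reaches the app server (backend over plain HTTP).
    location /ml_8000/ { proxy_pass http://marklogic.internal.example:8000/; }
    location /ml_8001/ { proxy_pass http://marklogic.internal.example:8001/; }
    location /ml_8002/ { proxy_pass http://marklogic.internal.example:8002/; }

    # Application port. Declaring proxy_set_header inside this location
    # stops the server-level headers above from being inherited here.
    location /my_app/ {
        proxy_set_header Host $host;
        proxy_pass http://marklogic.internal.example:8010/;
    }
}
```

Running `nginx -t` after editing checks the syntax before a reload.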
The client libraries and tools support an optional basepath connection option that is used when accessing MarkLogic app servers running behind the reverse proxy or load balancer. See the documentation for each client library or tool for details.
Limitations
HTTPS is supported with path-based routing. HTTP is not.
Digest auth is not supported.
Certificate-based authentication cannot be used when terminating TLS at the load balancer/proxy.