Analyzers
Support for Analyzers (Intel VTune™ Profiler, Intel Advisor, Intel Inspector)
Announcements
This community is designed for sharing of public information. Please do not share Intel or third-party confidential information here.
4659 Discussions

Can vtune-backend run through reverse proxy?

mpi_new_user
New Contributor I
726 Views

Hi,

I have two nodes, one is login node and another is compute node.Two nodes have installed Vtune Profile 2021 in a shared directory.

I run the command in the compute node:

vtune-backend --allow-remote-ui --enable-server-profiling --web-port=12030

Log is:

No TLS certificate was provided as a --tls-certificate command-line argument thus a self-signed certificate is generated to enable secure HTTPS transport for the web server: /home/user1/.intel/vtune/settings/certificates/middleware.crt. 
Serving GUI at https://c1:12030

Serving GUI at https://<compute node ip>:12030

 

I want to use the url  https://<login node ip>:8080/  to open the vtune-backend web interface which is run on the compute node. And the url in the browser will not be changed.

I try to use nginx and add the settings in login node ,but failed.

map $http_upgrade $connection_upgrade {
        default          keep-alive;  
        'websocket'      upgrade;     
    }

server {
        listen 8080 ssl http2;
        server_name login;

        sendfile        on;
        tcp_nopush      on;
        tcp_nodelay     on;

        keepalive_timeout  65;
        proxy_connect_timeout 60;
        proxy_send_timeout 3600;
        proxy_read_timeout 3600;

        http2_max_concurrent_streams    512;
        http2_max_requests              10000;
        http2_chunk_size                16k;
        http2_recv_timeout              3600;
        http2_body_preread_size         256k;

        ssl_certificate             /etc/nginx/ssl/server.crt;
        ssl_certificate_key         /etc/nginx/ssl/server.key;
        ssl_session_timeout         1d;
        ssl_session_cache           shared:MozSSL:10m;  # about 40000 sessions
        ssl_session_tickets         off;
        ssl_early_data              on;

        ssl_dhparam                 /etc/nginx/ssl/dhparam.pem;

        ssl_protocols               TLSv1.1 TLSv1.2 TLSv1.3;
        ssl_ciphers                 ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
        ssl_prefer_server_ciphers   off;

        add_header      Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
        add_header      X-Content-Type-Options nosniff;
        add_header      X-XSS-Protection '1; mode=block';
        add_header      X-Frame-Options SAMEORIGIN;

        ssl_stapling on;
        ssl_stapling_verify on;

        location / {
            proxy_buffering off;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Port $server_port;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_redirect off;

            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $host:8080;
            proxy_cache_bypass $http_upgrade;
            proxy_set_header Origin '';
            proxy_pass https://<compute ip>:12030/;
            root /opt/intel/oneapi/vtune/latest/frontend;
        }

 

After I open the url : https://<login node ip>:8080/

I got the error : 

error: Too many WebSocket handshakes from address <login node ip>
error: [
  'error connecting socket, sessionId: undefined',
  { isTrusted: true }
]

The page is blank and the websocket connection is failed with the error code 429.

 

Anyone can help me?

Please let me know if I'm missing something.Thanks.

Or there are any alternative methods in Vtune?

 

 

 
Labels (1)
0 Kudos
1 Solution
mpi_new_user
New Contributor I
591 Views

I have get the answer about the question.

If you want to use reverse proxy with vtune-backend, you must to use "Reverse proxy authentication" in /opt/intel/oneapi/vtune/latest/backend/config.yaml.

 

 

View solution in original post

5 Replies
AthiraM_Intel
Moderator
689 Views

Hi,


Thanks for reaching out to us.


We are checking on it internally, will get back to you soon.


Thanks


mpi_new_user
New Contributor I
660 Views

I have tested the reverse proxy in other nodes,and the same error still occurs.

Do you have any useful information?

Stas-Neverov-Intel
632 Views

Hi,

Yes, the VTune server does support deployments behind a reverse proxy.

You just need to add NGINX configuration for WebSockets:

 

proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 36000s;

 

You could also move user authentication to the reverse proxy and enable client certificate authentication to limit access to the VTune server only to the reverse proxy and block direct access. See online documentation:

https://software.intel.com/content/www/us/en/develop/documentation/vtune-help/top/installation/insta...

-Stas

mpi_new_user
New Contributor I
592 Views

I have get the answer about the question.

If you want to use reverse proxy with vtune-backend, you must to use "Reverse proxy authentication" in /opt/intel/oneapi/vtune/latest/backend/config.yaml.

 

 

AthiraM_Intel
Moderator
574 Views

Hi,


Glad to know that your issue is resolved. If you need any additional information, please submit a new question as this thread will no longer be monitored.


Thanks.


Reply