# Deploying Behind a Proxy
The Binary Ninja Enterprise Server handles TLS termination out of the box, but you can offload TLS to an external proxy. To disable the built-in TLS listener, pass `--no-tls` to `install` (or set `ENTERPRISE_PROXY_NO_TLS=true` in `config.env` if you have already installed). You can also do this temporarily by passing `--no-tls` to `start` when testing. Clients still require HTTPS, so ensure your proxy presents a trusted certificate.
If you are intentionally deploying behind a proxy, you probably know what to do from here. But, just in case, we've documented an example of using the Traefik edge router below.
Note
When configuring a proxy in front of the Binary Ninja Enterprise Server, ensure that large requests are passed through properly. For example, set `client_max_body_size 0;` when using Nginx.
If your proxy rewrites the Host header, the server's host-header validation may block requests. Pass `--allowed-host <host list>` to `install` or `start` (or set the `ENTERPRISE_SERVER_ALLOWED_HOSTS` environment variable in `config.env`) to allow this. `<host list>` is comma-separated.
## Deploying Behind Traefik
Note
This guide assumes you do not already have a Traefik instance running. If you do, please adjust accordingly and skip steps you don't need.
### Initial Setup
Before you can start Traefik, you will need to create two networks:

```shell
# This is the network that Traefik will use to communicate with the world:
docker network create traefik_public
# This is the network that Traefik will use to communicate with containers:
docker network create --internal traefik_internal
```
Warning
If you are doing a Docker Swarm deployment, both of these networks will need to be created with the `--driver overlay` flag.
### Deploying Traefik
Create a `docker-compose.traefik.yml` file with the following contents:

```yaml
services:
  traefik:
    image: "traefik:v3.1"
    container_name: "traefik"
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.email=postmaster@example.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "443:443"
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      - traefik_public
      - traefik_internal

networks:
  traefik_public:
    external: true
    name: traefik_public
  traefik_internal:
    external: true
    name: traefik_internal
```
You will need to customize the `certificatesresolvers` lines above for your deployment. See the Let's Encrypt page in Traefik's documentation.
Or, if you already have your own certificates, see Traefik's documentation on providing your own TLS certificates and edit the config accordingly.
When you're comfortable with your config, start Traefik:
```shell
docker-compose -f docker-compose.traefik.yml up -d
```
Warning
If you are deploying with Docker Swarm, you will also need to make sure the `./letsencrypt` volume mount uses an absolute path, not a relative one.
### Deploying Binary Ninja Enterprise
To route the Enterprise server through Traefik, add labels and network wiring in `docker-compose.override.yml`:

```yaml
services:
  nginx:
    networks:
      - traefik_internal
    labels:
      traefik.enable: true
      traefik.docker.network: traefik_internal
      traefik.http.routers.enterprise.service: binaryninja
      traefik.http.routers.enterprise.rule: Host(`bn-enterprise.example.com`)
      traefik.http.routers.enterprise.entrypoints: websecure
      traefik.http.routers.enterprise.tls.certresolver: myresolver
      # Match this to the nginx service listen port inside the stack (3535 by default)
      traefik.http.services.binaryninja.loadbalancer.server.port: 3535

networks:
  traefik_internal:
    external: true
    name: traefik_internal
```
Then bring the server up with TLS disabled in the built-in proxy (set once in `config.env`, or pass on the CLI to test):

```shell
./manage_server start --no-tls
```
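As an added consistency check (my own script, not part of Binary Ninja Enterprise or Traefik), the following Python cross-references the Traefik command flags from `docker-compose.traefik.yml` with the labels on the `nginx` service from `docker-compose.override.yml`; the inputs are copied from the two files above and the function names are my own. A mismatch in any of these (entrypoint, certresolver, service port label, shared network, or `traefik.enable` when `exposedbydefault=false`) makes Traefik ignore or reject the router, which usually surfaces only as a 404 from the proxy.

```python
# Inputs constructed from the two compose files above (added example, not a
# Binary Ninja or Traefik tool). Replace them with your own values to lint a deployment.
TRAEFIK_COMMAND = [
    "--providers.docker=true",
    "--providers.docker.exposedbydefault=false",
    "--entrypoints.websecure.address=:443",
    "--certificatesresolvers.myresolver.acme.tlschallenge=true",
]
TRAEFIK_NETWORKS = {"traefik_public", "traefik_internal"}
NGINX_LABELS = {
    "traefik.enable": True,
    "traefik.docker.network": "traefik_internal",
    "traefik.http.routers.enterprise.service": "binaryninja",
    "traefik.http.routers.enterprise.rule": "Host(`bn-enterprise.example.com`)",
    "traefik.http.routers.enterprise.entrypoints": "websecure",
    "traefik.http.routers.enterprise.tls.certresolver": "myresolver",
    "traefik.http.services.binaryninja.loadbalancer.server.port": 3535,
}
NGINX_NETWORKS = {"traefik_internal"}

def parse_flags(command):
    """Turn '--a.b=c' command items into {'a.b': 'c'} (Traefik keys are case-insensitive)."""
    return {k.lower(): v for k, _, v in (i.lstrip("-").partition("=") for i in command)}

def check_wiring(command, traefik_networks, labels, service_networks):
    """Return the wiring problems that would make Traefik ignore or fail the router."""
    flags = parse_flags(command)
    labels = {k.lower(): str(v) for k, v in labels.items()}  # YAML true/3535 -> strings
    problems = []
    if (flags.get("providers.docker.exposedbydefault") == "false"
            and labels.get("traefik.enable", "").lower() != "true"):
        problems.append("exposedbydefault=false, so the service needs traefik.enable: true")
    net = labels.get("traefik.docker.network")
    if net not in traefik_networks or net not in service_networks:
        problems.append(f"traefik.docker.network {net!r} is not attached to both containers")
    routers = {k.split(".")[3] for k in labels if k.startswith("traefik.http.routers.")}
    for router in routers:
        p = f"traefik.http.routers.{router}."
        for ep in filter(None, labels.get(p + "entrypoints", "").split(",")):  # absent = all
            if f"entrypoints.{ep.strip()}.address" not in flags:
                problems.append(f"router {router}: entrypoint {ep.strip()!r} is not defined")
        resolver = labels.get(p + "tls.certresolver")
        if resolver and not any(k.startswith(f"certificatesresolvers.{resolver}.") for k in flags):
            problems.append(f"router {router}: certresolver {resolver!r} is not defined")
        svc = labels.get(p + "service")
        if svc and f"traefik.http.services.{svc}.loadbalancer.server.port" not in labels:
            problems.append(f"router {router}: service {svc!r} has no loadbalancer.server.port")
    return problems
```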