Deploying Behind a Proxy
The Binary Ninja Enterprise Server handles TLS termination out of the box. To terminate TLS at a proxy instead, start the server with the --no-tls launch option.
If you are intentionally deploying behind a proxy, you probably know what to do from here. But, just in case, we've documented an example of using the Traefik edge router below.
Note
When configuring a proxy in front of the Binary Ninja Enterprise Server, ensure that large requests will be passed properly. For example, set client_max_body_size 0; when using Nginx.
Deploying Behind Traefik
Note
This guide assumes you do not already have a Traefik instance running. If you do, please adjust accordingly and skip steps you don't need.
Initial Setup
Before you can start Traefik, you will need to create two networks:
# This is the network that Traefik will use to communicate with the world:
docker network create traefik_public
# This is the network that Traefik will use to communicate with containers:
docker network create --internal traefik_internal
Warning
If you are doing a Docker Swarm deployment, both of these networks will need to be created with the --driver overlay flag.
Deploying Traefik
Create a docker-compose.traefik.yml file with the following contents:
version: "3.8"
services:
  traefik:
    image: "traefik:v2.9"
    container_name: "traefik"
    command:
      - "--providers.docker=true"
      # Only containers labelled traefik.enable=true are routed
      - "--providers.docker.exposedbydefault=false"
      # Defines the entrypoint named "websecure" on port 443
      - "--entrypoints.websecure.address=:443"
      # Defines the certificate resolver named "myresolver"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.email=postmaster@example.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "443:443"
    volumes:
      - "./letsencrypt:/letsencrypt"
      # Traefik reads container labels through the Docker socket (mounted read-only)
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    networks:
      - traefik_public
      - traefik_internal
networks:
  traefik_public:
    external: true
    name: traefik_public
  traefik_internal:
    external: true
    name: traefik_internal
You will need to customize the certificatesresolvers lines above for your deployment. See the Let's Encrypt page in Traefik's documentation.
Or, if you have your own certificates already, see this page and edit the config accordingly.
When you're comfortable with your config, start Traefik:
docker-compose -f docker-compose.traefik.yml up -d
Warning
If you are deploying with Docker Swarm, you'll also need to make sure the ./letsencrypt file mount is a full path, not a relative path.
Deploying Binary Ninja Enterprise
To make the Binary Ninja Enterprise server route through Traefik, you'll need to make your docker-compose.override.yml file look something like this:
version: "3.8"
services:
  nginx:
    networks:
      - traefik_internal
    labels:
      # Boolean label values are quoted so Compose reads them as strings
      traefik.enable: "true"
      traefik.docker.network: traefik_internal
      traefik.http.routers.enterprise.service: binaryninja
      traefik.http.routers.enterprise.rule: Host(`bn-enterprise.example.com`)
      # Must match the entrypoint name defined in docker-compose.traefik.yml
      traefik.http.routers.enterprise.entrypoints: websecure
      traefik.http.routers.enterprise.tls: "true"
      # Must match the certificatesresolvers name defined in docker-compose.traefik.yml
      traefik.http.routers.enterprise.tls.certresolver: myresolver
      traefik.http.services.binaryninja.loadbalancer.server.port: 1337
networks:
  traefik_internal:
    external: true
    name: traefik_internal
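The router labels only work if the entrypoint and certificate resolver they name are the ones Traefik was started with. The following check is an added example, not part of the original guide or of Binary Ninja's tooling: it compares router labels against Traefik's command-line flags. The function names and both label sets are constructed for illustration.

```python
import re

# Traefik flags from the compose file above; both label sets are constructed samples.
TRAEFIK_COMMAND = [
    "--providers.docker=true",
    "--providers.docker.exposedbydefault=false",
    "--entrypoints.websecure.address=:443",
    "--certificatesresolvers.myresolver.acme.tlschallenge=true",
]
GOOD_LABELS = {
    "traefik.http.routers.enterprise.entrypoints": "websecure",
    "traefik.http.routers.enterprise.tls.certresolver": "myresolver",
}
BAD_LABELS = {
    "traefik.http.routers.enterprise.entrypoints": "https",
    "traefik.http.routers.enterprise.tls.certresolver": "letsencrypt",
}
ROUTER_KEY = re.compile(r"^traefik\.http\.routers\.([^.]+)\.(.+)$", re.IGNORECASE)

def defined_names(command, kind):
    """Names declared by flags such as --entrypoints.<name>.address=..."""
    flag = re.compile(rf"^--{kind}\.([^.=]+)\.", re.IGNORECASE)
    return {m.group(1).lower() for m in map(flag.match, command) if m}

def check_router_labels(command, labels):
    """Return one message per router label that names something undefined."""
    entrypoints = defined_names(command, "entrypoints")
    resolvers = defined_names(command, "certificatesresolvers")
    problems = []
    for key, value in labels.items():
        m = ROUTER_KEY.match(key)
        if not m:
            continue
        router, option = m.group(1), m.group(2).lower()
        if option == "entrypoints":
            wanted, known, what = str(value).split(","), entrypoints, "entrypoint"
        elif option == "tls.certresolver":
            wanted, known, what = [str(value)], resolvers, "certresolver"
        else:
            continue
        for name in (w.strip() for w in wanted):
            if name.lower() not in known:  # compared case-insensitively (assumption)
                problems.append(f"router {router}: {what} '{name}' is not defined")
    return problems

if __name__ == "__main__":
    for line in check_router_labels(TRAEFIK_COMMAND, BAD_LABELS):
        print(line)
```

An empty result means every router label points at an entrypoint and resolver that Traefik actually defines.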
Now, you should be able to bring the server up with:
./manage_server start --no-tls
Warning
Due to a bug that was not solved before our 3.4 stable release, the Enterprise server will still bind on port 3535 on the host even though the service will only be accessible over the standard HTTPS port (443).