Deploying Behind a Proxy
The Binary Ninja Enterprise Server handles TLS termination out of the box, but you can terminate TLS at a proxy instead by launching the server with the --no-tls option.
If you are intentionally deploying behind a proxy, you probably know what to do from here. But, just in case, we've documented an example of using the Traefik edge router below.
When configuring a proxy in front of the Binary Ninja Enterprise Server, ensure that large requests will be passed properly. For example, set client_max_body_size 0; when using Nginx.
Deploying Behind Traefik
This guide assumes you do not already have a Traefik instance running. If you do, please adjust accordingly and skip steps you don't need.
Before you can start Traefik, you will need to create two networks:
    # This is the network that Traefik will use to communicate with the world:
    docker network create traefik_public
    # This is the network that Traefik will use to communicate with containers:
    docker network create --internal traefik_internal

If you are doing a Docker Swarm deployment, both of these networks will need to be created with the --driver overlay flag.
Create a docker-compose.traefik.yml file with the following contents:
    version: "3.8"
    services:
      traefik:
        image: "traefik:v2.9"
        container_name: "traefik"
        command:
          - "--providers.docker=true"
          # Only containers labelled traefik.enable=true are routed
          - "--providers.docker.exposedbydefault=false"
          - "--entrypoints.websecure.address=:443"
          - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
          - "--certificatesresolvers.myresolver.acme.email=firstname.lastname@example.org"
          - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
        ports:
          - "443:443"
        volumes:
          - "./letsencrypt:/letsencrypt"
          # :ro only protects the socket file; Traefik can still call the Docker API through it
          - "/var/run/docker.sock:/var/run/docker.sock:ro"
        networks:
          - traefik_public
          - traefik_internal
    networks:
      traefik_public:
        external: true
        name: traefik_public
      traefik_internal:
        external: true
        name: traefik_internal

You will need to customize the certificatesresolvers lines above for your deployment. See the Let's Encrypt page in Traefik's documentation.
Or, if you have your own certificates already, see this page and edit the config accordingly.
When you're comfortable with your config, start Traefik:
    docker-compose -f docker-compose.traefik.yml up -d

If you are deploying with Docker Swarm, you'll also need to make sure the ./letsencrypt file mount is a full path, not a relative path.
Deploying Binary Ninja Enterprise
To make the Binary Ninja Enterprise server route through Traefik, you'll need to make your docker-compose.override.yml file look something like this:

    version: "3.8"
    services:
      nginx:
        networks:
          - traefik_internal
        labels:
          traefik.enable: "true"
          traefik.docker.network: traefik_internal
          traefik.http.routers.enterprise.service: binaryninja
          traefik.http.routers.enterprise.rule: Host(`bn-enterprise.example.com`)
          # Must match the entrypoint name defined in docker-compose.traefik.yml
          traefik.http.routers.enterprise.entrypoints: websecure
          traefik.http.routers.enterprise.tls: "true"
          # Must match the certificate resolver name defined in docker-compose.traefik.yml
          traefik.http.routers.enterprise.tls.certresolver: myresolver
          traefik.http.services.binaryninja.loadbalancer.server.port: 1337
    networks:
      traefik_internal:
        external: true
        name: traefik_internal

Now, you should be able to bring the server up with:
    ./manage_server start --no-tls

Due to a bug that was not solved before our 3.4 stable release, the Enterprise server will still bind on port 3535 on the host even though the service will only be accessible over the standard HTTPS port (443).
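
The router labels in docker-compose.override.yml refer to an entrypoint, a certificate resolver and a Docker network by name, and those names are defined in docker-compose.traefik.yml. The following added example (not part of the Binary Ninja documentation) cross-checks the two before the stack is started; the flag list and label map are constructed copies of the files above, and names_from_flags and lint are hypothetical helper names.

```python
import re

# Constructed inputs that mirror the two compose files on this page.
TRAEFIK_FLAGS = [
    "--providers.docker=true",
    "--providers.docker.exposedbydefault=false",
    "--entrypoints.websecure.address=:443",
    "--certificatesresolvers.myresolver.acme.tlschallenge=true",
]
TRAEFIK_NETWORKS = ["traefik_public", "traefik_internal"]
ROUTER_LABELS = {
    "traefik.enable": "true",
    "traefik.docker.network": "traefik_internal",
    "traefik.http.routers.enterprise.service": "binaryninja",
    "traefik.http.routers.enterprise.rule": "Host(`bn-enterprise.example.com`)",
    "traefik.http.routers.enterprise.entrypoints": "websecure",
    "traefik.http.routers.enterprise.tls": "true",
    "traefik.http.routers.enterprise.tls.certresolver": "myresolver",
    "traefik.http.services.binaryninja.loadbalancer.server.port": "1337",
}

def names_from_flags(flags, section):
    """Collect the names defined under --<section>.<name>.* in Traefik's flags."""
    pattern = re.compile(r"--" + re.escape(section) + r"\.([^.=]+)\.")
    return {m.group(1) for f in flags if (m := pattern.match(f))}

def lint(flags, networks, labels):
    """Hypothetical helper: list every name the labels use but Traefik lacks."""
    defined = {
        "entrypoints": names_from_flags(flags, "entrypoints"),
        "tls.certresolver": names_from_flags(flags, "certificatesresolvers"),
        "service": {k.split(".")[3] for k in labels
                    if k.startswith("traefik.http.services.")},
    }
    problems = []
    if str(labels.get("traefik.enable")).lower() != "true":
        problems.append("traefik.enable is not true; exposedbydefault=false hides it")
    if labels.get("traefik.docker.network") not in networks:
        problems.append("traefik.docker.network is not a network Traefik joins")
    router_key = re.compile(
        r"traefik\.http\.routers\.([^.]+)\.(entrypoints|tls\.certresolver|service)")
    for key, value in labels.items():
        if m := router_key.fullmatch(key):
            router, field = m.groups()
            for name in (n.strip() for n in str(value).split(",")):
                if name not in defined[field]:  # exact-match comparison (assumption)
                    problems.append(f"router {router}: {field} '{name}' is undefined")
    return problems

print(lint(TRAEFIK_FLAGS, TRAEFIK_NETWORKS, ROUTER_LABELS) or "configs agree")
```

An empty list means every name the labels reference is defined on the Traefik side; each string in a non-empty list names the router and the field to correct.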