Skip to main content
Version: Next

OIDC Proxy Configuration

Authored on 22/08/2023

The datahub-frontend-react server can be configured to use an http proxy when retrieving the openid-configuration. This can be needed if your infrastructure is locked down and disallows connectivity by default, using proxies for fine-grained egress control.

Configure http proxy and non proxy hosts

To do this, you will need to pass a set of environment variables to the datahub-frontend-react container (e.g. in the docker-compose.yml file or your kubernetes manifest).

HTTP_PROXY_HOST=host of your http proxy
HTTP_PROXY_PORT=port of your http proxy
HTTPS_PROXY_HOST=host of your http(s) proxy used for https connections (often the same as the http proxy)
HTTPS_PROXY_PORT=port of your http(s) proxy used for https connections (often the same as the http proxy)
HTTP_NON_PROXY_HOSTS=localhost|datahub-gms (or any other hosts that you would like to bypass the proxy for, delimited by pipe)

Optional: provide custom truststore

If your upstream proxy performs SSL termination to inspect traffic, this will result in different (self-signed) certificates for HTTPS connections. The default truststore used in the datahub-frontend-react docker image will not trust these kinds of connections. To address this, you can copy or mount your own truststore (provided by the proxy or network administrators) into the docker container.

Depending on your setup, you have a few options to achieve this:

Make truststore available in the frontend

Option a) Build frontend docker image with your own truststore included

To build a custom image for your frontend, with the certificates built-in, you can use the official frontend image as a base, then copy in your required files.

Example Dockerfile:

FROM linkedin/datahub-frontend-react:<version>
COPY /truststore-directory /certificates

Building this Dockerfile will result in your own custom docker image on your local machine. You will then be able to tag it, publish it to your own registry, etc.

Option b) Mount truststore from your host machine using a docker volume

Adapt your docker-compose.yml to include a new volume mount in the datahub-frontend-react container

  datahub-frontend-react:
# ...
volumes:
# ...
- /truststore-directory:/certificates

Reference new truststore

Add the following environment values to the datahub-frontend-react container:

SSL_TRUSTSTORE_FILE=path/to/truststore.jks (e.g. /certificates)
SSL_TRUSTSTORE_TYPE=jks
SSL_TRUSTSTORE_PASSWORD=MyTruststorePassword

Once these steps are done, your frontend container will use the new truststore when validating SSL/HTTPS connections.