Securing the Remote Connection Server

Version: Deadline 10

Introduction

The Remote Connection Server (RCS) is an application that lets the Deadline Client applications (e.g. the Deadline Monitor) connect to a Deadline Database and Repository over HTTP, as an alternative to the normal direct connection. The main benefit of using the RCS is better performance and reliability when connecting to a remote Database/Repository.

While the connection between the RCS and the Database/Repository is typically secured, the connections between the Client applications and the RCS are still unsecured. We can remedy this by placing a forwarding server in front of the RCS: it passes requests through to the RCS, and the Client applications connect to it securely using SSL. In our example we will use NGINX ®, a free, open-source, high-performance HTTP server and reverse proxy (as well as an IMAP/POP3 proxy server).

The diagram below shows how NGINX fits into the Deadline ecosystem, and how it can securely control the traffic routed to your Remote Connection Server.

[Image: connection_servers_https_overview.png]

Security should always be taken very seriously, and enabling SSL wherever possible in Deadline is always recommended. By following the steps below you can secure your Deadline setup even more.

Read about what SSL is, and the reasons for using it in last week’s blog post: SSL and Deadline.

Setup Remote Connection Server

For optimal performance, we recommend installing the RCS on a dedicated, always/highly available machine (i.e. not a machine already functioning as a workstation or render node). Note that if you’d like to install the RCS and the NGINX server on the same machine, you should install the RCS on a Linux machine, as the NGINX server is not recommended for use on Windows at this time.

Once you’ve chosen your machine, setting up the RCS is simple: run the Deadline Client installer and, during the installation, check the Deadline Remote Connection Setup box and click Next.

[Image: rcs_setup_checkbox.png]

The next page of the installation will then ask you to choose a listening port for incoming connections to the RCS, and to indicate which User or User Group will be running the RCS. The port you choose is the port the RCS will listen on for incoming connections, so in this case our NGINX server will need to connect to this port. You can choose whatever port number you like, so long as the port is not already in use on your machine. The User/Group name is the name used for the HTTP namespace reservation of your specified port on your machine. Either leave this as Everyone, or choose the name of the User/Group that will be running the RCS.

[Image: rcs_setup_options.png]

Now you can launch the Remote Connection Server application from your Deadline installation bin or from the Deadline Launcher context menu.

Setup NGINX Server

SSL Certificates

First you need to generate or obtain the Server and Client SSL certificates, which will be used to secure the connection between the Client applications and NGINX. As mentioned in last week’s blog entry, if you want to generate your own SSL certificates, we have a Python ® script on the Thinkbox GitHub ® page. It uses OpenSSL ® to generate the server and client certificates. After running it you should have the following files, which are used for server and client authentication respectively:

  • server.crt
  • server.key
  • client.crt
  • client.key

Alternatively, you can purchase SSL certificates from a variety of Certificate Authorities for a fee.

Now that you have your certificates, you can proceed with the installation.

Installation

NGINX is available on both Windows and Linux. However, the Windows version is not fully featured and is not recommended (by NGINX) for use in production. Like the RCS, you should ideally install the NGINX server on a machine that is always/highly available (i.e. again, not a workstation or a render node). As mentioned above, one option is to install NGINX on the same machine as your RCS.

For installation steps on Linux, take a look at the official NGINX documentation on how to install the correct version of NGINX on your machine. Or for a more straightforward example, take a look at this documentation for installing NGINX on Ubuntu ® 14.10.

Setup

Now that NGINX is installed, you need to configure it as a reverse proxy that forwards connections to your Remote Connection Server(s). In-depth NGINX configuration details can be found here, but here we’ll show you a minimized version of that setup.

Start by following the NGINX configuration step to locate your nginx.conf file, and create your deadline.conf file. Then add the following to your deadline.conf file to set up the forwarding instructions on your NGINX server’s HTTP and HTTPS ports:

map $request_uri $upstreamserver {
    default deadline;
    # Requests that carry a transactionID go to the hashed upstream, so every
    # step of one transaction is routed consistently
    ~transactionID.* deadline2;
}

upstream deadline2 {
    hash $binary_remote_addr$request_uri$args;

    server <RCS_HOSTNAME>:<RCS_PORT>;
}

upstream deadline {
    server <RCS_HOSTNAME>:<RCS_PORT>;
}

# Plain HTTP is never proxied: every request is redirected to HTTPS
server {
    listen 80;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name <HOSTNAME>;

    ssl_certificate <PATH TO YOUR SERVER CREDENTIALS>/server.crt;
    ssl_certificate_key <PATH TO YOUR SERVER CREDENTIALS>/server.key;

    # "ssl on;" is obsolete since NGINX 1.15.0 (and rejected by current releases);
    # the "ssl" parameter on the listen directive above already enables TLS
    ssl_session_cache builtin:1000 shared:SSL:10m;
    # TLSv1 and TLSv1.1 are deprecated (RFC 8996); drop them once all clients speak TLSv1.2
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    # Note: as written, this server block does not ask NGINX to verify the Monitor's
    # client.crt. To require it, add "ssl_client_certificate <CA that signed client.crt>;"
    # and "ssl_verify_client on;" here.

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Fix the "It appears that your reverse proxy set up is broken" error.
        proxy_pass http://$upstreamserver;
        proxy_read_timeout 90;

        proxy_redirect http://deadline <HOSTNAME>;
    }
}

Note that you will need to replace the <RCS_HOSTNAME>:<RCS_PORT> entries in the deadline/deadline2 upstream blocks above with the hostname (or IP address) and port that your RCS is running on.

You will also need to replace the <HOSTNAME> entries in the server block above with the hostname (or IP address) that your NGINX server is running on, and you’ll need to set the path for your server.crt and server.key files as well.

Now you should be able to start NGINX by running the following command in a Terminal:

nginx

You can confirm the NGINX server is up and running by hitting the server endpoint from a web browser. For example, from the machine that is running the NGINX server, you can go to https://localhost and see a page showing something like the screenshot below.
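To confirm the proxy behaves as configured without a browser, here is an added Python check (it is not part of the original post and not Deadline or NGINX code): it verifies that port 80 answers with a 301 to https://, and performs a TLS 1.2+ handshake that validates the server certificate and presents client.crt, which is what the Monitor will do. The host and certificate paths in the __main__ block are placeholders you substitute.

```python
import socket
import ssl

MIN_TLS = ssl.TLSVersion.TLSv1_2


def parse_redirect(raw):
    """Split a raw HTTP response into (status code, Location header or None)."""
    head = raw.partition(b"\r\n\r\n")[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    location = None
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() == "location":
            location = value.strip()
    return status, location


def build_client_context(ca_file=None, client_cert=None, client_key=None):
    """TLS context with the same expectations the Monitor has of the proxy:
    the server cert must chain to ca_file (server.crt itself if self-signed),
    the hostname must match, and client.crt/client.key is presented."""
    ctx = ssl.create_default_context(cafile=ca_file)  # CERT_REQUIRED + hostname check
    ctx.minimum_version = MIN_TLS                       # refuse TLSv1 / TLSv1.1
    if client_cert:
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def check_http_redirect(host, port=80, timeout=5):
    """True when the plain-HTTP listener answers with a 301 to an https:// URL."""
    request = b"GET / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host.encode()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        raw, chunk = b"", sock.recv(4096)
        while chunk:
            raw, chunk = raw + chunk, sock.recv(4096)
    status, location = parse_redirect(raw)
    return status == 301 and (location or "").startswith("https://")


def check_tls(host, port=443, **ctx_args):
    """Handshake with the HTTPS listener; returns (negotiated protocol, server subject).
    Raises ssl.SSLError if the chain, hostname or client certificate is rejected."""
    ctx = build_client_context(**ctx_args)
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), dict(rdn[0] for rdn in tls.getpeercert()["subject"])


if __name__ == "__main__":  # placeholders: your NGINX host and the generated certificate files
    print(check_http_redirect("<HOSTNAME>"))
    print(check_tls("<HOSTNAME>", ca_file="server.crt", client_cert="client.crt", client_key="client.key"))
```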

[Image: nginx_browser_connection.png]

Setup for On Machine Start Up

The step above launches the NGINX server once, but it’s more likely that you will want to set up the machine once and forget it. To accomplish that, let’s set up our NGINX machine to launch the server on startup.

First let’s create the startup script. Create a new shell script file called nginx_on_startup.sh in your /etc/init.d folder, and copy and paste the following contents in that file:

#!/bin/bash
### BEGIN INIT INFO
# Provides:       nginx_on_startup
# Required-Start: $network $remote_fs
# Default-Start:  2 3 4 5
# Default-Stop:   0 1 6
### END INIT INFO
/opt/nginx/sbin/nginx   # init scripts already run as root, so no sudo is needed

Then you will need to make your newly created file executable by running the following command in the terminal:

sudo chmod +x /etc/init.d/nginx_on_startup.sh

Then you need to register your startup script in the system’s default runlevels, by running the following command in the terminal:

sudo update-rc.d nginx_on_startup.sh defaults

Now whenever you reboot your machine, your NGINX server should automatically be started up as well.

Connect Client to Remote Connection Server

Now that we’ve set up the RCS and the NGINX server, we can launch the Deadline Monitor and connect to our RCS through the NGINX server. If this is the first time you’ve launched the Monitor on a machine, you’ll be prompted with the Select Repository window. If you’re already connected to an existing Repository, simply select File -> Change Repository to bring up this window.

[Image: monitor_remote_connection.png]

Set your Connection Type to Remote Connection. Then under Connection Settings, set the Remote Server address to the NGINX server address, and set the Port to 443. Also make sure Use TLS/SSL is enabled, and use your generated client.crt file (from the NGINX Server Setup section above) as your Client Certificate.

After enabling the remote connection, it may take a minute or two for the Monitor to connect through to the RCS (depending on the network connection between your machine and NGINX). You can confirm the RCS connection is complete either when your Monitor displays the expected data from the RCS, or by checking the output of the deadlinercs application to see whether the NGINX server has made any connection requests (as in the screenshot below).

[Image: rcs_incoming_connections.png]

Conclusion

After following the above steps, you now have a highly available and secure Remote Connection setup for your Deadline workspace.

Again, for more information about what SSL is and the reasons for using it, read last week’s blog post: SSL and Deadline.

NGINX is a registered trademark of NGINX Inc.

Ubuntu is a registered trademark of Canonical Ltd.

Python is a registered trademark of the Python Software Foundation.

GITHUB is a trademark of GitHub, Inc.

OPENSSL is a trademark of The OpenSSL Software Foundation, Inc.