Requirements for Configuring Alteryx Server with a Load Balancer (or Reverse Proxy)
This article covers the various configurations for Gallery behind a load balancer/reverse proxy. The configuration will depend on what authentication mechanism you are setting up, as well as if SSL is used.
**Please note that all Base Addresses when referred to are appending /gallery to the hostname/FQDN:
http(s)://hostname.domain.tld/gallery
All Web API Addresses when referred to are appending /webapi to the hostname/FQDN:
http(s)://hostname.domain.tld/webapi
Web API Address and Canonical Web API Address are only available from Server 2021.4 onwards.
**Please note some load balancers use health probes (sometimes call health checks) to validate gallery responses and can often fail or show a 307 temporary redirect error. If this happens try specifying the following:
- /gallery/api/status/ping/
Key for flowcharts
- Green = SSL/TLS
- Purple = no SSL/TLS
Built-in Authentication
SSL/TLS - End to End
- Set the Base Address and Web API Address on the Gallery nodes to the hostname/FQDN of the machine (https)
- Set the Canonical Base Address and Canonical Web API Address in RuntimeSettings.xml to the load balancer alias (https) by adding corresponding XML tags "<CanonicalBaseAddress></CanonicalBaseAddress>, <WebApiCanonicalBaseAddress></WebApiCanonicalBaseAddress>"
- From Server 2022.2 onwards, the Canonical Base Address and Canonical Web API Address can be configured in Alteryx System Settings > Server UI > General, along with the Base Address and Web API Address
- Certificates must be installed on the load balancer, and all Gallery nodes
image.png
SSL/TLS - Terminating at the Load Balancer* (only available for Built-in Auth)
In this case the connections between the load balancer and the Gallery nodes communicate over http.
*When SSL terminates at the load balancer, users will not be able to use the Gallery API through the load balancer. If this is a requirement for your use case, you must have SSL go through to the Gallery nodes.
- Set the Base Address and Web API Address on the Gallery nodes to the hostname/FQDN of the machine
- Set the Canonical Base Address and Canonical Web API Address in RuntimeSettings.xml to the load balancer alias (https) by adding corresponding XML tags "<CanonicalBaseAddress></CanonicalBaseAddress>, <WebApiCanonicalBaseAddress></WebApiCanonicalBaseAddress>"
- From Server 2022.2 onwards, the Canonical Base Address and Canonical Web API Address can be configured in Alteryx System Settings > Server UI > General, along with the Base Address and Web API Address
- Certificate must be installed on the load balancer
image.png
No SSL/TLS
- Set the Base Address and Web API Address on the Gallery nodes to the hostname/FQDN of the machine
- Set the Canonical Base Address and Canonical Web API Address in RuntimeSettings.xml to the load balancer alias by adding corresponding XML tags "<CanonicalBaseAddress></CanonicalBaseAddress>, <WebApiCanonicalBaseAddress></WebApiCanonicalBaseAddress>"
- From Server 2022.2 onwards, the Canonical Base Address and Canonical Web API Address can be configured in Alteryx System Settings > Server UI > General, along with the Base Address and Web API Address
image.png
Windows Authentication
Please note that for Windows Authentication a classic or network load balancer must be used. Application load balancers will not work with Windows Authentication.
SSL/TLS - End to End
- Set the Base Address and Web API Address on the Gallery nodes to the hostname/FQDN of the machine (https)
- Set the Canonical Base Address and Canonical Web API Address in RuntimeSettings.xml to the load balancer alias (https) by adding corresponding XML tags "<CanonicalBaseAddress></CanonicalBaseAddress>, <WebApiCanonicalBaseAddress></WebApiCanonicalBaseAddress>"
- From Server 2022.2 onwards, the Canonical Base Address and Canonical Web API Address can be configured in Alteryx System Settings > Server UI > General, along with the Base Address and Web API Address
- Certificates must be installed on the load balancer and all Gallery nodes
image.png
No SSL/TLS
- Set the Base Address and Web API Address on the Gallery nodes to the hostname/FQDN of the machine
- Set the Canonical Base Address and Canonical Web API Address in RuntimeSettings.xml to the load balancer alias by adding corresponding XML tags "<CanonicalBaseAddress></CanonicalBaseAddress>, <WebApiCanonicalBaseAddress></WebApiCanonicalBaseAddress>"
- From Server 2022.2 onwards, the Canonical Base Address and Canonical Web API Address can be configured in Alteryx System Settings > Server UI > General, along with the Base Address and Web API Address
image.png
SAML Authentication
SSL/TLS - End to End
- Set the Base Address on the Gallery nodes (as well as in your IDP) to the FQDN/DNS alias of the load balancer
- Set the Web API Address on the Gallery nodes to the FQDN/DNS alias of the load balancer
- Certificates must be installed on the load balancer and all Gallery nodes
- Edit the hosts file to route the FQDN of the load balancer to the loopback adapter:
127.0.0.1 alias.domain.tld
image.png
No SSL/TLS
- Set the Base Address on the Gallery nodes (as well as in your IDP) to the FQDN/DNS alias of the load balancer
- Set the Web API Address on the Gallery nodes to the FQDN/DNS alias of the load balancer
- Edit the hosts file to route the FQDN of the load balancer to the loopback adapter:
127.0.0.1 alias.domain.tld
image.png
Additional Resources