When installing Curator, you may wish to place Curator behind a reverse proxy or load balanced solution.

Health Checks

Health checks should be run against the /ping route instead of simply the base / route. The base / route will often return a 302 redirect, which many load balancers view as a “down” response. The /ping route will always return a 200 response.

Headers

When your users access Curator over the reverse proxy, specific “headers” are used to tell Curator how to process the request:

  - X-FORWARDED-FOR: The IP address of the end user.
  - X-FORWARDED-HOST: The host name of the request. Note: A “Forced Domain” in Portal Settings->Security overrides this value.
  - X-FORWARDED-PROTO: Whether to use HTTPS or HTTP for routes.

Unable to adjust headers

Often, reverse proxy solutions are missing some or all of these headers. When the proxy cannot be adjusted to send them, the equivalent values can be set in Apache configuration files on the Curator server. On Windows, the curator.conf file is a great place for this configuration. On Linux, /var/www/html/.htaccess or any of the httpd.conf files can be used.

# Host name Curator should use when generating URLs
SetEnv HOST "example.curator.interworks.com"
SetEnv HTTP_X_FORWARDED_HOST "example.curator.interworks.com"

# Treat every request as having arrived over HTTPS
SetEnv HTTPS "on"
SetEnv HTTP_X_FORWARDED_PROTO "https"

In addition to these settings, the security settings in Settings > Curator > Portal Settings > General can be used. In particular, Forced Domain and Force SSL should be used to specify the domain of Curator and to require SSL.

Forced Domain and SSL

When Curator is behind a reverse proxy or load balancer, the server may not know the public domain name or protocol that users access it through. This can cause Curator to generate links using the server’s internal IP address or server name (e.g., 10.40.243.235/dashboard/...) instead of your domain name, or use http:// instead of https://. The Forced Curator Domain setting overrides whatever host Curator detects, including the X-Forwarded-Host header, and ensures all generated URLs use the specified domain. The Force SSL setting ensures all generated URLs use https:// instead of http://.

Configuring Forced Domain and Force SSL

  1. Navigate to Settings > Curator > Portal Settings > General and scroll to the Security section.
  2. Enter your domain in the Forced Curator Domain field (e.g., curator.example.com). Do not include https://.
  3. Enable Force SSL to ensure all URLs use HTTPS.
  4. Save your changes.

This setting also prevents Host Header Injection attacks. Even if your proxy is sending the correct X-Forwarded-Host header today, setting a Forced Domain is recommended as an additional security measure.
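
The precedence described in this section, as an added example that is not Curator's own code: a simplified Python model of how a backend picks the scheme and host for generated links, run against three constructed requests. `PortalSettings`, `resolve_base_url`, `generated_link` and the host `attacker.invalid` are hypothetical names chosen for illustration, and rejecting a scheme in the forced domain is an assumption of the model.

```python
# Simplified model of URL generation behind a reverse proxy (not Curator's code).
from dataclasses import dataclass
from typing import Mapping


@dataclass
class PortalSettings:          # hypothetical stand-in for the Security settings
    forced_domain: str = ""    # e.g. "curator.example.com", no scheme
    force_ssl: bool = False


def resolve_base_url(headers: Mapping[str, str], server_host: str,
                     server_scheme: str, settings: PortalSettings) -> str:
    """Return the scheme://host prefix used for generated links."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    if "://" in settings.forced_domain:
        # Assumption of this model: a scheme in the domain field is an error.
        raise ValueError("Forced domain must not include a scheme")
    # Host: the forced domain wins over X-Forwarded-Host, which wins over
    # the name the backend sees for itself.
    host = settings.forced_domain or h.get("x-forwarded-host") or server_host
    # Scheme: Force SSL wins over X-Forwarded-Proto, then the backend scheme.
    proto = h.get("x-forwarded-proto", server_scheme).lower()
    scheme = "https" if settings.force_ssl or proto == "https" else "http"
    return f"{scheme}://{host}"


def generated_link(path, headers, settings,
                   server_host="10.40.243.235", server_scheme="http"):
    return resolve_base_url(headers, server_host, server_scheme, settings) + path


# Constructed sample requests as they might arrive at the backend.
NO_HEADERS = {}
GOOD_PROXY = {"X-Forwarded-Host": "curator.example.com",
              "X-Forwarded-Proto": "https"}
SPOOFED = {"X-Forwarded-Host": "attacker.invalid", "X-Forwarded-Proto": "http"}

UNSET = PortalSettings()
HARDENED = PortalSettings(forced_domain="curator.example.com", force_ssl=True)

if __name__ == "__main__":
    for name, hdrs in [("no headers", NO_HEADERS), ("good proxy", GOOD_PROXY),
                       ("spoofed", SPOOFED)]:
        print(f"{name:11} unset={generated_link('/dashboard', hdrs, UNSET)}"
              f"  hardened={generated_link('/dashboard', hdrs, HARDENED)}")
```

With the settings unset, the generated link follows whatever host the request carried; with both settings applied, all three requests produce the same `https://curator.example.com` link.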

Disabling via Command Line

If you lose access to the Curator UI after enabling these settings (for example, due to a DNS or SSL misconfiguration), you can disable them from the server’s command line:

# Disable Force SSL
php artisan portal:setforcessl 0

# Clear the Forced Domain
php artisan portal:setdomain ""