ODBC and Flight behind a Reverse proxy that handles TLS

Is it possible to put a reverse proxy in front of the ODBC and Flight ports?

I want to have all public traffic go through that reverse proxy so I can manage TLS and implement something like a remote client allow list.

I am already doing this for the web interface, and it works great, but when I try to point an ODBC client at the reverse proxy that’s configured to terminate TLS and forward the traffic to Dremio’s ODBC port, the client reports “handshake” errors or “TLS/SSL didn’t work”.

I am aware of a number of questions related to this (searching the forums here), but I wanted to ask if there is something about Dremio or the ODBC/Flight drivers that precludes the opportunity to route all traffic through a reverse proxy.

@capnjosh Yes, a reverse proxy like nginx should work for Flight. For Flight ODBC, what is the client (for example, Tableau), and is the connection SSL=true?

I’ve tried with PowerBI, just using the default built-in connector. I realize there is some bug that Microsoft released recently with that connector, but it seems to be independent of any TLS-related stuff.

So, Flight should “just work” with a reverse proxy in front of Dremio that handles TLS.

ODBC should also “just work” with a reverse proxy in front of Dremio that handles TLS. Is that correct?

@capnjosh Yes, the latest Power BI version should not have the bug.

Flight works now when I put Traefik in front of it. Specifically, I have Traefik listening on 32010/tcp, routing to a load balancer service that points to a server url of “h2c://127.0.0.1”. This results in a python flight client being able to connect and execute queries as expected.

I’ve not been able to get ODBC to work. At least with PowerBI, I’m getting this error when I point at a TLS-encrypted http endpoint and select “Enabled” for the Encryption field:

Details: "ODBC: ERROR [08S01] [Microsoft][Drill] (20) Failure occurred while trying to connect to local=my-dremio-server-dns:31010. (Details: [30004]Connection failed with error: Cannot decode handshake.)"

I have traefik listening on 31010 (I’ve tried both tcp and http) and forwarding to the dremio docker container, which is listening on the host port 31011 and forwarding to Dremio inside the container at 31010. If I point PowerBI directly at port 31011 and set the Encryption field to “Disabled”, then it connects just fine, so I know Dremio is operating correctly.

I suspect I’m missing something relatively simple here. I have it working fine with Flight connections, but when I try to do it the same way for ODBC the client is not happy.

I’ve seen a few discussions about putting a load balancer that offloads TLS in front of the ODBC port for Dremio, but they have seemed to reach the point of a solution:

This one concluded by going back to insecure ODBC: Issues with Power BI Connector

This one mentioned the same error I’m seeing, but it never commented on it: Connecting from Power BI - #3 by Joe

Ok, I got this working with Traefik v3.1.

Some breadcrumbs for anyone wanting to use Traefik as a reverse proxy that offloads TLS for Dremio web UI, Flight, and ODBC.

For Web UI:

  • In Traefik, you need an http entrypoint listening on 443
  • In Traefik, you need a router
  • In Traefik, you need a loadBalancer service with a url value of "http://127.0.0.1:9047" and a healthcheck with path: /health

For Flight:

  • In Traefik, you need a TCP entrypoint listening on 32010
  • change your docker-compose.yml file to forward host port 32011 to the dremio container’s port 32010
  • In Traefik, you need just a regular http router
  • In Traefik, you need a loadBalancer service with a “url” value of “h2c://127.0.0.1:32011”, with a healthcheck that uses scheme: http, port: 9047, path: /health
  • note that if you are running Traefik v2 you may need to add a “contentType” middleware with autoDetect: false. Regression with grpc 1.46.2 for unimplemented error · Issue #29706 · grpc/grpc · GitHub

For ODBC:

  • In Traefik, you need a TCP entrypoint listening on 31010
  • change your docker-compose.yml file to forward host port 31011 to the dremio container’s port 31010
  • In Traefik, you need a tcp router with a rule of “HostSNI(`my-dremio.com`)”
  • In Traefik, you need a loadBalancer service with an “address” value of “127.0.0.1:31011”
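
The three setups listed in the post above, collected into one Traefik v3 file-provider configuration as an added example (not the poster's actual files). The router, service and entry point names, the file and certificate paths, and the allow-list range are assumptions; `tls: {}` on the TCP router assumes Traefik terminates TLS and forwards plaintext to Dremio, and the `ipAllowList` middleware goes beyond the post to cover the client allow list asked about at the top of the thread.

```yaml
# traefik.yml (static configuration) - constructed example
entryPoints:
  websecure: { address: ":443" }
  flight: { address: ":32010" }
  odbc: { address: ":31010" }
providers:
  file: { filename: /etc/traefik/dynamic.yml }   # assumed path
---
# dynamic.yml (routers and services) - constructed example
http:
  routers:
    dremio-ui:
      entryPoints: [websecure]
      rule: "Host(`my-dremio.com`)"
      service: dremio-ui
      tls: {}
    dremio-flight:                 # gRPC is HTTP/2, so an http router is used
      entryPoints: [flight]
      rule: "Host(`my-dremio.com`)"
      service: dremio-flight
      tls: {}
  services:
    dremio-ui:
      loadBalancer:
        servers: [{ url: "http://127.0.0.1:9047" }]
        healthCheck: { path: /health }
    dremio-flight:
      loadBalancer:
        servers: [{ url: "h2c://127.0.0.1:32011" }]   # cleartext HTTP/2 upstream
        healthCheck: { scheme: http, port: 9047, path: /health }
tcp:
  middlewares:
    odbc-allow:                    # assumption: not part of the original post
      ipAllowList: { sourceRange: ["203.0.113.0/24"] }   # constructed range
  routers:
    dremio-odbc:
      entryPoints: [odbc]
      rule: "HostSNI(`my-dremio.com`)"   # matched against the client's TLS SNI
      middlewares: [odbc-allow]
      service: dremio-odbc
      tls: {}                      # terminate TLS at Traefik, plaintext upstream
  services:
    dremio-odbc:
      loadBalancer:
        servers: [{ address: "127.0.0.1:31011" }]
tls:
  certificates:
    - certFile: /etc/traefik/certs/my-dremio.crt   # assumed path
      keyFile: /etc/traefik/certs/my-dremio.key    # assumed path
```

With TLS offloaded this way, host ports 31011 and 32011 carry unencrypted traffic, so the docker-compose port mappings should bind them to 127.0.0.1 rather than all interfaces.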