Architecture

The Zuar Web Application Firewall (WAF) architecture consists of a standard web server, an authentication micro service, and, by default, a PostgreSQL database. The design is modular, with well-defined interfaces among the components, so both the authentication service and PostgreSQL may be replaced with suitably similar technology.

Web Server

The web server is the industry-standard, open-source NGINX server with additional embedded modules that handle authorization. The entire authentication validation mechanism runs in the context of the web server itself, so ordinary requests are validated without a round trip to the auth service, resulting in optimal performance.

Authentication Micro Service

The authentication micro service (auth service) handles only requests for login and logout; it is responsible for validating the user and assigning user permissions.

Users can be authenticated in one of several ways:

  1. Against the local database.
  2. Against an optionally configured Tableau Server/Online.
  3. Using a custom-built authentication module.

If a given user is not found in the local database, then the configured Tableau Server is tried. A common deployment is to have no local users so that Tableau Server is used exclusively for authentication. To use the SAML terminology, the Tableau Server acts as an Identity Provider (IdP).

User information, including authorization information but NOT the user's password, is stored in a JSON Web Token (JWT). The JWTs are digitally signed with the HMAC SHA256 message authentication code (HS256) and are validated both for time and for originating IP address.

The default portal configuration proxies all requests under the /api URI directly to the configured Tableau Server / Tableau Online. As a result, the Tableau REST API is accessible to the front-end in a secure fashion that is not possible without the portal: front-end JavaScript code may call the Tableau REST API directly without building the intermediary API that is normally required.

Workflow

Here is the workflow when a user accesses the WAF for the first time, where the WAF has the default configuration using Tableau Server as the IdP.

  • User accesses the portal URL with a browser, say https://example.zuar.com
  • Since the user has never logged in, they don't yet have a JWT so they are automatically redirected to the login page at https://example.zuar.com/login.
  • This URL is proxied by the web server to the auth service which responds to the GET request with a standard login form.
  • The user inputs their username and password which is submitted back to https://example.zuar.com/login as a POST request.
  • The auth service takes the information and compares it against its local users. If the user is not found - the normal case - then the information is sent to Tableau Server/Online for validation.
  • Assuming the user information is valid, Tableau Server responds to the auth request with general user information, e.g. display name, user id, email, etc.
  • Once a successful response from Tableau Server is received, the auth service generates a JWT and includes the information it received from Tableau Server in the payload. The payload information can be used by downstream services - for example, to display the full name of the logged-in user.
  • The auth service responds with a redirect (302 Found) back to the original location with the JWT sent as a cookie in the response.
  • The user is automatically redirected back to https://example.zuar.com but now has a valid JWT, so the web server validates the request and returns the default web application.
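The following is an added example, not code from the Zuar WAF itself, that walks through the JWT handling described above (HS256 signature, time and originating-IP checks) and the first-visit login workflow. The secret, the one-hour token lifetime, the cookie name "jwt", the claim names used for the IP and expiry, and the constructed Tableau Server response are all assumptions made for the example; the real auth service's field names may differ.

```python
import base64
import hashlib
import hmac
import json

# Constructed signing secret; a real deployment loads this from the environment file.
SECRET = b"constructed-demo-secret-do-not-use"
TOKEN_TTL = 3600       # assumed token lifetime in seconds; the page does not state one
COOKIE_NAME = "jwt"    # assumed cookie name


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_jwt(claims: dict, secret: bytes, client_ip: str, now: int) -> str:
    """Build an HS256-signed JWT carrying the user claims plus iat, exp and the client IP."""
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + TOKEN_TTL, ip=client_ip)
    signing_input = ".".join(
        _b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, payload)
    )
    signature = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(signature)


def verify_jwt(token: str, secret: bytes, client_ip: str, now: int):
    """Return the payload if signature, expiry and originating IP all check out, else None."""
    try:
        head_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(head_b64))
        expected = hmac.new(secret, f"{head_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
        # Pin the algorithm and compare the MAC in constant time before trusting any claim.
        if header.get("alg") != "HS256" or not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
    except (ValueError, TypeError, AttributeError):
        return None
    if not isinstance(payload, dict):
        return None
    if now >= payload.get("exp", 0):       # time check
        return None
    if payload.get("ip") != client_ip:     # originating-IP check
        return None
    return payload


# Constructed stand-ins for the auth service's two user sources.
LOCAL_USERS = {}   # the common deployment: no local users, so Tableau Server is always tried
TABLEAU_USERS = {  # what Tableau Server would return for a valid login (constructed data)
    "alice": ("s3cret", {"display_name": "Alice Example", "user_id": "u-1", "email": "alice@example.com"}),
}


def tableau_authenticate(username: str, password: str):
    """Stand-in for the Tableau Server validation call; returns user info or None."""
    record = TABLEAU_USERS.get(username)
    if record and hmac.compare_digest(record[0].encode(), password.encode()):
        return record[1]
    return None


def handle_request(method: str, path: str, cookies: dict, form: dict, client_ip: str, now: int):
    """Simulate the WAF + auth service decisions for one request; returns (status, headers, body)."""
    if path == "/login":
        if method == "GET":
            return 200, {}, "<login form>"
        username, password = form.get("username", ""), form.get("password", "")
        # Local database first (stand-in lookup), then Tableau Server.
        info = LOCAL_USERS.get(username) or tableau_authenticate(username, password)
        if info is None:
            return 401, {}, "invalid credentials"
        token = issue_jwt(dict(info, sub=username), SECRET, client_ip, now)
        cookie = f"{COOKIE_NAME}={token}; Path=/; Secure; HttpOnly; SameSite=Lax"
        return 302, {"Location": "/", "Set-Cookie": cookie}, ""
    # Every other path is validated in the web server from the cookie alone.
    payload = verify_jwt(cookies.get(COOKIE_NAME, ""), SECRET, client_ip, now)
    if payload is None:
        return 302, {"Location": "/login"}, ""
    return 200, {}, f"application for {payload['display_name']}"
```

Running `handle_request("GET", "/", {}, {}, ip, now)` with no cookie yields the 302 to /login; a successful POST to /login returns the 302 back to / with the Set-Cookie header; the same token presented from a different IP, or after exp, is rejected and the user is sent back to the login page.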

Deployment

The web server, auth server, and PostgreSQL database are all deployed using Docker. Each component is a separate Docker container, with all containers orchestrated by docker-compose.

There is one docker-compose.yaml file that controls all containers and an environment file for sensitive information, as per the 12factor methodology.

The NGINX configuration files are mounted as volumes so they may be customized as desired.

Security

  • Built using proven, open-source technology for base request handling.
  • Design follows all OWASP security guidelines.
  • All passwords are stored using a PBKDF2 SHA512 one-way hash. At no point are passwords stored either in the clear or using reversible encryption.
  • Built-in ModSecurity.
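As an added illustration of the password-storage point above (this is example code, not the WAF's own implementation), the block below derives a PBKDF2-HMAC-SHA512 hash with a random per-user salt, stores the salt and iteration count alongside the derived key so they can be verified later, and compares in constant time. The record format, the 210,000-iteration work factor and the 16-byte salt are choices made for the example; the page does not state the values the product uses.

```python
import base64
import hashlib
import hmac
import os

SCHEME = "pbkdf2_sha512"
ITERATIONS = 210_000   # constructed work factor; the page does not state the count used
SALT_BYTES = 16        # constructed salt length


def hash_password(password: str, iterations: int = ITERATIONS, salt: bytes = None) -> str:
    """Return a self-describing record: scheme$iterations$salt$derived_key (base64 fields)."""
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return "$".join([SCHEME, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(derived).decode("ascii")])


def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and iteration count; compare in constant time."""
    try:
        scheme, iterations, salt_b64, derived_b64 = stored.split("$")
        salt, expected = base64.b64decode(salt_b64), base64.b64decode(derived_b64)
        iterations = int(iterations)
    except ValueError:
        return False          # malformed record: never a match
    if scheme != SCHEME:
        return False
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, current_iterations: int = ITERATIONS) -> bool:
    """True when a record predates the current work factor and should be re-derived at next login."""
    parts = stored.split("$")
    try:
        return len(parts) != 4 or parts[0] != SCHEME or int(parts[1]) < current_iterations
    except ValueError:
        return True
```

Because the salt and iteration count travel with the record, `verify_password` needs no external state, and `needs_rehash` lets the work factor be raised over time without forcing a password reset: the plaintext is only ever available at login, so that is the moment to re-derive.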

The portal acts as a WAF/reverse proxy for Tableau Server as per Tableau guidelines. All external traffic to the application - including to Tableau Server / Tableau Online - can be logged and audited as desired to meet any security requirements. The

Configuration

The Zuar Web Application Firewall (WAF) handles all aspects of authentication and authorization so that the application developer only has to implement their business logic.

This methodology is particularly useful when building an application utilizing Tableau for embedded analytics.

Since the WAF is designed to be a starting point for third-party applications, it is extensively configurable. All standard NGINX configuration is available and can be used by the application. The WAF automatically passes all user information from the JWT to the downstream application via HTTP headers using the X-Payload- prefix.
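The block below is an added example (not the WAF's configuration or code) showing both ends of the X-Payload- hand-off: the proxy side turns each validated JWT claim into one X-Payload-<claim> header, replacing rather than appending to anything already present under that prefix, and a downstream WSGI application reads the claims back while accepting them only from the address the WAF connects from. The exact header naming (claim name appended unchanged, non-string claims JSON-encoded), the WAF container address and the sample payload are assumptions made for the example.

```python
import json

HEADER_PREFIX = "X-Payload-"
# Constructed: the address the application sees the WAF container connecting from.
WAF_ADDRESSES = {"172.18.0.2"}
# Constructed JWT payload, as the WAF would hold it after validating the token.
SAMPLE_PAYLOAD = {"sub": "alice", "display_name": "Alice Example",
                  "email": "alice@example.com", "roles": ["viewer", "editor"]}


def forward_headers(inbound_headers: list, payload: dict) -> list:
    """WAF side: discard any X-Payload-* header already on the inbound request, then
    add one header per JWT claim so only WAF-set values reach the application.
    Assumed naming: prefix + claim name; list/object claims are JSON-encoded."""
    kept = [(name, value) for name, value in inbound_headers
            if not name.lower().startswith(HEADER_PREFIX.lower())]
    for claim, value in payload.items():
        kept.append((HEADER_PREFIX + claim, value if isinstance(value, str) else json.dumps(value)))
    return kept


def to_wsgi_environ(headers: list, remote_addr: str) -> dict:
    """Minimal model of how a WSGI server exposes request headers (HTTP_<NAME> keys)."""
    environ = {"REMOTE_ADDR": remote_addr}
    for name, value in headers:
        environ["HTTP_" + name.upper().replace("-", "_")] = value
    return environ


def claims_from_environ(environ: dict) -> dict:
    """Application side: rebuild the claims dict from X-Payload-* headers, but only
    when the request arrived via the WAF; otherwise treat the request as anonymous."""
    if environ.get("REMOTE_ADDR") not in WAF_ADDRESSES:
        return {}
    prefix = "HTTP_" + HEADER_PREFIX.upper().replace("-", "_")   # HTTP_X_PAYLOAD_
    claims = {}
    for key, value in environ.items():
        if not key.startswith(prefix):
            continue
        claim = key[len(prefix):].lower()   # header names are case-insensitive; claims stored lower-case
        if value[:1] in ("[", "{"):         # only containers were JSON-encoded by the WAF
            try:
                value = json.loads(value)
            except ValueError:
                pass
        claims[claim] = value
    return claims
```

A request that reaches the application from any address other than the WAF yields an empty claims dict, which keeps the headers meaningful only on the one path the page describes: client to WAF to application.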