Deploying Scale-up Suite web apps securely over https / TLS
Although the Streamlit tool is designed for local use on individual PCs and does not support secure connections over HTTPS (TLS), Streamlit-published models and utilities can be made available over secure HTTPS (TLS) connections by placing a reverse proxy in front of them. This short note describes the process used to securely publish DynoChem models using Streamlit together with the Microsoft IIS Application Request Routing and URL Rewrite tools.
The basic setup described here allows a DynoChem model or utility published using Streamlit and running on Windows Server 2016 (or later) to be published securely. The principles demonstrated could be extended to publish multiple models securely from a single server, or modified so that models running on different servers are presented securely through a common entry point where scaling or performance is a concern.
For users who are not familiar with the installation and configuration of Microsoft IIS, a detailed procedure document with extensive screenshots can be downloaded from DynoChem Resources (Scale-up Account required):
IIS Setup for Streamlit Reverse Proxy
Assumptions / Pre-Requisites
This procedure note assumes that you already have the following up and running:
- Windows Server 2016 (or later)
- Python and Streamlit installed
- SSL Certificate matching the server URL
- Firewall configured to allow access via ports 443 (HTTPS) and 8501 (Streamlit default)
- DynoChem model or utility published using the default Streamlit settings (Port 8501)
Procedure
- Install the Microsoft Internet Information Services (IIS) feature on your server
- Install the IIS WebSockets Protocol (part of the IIS Application Development infrastructure)
- Install the SSL Certificate and bind it to the Default Web Site
- Check that the IIS default web site is being published and is visible at the desired URL
- Install the Application Request Routing (ARR) 3.0 feature for IIS using the Web Platform Installer
- Enable the ARR Reverse Proxy functionality
- Create the following Server Variables for the Default Web Site:
    HTTP_ACCEPT_ENCODING
    HTTP_X_ORIGINAL_ACCEPT_ENCODING
- Replace (or update) the web.config file for the Default Web Site (usually found in C:\inetpub\wwwroot) with the following:
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Forward every inbound request to the Streamlit process on the loopback interface -->
        <rule name="ReverseProxyInboundRule1" stopProcessing="true">
          <match url="(.*)" />
          <action type="Rewrite" url="http://localhost:8501/{R:1}" logRewrittenUrl="true" />
          <serverVariables>
            <!-- Ask the backend for an uncompressed response so the outbound rules can rewrite it -->
            <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
            <set name="HTTP_ACCEPT_ENCODING" value="" />
          </serverVariables>
        </rule>
      </rules>
      <outboundRules>
        <!-- Rewrite backend URLs in responses so that clients only ever see the public HTTPS address -->
        <rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml" stopProcessing="false">
          <match filterByTags="None" pattern="^http(s)?://localhost:8501/(.*)" />
          <action type="Rewrite" value="http{R:1}://[CUSTOM URL]/{R:2}" />
        </rule>
        <rule name="RestoreAcceptEncoding" preCondition="NeedsRestoringAcceptEncoding">
          <match serverVariable="HTTP_ACCEPT_ENCODING" pattern="^(.*)" />
          <action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" />
        </rule>
        <rule name="CustomAnchorHref" preCondition="ResponseIsTextAnything">
          <match pattern="href=(.*?)http://localhost:8501/(.*?)\s" />
          <action type="Rewrite" value="href={R:1}https://[CUSTOM URL]/{R:2} " />
        </rule>
        <rule name="CustomFormAction" preCondition="ResponseIsTextAnything">
          <match pattern="action=(.*?)http://localhost:8501/(.*?)\\" />
          <action type="Rewrite" value="action={R:1}https://[CUSTOM URL]/{R:2}\" />
        </rule>
        <preConditions>
          <preCondition name="ResponseIsHtml">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
          </preCondition>
          <preCondition name="ResponseIsTextAnything">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/(.+)" />
          </preCondition>
          <preCondition name="NeedsRestoringAcceptEncoding">
            <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".*" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
- Replace the [CUSTOM URL] text where it appears in the above sample with your URL (matched to the SSL certificate you are using).
- Create a folder called .streamlit in the same folder as the DynoChem model or utility you are publishing
- In the .streamlit folder, create a file called config.toml and add the following to it:
    [server]
    enableXsrfProtection=false
    enableCORS=false
    enableWebsocketCompression=false
  These settings turn off Streamlit's own origin (CORS/XSRF) checks, which would otherwise reject requests relayed by the proxy; access control therefore rests with IIS and the firewall.
- Restart the IIS service
- Restart your model publishing script
- Check that the model/utility is being published at the http://localhost:8501 URL
Your DynoChem model or utility will now be available over a secure SSL connection.
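Before opening the proxy to users it is worth checking the finished web.config mechanically: that no [CUSTOM URL] placeholder is left, that the inbound rule forwards only to the loopback Streamlit port, that every preCondition an outbound rule names is defined, and what the outbound text rules actually do to a response. The script below is an added example (not part of this note or of any DynoChem/Scale-up tooling); the abbreviated config, the hostname models.example.test and the response fragment are constructed for the demonstration.

```python
"""Check an IIS URL Rewrite web.config of the kind used to front Streamlit with ARR
and simulate its outbound rewrites. Added example, not from the original note."""
import re
import xml.etree.ElementTree as ET

# Constructed, abbreviated web.config: the page's inbound rule, one outbound rule
# and its preCondition, with [CUSTOM URL] replaced by a made-up hostname.
SAMPLE_WEB_CONFIG = """<configuration><system.webServer><rewrite>
  <rules><rule name="ReverseProxyInboundRule1" stopProcessing="true">
    <match url="(.*)" />
    <action type="Rewrite" url="http://localhost:8501/{R:1}" />
  </rule></rules>
  <outboundRules>
    <rule name="CustomAnchorHref" preCondition="ResponseIsTextAnything">
      <match pattern="href=(.*?)http://localhost:8501/(.*?)\\s" />
      <action type="Rewrite" value="href={R:1}https://models.example.test/{R:2} " />
    </rule>
    <preConditions><preCondition name="ResponseIsTextAnything">
      <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/(.+)" />
    </preCondition></preConditions>
  </outboundRules>
</rewrite></system.webServer></configuration>"""

# Constructed fragment of a proxied response body that still names the backend.
SAMPLE_BODY = '<a href="http://localhost:8501/media/report.pdf" download>Report</a>'

def check_config(xml_text):
    """Return a list of findings; an empty list means the config passed."""
    rewrite = ET.fromstring(xml_text).find("system.webServer/rewrite")
    findings = []
    if "[CUSTOM URL]" in xml_text:  # template placeholder never replaced
        findings.append("placeholder [CUSTOM URL] not replaced")
    for rule in rewrite.iterfind("rules/rule"):  # proxy must target loopback only
        url = rule.find("action").get("url", "")
        if not url.startswith("http://localhost:8501/"):
            findings.append(f"{rule.get('name')}: forwards to {url!r}, not loopback")
    defined = {p.get("name") for p in rewrite.iterfind("outboundRules/preConditions/preCondition")}
    for rule in rewrite.iterfind("outboundRules/rule"):  # referenced preConditions exist
        pc = rule.get("preCondition")
        if pc and pc not in defined:
            findings.append(f"{rule.get('name')}: undefined preCondition {pc}")
    return findings

def apply_outbound_rules(xml_text, body):
    """Approximate URL Rewrite's outbound text rules with Python re ({R:n} becomes \\n).
    Rules whose replacement holds a literal backslash (CustomFormAction) are not modelled."""
    root = ET.fromstring(xml_text)
    for rule in root.iterfind("system.webServer/rewrite/outboundRules/rule"):
        repl = re.sub(r"\{R:(\d+)\}", r"\\\1", rule.find("action").get("value"))
        body = re.sub(rule.find("match").get("pattern"), repl, body)
    return body
```

Point check_config at the real web.config text once [CUSTOM URL] has been replaced; the rewrite simulation is only an approximation, since IIS evaluates the patterns with .NET regular expressions.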
Disclaimer
The process described here assumes that IIS and the Reverse Proxy are running on the same server as the web models (using DynoChem, Python and Streamlit). This configuration is adequate for internal/intranet publishing or for simple demonstrations, but it is not recommended for publishing confidential models via the internet.
Where DynoChem models and utilities are to be made available via the public internet, it is strongly recommended that the IIS Reverse Proxy service be run on a separate server, that appropriate firewalling is configured and that user/access authentication processes are put in place to maximise security.
References
- Model Publishing with IIS Reverse Proxy - https://documents.scale-up.com/Open.aspx?file=5014&lid=-1&c=sus
- Web Model Publishing with Streamlit - https://scale-up.github.io/RunScriptWebModel/