Dear Prefect Community, Is it possible to run Prefect Orion (2.0) UI using https:// instead of http://. For example instead of running http://server_host:4200 can we run https://sever_host:4443. If so, what kind of configuration I have to do? Please provide instructions. Thanks, Xavier Babu

Hi Xavier, interesting question. I'm not sure if that is possible at the moment. Would you mind describing your use case and why you'd need this capability?

We have a web-based application platform and we show Prefect Orion UI within that platform. Since we use Okta SSO, we should support https (SSL/TLS) in the application platform security. That part is done. But, since Prefect UI supports only http, now I can't show the UI within the platform. Browser is raising an exception. If Prefect Orion UI supports https and if we run it using SSL, then we don't come across this issue.

Hi Xavier, In a typical web app deployment, you want to separate SSL to a separate side car / load-balancer, which serves as a reverse proxy for your app, the most common being nginx. Client ---> reverse proxy ----> your app or Client -> load balancer --> your app Your certificates then live within this container and function separate of your application logic. If you’re deployed on GCP or AWS, you can have the load balancer provide this functionality, and bind your SSL cert to the load balancer. You can read more here: https://docs.aws.amazon.com/elasticloadbalancing/latest/application/create-https-listener.html https://docs.aws.amazon.com/elasticloadbalancing/latest/classic/ssl-server-cert.html https://en.wikipedia.org/wiki/TLS_termination_proxy

Thanks, Cole. I am not using AWS. PREFECT ORION is running in our on-premise Linux servers. When I start PREFECT ORION UI, how can I make it run as https using SSL. In Tomcat web server I know how to configure and support both http and https. You meant to say I can have a HTTPS web application which can reverse proxy the request to http://prefect_orion:4200?

Yes, rather than having the orion server supporting HTTPS, you’ll have a proxy server in front of it, responsible for handling the encrypt/decrypt for TLS. Client ---- (HTTPS) ---> nginx reverse proxy --(HTTP)--> orion