Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

Emakin supports SSL-based connections via the host configuration panel but also supports NLB (network load balancer) or reverse proxy-based SSL terminations.

In this scenario, the browser connects the reverse proxy sits between the browser and the application server to perform encrypted connections.

Connections between reverse proxy and the application server optionally can be encrypted or plain HTTP connections.

Emakin application server is by default configured to only allow the reverse proxies in local IP (127.0.0.1) address and must be explicitly configured to allow external IP addresses.

Forwarded Headers Support

The Emakin supports the following headers to recognize SSL connections;

X-Forwarded-Proto

The value of the originating scheme, HTTP or HTTPS. The value may also be a list of schemes if the request has traversed multiple proxies.

X-Forwarded-For

Holds information about the client that initiated the request and subsequent proxies in a chain of proxies.

Note

This header is optional, if not configured audit logs will contain the reverse proxy IP address instead of real user IP address.

X-Forwarded-Host

The original value of the Host header field.

Enabling Forwarded Headers

By default forwarded headers support is only enabled for loopback addresses are configured for known proxies and known networks.

If the reverse proxy uses another IP address default configuration must updated to allow external reverse proxies.

To enable SSL termination please follow these steps;

  • Open the <installdir>/Configuration/appsettings.json file with any text editor.

  • Create a new section with the following content;

    Code Block
    {
    	"Web": {
    		"ForwardedHeaders": {
    	      "ClearProxies": true,
    	      "ClearKnownNetworks": true
    	    }
    	}
    }

Diagnostics

Emakin provides a special page to inspect reverse proxy sent headers but this page requires enabling the development environment flag and by default disabled in the production environment.

Run Emakin In Development Environment

Stop the emakin service or daemon first before continuing these steps.

  • Open a new terminal window in application <installdir>

  • Set the environment variable

    Code Block
    // Linux
    export DOTNET_ENVIRONMENT=Development
    // Windows
    set export DOTNET_ENVIRONMENT=Development
  • Start emakin service with the following command

    Code Block
    <installdir>/AltiKare.Workflow.Agent web

After this command is executed emakin application will be started only in web mode and allow the open header diagnostics page.

Open the HTTP header diagnostics page from

Code Block
http://my.emakin.com/httpheaders

This page echoes back all headers sent to the application server for easier diagnostics as follows;

Code Block
Request Method: GET
Request Scheme: https
Accept: text/html,application/xhtml+xml
Connection: keep-alive
Host: my.emakin.com
User-Agent: Mozilla/5.0

Request RemoteIp: 35.129.81.210

Request Scheme
Specifies the original HTTP scheme protocol and must be “https” for SSL connections.

Host
Specifies the requested hostname. Emakin resolves the tenants by this header value and must be set correctly.

Request RemoteIp
Specifies the user’s IP address if the X-Forwarded-Host header is configured.