Emakin supports SSL-based connections via the host configuration panel but also supports NLB (network load balancer) or reverse proxy-based SSL terminations.
In this scenario, the browser connects the reverse proxy sits between the browser and the application server to perform encrypted connections.
Connections between reverse proxy and the application server optionally can be encrypted or plain HTTP connections.
Emakin application server is by default configured to only allow the reverse proxies in local IP (127.0.0.1) address and must be explicitly configured to allow external IP addresses.
Forwarded Headers Support
The Emakin supports the following headers to recognize SSL connections;
X-Forwarded-Proto
The value of the originating scheme, HTTP or HTTPS. The value may also be a list of schemes if the request has traversed multiple proxies.
X-Forwarded-For
Holds information about the client that initiated the request and subsequent proxies in a chain of proxies.
Note |
---|
This header is optional, if not configured audit logs will contain the reverse proxy IP address instead of real user IP address. |
X-Forwarded-Host
The original value of the Host header field.
Enabling Forwarded Headers
By default forwarded headers support is only enabled for loopback addresses are configured for known proxies and known networks.
If the reverse proxy uses another IP address default configuration must updated to allow external reverse proxies.
To enable SSL termination please follow these steps;
Open the
<installdir>/Configuration/appsettings.json
file with any text editor.Create a new section with the following content;
Code Block { "Web": { "ForwardedHeaders": { "ClearProxies": true, "ClearKnownNetworks": true } } }
Diagnostics
Emakin provides a special page to inspect reverse proxy sent headers but this page requires enabling the development environment flag and by default disabled in the production environment.
Run Emakin In Development Environment
Stop the emakin service or daemon first before continuing these steps.
Open a new terminal window in application
<installdir>
Set the environment variable
Code Block // Linux export DOTNET_ENVIRONMENT=Development // Windows set export DOTNET_ENVIRONMENT=Development
Start emakin service with the following command
Code Block <installdir>/AltiKare.Workflow.Agent web
After this command is executed emakin application will be started only in web mode and allow the open header diagnostics page.
Open the HTTP header diagnostics page from
Code Block |
---|
http://my.emakin.com/httpheaders |
This page echoes back all headers sent to the application server for easier diagnostics as follows;
Code Block |
---|
Request Method: GET Request Scheme: https Accept: text/html,application/xhtml+xml Connection: keep-alive Host: my.emakin.com User-Agent: Mozilla/5.0 Request RemoteIp: 35.129.81.210 |
Request Scheme
Specifies the original HTTP scheme protocol and must be “https” for SSL connections.
Host
Specifies the requested hostname. Emakin resolves the tenants by this header value and must be set correctly.
Request RemoteIp
Specifies the user’s IP address if the X-Forwarded-Host header is configured.