SSL Termination

Emakin supports SSL-based connections via the host configuration panel, and also supports SSL termination at an NLB (network load balancer) or a reverse proxy.

In this scenario, the reverse proxy sits between the browser and the application server and handles the encrypted connections.

Connections between the reverse proxy and the application server can optionally be encrypted, or can be plain HTTP.

By default, the Emakin application server only accepts reverse proxies on the local IP address (127.0.0.1) and must be explicitly configured to allow external IP addresses.

Forwarded Headers Support

Emakin supports the following headers to recognize SSL connections:

X-Forwarded-Proto

The value of the originating scheme, HTTP or HTTPS. The value may also be a list of schemes if the request has traversed multiple proxies.

X-Forwarded-For

Holds information about the client that initiated the request and subsequent proxies in a chain of proxies.

This header is optional. If it is not configured, audit logs will contain the reverse proxy IP address instead of the real user IP address.

X-Forwarded-Host

The original value of the Host header field.

Enabling Forwarded Headers

By default, forwarded headers support is only enabled for loopback addresses, which are configured as the known proxies and known networks.

If the reverse proxy uses another IP address, the default configuration must be updated to allow external reverse proxies.

To enable SSL termination, follow these steps:

  • Open the <installdir>/Configuration/appsettings.json file with any text editor.

  • Create a new section with the following content:

    {
      "Web": {
        "ForwardedHeaders": {
          "ClearProxies": true,
          "ClearKnownNetworks": true
        }
      }
    }
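The following added example (a simplified model, not Emakin's own code) shows how a trust list decides whether the three forwarded headers are honored, and what changes once the list is emptied. It assumes that clearing both lists means headers are accepted from any sender, in which case the application server should be reachable only from the reverse proxy; all addresses, host names and function names are constructed for illustration.

```python
import ipaddress

# Default trust list described on the page: loopback only.
LOOPBACK_ONLY = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]

# Constructed sample: headers a TLS-terminating proxy would add to a request.
SAMPLE_HEADERS = {
    "Host": "app.internal",
    "X-Forwarded-Proto": "https",
    "X-Forwarded-Host": "tenant.example.com",
    "X-Forwarded-For": "198.51.100.7",
}

def is_trusted(ip, trusted_networks):
    """Empty list = assumed effect of clearing both lists: any sender is trusted."""
    if not trusted_networks:
        return True
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:  # a malformed hop value is never trusted
        return False
    return any(addr in net for net in trusted_networks)

def resolve_request(peer_ip, headers, trusted_networks):
    """Return the (scheme, host, client_ip) the application would act on."""
    scheme, host, client = "http", headers.get("Host", ""), peer_ip
    if not is_trusted(peer_ip, trusted_networks):
        return scheme, host, client  # sender is not a known proxy: headers ignored
    protos = [p.strip().lower() for p in headers.get("X-Forwarded-Proto", "").split(",")]
    if protos[-1]:
        scheme = protos[-1]  # assumption: rightmost entry comes from the nearest proxy
    host = headers.get("X-Forwarded-Host", host)
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):  # walk back until the first hop that is not a proxy
        client = hop
        if not is_trusted(hop, trusted_networks):
            break
    return scheme, host, client
```

With the loopback-only list, a proxy at another address has its headers ignored, which shows up as an "http" request scheme and the proxy IP in audit logs.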

Diagnostics

Emakin provides a special page for inspecting the headers sent by the reverse proxy. This page requires the development environment flag to be enabled and is disabled by default in the production environment.

Run Emakin In Development Environment

Stop the Emakin service or daemon before continuing with these steps.

  • Open a new terminal window in the application <installdir>.

  • Set the environment variable

    # Linux
    export DOTNET_ENVIRONMENT=Development

    REM Windows
    set DOTNET_ENVIRONMENT=Development

  • Start the Emakin service with the following command:

    <installdir>/AltiKare.Workflow.Agent web

After this command is executed, the Emakin application starts in web mode only and allows the header diagnostics page to be opened.

Open the HTTP header diagnostics page from

This page echoes back all headers sent to the application server for easier diagnostics, as follows:

Request Scheme
Specifies the original request scheme and must be “https” for SSL connections.

Host
Specifies the requested hostname. Emakin resolves tenants by this header value, so it must be set correctly.

Request RemoteIp
Specifies the user’s IP address if the X-Forwarded-Host header is configured.

Copyright © 2010 - 2023 Emakin. All rights reserved.