Secure connection
Since License Server (FLS) doesn't support HTTPS, you can use a reverse proxy server to make connections secure. This section contains instructions on configuring the most popular web servers as a reverse proxy. To specify their reachability in the FLS configuration file, see Configuring reverse proxy.
Apache HTTP server
To use Apache HTTP Server as a reverse proxy, run the a2enmod script and add relevant directives to the .conf file on your server:
Use the a2enmod script to enable the headers, rewrite, proxy_http, ssl, and http2 modules:
    $ a2enmod headers
    $ a2enmod rewrite
    $ a2enmod proxy_http
    $ a2enmod ssl
    $ a2enmod http2
Add the following directives to the VirtualHost section of the relevant .conf file:
    Protocols h2 http/1.1
    RequestHeader set X-Forwarded-Proto "https"
    RewriteEngine on
    AllowEncodedSlashes on
    ProxyRequests off
    ProxyPass / http://127.0.0.1:1111/
    ProxyPassReverse / http://127.0.0.1:1111/
    SSLEngine On
    SSLCertificateFile <path_to_certificate>
    SSLCertificateKeyFile <path_to_key>
Set the following variables to match your configuration:
Replace 1111 with the actual port number that your FLS listens to.
Set the value of the SSLCertificateFile directive to the location of the SSL/TLS certificate for your server.
Set the value of the SSLCertificateKeyFile directive to the location of the PEM-encoded private key file for the server certificate.
Add the additional HSTS header to the HTTPS VirtualHost directive. Max-age is measured in seconds.
    # Guarantee HTTPS for 1 Year including subdomains
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Note that this header is only valid on an HTTPS VirtualHost.
For more information, see Apache Module mod_proxy.
IIS server
To run an IIS server as a reverse proxy, use the Application Request Routing (ARR) extension.
Download and install the Application Request Routing (ARR) extension from the Microsoft website.
In IIS Manager, connect to the IIS server (for example, localhost).
Highlight the server in the Connections pane.
Double-click URL Rewrite.
Click View server variables in the right pane.
Add the following server variables to the list:
    HTTP_X_FORWARDED_HOST
    HTTP_X_FORWARDED_SCHEME
    HTTP_X_FORWARDED_PROTO
Set the response buffer threshold. For single web servers:
Double-click Application Request Routing Cache.
Click Server Proxy Settings under the Proxy heading in the Actions pane.
Select the Enable proxy checkbox, set the Response buffer threshold to 0, then click Apply. Leave the default values in place.
For server farms:
Select the FLS server farm in the Connections pane.
Double-click the Proxy icon.
In the Buffer Setting section of the form, set the Response buffer threshold to 0, then click Apply.
Clear the Reverse rewrite host in response headers checkbox and click Apply.
In the Connections pane, under Sites, select Default Web Site.
Double-click the URL Rewrite feature, then click Add Rule(s) in the Actions pane.
Add a reverse proxy rule with the FLS server address. For example: localhost:1111.
Open the rule, check the rewrite URL, and add the following server variables:
Set the HTTP_X_FORWARDED_HOST variable to {HTTP_HOST}.
Set the HTTP_X_FORWARDED_SCHEME variable to https.
Set the HTTP_X_FORWARDED_PROTO variable to https.
Clear the Include TCP port from client IP option.
Enable anonymous authentication:
In the Sites section of the Connections pane, select Default Web Site.
Double-click Authentication, select Anonymous, then click Enable in the right pane.
Make sure that Dynamic Content Compression is disabled. The location of this setting varies by operating system.
In the Connections pane, under Sites, select Default Web Site.
Double-click the Request Filtering feature, then click Edit Feature Settings in the Actions pane.
Increase the values for the following parameters:
    "Maximum URL length" = 6144
    "Maximum query string" = 4096
Add a new SSL binding to the Default Web Site.
The address that the SSL binding listens to (Host URL) should match the base URL.
The certificate that you choose should correspond to the server DNS address.
For specific instructions, see IIS configuration.
NGINX server
To configure an NGINX server as a reverse proxy:
Update the values for the worker_rlimit_nofile and worker_connections directives.
Set the variables for the server_name directive.
Add the proxy_set_header and proxy_pass directives.
Configure NGINX reverse proxy headers
Open the configuration file for your NGINX server. By default, the configuration file is named nginx.conf. The default directory is either /usr/local/nginx/conf, /etc/nginx, or /usr/local/etc/nginx.
You can find the exact location of the configuration file by running the nginx -V command.
Increase the value of the worker_rlimit_nofile directive to a minimum value of 4096.
In the Events section, increase the value of the worker_connections directive to a minimum value of 2048.
Update the server directive and add the proxy_set_header and proxy_pass directives in your configuration file. For example:
    server {
        listen 443 ssl;
        ssl_certificate <path_to_certificate>;
        ssl_certificate_key <path_to_key>;
        server_name localhost;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;
        location / {
            proxy_set_header X-Forwarded-Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-Proto https;
            proxy_pass http://license-server-domain:1111;
            proxy_http_version 1.1;
        }
    }
Set the following variables to match your FLS configuration:
listen is the port number that you specified in the --base-url parameter.
proxy_pass is the path to your FLS with the port that you specified with the --listen-port command.
Save and close your configuration file. You can use nginx -t to test the config syntax or reload the configuration with the following command:
    sudo nginx -s reload
Refer to the corresponding Nginx documentation pages for a description of server_name, proxy_set_header, proxy_pass: Module ngx_http_proxy_module.
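The check below is an added example, not part of the FLS documentation: a shell function that lints an NGINX configuration file for the settings listed in this section (both worker limits, a TLS listen socket, X-Forwarded-Proto set to https, and a plain-HTTP proxy_pass to FLS). The function names and the sample configuration are constructed for illustration; the script reads a single file and does not follow include directives.

```shell
#!/bin/sh
# Added example: lint an nginx config for the FLS reverse-proxy settings above.

# Print the arguments of every occurrence of directive $2 in file $1.
directive_args() {
    sed 's/#.*//' "$1" | tr ';{}' '\n\n\n' |
        awk -v d="$2" '$1 == d { $1 = ""; sub(/^ +/, ""); print }'
}

# Succeed if directive $2 in file $1 has a numeric value >= $3.
at_least() {
    v=$(directive_args "$1" "$2" | head -n 1)
    case $v in ''|*[!0-9]*) return 1 ;; esac
    [ "$v" -ge "$3" ]
}

# Print one FAIL line per missing setting; return non-zero if any failed.
check_fls_nginx() {
    conf=$1 rc=0
    at_least "$conf" worker_rlimit_nofile 4096 ||
        { echo "FAIL worker_rlimit_nofile missing or below 4096"; rc=1; }
    at_least "$conf" worker_connections 2048 ||
        { echo "FAIL worker_connections missing or below 2048"; rc=1; }
    directive_args "$conf" listen | grep -Eq '(^| )ssl( |$)' ||
        { echo "FAIL no 'listen ... ssl' socket"; rc=1; }
    directive_args "$conf" proxy_set_header |
        grep -Eiq '^X-Forwarded-Proto +"?https"?$' ||
        { echo "FAIL X-Forwarded-Proto is not set to https"; rc=1; }
    directive_args "$conf" proxy_pass | grep -q '^http://' ||
        { echo "FAIL proxy_pass must target FLS over http://"; rc=1; }
    return $rc
}

# Constructed sample: TLS is configured but the limits and header are missing.
sample=$(mktemp)
cat > "$sample" <<'EOF'
worker_rlimit_nofile 1024;
events { worker_connections 512; }
http { server {
    listen 443 ssl;
    location / {
        proxy_set_header Host $host;
        proxy_pass http://license-server-domain:1111;
    }
} }
EOF
check_fls_nginx "$sample" || echo "sample config needs changes"
rm -f "$sample"
```

Run it against the configuration file before `sudo nginx -s reload`; `nginx -t` still has to pass, since this script only checks the FLS-specific settings.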