Secure connection

1. Use the a2enmod script to enable the headers, rewrite, proxy_http, ssl, and http2 modules:

   $ a2enmod headers $ a2enmod rewrite $ a2enmod proxy_http $ a2enmod ssl $ a2enmod http2

2. Add the following directives to the VirtualHost section of the relevant .conf file:

   Protocols h2 http/1.1 RequestHeader set X-Forwarded-Proto "https" RewriteEngine on AllowEncodedSlashes on ProxyRequests off ProxyPass / http://127.0.0.1:1111/ ProxyPassReverse / http://127.0.0.1:1111/ SSLEngine On SSLCertificateFile <path_to_certificate> SSLCertificateKeyFile <path_to_key>

   Set the following variables to match your configuration:

   • Replace 1111 with the actual port number that your FLS listens to.

   • Set the value of the SSLCertificateFile directive to the location of the SSL/TLS certificate for your server.

   • Set the value of the SSLCertificateKeyFile directive to the location of the PEM-encoded private key file for the server certificate.

3. Add the additional HSTS header to the HTTPS VirtualHost directive. Max-age is measured in seconds.

   # Guarantee HTTPS for 1 Year including subdomains Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

   Note that this header is only valid on a HTTPS VirtualHost.

1. Download and install the Application Request Routing (ARR) extension from the Microsoft website.

2. In IIS Manager, connect to the IIS server (for example, localhost).

3. Highlight the server in the Connection pane.

4. Double-click URL Rewrite.

5. Click View server variables in the right pane.

6. Add the following server variables to the list:

   HTTP_X_FORWARDED_HOST HTTP_X_FORWARDED_SCHEME HTTP_X_FORWARDED_PROTO

7. Set the response buffer threshold. For single web servers:

   • Double-click Application Request Routing Cache.

   • Click Server Proxy Settings under the Proxy heading in the Actions pane.

   • Select the Enable proxy checkbox, set the Response buffer threshold to 0, then click Apply. Leave the default values in place.

   For server farms:

   • Select the FLS server farm in the Connections pane.

   • Double-click the Proxy icon.

   • In the Buffer Setting section of the form, set the Response buffer threshold to 0, then click Apply.

8. Clear the Reverse rewrite host in response headers checkbox and click Apply.

9. In the Connections pane, under Sites, select Default Web Site.

10. Double-click the URL Rewrite feature, then click Add Rule(s) in the Actions pane.

11. Add a reverse proxy rule with the FLS server address. For example: localhost:1111.

12. Open the rule, check the rewrite URL, and add the following server variables:

    • Set the HTTP_X_FORWARDED_HOST variable to {HTTP_HOST}.

    • Set the HTTP_X_FORWARDED_SCHEME variable to https.

    • Set the HTTP_X_FORWARDED_PROTO to https.

13. Clear the Include TCP port from client IP option.

14. Enable anonymous authentication:

    1. In the Sites section of the Connections pane, select Default Web Site.

    2. Double-click Authentication, select Anonymous, then click Enable in the right pane.

15. Make sure that Dynamic Content Compression is disabled. The location of this setting varies by operating system.

16. In the Connections pane, under Sites, select Default Web Site.

17. Double-click the Request Filtering feature, then click Edit Feature Settings in the Actions pane.

18. Increase the values for the following parameters:

    "Maximum URL length" = 6144 "Maximum query string" = 4096

19. Add a new SSL binding to the Default Web Site.

    • The address that the SSL binding listens to (Host URL) should match the base URL.

    • The certificate that you choose should correspond to the server DNS address.

For specific instructions, see IIS configuration.

Configure NGINX reverse proxy headers

1. Open the configuration file for your NGINX server. By default, the configuration file is named nginx.conf. The default directory is either /usr/local/nginx/conf, /etc/nginx, or /usr/local/etc/nginx.

   You can find the exact location of the configuration file by running the nginx -V command.

2. Increase the value of the worker_rlimit_nofile directive to a minimum value of 4096.

3. In the Events section, increase the value of the worker_connections directive to a minimum value of 2048.

4. Update the server directive and add the proxy_set_header and proxy_pass directives in your configuration file. For example:

   server { listen 443 ssl; ssl_certificate <path_to_certificate>; ssl_certificate_key <path_to_key>; server_name localhost; ssl_session_cache shared:SSL:1m; ssl_session_timeout 5m; ssl_ciphers HIGH:!aNULL:!MD5; ssl_prefer_server_ciphers on; location / { proxy_set_header X-Forwarded-Host $http_host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $remote_addr; proxy_set_header X-Forwarded-Proto https; proxy_pass http://license-server-domain:1111; proxy_http_version 1.1; } }

5. Set the following variables to match your FLS configuration:

   • listen is the port number that you specified in the --base-url parameter.

   • proxy_pass is the path to your FLS with the port that you specified with the --listen-port command.

6. Save and close your configuration file. You can use nginx -t to test the config syntax or reload the configuration with the following command:

   sudo nginx -s reload