Floating License Server Help

Secure connection

For added security, you can configure Floating License Server to work behind a reverse proxy server.

FLS configuration

  With the license-server.sh script:

  1. Stop FLS
  2. Configure the base URL that will be used to access your server instance:

    <fls_home>/bin/license-server.sh configure --port 1111

    • where 1111 is the port FLS will listen on

  3. Run in the command line:

    <fls_home>/bin/license-server.sh configure --jetty.virtualHosts.names=proxy-server.mydomain.com,other-proxy-server.mydomain.com

    • where proxy-server.mydomain.com,other-proxy-server.mydomain.com is a comma-separated list of host names used by the proxy server

  4. Start FLS

  With the license-server.bat script:

  1. Stop FLS
  2. Configure the base URL that will be used to access your server instance:

    <fls_home>\bin\license-server.bat configure --listen-port 1111 --base-url https://license-server.mydomain.com:XXXX

    • where 1111 is the port FLS will listen on

    • https://license-server.mydomain.com is the proxy server address

    • XXXX is the port number your proxy server listens on

  3. Run in the command line:

    <fls_home>\bin\license-server.bat configure --virtual-hosts=proxy-server.mydomain.com,other-proxy-server.mydomain.com

    • where proxy-server.mydomain.com,other-proxy-server.mydomain.com is a comma-separated list of host names used by the proxy server

  4. Start FLS

Configure Proxy Server Headers

Apache HTTP Server Configuration

To use an Apache HTTP Server as a reverse proxy, you need to run an a2enmod script and add directives to a .conf file on your server. Requires Apache httpd version 2.4.17 or later.

To set up an Apache HTTP Server as a reverse proxy:

  1. Use the following a2enmod script to enable the headers, rewrite, proxy_http, ssl, and http2 modules:

    $ a2enmod headers
    $ a2enmod rewrite
    $ a2enmod proxy_http
    $ a2enmod ssl
    $ a2enmod http2

  2. Add the following directives to the VirtualHost section of a relevant .conf file:

    Protocols h2 http/1.1
    RequestHeader set X-Forwarded-Proto "https"
    RewriteEngine on
    AllowEncodedSlashes on
    ProxyRequests off
    ProxyPass / http://127.0.0.1:1111/
    ProxyPassReverse / http://127.0.0.1:1111/
    SSLEngine On
    SSLCertificateFile <path_to_certificate>
    SSLCertificateKeyFile <path_to_key>

  3. Set the following variables to match your configuration:
    • Replace 1111 with the actual port number that your Floating License Server listens to.

    • Set the value for the <path_to_certificate> to the location of the SSL/TLS certificate for your server.

    • Set the value for the <path_to_key> to the location of the PEM-encoded private key file for the server certificate.

  4. Add the additional HSTS header to the HTTPS VirtualHost directive. Max-age is measured in seconds.

    # Guarantee HTTPS for 1 year, including subdomains
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

    Note that this header is only valid on an HTTPS VirtualHost.

For more information, refer to the documentation for Apache Module mod_proxy.

IIS Server Configuration

To use an IIS server as a reverse proxy, you need to use the Application Request Routing (ARR) extension. Requires IIS version 10.0 (version 1709) or later.

To set up an IIS server as a reverse proxy:

  1. Download and install the Application Request Routing (ARR) extension from the Microsoft website.

  2. In IIS Manager, connect to the IIS server (in this case, localhost).

  3. Highlight the server in the Connection pane.

  4. Double-click URL Rewrite.

  5. Click View server variables in the right pane.

  6. Add the following server variables to the list:

    HTTP_X_FORWARDED_HOST
    HTTP_X_FORWARDED_SCHEME
    HTTP_X_FORWARDED_PROTO

  7. Set the response buffer threshold. For single web servers:

    • Double-click Application Request Routing Cache

    • Click Server Proxy Settings under the Proxy heading in the Actions pane

    • Select the Enable proxy checkbox, set the Response buffer threshold to 0, then click Apply. Leave the default values in place.

    For server farms:
    • Select the FLS server farm in the Connections pane.

    • Double-click the Proxy icon.

    • In the Buffer Setting section of the form, set the Response buffer threshold to 0, then click Apply.

  8. Deselect the Reverse rewrite host in response headers checkbox and click Apply.

  9. In the Connections pane, under Sites, select Default Web Site.

  10. Double-click the URL Rewrite feature, then click Add Rule(s) in the Actions pane.

  11. Add a reverse proxy rule with the server name: localhost:1111 (replace with the real location and port of your FLS).

  12. Open the rule, check the rewrite URL, and add the following server variables:
    • Set the HTTP_X_FORWARDED_HOST variable to {HTTP_HOST}.

    • Set the HTTP_X_FORWARDED_SCHEME variable to https.

    • Set the HTTP_X_FORWARDED_PROTO to https.

  13. Deselect the Include TCP port from client IP option, if it is not already deselected.

  14. Make sure that anonymous authentication is enabled:
    • In the Sites section of the Connections pane, select Default Web Site.

    • Double-click Authentication, select Anonymous, then click Enable in the right pane.

  15. Make sure that Dynamic Content Compression is disabled. The location of this setting varies by operating system.

  16. In the Connections pane, under Sites, select Default Web Site.

  17. Double-click the Request Filtering feature, then click Edit Feature Settings in the Actions pane.

  18. Increase the values for the following parameters:

    "Maximum URL length" = 6144
    "Maximum query string" = 4096

  19. Add a new SSL binding to the Default Web Site.
    • The address that the SSL binding listens to (Host URL) should match the base URL.

    • The certificate that you choose should correspond to the server DNS address.

For specific instructions, refer to the IIS configuration

NGINX Server Configuration

Configuring an NGINX server as a reverse proxy consists of the following steps (requires NGINX version 1.11.7 or later).

To configure NGINX reverse proxy headers:

  1. Open the configuration file for your NGINX server. By default, the configuration file is named nginx.conf. The default directory is either /usr/local/nginx/conf, /etc/nginx, or /usr/local/etc/nginx.

    You can find the exact location of the configuration file by entering nginx -V in a command line interface.

  2. Increase the value for the worker_rlimit_nofile directive to a minimum value of 4096.

  3. In the events section, increase the value for the worker_connections directive to a minimum value of 2048.

  4. Update the server directive and add the proxy_set_header and proxy_pass directives in your configuration file. Use the following sample as a guide:

    server {
        listen 443 ssl;
        ssl_certificate <path_to_certificate>;
        ssl_certificate_key <path_to_key>;
        server_name localhost;
        ssl_session_cache shared:SSL:1m;
        ssl_session_timeout 5m;
        ssl_ciphers HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers on;

        location / {
            proxy_set_header X-Forwarded-Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-Proto https;
            proxy_pass http://license-server-domain:1111;
            proxy_http_version 1.1;
        }
    }

  5. Set the following variables to match your license server configuration:
    • listen is the port number that you specified in the --base-url parameter

    • proxy_pass is the address of your FLS with the port that you specified with the --listen-port parameter

  6. Save and close your configuration file. You can use nginx -t to test the configuration syntax, or reload the configuration with:

    sudo nginx -s reload

Refer to the corresponding Nginx documentation pages for a description of server_name, proxy_set_header, proxy_pass: Module ngx_http_proxy_module.
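The checklist in steps 2 to 5 can be verified mechanically before reloading NGINX. The following Python check is an added example, not part of the FLS documentation or product; the names `check`, `directives`, `SAMPLE_CONF`, `EXPECTED_HEADERS` and `MINIMUMS` are hypothetical, and the embedded configuration is constructed. It assumes the header values from the sample above are the only accepted ones and inspects only the first occurrence of each directive.

```python
import re

# Constructed sample following steps 2-4 above (certificate directives omitted).
SAMPLE_CONF = """
worker_rlimit_nofile 4096;
events { worker_connections 2048; }
http { server {
    listen 443 ssl;
    location / {
        proxy_set_header X-Forwarded-Host $http_host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://license-server-domain:1111;
    }
} }
"""

# Assumption: expected values are the ones in the sample server block on this page.
EXPECTED_HEADERS = {"X-Forwarded-Host": "$http_host",
                    "X-Forwarded-For": "$remote_addr", "X-Forwarded-Proto": "https"}
MINIMUMS = {"worker_rlimit_nofile": 4096, "worker_connections": 2048}

def directives(conf):
    """Split a config into (name, args) pairs. Simplified: no quoted ';' or '#'."""
    conf = re.sub(r"#[^\n]*", "", conf)
    stmts = (s.split() for s in re.split(r"[;{}]", conf))
    return [(w[0], w[1:]) for w in stmts if w]

def check(conf, listen_port, base_url_port):
    """Return findings for one server block; an empty list means all checks pass."""
    found = directives(conf)
    first = lambda name: next((a for n, a in found if n == name), [])
    findings = []
    for name, minimum in MINIMUMS.items():
        value = first(name)[:1]
        if not value or not value[0].isdigit() or int(value[0]) < minimum:
            findings.append(f"{name} below {minimum}")
    # A header copied from a client-supplied variable would fail this comparison.
    headers = {a[0]: a[1] for n, a in found if n == "proxy_set_header" and len(a) == 2}
    for header, want in EXPECTED_HEADERS.items():
        if headers.get(header) != want:
            findings.append(f"{header} is not set to {want}")
    listen = first("listen")
    if not listen or listen[0].rsplit(":", 1)[-1] != str(base_url_port) or "ssl" not in listen:
        findings.append(f"listen is not '{base_url_port} ssl'")
    target = first("proxy_pass")[:1]
    if not target or not re.fullmatch(rf"http://[^/:]+:{listen_port}/?", target[0]):
        findings.append(f"proxy_pass does not target port {listen_port}")
    return findings
```

Call `check(conf_text, listen_port, base_url_port)` with the port given to `--listen-port` and the port in `--base-url`; each returned string names a checklist item that the configuration does not meet.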

Last modified: 26 April 2019