How to Run Oxygen Feedback Over HTTPS
- By using a reverse proxy.
- By using the built-in SSL support in Oxygen Feedback Enterprise.
Reverse Proxy Method (Recommended)
It is strongly recommend to use a reverse proxy infrastructure to set up Oxygen Feedback Enterprise. This will allow you to have more control over security parameters. For example, you can use Nginx.
Using Nginx
- [Prerequisite] Nginx must be installed and Oxygen Feedback Enterprise must be up and running on
http://${your_oxygen_feedback_host}:${your_oxygen_feedback_port}. - Configure Nginx as a reverse proxy or a reverse proxy
with SSL:Sample configuration for Nginx as a reverse proxy:
server { listen 80; server_name ${your_server_name}; location / { proxy_pass http://${your_oxygen_feedback_host}:${your_oxygen_feedback_port}; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; client_max_body_size 0; } }For more information, see: https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/.
Sample configuration for Nginx as a reverse proxy with SSL:# Redirects trafic from http to https. server { listen 80 default_server; server_name ${your_server_name}; return 301 https://$server_name$request_uri; } server { listen 443 ssl; server_name ${your_server_name}; ssl_certificate ${path_to_your_certificate_file}; ssl_certificate_key ${path_to_your_certificate_key_file}; location / { proxy_pass http://${your_oxygen_feedback_host}:${your_oxygen_feedback_port}; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; client_max_body_size 0; } }There are other SSL configuration parameters that you may want to configure, depending on your needs. It is strongly advised to read more about this at: https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/.
An online configuration generator can be found here: https://mozilla.github.io/server-side-tls/ssl-config-generator/.
- Restart Nginx.
Using Apache httpd
- [Prerequisite] Apache httpd must be installed and Oxygen Feedback Enterprise must be up and running on
http://${your_oxygen_feedback_host}:${your_oxygen_feedback_port}. - Configure Apache httpd as a reverse proxy or a
reverse proxy with SSL:Sample configuration for Apache httpd as a reverse proxy:
<VirtualHost *:443> [..............] SSLEngine on SSLCertificateFile /path/to/cert.pem SSLCertificateChainFile /path/to/cert.pem SSLCertificateKeyFile /etc/ssl/private/privkey.pem ProxyRequests Off SSLProxyEngine on ProxyPreserveHost On SSLProxyVerify none SSLProxyCheckPeerExpire off SSLProxyCheckPeerName off AllowEncodedSlashes NoDecode <Proxy *> Order deny,allow Allow from all </Proxy> ProxyPass / http://${your_oxygen_feedback_host}:${your_oxygen_feedback_port}/ nocanon ProxyPassReverse / http://${your_oxygen_feedback_host}:${your_oxygen_feedback_port}/ RequestHeader set X-Forwarded-Proto "https" RequestHeader set X-Forwarded-Port "443" </VirtualHost>
For more information, see: https://httpd.apache.org/docs/current/howto/reverse_proxy.html.
An online configuration generator can be found here: https://mozilla.github.io/server-side-tls/ssl-config-generator/.
- Restart Apache httpd.
Built-in SSL Support
- Generate a certificate or use an existing one.
[Optional] If you do not have a certificate, use the following procedure to generate a self-signed certificate on a Ubuntu machine. This should be used for testing purposes.
- Generate the private
key:
openssl genrsa -out private.pem 2048 - Generate the public
key:
openssl rsa -in private.pem -outform PEM -pubout -out public.pem
- Create a CSR (Certificate Signing
Request):
openssl req -new -key private.pem -out certificate.csr
Note: After running this command, you will be prompted to enter some values. Follow the instructions on the screen and enter the corresponding values. - Create a self-signed
certificate:
openssl x509 -req -days 365 -in certificate.csr -signkey private.pem -out certificate.crt - Generate a PKCS12
file:
openssl pkcs12 -export -in certificate.crt -inkey private.pem -out feedback.p12 -name feedback -CAfile certificate.crt -chain
The path of this file will be used for
server.ssl.key-store.The name attribute value will be used for
server.ssl.key-alias.The export password value you entered will be used for
server.ssl.key-store-password.
- Generate the private
key:
- Go to
{oxygen-feedback-user-home-dir}/configand open the feedback-server.properties file. - Set the value for
server.ssl.enabledto be true:server.ssl.enabled = true
- [Optional] Change the
http.portandhttps.portwith according to your needs. The default values are 8080 for http and 8443 for https.Note: If you want to use ports 80 and 443, you need to have root permission to open them on a Linux machine. - Set the type of keystore file to be used for the server certificate. If you followed
the instructions to generate a self-signed SSL certificate, you will need to set this
property to
PKCS12:server.ssl.key-store-type=${certificate_key_store_type} - Set the path name of the keystore file where you have stored the server certificate to
be
loaded:
server.ssl.key-store=${certificate_file_path} - Set the password used to access the specified keystore file. If you followed the
instructions to generate a self-signed SSL certificate, you will need to use the
password set when you generated the PKCS12
file:
server.ssl.key-store-password=${password} - Set the alias that identifies the key in the key
store:
server.ssl.key-alias=${alias}