How to Run Oxygen Feedback Over HTTPS
- By using a reverse proxy.
- By using the built-in SSL support in Oxygen Feedback Enterprise.
Reverse Proxy Method (Recommended)
It is strongly recommended to use a reverse proxy infrastructure to set up Oxygen Feedback Enterprise. This gives you more control over security parameters. For example, you can use Nginx.
Using Nginx
- [Prerequisite] Nginx must be installed and Oxygen Feedback Enterprise must be up and running on http://${your_oxygen_feedback_host}:${your_oxygen_feedback_port}.
- Configure Nginx as a reverse proxy or a reverse proxy with SSL:
  Sample configuration for Nginx as a reverse proxy:

      server {
          listen 80;
          server_name ${your_server_name};

          location / {
              proxy_pass http://${your_oxygen_feedback_host}:${your_oxygen_feedback_port};
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-Host $host;
              proxy_set_header X-Forwarded-Proto $scheme;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              client_max_body_size 0;
          }
      }

For more information, see: https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/.
Sample configuration for Nginx as a reverse proxy with SSL:

      # Redirects traffic from http to https.
      server {
          listen 80 default_server;
          server_name ${your_server_name};
          return 301 https://$server_name$request_uri;
      }

      server {
          listen 443 ssl;
          server_name ${your_server_name};

          ssl_certificate ${path_to_your_certificate_file};
          ssl_certificate_key ${path_to_your_certificate_key_file};

          location / {
              proxy_pass http://${your_oxygen_feedback_host}:${your_oxygen_feedback_port};
              proxy_set_header X-Real-IP $remote_addr;
              proxy_set_header X-Forwarded-Host $host;
              proxy_set_header X-Forwarded-Proto $scheme;
              proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              client_max_body_size 0;
          }
      }

There are other SSL configuration parameters that you may want to configure, depending on your needs. It is strongly advised to read more about this at: https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/.
An online configuration generator can be found here: https://mozilla.github.io/server-side-tls/ssl-config-generator/.
- [Optional] To allow HTTP/2, add http2 to the listen directive:

      listen 443 ssl http2;

- Restart Nginx.
Using Apache httpd
- [Prerequisite] Apache httpd must be installed and Oxygen Feedback Enterprise must be up and running on http://${your_oxygen_feedback_host}:${your_oxygen_feedback_port}.
- Configure Apache httpd as a reverse proxy or a reverse proxy with SSL:
  Sample configuration for Apache httpd as a reverse proxy:

      <VirtualHost *:443>
          [..............]
          # TLS termination for client connections
          SSLEngine on
          SSLCertificateFile /path/to/cert.pem
          SSLCertificateChainFile /path/to/cert.pem
          SSLCertificateKeyFile /etc/ssl/private/privkey.pem

          ProxyRequests Off
          # The SSLProxy* directives in this block apply only to https:// backends;
          # with the http:// backend used here they have no effect.
          SSLProxyEngine on
          ProxyPreserveHost On
          SSLProxyVerify none
          SSLProxyCheckPeerExpire off
          SSLProxyCheckPeerName off
          AllowEncodedSlashes NoDecode

          <Proxy *>
              Order deny,allow
              Allow from all
          </Proxy>

          ProxyPass / http://${your_oxygen_feedback_host}:${your_oxygen_feedback_port}/ nocanon
          ProxyPassReverse / http://${your_oxygen_feedback_host}:${your_oxygen_feedback_port}/

          # Tell the application that the original request arrived over HTTPS
          RequestHeader set X-Forwarded-Proto "https"
          RequestHeader set X-Forwarded-Port "443"
      </VirtualHost>

For more information, see: https://httpd.apache.org/docs/current/howto/reverse_proxy.html.
An online configuration generator can be found here: https://mozilla.github.io/server-side-tls/ssl-config-generator/.
- [Optional] To allow HTTP/2, follow these steps:
  - Ensure that Apache 2.4.17+ is installed (HTTP/2 is supported in these versions).
  - Enable the http2 module by adding this to your httpd.conf:

        LoadModule http2_module modules/mod_http2.so

  - Enable HTTP/2 for SSL/TLS connections:

        <VirtualHost *:443>
            Protocols h2 http/1.1
            SSLEngine on
            # SSL configurations
        </VirtualHost>

- Restart Apache httpd.
Built-in SSL Support
- Generate a certificate or use an existing one.
  [Optional] If you do not have a certificate, use the following procedure to generate a self-signed certificate on an Ubuntu machine. This should be used for testing purposes.
  - Generate the private key:

        openssl genrsa -out private.pem 2048

  - Generate the public key:

        openssl rsa -in private.pem -outform PEM -pubout -out public.pem

  - Create a CSR (Certificate Signing Request):

        openssl req -new -key private.pem -out certificate.csr

    Note: After running this command, you will be prompted to enter some values. Follow the instructions on the screen and enter the corresponding values.
  - Create a self-signed certificate:

        openssl x509 -req -days 365 -in certificate.csr -signkey private.pem -out certificate.crt

  - Generate a PKCS12 file:

        openssl pkcs12 -export -in certificate.crt -inkey private.pem -out feedback.p12 -name feedback -CAfile certificate.crt -chain

    The path of this file will be used for server.ssl.key-store.
    The name attribute value will be used for server.ssl.key-alias.
    The export password value you entered will be used for server.ssl.key-store-password.
- Go to $OXYGEN_FEEDBACK_INSTALL_DIR/oxygen-feedback-home/config and open the feedback-server.properties file.
- Set the value for server.ssl.enabled to be true:

      server.ssl.enabled = true

- [Optional] Change the http.port and https.port according to your needs. The default values are 8080 for http and 8443 for https.
  Note: If you want to use ports 80 and 443, you need to have root permission to open them on a Linux machine.
- Set the type of keystore file to be used for the server certificate. If you followed the instructions to generate a self-signed SSL certificate, you will need to set this property to PKCS12:

      server.ssl.key-store-type=${certificate_key_store_type}

- Set the path name of the keystore file where you have stored the server certificate to be loaded:

      server.ssl.key-store=${certificate_file_path}

- Set the password used to access the specified keystore file. If you followed the instructions to generate a self-signed SSL certificate, you will need to use the password set when you generated the PKCS12 file:

      server.ssl.key-store-password=${password}

- Set the alias that identifies the key in the key store:

      server.ssl.key-alias=${alias}

server.http2.enabled=true property is set in the feedback-server.properties file). If you want to disable HTTP/2, set that property to false.
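
A pre-flight check for the built-in SSL settings described in the steps above, given here as an added example (it is not part of Oxygen Feedback or its documentation). The function names and the sample file content are constructed for illustration, and the parser assumes plain key=value lines as shown on this page.

```python
import os
import stat

# Constructed sample of feedback-server.properties (not from a real installation).
SAMPLE = """\
server.ssl.enabled = true
server.ssl.key-store-type=JKS
server.ssl.key-store=/nonexistent/feedback.p12
server.ssl.key-store-password=${password}
server.ssl.key-alias=feedback
"""
REQUIRED = ("server.ssl.key-store-type", "server.ssl.key-store",
            "server.ssl.key-store-password", "server.ssl.key-alias")

def parse_properties(text):
    """Parse 'key=value' lines; blank lines and #/! comments are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and line[0] not in "#!" and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_ssl_properties(props, config_path=None):
    """Return a list of problems in the built-in SSL settings (empty = OK)."""
    problems = []
    if props.get("server.ssl.enabled", "").lower() != "true":
        problems.append("server.ssl.enabled is not true")
    for key in REQUIRED:
        value = props.get(key, "")
        if not value:
            problems.append(f"{key} is missing or empty")
        elif value.startswith("${"):
            problems.append(f"{key} still holds the placeholder {value}")
    store = props.get("server.ssl.key-store", "")
    if store and not store.startswith("${"):
        if not os.path.isfile(store):
            problems.append(f"keystore file not found: {store}")
        ktype = props.get("server.ssl.key-store-type", "")
        if store.lower().endswith((".p12", ".pfx")) and ktype.upper() != "PKCS12":
            problems.append(f"{store} looks like PKCS12 but key-store-type is {ktype!r}")
    # The keystore password is stored in clear text in this file, so it
    # should not be readable by group or other users.
    if config_path and os.path.isfile(config_path):
        mode = stat.S_IMODE(os.stat(config_path).st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            problems.append(f"{config_path} is group/world readable ({oct(mode)})")
    return problems

if __name__ == "__main__":
    for problem in check_ssl_properties(parse_properties(SAMPLE)):
        print("PROBLEM:", problem)
```

Pass the real path of feedback-server.properties as config_path to include the file permission check.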