How to Run Oxygen Feedback Over HTTPS

There are two possible ways to run Oxygen Feedback Enterprise over HTTPS:
  • By using a reverse proxy.
  • By using the built-in SSL support in Oxygen Feedback Enterprise.

Reverse Proxy Method (Recommended)

It is strongly recommended to use a reverse proxy infrastructure to set up Oxygen Feedback Enterprise. This allows you to have more control over security parameters. For example, you can use Nginx.

Using Nginx

  1. [Prerequisite] Nginx must be installed and Oxygen Feedback Enterprise must be up and running on http://${your_oxygen_feedback_host}:${your_oxygen_feedback_port}.
  2. Configure Nginx as a reverse proxy or a reverse proxy with SSL:
    Sample configuration for Nginx as a reverse proxy:
    server { 
        listen 80; 
        server_name ${your_server_name}; 
        location / { 
            proxy_pass http://${your_oxygen_feedback_host}:${your_oxygen_feedback_port};
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Host $host; 
            proxy_set_header X-Forwarded-Proto $scheme; 
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  
            client_max_body_size 0; 
        } 
    }

    For more information, see: https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/.

    Sample configuration for Nginx as a reverse proxy with SSL:
    # Redirects traffic from HTTP to HTTPS.
    server { 
        listen 80 default_server; 
        server_name ${your_server_name}; 
        return 301 https://$server_name$request_uri; 
    }
                        
    server { 
        listen 443 ssl; 
        server_name ${your_server_name}; 
                        
        ssl_certificate ${path_to_your_certificate_file}; 
        ssl_certificate_key ${path_to_your_certificate_key_file};
                        
        location / { 
            proxy_pass http://${your_oxygen_feedback_host}:${your_oxygen_feedback_port};
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Host $host; 
            proxy_set_header X-Forwarded-Proto $scheme; 
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  
            client_max_body_size 0; 
        } 
    }

    There are other SSL configuration parameters that you may want to configure, depending on your needs. It is strongly advised to read more about this at: https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/.

    An online configuration generator can be found here: https://mozilla.github.io/server-side-tls/ssl-config-generator/.

  3. [Optional] To allow HTTP/2, add http2 to the listen directive:
    listen 443 ssl http2;
  4. Restart Nginx.

Using Apache httpd

  1. [Prerequisite] Apache httpd must be installed and Oxygen Feedback Enterprise must be up and running on http://${your_oxygen_feedback_host}:${your_oxygen_feedback_port}.
  2. Configure Apache httpd as a reverse proxy or a reverse proxy with SSL:
    Sample configuration for Apache httpd as a reverse proxy with SSL:
    <VirtualHost *:443>
            [..............]
    	SSLEngine on
    	SSLCertificateFile      /path/to/cert.pem
    	SSLCertificateChainFile /path/to/cert.pem
    	SSLCertificateKeyFile /etc/ssl/private/privkey.pem
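    	ProxyRequests     Off
    	# The SSLProxy* directives apply only to an https:// backend. With the
    	# http:// backend used here they have no effect. For an https:// backend,
    	# note that SSLProxyVerify none and the two SSLProxyCheckPeer* settings
    	# turn off validation of the backend certificate.
    	SSLProxyEngine on
    	ProxyPreserveHost On
    	SSLProxyVerify none
    	SSLProxyCheckPeerExpire off
    	SSLProxyCheckPeerName off
    	AllowEncodedSlashes NoDecode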
    	<Proxy *>
    			Order deny,allow
    			Allow from all
    	</Proxy>
    	ProxyPass         /  http://${your_oxygen_feedback_host}:${your_oxygen_feedback_port}/ nocanon
    	ProxyPassReverse  /  http://${your_oxygen_feedback_host}:${your_oxygen_feedback_port}/
    	RequestHeader set X-Forwarded-Proto "https"
    	RequestHeader set X-Forwarded-Port "443"
    </VirtualHost>

    For more information, see: https://httpd.apache.org/docs/current/howto/reverse_proxy.html.

    An online configuration generator can be found here: https://mozilla.github.io/server-side-tls/ssl-config-generator/.

  3. [Optional] To allow HTTP/2, follow these steps:
    1. Ensure that Apache 2.4.17+ is installed (HTTP/2 is supported in these versions).
    2. Enable the http2 module by adding this to your httpd.conf:
      LoadModule http2_module modules/mod_http2.so
    3. Enable HTTP/2 for SSL/TLS connections:
      <VirtualHost *:443>
        Protocols h2 http/1.1
        SSLEngine on
        # SSL configurations
      </VirtualHost>
  4. Restart Apache httpd.

Built-in SSL Support

To configure the built-in SSL support for Oxygen Feedback Enterprise, follow these steps:
  1. Generate a certificate or use an existing one.

    [Optional] If you do not have a certificate, use the following procedure to generate a self-signed certificate on an Ubuntu machine. This should be used for testing purposes only.

    1. Generate the private key:
      openssl genrsa -out private.pem 2048
    2. Generate the public key:
      openssl rsa -in private.pem -outform PEM -pubout -out public.pem
    3. Create a CSR (Certificate Signing Request):
      openssl req -new -key private.pem -out certificate.csr
      Note:
      After running this command, you will be prompted to enter some values. Follow the instructions on the screen and enter the corresponding values.
    4. Create a self-signed certificate:
      openssl x509 -req -days 365 -in certificate.csr -signkey private.pem -out certificate.crt
    5. Generate a PKCS12 file:
      openssl pkcs12 -export -in certificate.crt -inkey private.pem -out feedback.p12 -name feedback -CAfile certificate.crt -chain

      The path of this file will be used for server.ssl.key-store.

      The name attribute value will be used for server.ssl.key-alias.

      The export password value you entered will be used for server.ssl.key-store-password.

  2. Go to $OXYGEN_FEEDBACK_INSTALL_DIR/oxygen-feedback-home/config and open the feedback-server.properties file.
  3. Set the value for server.ssl.enabled to be true:
    server.ssl.enabled = true
  4. [Optional] Change http.port and https.port according to your needs. The default values are 8080 for http and 8443 for https.
    Note:
    If you want to use ports 80 and 443, you need to have root permission to open them on a Linux machine.
  5. Set the type of keystore file to be used for the server certificate. If you followed the instructions to generate a self-signed SSL certificate, you will need to set this property to PKCS12:
    server.ssl.key-store-type=${certificate_key_store_type}
  6. Set the path name of the keystore file where you have stored the server certificate to be loaded:
    server.ssl.key-store=${certificate_file_path}
  7. Set the password used to access the specified keystore file. If you followed the instructions to generate a self-signed SSL certificate, you will need to use the password set when you generated the PKCS12 file:
    server.ssl.key-store-password=${password}
  8. Set the alias that identifies the key in the key store:
    server.ssl.key-alias=${alias}
Note:
The built-in SSL support has HTTP/2 automatically enabled (the server.http2.enabled=true property is set in the feedback-server.properties file). If you want to disable HTTP/2, set that property to false.
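
The self-signed certificate procedure and the keystore properties above, as an added example that is not part of the original documentation: a POSIX shell script that runs steps 1 to 5 without prompts and then checks that feedback.p12 opens with the export password, carries the alias feedback, and matches public.pem. The host name argument, the P12_PASS environment variable, and the function names are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the product documentation): runs the self-signed
# certificate procedure non-interactively, then checks the resulting keystore.
# The host name and the P12_PASS variable are assumptions for a test setup.
set -eu

# make_keystore <dir> <hostname>   (export password is read from $P12_PASS)
make_keystore() (
    cd "$1"
    umask 077    # private.pem and feedback.p12 readable by the owner only
    openssl genrsa -out private.pem 2048
    openssl rsa -in private.pem -outform PEM -pubout -out public.pem
    # -subj supplies the subject that the CSR step would otherwise prompt for.
    openssl req -new -key private.pem -subj "/CN=$2" -out certificate.csr
    openssl x509 -req -days 365 -in certificate.csr -signkey private.pem \
        -out certificate.crt
    # -passout env: reads the password from the environment, not from argv.
    openssl pkcs12 -export -in certificate.crt -inkey private.pem \
        -out feedback.p12 -name feedback -CAfile certificate.crt -chain \
        -passout env:P12_PASS
)

# check_keystore <dir> <alias>   exit status: 0 ok, 1 password, 2 alias, 3 key
check_keystore() (
    cd "$1"
    # The keystore must open with the value set in server.ssl.key-store-password.
    bags=$(openssl pkcs12 -in feedback.p12 -passin env:P12_PASS -nokeys 2>/dev/null) || exit 1
    # Its friendlyName must equal the value set in server.ssl.key-alias.
    printf '%s\n' "$bags" | grep -Eq "friendlyName: $2[[:space:]]*\$" || exit 2
    # The certificate must carry the public key exported in step 2.
    [ "$(openssl x509 -in certificate.crt -noout -pubkey)" = "$(cat public.pem)" ] || exit 3
)

# print_properties <dir> <alias>   (the password line is left for you to add)
print_properties() {
    printf 'server.ssl.enabled=true\n'
    printf 'server.ssl.key-store-type=PKCS12\n'
    printf 'server.ssl.key-store=%s/feedback.p12\n' "$1"
    printf 'server.ssl.key-alias=%s\n' "$2"
}

# Stand-alone use, with P12_PASS already exported: sh script.sh <dir> <hostname>
if [ "$#" -ge 2 ]; then
    : "${P12_PASS:?export P12_PASS with the keystore password first}"
    make_keystore "$1" "$2"
    check_keystore "$1" feedback
    print_properties "$1" feedback
fi
```

A non-zero status from check_keystore identifies which of the three server.ssl.* values would not match the keystore before the server is restarted.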