
How to Run Oxygen Feedback Over HTTPS

There are two possible ways to run Oxygen Feedback Enterprise over HTTPS:
  • By using a reverse proxy.
  • By using the built-in SSL support in Oxygen Feedback Enterprise.

Reverse Proxy Method (Recommended)

It is strongly recommended to use a reverse proxy infrastructure to set up Oxygen Feedback Enterprise. This will allow you to have more control over security parameters. For example, you can use Nginx.

Using Nginx

  1. [Prerequisite] Nginx must be installed and Oxygen Feedback Enterprise must be up and running on http://${your_oxygen_feedback_host}:${your_oxygen_feedback_port}.
  2. Configure Nginx as a reverse proxy or a reverse proxy with SSL:
    Sample configuration for Nginx as a reverse proxy:
    server {
        listen 80;
        server_name ${your_server_name};
        location / {
            proxy_pass http://${your_oxygen_feedback_host}:${your_oxygen_feedback_port};
            # Pass the original client address, host and scheme to Oxygen Feedback.
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # 0 disables Nginx's limit on the request body size.
            client_max_body_size 0;
        }
    }

    For more information, see: https://docs.nginx.com/nginx/admin-guide/web-server/reverse-proxy/.

    Sample configuration for Nginx as a reverse proxy with SSL:
    # Redirects traffic from http to https.
    server {
        listen 80 default_server;
        server_name ${your_server_name};
        return 301 https://$server_name$request_uri;
    }
    # Terminates TLS and forwards requests to Oxygen Feedback over http.
    server {
        listen 443 ssl;
        server_name ${your_server_name};
        ssl_certificate ${path_to_your_certificate_file};
        ssl_certificate_key ${path_to_your_certificate_key_file};
        location / {
            proxy_pass http://${your_oxygen_feedback_host}:${your_oxygen_feedback_port};
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # 0 disables Nginx's limit on the request body size.
            client_max_body_size 0;
        }
    }

    There are other SSL configuration parameters that you may want to configure, depending on your needs. It is strongly advised to read more about this at: https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/.

    An online configuration generator can be found here: https://mozilla.github.io/server-side-tls/ssl-config-generator/.

  3. [Optional] To allow HTTP/2, add http2 to the listen directive:
    listen 443 ssl http2;
  4. Restart Nginx.

Using Apache httpd

  1. [Prerequisite] Apache httpd must be installed and Oxygen Feedback Enterprise must be up and running on http://${your_oxygen_feedback_host}:${your_oxygen_feedback_port}.
  2. Configure Apache httpd as a reverse proxy or a reverse proxy with SSL:
    Sample configuration for Apache httpd as a reverse proxy with SSL:
    <VirtualHost *:443>
        SSLEngine on
        SSLCertificateFile      /path/to/cert.pem
        SSLCertificateChainFile /path/to/cert.pem
        SSLCertificateKeyFile /etc/ssl/private/privkey.pem
        ProxyRequests     Off
        ProxyPreserveHost On
        # The SSLProxy* directives apply only to https:// backends. The ProxyPass
        # target below is plain http, so they have no effect here; with an https
        # backend these values would turn off verification of its certificate.
        SSLProxyEngine on
        SSLProxyVerify none
        SSLProxyCheckPeerExpire off
        SSLProxyCheckPeerName off
        AllowEncodedSlashes NoDecode
        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>
        ProxyPass         /  http://${your_oxygen_feedback_host}:${your_oxygen_feedback_port}/ nocanon
        ProxyPassReverse  /  http://${your_oxygen_feedback_host}:${your_oxygen_feedback_port}/
        # Tell Oxygen Feedback that the client connected over HTTPS on port 443.
        RequestHeader set X-Forwarded-Proto "https"
        RequestHeader set X-Forwarded-Port "443"
    </VirtualHost>

    For more information, see: https://httpd.apache.org/docs/current/howto/reverse_proxy.html.

    An online configuration generator can be found here: https://mozilla.github.io/server-side-tls/ssl-config-generator/.

  3. [Optional] To allow HTTP/2, follow these steps:
    1. Ensure that Apache 2.4.17+ is installed (HTTP/2 is supported in these versions).
    2. Enable the http2 module by adding this to your httpd.conf:
      LoadModule http2_module modules/mod_http2.so
    3. Enable HTTP/2 for SSL/TLS connections:
      <VirtualHost *:443>
        Protocols h2 http/1.1
        SSLEngine on
        # SSL configurations
      </VirtualHost>
  4. Restart Apache httpd.

Built-in SSL Support

To configure the built-in SSL support for Oxygen Feedback Enterprise, follow these steps:
  1. Generate a certificate or use an existing one.

    [Optional] If you do not have a certificate, use the following procedure to generate a self-signed certificate on an Ubuntu machine. This should be used for testing purposes.

    1. Generate the private key:
      openssl genrsa -out private.pem 2048
    2. Generate the public key:
      openssl rsa -in private.pem -outform PEM -pubout -out public.pem
    3. Create a CSR (Certificate Signing Request):
      openssl req -new -key private.pem -out certificate.csr
      After running this command, you will be prompted to enter some values. Follow the instructions on the screen and enter the corresponding values.
    4. Create a self-signed certificate:
      openssl x509 -req -days 365 -in certificate.csr -signkey private.pem -out certificate.crt
    5. Generate a PKCS12 file:
      openssl pkcs12 -export -in certificate.crt -inkey private.pem -out feedback.p12 -name feedback -CAfile certificate.crt -chain

      The path of this file will be used for server.ssl.key-store.

      The name attribute value will be used for server.ssl.key-alias.

      The export password value you entered will be used for server.ssl.key-store-password.

  2. Go to $OXYGEN_FEEDBACK_INSTALL_DIR/oxygen-feedback-home/config and open the feedback-server.properties file.
  3. Set the value for server.ssl.enabled to be true:
    server.ssl.enabled = true
  4. [Optional] Change the http.port and https.port values according to your needs. The default values are 8080 for HTTP and 8443 for HTTPS.
    If you want to use ports 80 and 443, you need to have root permission to open them on a Linux machine.
  5. Set the type of keystore file to be used for the server certificate. If you followed the instructions to generate a self-signed SSL certificate, you will need to set this property to PKCS12:
  6. Set the path name of the keystore file where you have stored the server certificate to be loaded:
  7. Set the password used to access the specified keystore file. If you followed the instructions to generate a self-signed SSL certificate, you will need to use the password set when you generated the PKCS12 file:
  8. Set the alias that identifies the key in the key store:
The built-in SSL support has HTTP/2 automatically enabled (the server.http2.enabled=true property is set in the feedback-server.properties file). If you want to disable HTTP/2, set that property to false.
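
The self-signed certificate procedure from step 1, scripted without prompts and followed by the checks worth running before the keystore path, alias and password go into feedback-server.properties. This is an added example, not part of the Oxygen Feedback documentation; the function names and the FEEDBACK_KS_PASS environment variable are assumptions of the example.

```sh
#!/bin/sh
# Added example, not part of the Oxygen Feedback documentation.
# Assumptions: openssl is on PATH and the export password is supplied in the
# environment variable FEEDBACK_KS_PASS (a name chosen for this example).

# make_keystore DIR HOST: steps 1-5 of the procedure, without prompts.
make_keystore() (
    dir=$1; host=$2
    umask 077   # private.pem and feedback.p12 readable by their owner only
    openssl genrsa -out "$dir/private.pem" 2048 2>/dev/null || exit 1
    openssl rsa -in "$dir/private.pem" -outform PEM -pubout \
        -out "$dir/public.pem" 2>/dev/null || exit 1
    # -subj answers the questions "openssl req" would otherwise ask.
    openssl req -new -key "$dir/private.pem" -subj "/CN=$host" \
        -out "$dir/certificate.csr" || exit 1
    openssl x509 -req -days 365 -in "$dir/certificate.csr" \
        -signkey "$dir/private.pem" -out "$dir/certificate.crt" 2>/dev/null || exit 1
    # env: keeps the password out of the process list and shell history.
    openssl pkcs12 -export -in "$dir/certificate.crt" -inkey "$dir/private.pem" \
        -out "$dir/feedback.p12" -name feedback \
        -CAfile "$dir/certificate.crt" -chain -passout env:FEEDBACK_KS_PASS
)

# keystore_alias DIR: prints the alias stored in feedback.p12, i.e. the value
# for server.ssl.key-alias. Prints nothing if the password is wrong.
keystore_alias() {
    openssl pkcs12 -in "$1/feedback.p12" -passin env:FEEDBACK_KS_PASS \
        -nokeys 2>/dev/null | sed -n 's/^ *friendlyName: //p' | head -n 1
}

# keystore_matches_key DIR: succeeds only if the certificate inside
# feedback.p12 carries the public key written to public.pem in step 2.
keystore_matches_key() {
    cert_pub=$(openssl pkcs12 -in "$1/feedback.p12" -nokeys -clcerts \
        -passin env:FEEDBACK_KS_PASS 2>/dev/null |
        openssl x509 -noout -pubkey 2>/dev/null) || return 1
    [ "$cert_pub" = "$(cat "$1/public.pem")" ]
}

# Usage: FEEDBACK_KS_PASS=... sh make_keystore.sh DIR HOST
if [ "$#" -ge 2 ]; then
    make_keystore "$1" "$2" && keystore_matches_key "$1" &&
        echo "feedback.p12 ready, alias: $(keystore_alias "$1")"
fi
```

A failing keystore_matches_key means the PKCS12 file was built from a different key or cannot be opened with the supplied password, which would otherwise surface only when the server starts.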