enaio® gateway – Protection Using Reverse Proxy

enaio® 10.10

enaio® gateway can be protected using end-to-end SSL encryption for all components, but in live systems, it should also always be protected by firewalls and reverse proxies. The installation and configuration of NGINX are documented here as an example.

NGINX as a Reverse Proxy

NGINX can be installed on the same server on which enaio® gateway is running.

  • Download NGINX and extract the archive in a directory on the installation computer.

  • Modify the nginx.conf configuration file in the \conf directory:

    • Replace the server section with the following passage:

      upstream gateway {
          server gateway:${port};
      }

      # Plain HTTP: redirect every request to HTTPS
      server {
          listen 80;
          server_name _;
          return 301 https://$host$request_uri;
      }

      # HTTPS endpoint that the clients connect to
      server {
          listen 443 ssl;
          server_name ${gateway-url};

          # Hardening headers added to every response
          add_header Strict-Transport-Security    "max-age=31536000; includeSubDomains" always;
          add_header X-Frame-Options              SAMEORIGIN;
          add_header X-Content-Type-Options       nosniff;
          add_header X-XSS-Protection             "1; mode=block";

          # TLS settings: only TLS 1.2 and 1.3 are accepted
          ssl_protocols               TLSv1.2 TLSv1.3;
          ssl_ecdh_curve              secp384r1;
          ssl_ciphers                 "ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384 OLD_TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 OLD_TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256";
          ssl_prefer_server_ciphers   on;
          ssl_dhparam                 /etc/nginx/dhparams.pem;
          ssl_certificate             C:\nginx\config\certificate.pem;
          ssl_certificate_key         C:\nginx\config\private-key.pem;
          ssl_session_timeout         10m;
          ssl_session_cache           shared:SSL:10m;
          ssl_session_tickets         off;
          ssl_stapling                on;
          ssl_stapling_verify         on;

          # Address via which NGINX reaches enaio gateway
          location / {
              proxy_pass http://localhost:81;
          }
      }

    • Replace the ${port} placeholder with the host name via which NGINX is called.
    • Replace the ${gateway-url} placeholder with the host name via which the clients connect.
    • Replace the address in the 'location' section with the address NGINX uses to reach enaio® gateway.
    • If necessary, modify the path to the directories for the certificate file and the key file.
    • Copy the certificate file and the key file to the directories.
    • Save the file.
  • Start NGINX by entering start nginx into the command prompt as the administrator.
  • Use the Task Manager or the command prompt to check whether NGINX is running: tasklist -fi "imagename eq nginx.exe"
  • If necessary, modify the enaio® gateway port according to the configuration.
  • The port can be modified using enaio blue gatewayw.exe in the \services\OS_Gateway\bin directory.
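Once NGINX is running, it is worth verifying that the proxy actually behaves as the configuration above intends. The following script is an added example and not part of the enaio® documentation: it checks that port 80 answers with a 301 redirect to https:// and that the four add_header lines are present on the HTTPS response. The host name is a placeholder; the checker functions work on parsed responses, so they can also be fed captured headers.

```python
"""Verify the NGINX reverse-proxy setup in front of enaio gateway.
Added example (not enaio's own code); the host name below is a placeholder."""
import http.client
import ssl

# The headers set by the add_header lines in the port-443 server block.
EXPECTED_HEADERS = {
    "strict-transport-security": "max-age=31536000; includeSubDomains",
    "x-frame-options": "SAMEORIGIN",
    "x-content-type-options": "nosniff",
    "x-xss-protection": "1; mode=block",
}


def check_redirect(status, headers):
    """Findings for the port-80 block: a 301 whose Location is https://."""
    findings = []
    if status != 301:
        findings.append(f"expected 301 redirect on port 80, got {status}")
    location = {k.lower(): v for k, v in headers}.get("location", "")
    if not location.startswith("https://"):
        findings.append(f"redirect target is not https: {location!r}")
    return findings


def check_hardening(headers):
    """Findings for the port-443 block: every expected header with its value."""
    present = {k.lower(): v.strip() for k, v in headers}
    findings = []
    for name, want in EXPECTED_HEADERS.items():
        got = present.get(name)
        if got is None:
            findings.append(f"missing header {name}")
        elif got.lower() != want.lower():
            findings.append(f"header {name} is {got!r}, expected {want!r}")
    return findings


def probe(host):
    """Live check against a running proxy; returns the list of findings."""
    plain = http.client.HTTPConnection(host, 80, timeout=5)
    plain.request("GET", "/")
    resp = plain.getresponse()
    findings = check_redirect(resp.status, resp.getheaders())
    tls = http.client.HTTPSConnection(host, 443, timeout=5,
                                      context=ssl.create_default_context())
    tls.request("GET", "/")
    findings += check_hardening(tls.getresponse().getheaders())
    return findings


if __name__ == "__main__":
    for finding in probe("gateway.example.invalid"):  # placeholder host
        print(finding)
```

An empty findings list means both server blocks respond as configured; each entry names the header or redirect that deviates.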

Multiple enaio® gateway Installations

The 'location' section must be extended if you run additional enaio® gateway installations on one computer for different authentication methods. Example:

location /gateway_1 {
  proxy_pass http://localhost:8081;
}

location /gateway_2 {
  proxy_pass http://localhost:8082;
}

Calls via https://<host>:443/gateway_1 will be forwarded to https://<host>:8081 and calls from https://<host>:443/gateway_2 to https://<host>:8082.