enaio® gateway – Protection Using Reverse Proxy
enaio® gateway can be protected using end-to-end SSL encryption for all components, but in live systems it should additionally always be protected by firewalls and reverse proxies. The installation and configuration of NGINX is documented here as an example.
NGINX as a Reverse Proxy
NGINX can be installed on the same server on which enaio® gateway is running.
- Download NGINX and extract the archive into a directory on the installation computer.
- Modify the nginx.conf configuration file in the \conf directory:
- Replace the server section with the following passage:
- Replace the ${port} placeholder with the host name via which NGINX is called.
- Replace the ${gateway-url} placeholder with the host name via which the clients connect.
- Replace the address in the 'location' section with the address NGINX uses to reach enaio® gateway.
- If necessary, modify the path to the directories for the certificate file and the key file.
- Copy the certificate file and the key file to the directories.
- Save the file.
# this upstream is not referenced by the 'location' block below, which proxies to localhost:81 directly
upstream gateway {
    server gateway:${port};
}
server {
    listen 80;
    server_name _;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name ${gateway-url};
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-Content-Type-Options nosniff;
    add_header X-XSS-Protection "1; mode=block";
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ecdh_curve secp384r1;
    # OpenSSL cipher names, colon-separated (TLS 1.2 suites; the TLS 1.3 suites are not selected by this directive)
    ssl_ciphers "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384";
    ssl_prefer_server_ciphers on;
    # the file must exist or NGINX will not start; generate it with openssl dhparam
    ssl_dhparam /etc/nginx/dhparams.pem;
    ssl_certificate C:\nginx\config\certificate.pem;
    ssl_certificate_key C:\nginx\config\private-key.pem;
    ssl_session_timeout 10m;
    ssl_session_cache shared:SSL:10m;
    ssl_session_tickets off;
    ssl_stapling on;
    ssl_stapling_verify on;
    location / {
        proxy_pass http://localhost:81;
    }
}
- Start NGINX by entering start nginx into the command prompt as the administrator.
- Use the Task Manager or the command prompt to check whether NGINX is running: tasklist -fi "imagename eq nginx.exe"
- If necessary, modify the enaio® gateway port according to the configuration.
The port can be modified using enaio blue gatewayw.exe in the \services\OS_Gateway\bin directory.
Multiple enaio® gateway Installations
The 'location' section must be extended if you use further enaio® gateway installations on one computer for different authentications. Example:
location /gateway_1 {
    proxy_pass http://localhost:8081;
}
location /gateway_2 {
    proxy_pass http://localhost:8082;
}
Calls via https://<host>:443/gateway_1 are forwarded to https://<host>:8081 and calls via https://<host>:443/gateway_2 to https://<host>:8082.
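The following script is an added example and is not part of the enaio® documentation, of NGINX, or of the product; it serves both the hardened server block in the configuration steps above and the multiple-gateway 'location' section. It parses nginx configuration syntax, reports deviations from the directives the server block relies on (HTTP-to-HTTPS redirect, no legacy TLS versions, the security headers, HSTS marked `always`, session tickets off), and resolves which backend a request path reaches under longest-prefix location matching. The host name gateway.example.internal and the sample configuration text are constructed for this example; the port numbers are the ones used on this page.

```python
"""Added example (not enaio or NGINX code): a checker for the reverse-proxy setup
described on this page.  It parses nginx syntax, flags missing hardening, and
resolves the backend a request path reaches under the multi-gateway layout."""
import re

# Constructed sample modelled on the server block above, with the placeholders
# filled with assumed values (gateway.example.internal is not a real host).
SAMPLE_CONF = """
server { listen 80; server_name _; return 301 https://$host$request_uri; }
server {
    listen 443 ssl; server_name gateway.example.internal;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options SAMEORIGIN; add_header X-Content-Type-Options nosniff;
    ssl_protocols TLSv1.2 TLSv1.3; ssl_session_tickets off;
    location / { proxy_pass http://localhost:81; }
    location /gateway_1 { proxy_pass http://localhost:8081; }
    location /gateway_2 { proxy_pass http://localhost:8082; }
}
"""

# nginx tokens: comments, quoted strings, block/statement delimiters, bare words.
TOKEN = re.compile(r'#[^\n]*|"[^"]*"|\'[^\']*\'|[{};]|[^\s{};#"\']+')


def parse(text):
    """Parse nginx syntax into (name, args, children) triples; simple directives have no children."""
    tokens = [t for t in TOKEN.findall(text) if not t.startswith('#')]
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != '}':
            words = []
            while tokens[pos] not in ('{', ';'):
                words.append(tokens[pos].strip('"\''))
                pos += 1
            if tokens[pos] == '{':
                pos += 1
                children = block()
                pos += 1                      # the closing brace of the nested block
            else:
                pos += 1                      # the ';'
                children = []
            items.append((words[0], words[1:], children))
        return items

    return block()


def servers(conf, tls):
    """Server blocks that do (tls=True) or do not (tls=False) have an 'ssl' listener."""
    return [body for name, _, body in conf if name == 'server'
            and any(n == 'listen' and 'ssl' in a for n, a, _ in body) == tls]


def hardening_findings(conf):
    """Deviations from the directives the server block above relies on; empty means none."""
    findings = []
    redirects = [n == 'return' and len(a) == 2 and a[0] == '301' and a[1].startswith('https://')
                 for body in servers(conf, tls=False) for n, a, _ in body]
    if not any(redirects):
        findings.append('no plain-HTTP server block redirecting to https')
    for body in servers(conf, tls=True):
        by_name = {}
        for n, a, _ in body:
            by_name.setdefault(n, []).append(a)
        protocols = {p for args in by_name.get('ssl_protocols', []) for p in args}
        legacy = protocols & {'SSLv3', 'TLSv1', 'TLSv1.1'}
        if legacy:
            findings.append('legacy protocols enabled: ' + ' '.join(sorted(legacy)))
        headers = {a[0]: a for a in by_name.get('add_header', []) if a}
        for h in ('Strict-Transport-Security', 'X-Frame-Options', 'X-Content-Type-Options'):
            if h not in headers:
                findings.append('missing header ' + h)
        if 'Strict-Transport-Security' in headers and 'always' not in headers['Strict-Transport-Security']:
            findings.append('HSTS header lacks "always", so it is not sent on error responses')
        if by_name.get('ssl_session_tickets', [['on']])[0] != ['off']:
            findings.append('ssl_session_tickets is not off')
    return findings


def resolve(conf, path):
    """Longest-prefix 'location' match plus nginx's proxy_pass rule: a proxy_pass without a
    URI part forwards the client's path unchanged, so the gateway behind /gateway_1 itself
    receives /gateway_1/...; with a URI part the matched prefix is replaced by that URI."""
    best = None
    for body in servers(conf, tls=True):
        for n, a, children in body:
            if n == 'location' and len(a) == 1 and path.startswith(a[0]):
                if best is None or len(a[0]) > len(best[0]):
                    best = (a[0], children)
    if best is None:
        return None
    prefix, children = best
    target = next(a[0] for n, a, _ in children if n == 'proxy_pass')
    upstream, uri = re.match(r'(https?://[^/]+)(/.*)?$', target).groups()
    forwarded = path if uri is None else uri + path[len(prefix):]
    return upstream, forwarded


if __name__ == '__main__':
    conf = parse(SAMPLE_CONF)
    print('findings:', hardening_findings(conf) or 'none')
    print('/gateway_1/some/path ->', resolve(conf, '/gateway_1/some/path'))
```

Run it against your own nginx.conf by reading the file into `parse()`; a non-empty `hardening_findings()` list shows which of the directives from the server block above are missing or weakened, and `resolve()` shows which gateway instance a given path reaches and the exact path that instance will see, which matters because the gateway behind /gateway_1 must accept requests under that prefix.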