1 Reply Latest reply on Mar 14, 2017 3:11 PM by milefaker

    WebDirect: SSL termination and failover with nginx reverse proxy

    johnnyb

      Here's a technique by which you can (among other things) use any certificate you like for WebDirect and automate WebDirect failover in a FileMaker backup server configuration: point your clients at nginx, and have nginx handle the SSL and failover.

      SSL Termination

      With SSL termination, the CPU-intensive work of securing web traffic can be offloaded to a lightweight, high-performance proxy server, improving the performance and simplifying the administration of your WebDirect application.

      Instead of connecting directly to the WebDirect server, clients connect to the proxy server via HTTPS, which then forwards the requests to WebDirect via unencrypted HTTP. In addition to freeing up CPU cycles on the WebDirect server, this simplifies certificate administration, allows you to secure your WebDirect app with certificates not specifically supported by FileMaker, gives you control over the SSL ciphers to use, adds a layer of protection between your sensitive FileMaker server and the public Internet, and offers a higher degree of flexibility in your deployment—changes to IP addresses and hostnames affect only the proxy server and do not require restarting your FileMaker server, for example.

      Caveats

      This does require unchecking the "Use SSL" option in the FileMaker admin console. With that option checked, WebDirect's SSL will conflict with the SSL provided by nginx. You can work around that, but doing so only means that you're encrypting twice: once between the client and nginx, and again between nginx and WebDirect. So you'll want to disable WebDirect's built-in SSL to keep everything in the clear.

      With that option disabled, any regular FileMaker Pro clients that connect to the server will also stop using encryption. So this is a technique best reserved for servers that handle only WebDirect applications, or perhaps for installations in which clients connect only via an internal subnet.

      With everything in the clear, you'll also want to take extra care securing the WebDirect server. Any forwarded ports or public IPs associated directly with the WebDirect server should be disabled, if possible, and firewall rules should be in place allowing connections only from the internal network.

      Assuming you can get nginx up and running on a linux server and accessible to your clients, here's an example configuration for SSL termination:

      # nginx virtualhost configuration file for WebDirect SSL termination
      # john.burwell@crystaphase.com
      # 2016-04-05

      # Part of enabling support for vaadin websockets:
      map $http_upgrade $connection_upgrade {
          default upgrade;
          '' close;
      }

      # Proxy server configuration
      server {
        # Listen on both 443 for the main connections and 80 for streaming container data
        listen 80;
        listen 443 ssl;

        # The public name the proxy server should answer to:
        server_name webdirect.example.com;

        # SSL is enabled by the "ssl" parameter on the 443 listener above. Do not add
        # "ssl on;" here: that directive (deprecated since nginx 1.15.0) applies to every
        # listener in the block, so port 80 would also expect TLS and the HTTP-to-HTTPS
        # redirect further down would never run.

        # Specify the locations of your certificate and private key. server.crt must contain
        # the server certificate followed by your CA's intermediate certificate(s); nginx sends
        # the chain to clients from this file, not from ssl_trusted_certificate.
        # (These paths will vary depending on your flavor of linux and your environment)
        ssl_certificate /opt/local/etc/nginx/ssl/webdirect.example.com/server.crt;
        ssl_certificate_key /opt/local/etc/nginx/ssl/webdirect.example.com/server.key;
        # Trusted CA certificates are consulted only for OCSP stapling (ssl_stapling) and
        # client certificate verification; they are never served to clients.
        ssl_trusted_certificate /opt/local/etc/nginx/ssl/webdirect.example.com/ca-certs.pem;

        # Enable session caching, which stores negotiated session keys and improves round-trip performance:
        ssl_session_cache shared:SSL:20m;
        ssl_session_timeout 10m;

        # Use only modern encryption ciphers (modern as of 2016; restrict ssl_protocols to
        # TLSv1.2 or later and drop the 3DES suites when your clients allow it):
        ssl_prefer_server_ciphers on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;

        # Optional: If this is set, then once a browser connects via HTTPS, it will always and only connect via HTTPS.
        # Undoing this requires resetting client browsers, so you don't want to turn this on until you're ready.
        # add_header Strict-Transport-Security "max-age=31536000";

        # Force initial HTTP requests (no TLS negotiated, so $ssl_protocol is empty) to switch to HTTPS:
        if ($ssl_protocol = "") {
          rewrite ^ https://$host:443$request_uri? permanent;
        }

        location / {
          # Specify the internal URL of your WebDirect server:
          proxy_pass http://<web-direct-ip>;

          # Set the headers required for WebDirect to know it is being proxied:
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header X-Forwarded-Proto $scheme;

          # If WebDirect sends a redirect, fix the redirected URL:
          proxy_redirect http://<web-direct-ip>/ http://webdirect.example.com/;

          # Disable the built-in proxy buffer--with this enabled, WebDirect will be slow to respond:
          proxy_buffering off;

          # HTTP 1.1 and "connection upgrade" is required for websockets:
          proxy_http_version 1.1;
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection $connection_upgrade;
        }
      }
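As an added example (not the original poster's configuration), here is the same termination proxy written the way it would be deployed on a current nginx: a separate plain-HTTP server that only redirects, TLS 1.2/1.3 with AEAD cipher suites, the intermediate chain served from the certificate file, OCSP stapling, session tickets disabled, and HSTS enabled. The hostname, certificate paths, the upstream address 10.0.0.10 and the resolver 192.0.2.53 are placeholders to replace with your own values.

```nginx
# Added example: hardened WebDirect SSL termination proxy (not from the original post).
# Placeholders: webdirect.example.com, certificate paths, upstream 10.0.0.10, resolver 192.0.2.53.

# Required for Vaadin WebSocket push: map the client's Upgrade header to the right Connection value.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Plain HTTP: answer only with a redirect; never proxy cleartext requests to WebDirect.
server {
    listen 80;
    server_name webdirect.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name webdirect.example.com;

    # fullchain.pem = server certificate followed by the CA intermediate(s).
    # nginx sends the chain from this file; ssl_trusted_certificate is not served to clients.
    ssl_certificate     /etc/nginx/ssl/webdirect.example.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/webdirect.example.com/privkey.pem;

    # TLS 1.2 and 1.3 only, forward-secret AEAD suites; let the client pick the order.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # Resume sessions from the shared cache; tickets are off because an unrotated
    # ticket key lets a later key compromise decrypt earlier sessions.
    ssl_session_cache shared:SSL:20m;
    ssl_session_timeout 10m;
    ssl_session_tickets off;

    # OCSP stapling: chain.pem holds the CA certificates used to verify the stapled response,
    # and a resolver is needed to look up the OCSP responder hostname.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/ssl/webdirect.example.com/chain.pem;
    resolver 192.0.2.53 valid=300s;

    # Enable only once every client is expected to use HTTPS permanently.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://10.0.0.10;

        # Headers WebDirect needs to reconstruct the public URL and the real client address.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Rewrite any Location header WebDirect emits straight to the public HTTPS name,
        # so a redirect never sends the browser through a cleartext hop on port 80.
        proxy_redirect http://10.0.0.10/ https://$host/;

        # WebDirect responds slowly when nginx buffers the response.
        proxy_buffering off;

        # WebSocket upgrade for Vaadin push; a long read timeout keeps idle sessions open.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 3600s;
    }
}
```

Validate with `nginx -t` before reloading; nginx refuses to start if the certificate files or the resolver are missing, which is the intended failure mode for a termination proxy.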

      Failover

      If you have FileMaker Server set up in a failover backup server configuration, you can mirror that in nginx as well. When nginx detects that the primary server is inaccessible, it will automatically switch to the backup server. So if the primary FileMaker server goes off-line and the backup FileMaker server kicks in, nginx should follow suit, and client connections will be forwarded to the backup server instead of the primary.

      To do that, add an upstream block to your nginx configuration, above the server block:

      upstream webdirect {
        server <primary-server-ip>;
        server <backup-server-ip> backup;
      }

      And then change your proxy_pass directive to use the 'webdirect' alias:

          proxy_pass http://webdirect;
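The upstream block above relies on nginx's default failure detection (one failed attempt marks a server down for 10 seconds). As an added example, not from the original post, here is the failover pool with those parameters made explicit, together with the proxy directives that decide which upstream errors are retried on the backup. The addresses 10.0.0.10 (primary) and 10.0.0.11 (backup), the hostname and the certificate paths are placeholders.

```nginx
# Added example: WebDirect failover pool with explicit failure detection (not from the original post).
# Placeholders: 10.0.0.10 primary, 10.0.0.11 backup, webdirect.example.com, certificate paths.

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

upstream webdirect {
    # After 3 failed attempts within 30s the primary is considered down for 30s,
    # then nginx probes it again with a live request.
    server 10.0.0.10 max_fails=3 fail_timeout=30s;
    # Receives traffic only while every non-backup server is marked unavailable.
    server 10.0.0.11 backup;
}

server {
    listen 443 ssl;
    server_name webdirect.example.com;

    ssl_certificate     /etc/nginx/ssl/webdirect.example.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/webdirect.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://webdirect;

        # Which upstream outcomes count as a failure and are retried on the next server:
        # connection errors, timeouts, and 502/503/504 from a half-alive primary.
        # Bound the retries so one request cannot cycle through the pool indefinitely.
        proxy_next_upstream error timeout http_502 http_503 http_504;
        proxy_next_upstream_tries 2;
        proxy_connect_timeout 5s;

        # Redirects may name the pool or either member; map all of them to the public name.
        proxy_redirect http://webdirect/  https://$host/;
        proxy_redirect http://10.0.0.10/  https://$host/;
        proxy_redirect http://10.0.0.11/  https://$host/;

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        proxy_buffering off;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_read_timeout 3600s;
    }
}
```

Note that a retry on the backup only helps requests that can safely be repeated; an in-flight WebDirect session on the failed primary is still lost, so the FileMaker-side failover remains the mechanism that restores service, and nginx merely follows it without manual reconfiguration.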

      For more on the nginx proxy module and SSL termination:

      Module ngx_http_proxy_module

      NGINX SSL Termination | NGINX

      https://www.digitalocean.com/community/tutorials/how-to-set-up-nginx-load-balancing-with-ssl-termination

        • 1. Re: WebDirect: SSL termination and failover with nginx reverse proxy
          milefaker

          Wanted to share with you the solution I’m working with, based on your insight:

          Developers requested we enable “Use SSL for database connections”, which left us with a redirect loop, though connections between the SSL terminus and IIS on the webdirect server are over port 80. The redirect loop was caused by the IIS URL Rewrite rule webdirect installed named “https_webd”.

          I modified the https_webd rewrite rule to add a condition

          Input: {REMOTE_ADDR}

          Type: matches the pattern

          Pattern: 11\.11\.11\.11

          where 11.11.11.11 is the IP of the corresponding FM database in the two-machine deployment. This restricts the rewrite rule to apply only to connections from the FM database server, yielding green indicators throughout the admin console, terminating SSL externally, while using SSL for database connections.