HTTP configuration
Encap server HTTP Configuration
Smart device environment requirements
The following internet protocol access needs to be open for use:
Security considerations
To limit exposure of the Encap server to the internet, it is recommended to only proxy the specific sub-paths of the server that are used externally. For the paths and functionality that they support, see the list below.
Load balancing considerations
The Encap server supports running multiple Encap server instances behind a load balancer against the same database. This allows for horizontal scaling if performance is an issue, or to decrease downtime.
The Encap server does not require the load balancer to use any form of sticky sessions. An Apache httpd configuration for this would look something like this:
<Proxy balancer://hacluster>
    BalancerMember https://192.168.0.31:11443 route=ha1
    BalancerMember https://192.168.0.29:11443 route=ha2
</Proxy>
ProxyPass /ha balancer://hacluster/ha
ProxyPassReverse /ha balancer://hacluster/ha
Reverse HTTP Proxy
The Encap server provides a web server that is by default configured to bind on ports 9080 and 9443 for serving HTTP and HTTPS requests respectively. For ease of maintenance and to support clustering and fail-over setups, we recommend that you install a reverse proxy server that connects your customers to the Encap server. Alternatively, you can modify the configuration of the Encap server's web server and connect your customers to it directly, without a reverse proxy in between.
The reverse proxy must forward the HTTP header X-Forwarded-Proto to the Encap server. For more information, see List of HTTP header fields. The Encap server uses this header to determine how to handle forwarded requests.
Apache 2 HTTP configuration for X-Forwarded-Proto
# /etc/apache2/sites-available/default
<VirtualHost *:80>
    :
    # Set X-Forwarded-Proto needed by SAML handling.
    # "set" replaces any X-Forwarded-Proto value sent by the client (requires mod_headers).
    RequestHeader set X-Forwarded-Proto "http"
</VirtualHost>
Apache 2 HTTPS configuration for X-Forwarded-Proto
# /etc/apache2/sites-available/default-ssl
<IfModule mod_ssl.c>
    <VirtualHost _default_:443>
        :
        # Set X-Forwarded-Proto needed by SAML handling.
        # "set" replaces any X-Forwarded-Proto value sent by the client (requires mod_headers).
        RequestHeader set X-Forwarded-Proto "https"
    </VirtualHost>
</IfModule>
Forward proxy support for Firebase FCM and Apple APNS push messages
The Encap server supports proxying push messages for FCM and Apple APNS when setting the following parameters in encap-cluster.properties:
FCM
server.fcmProxyServer.host
server.fcmProxyServer.port
server.fcmProxyServer.proxyType
APNS
server.apnsProxyServer.host
server.apnsProxyServer.port
See parameter table for full description of valid parameter values: Core cluster configurations.
Example proxy config with Apache 2
To enable Apache2 as forward proxy, you need the following mods enabled:
proxy, proxy_http, rewrite, deflate, headers, proxy_connect, proxy_html
The following config is an example of how the Apache2 server can be set for forward proxying on port 8889:
Example: httpd.conf
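# Virtual host for the forward proxy port, with its own log files
<VirtualHost *:8889>
    ErrorLog ${APACHE_LOG_DIR}/error_forward_proxy.log
    CustomLog ${APACHE_LOG_DIR}/access_forward_proxy.log combined
</VirtualHost>
<IfModule mod_proxy.c>
    # Enable forward proxying
    ProxyRequests On
    # This example defines no access restrictions for proxy clients
    <Proxy *>
    </Proxy>
</IfModule>
<IfModule mod_proxy.c>
    # Accept connections on the forward proxy port
    Listen 8889
</IfModule>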
The proxy server needs to support CONNECT. The proxy_connect mod is necessary for supporting CONNECT in Apache2.
For further information, see section 5.2 in document HTTP Upgrade to TLS.
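An access-restricted variant of the forward proxy configuration above, as an added example that is not part of the Encap documentation. The <Proxy *> block in the example above is empty, so it places no limit on who may use the proxy; this variant limits use to the Encap server host and limits CONNECT tunnels to one port. The address 192.0.2.10 is a constructed placeholder for the Encap server host, and port 443 is an assumed destination port for the push services.

```apache
# Added example, not from the Encap documentation.
# Requires the proxy, proxy_http and proxy_connect modules.

# Listen is only valid at server level, so it stays outside the virtual host.
Listen 8889

<VirtualHost *:8889>
    # Forward proxying is enabled for this virtual host only.
    ProxyRequests On

    # Only the Encap server host may use the proxy.
    # 192.0.2.10 is a placeholder (documentation address range);
    # replace it with the address of your Encap server instance(s).
    <Proxy "*">
        Require ip 192.0.2.10
    </Proxy>

    # Permit CONNECT tunnels to port 443 only (assumed port for the
    # push service endpoints). Add a port here only if the push
    # service you use requires it.
    AllowCONNECT 443

    # Separate logs make unexpected proxy clients or destinations
    # easy to spot during review.
    ErrorLog ${APACHE_LOG_DIR}/error_forward_proxy.log
    CustomLog ${APACHE_LOG_DIR}/access_forward_proxy.log combined
</VirtualHost>
```

With this configuration, proxy requests from any other source address and CONNECT requests to any other port are refused, and the refusals appear in access_forward_proxy.log.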