Run Acrolinx Behind a Reverse Proxy
We recommend setting up a dedicated reverse proxy for your Acrolinx Core Platform as a standard security measure. This reverse proxy should be on the same computer as the Core Platform, so that the unencrypted hop between the proxy and the Core Platform never leaves the loopback interface.
A reverse proxy doesn't just terminate TLS for traffic to your Core Platform; it also lets you run the Core Platform with less privilege. On Linux, for example, binding the default web ports 80 and 443 requires superuser permissions, but you don't want the Core Platform itself to run as root. With a reverse proxy, you can create a dedicated Acrolinx Core Platform user with restricted permissions, let the Core Platform listen on an unprivileged port, and let only the reverse proxy bind ports 80 and 443.
In this article, you'll learn how to set up a reverse proxy for Acrolinx. We use NGINX at Acrolinx, so we've included an NGINX configuration example to show you how we do it. If you're just configuring the proxy for Acrolinx, you can use our example as a template – especially if you're on Standard Stack it should work as is. You can of course use other reverse proxy software if you prefer.
Configuring Your Reverse Proxy
To run your Core Platform behind a reverse proxy, you'll need the following configuration:
- Your proxy server is secured with a TLS certificate issued by a certificate authority that your clients trust. Acrolinx doesn't support self-signed certificates.
- Your proxy server has Transport Layer Security (TLS) termination enabled: the proxy handles HTTPS and forwards plain HTTP to the Core Platform on the local host.
- Your proxy server adds forwarding information, so that the Core Platform knows the host name and scheme the client actually used. The following headers are supported:
  - Forwarded, as defined by RFC 7239
  - X-Forwarded-Host and X-Forwarded-Proto
- The proxy timeout limit (proxy_read_timeout in NGINX) is set to at least 360 seconds. Checks on large documents can take longer than a default proxy timeout.
- The proxy server is configured so that the Acrolinx Core Platform has a dedicated domain name.
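The requirement list is easy to verify by eye once, but not every time the proxy configuration changes. The following checker is an added example, not Acrolinx's code or NGINX's: it parses an NGINX server block and reports each requirement as pass or fail. Both configurations embedded in it are constructed for the example (they follow the pattern of the NGINX example on this page), and acrolinx.example.com is an assumed host name. The "no legacy TLS" and "upstream on loopback" checks go slightly beyond the list: they encode the TLS-termination and same-host recommendations from this page.

```python
"""Check an NGINX reverse-proxy config against the requirement list above.
Added example, not Acrolinx code: parse() reads NGINX's directive/block syntax
(enough for server/location blocks) and check() turns each requirement into a
pass/fail test. Both configs are constructed; acrolinx.example.com is assumed."""
import re

SAMPLE_CONFIG = """
server {
    listen 80 default_server;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl;
    server_name acrolinx.example.com;        # dedicated name, no subdirectory
    ssl_certificate /etc/ssl/certs/cert.crt;
    ssl_certificate_key /etc/ssl/private/cert.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:8031;
        proxy_read_timeout 900s;
    }
}
"""
# Same layout with the mistakes the checker is meant to catch.
WEAK_CONFIG = """
server {
    listen 443 ssl;
    server_name _;                           # catch-all, not a dedicated name
    ssl_certificate /etc/ssl/certs/cert.crt;
    ssl_certificate_key /etc/ssl/private/cert.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;     # legacy protocols enabled
    location / {
        proxy_set_header Host $host;         # no X-Forwarded-Proto
        proxy_pass http://10.0.0.5:8031;     # upstream over the network, not loopback
    }                                        # no proxy_read_timeout: NGINX defaults to 60s
}
"""

def parse(text):
    """Return (name, args, children) triples; children is None for a simple
    directive and a list for a {...} block. Comments are stripped first."""
    tokens = re.findall(r"\"[^\"]*\"|'[^']*'|[{};]|[^\s{};]+", re.sub(r"#[^\n]*", "", text))
    pos = 0

    def block():
        nonlocal pos
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            name, pos = tokens[pos], pos + 1
            args = []
            while tokens[pos] not in ("{", ";"):
                args.append(tokens[pos])
                pos += 1
            if tokens[pos] == "{":
                pos += 1
                items.append((name, args, block()))
            else:
                items.append((name, args, None))
            pos += 1  # step over the ';' or '}' that ended this item
        return items
    return block()

def find(items, name):
    """Yield the argument list of every `name` directive, recursing into blocks."""
    for n, args, children in items:
        if n == name:
            yield args
        if children:
            yield from find(children, name)

def seconds(value):
    """Convert an NGINX time value ('900s', '15m', '360') to seconds."""
    m = re.fullmatch(r"(\d+)(ms|s|m|h|d)?", value)
    if not m:
        raise ValueError(f"unsupported time value: {value}")
    return int(m[1]) * {"ms": 0.001, "s": 1, "m": 60, "h": 3600, "d": 86400}[m[2] or "s"]

LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
LOOPBACK = re.compile(r"https?://(127\.0\.0\.1|localhost|\[::1\])(:\d+)?/?$")

def check(config_text, min_timeout=360):
    """Return {requirement: bool} for the ssl server block(s). proxy_set_header lines
    are gathered from a server and all its locations (NGINX inherits them unless a
    location sets its own, which this checker doesn't model)."""
    servers = [c for n, _, c in parse(config_text) if n == "server" and c is not None]
    tls = [s for s in servers if any("ssl" in a for a in find(s, "listen"))]
    plain = [s for s in servers if not any("ssl" in a for a in find(s, "listen"))]

    def args(name):
        return [a for s in tls for a in find(s, name) if a]

    headers = {a[0].lower() for a in args("proxy_set_header")}
    names = {n for a in args("server_name") for n in a}
    timeouts = [seconds(a[0]) for a in args("proxy_read_timeout")] or [60]  # NGINX default is 60s
    return {
        "tls_termination": bool(tls and args("ssl_certificate") and args("ssl_certificate_key")),
        "no_legacy_tls": not ({p for a in args("ssl_protocols") for p in a} & LEGACY),
        "forwarding_headers": "forwarded" in headers or ("x-forwarded-proto" in headers
                              and ("host" in headers or "x-forwarded-host" in headers)),
        "timeout_ok": min(timeouts) >= min_timeout,
        "dedicated_server_name": bool(names) and "_" not in names,
        "upstream_on_loopback": bool(args("proxy_pass")) and all(LOOPBACK.match(a[0]) for a in args("proxy_pass")),
        "http_redirects_to_https": any(len(a) > 1 and a[0] == "301" and a[1].startswith("https://")
                                       for s in plain for a in find(s, "return")),
    }

if __name__ == "__main__":
    for label, cfg in (("sample", SAMPLE_CONFIG), ("weak", WEAK_CONFIG)):
        failed = [k for k, ok in check(cfg).items() if not ok]
        print(label, "meets all requirements" if not failed else "fails: " + ", ".join(failed))
```

Run it against your own file with `check(open("/etc/nginx/conf.d/acrolinx.conf").read())`. The parser is deliberately minimal (no `include`, no `map` blocks); for a production NGINX with several virtual hosts, run it on the Acrolinx server block only.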
Example Configuration with NGINX
Below you can see an example configuration for an NGINX reverse proxy. This is the configuration that we use at Acrolinx, and we know it works for Standard Stack installations. If you have a different setup, you can still use this example as a template, but you should adapt it to your specific environment and needs. For the full details on how to set up a reverse proxy with NGINX, take a look at NGINX's own documentation on reverse proxy configuration and TLS termination.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    # Plain HTTP only redirects to HTTPS; nothing is proxied over port 80
    return 301 https://$host$request_uri;
}

server {
    listen 443 default_server ssl;
    listen [::]:443 default_server ssl;
    server_name _;

    ssl_certificate /etc/ssl/certs/cert.crt;        # Your TLS cert goes here
    ssl_certificate_key /etc/ssl/private/cert.key;  # Your TLS key goes here
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2;  # Add TLSv1.1 here only if required for older versions of Java
    ssl_prefer_server_ciphers On;
    ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';

    location / {
        client_max_body_size 0;                      # No request size limit, so large documents can be checked
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;  # Tells the Core Platform the client used HTTPS
        proxy_set_header Host $host;                 # Forwards the original host name
        proxy_pass http://127.0.0.1:8031;            # Core Platform on the loopback interface
        proxy_read_timeout 900s;                     # Acrolinx requires at least 360s
    }
}

If your proxy is serving more than just Acrolinx, make sure you configure server_name so that Acrolinx has a dedicated domain name with no subdirectories. Some Acrolinx components assume that Acrolinx is running at the top level of the host address. These components won't work if the Acrolinx URL includes a subdirectory.

A Tip for SELinux
By default, Red Hat Enterprise Linux runs Security-Enhanced Linux (SELinux) in "Enforcing" mode. In this mode, SELinux restricts the ports that NGINX may connect to. Port 8031 isn't labeled http_port_t by default, so SELinux will block NGINX from connecting to Acrolinx's port (8031) unless you add that label. Labeling the single port is preferable to setting the httpd_can_network_connect boolean, which would let NGINX connect to any port.
To allow Acrolinx's port in SELinux, follow these steps:
- Open a command line as root.
- Run getenforce. This checks the mode that SELinux is running in. If it returns "Disabled" or "Permissive", you don't have to do anything. If it returns "Enforcing", continue to the next step.
- Run semanage port -l | egrep '(^http_port_t|8031)'. This lists the ports that NGINX is currently allowed to connect to. (If semanage isn't installed, it comes from the policycoreutils-python-utils package on RHEL 8 and later.) Example output:
  http_port_t tcp 80, 81, 443, 488, 8008, 8009, 8443, 9000
  If you don't see port 8031 in the output, continue to the next step.
- Run semanage port -a -t http_port_t -p tcp 8031. This adds port 8031 to the http_port_t security context. To make sure port 8031 was added successfully, run semanage port -l | egrep '(^http_port_t|8031)' again. Example output:
  http_port_t tcp 8031, 80, 81, 443, 488, 8008, 8009, 8443, 9000
- Restart NGINX.
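The SELinux steps above, as an idempotent script you can keep in configuration management. This is an added example and not Acrolinx's own tooling: it runs the same getenforce and semanage commands the steps use (so it must run as root on the RHEL host), decides whether the port label is needed, and adds it only then. The semanage output embedded below is constructed for the example so that the parsing can be exercised offline.

```python
"""Idempotent version of the SELinux steps above: read the mode, check whether
the Core Platform port already carries http_port_t, and add the label only
if needed. Added example, not Acrolinx code; runs as root on the RHEL host."""
import subprocess

ACROLINX_PORT = 8031  # the Core Platform port this page refers to

# Constructed sample of `semanage port -l` output, trimmed to a few lines.
SAMPLE_SEMANAGE = """\
SELinux Port Type               Proto    Port Number

http_cache_port_t              tcp      8080, 8118, 8123, 10001-10010
http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000
http_port_t                    udp      443
"""

def labeled_ports(semanage_output, context="http_port_t", proto="tcp"):
    """Return the set of ports carrying `context` for `proto` in `semanage port -l`
    output. Ranges such as 10001-10010 are expanded."""
    ports = set()
    for line in semanage_output.splitlines():
        fields = line.split(None, 2)  # type, proto, comma-separated port list
        if len(fields) < 3 or fields[0] != context or fields[1] != proto:
            continue
        for item in fields[2].split(","):
            lo, _, hi = item.strip().partition("-")
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def needs_label(mode, semanage_output, port=ACROLINX_PORT):
    """True only when SELinux is Enforcing (Permissive logs but doesn't block)
    and the port isn't already labeled http_port_t."""
    return mode.strip() == "Enforcing" and port not in labeled_ports(semanage_output)

def run(*argv):
    """Run a command as a subprocess and return its stdout; raises on failure."""
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout

def ensure_acrolinx_port(port=ACROLINX_PORT):
    """Apply the steps on the live system. Returns True if the label was added.
    Note: `semanage port -a` fails if the port already has a different label;
    in that case you'd use `semanage port -m` after checking what it is."""
    if not needs_label(run("getenforce"), run("semanage", "port", "-l"), port):
        return False
    run("semanage", "port", "-a", "-t", "http_port_t", "-p", "tcp", str(port))
    run("systemctl", "restart", "nginx")  # the last step on this page
    return True

if __name__ == "__main__":
    print("label added, NGINX restarted" if ensure_acrolinx_port() else "nothing to do")
```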
Acrolinx Platform Configurations
As a final step, you need to configure two properties on your Acrolinx Platform:
- externalBaseUrl: The external base URL of your Acrolinx core server, that is, the URL clients use to reach the proxy. This is so that certain resources like term help pages use the URL from NGINX rather than the internal address.
- endpointListenHost: The restricted address that your core server listens on. If you don't set this, the core server keeps listening on all interfaces, and anyone who can reach port 8031 on the host can bypass the proxy and talk to the unsecured core server directly.

To configure your Acrolinx Platform to run behind a reverse proxy, follow these steps:
- Open coreserver.properties. To edit coreserver.properties from the Dashboard, go to Maintenance > Configuration Properties, then follow the folder structure config > server > bin and click on the file coreserver.properties. You can then edit the properties directly from the Dashboard. If you're a Standard Stack user, you can edit coreserver.properties from the configuration directory: %ACROLINX_CONFIGURATION_ROOT%\server\bin\coreserver.properties
- Add the following properties:
  externalBaseUrl=<PROXY_SERVER_ADDRESS>
  endpointListenHost = localhost
  Example:
  externalBaseUrl=https://acrolinxhost/
  endpointListenHost = localhost
- Save your changes and restart the core server. After the restart, verify from another machine that port 8031 is no longer reachable; only the proxy on the same host should be able to connect to it.

Important
For externalBaseUrl, enter a base URL only. Don't enter a base URL with a subdirectory such as http://demo-inc.com/acrolinx/. Some Acrolinx components assume that Acrolinx is running at the top level of the host address. These components won't work if the internal base URL is redirected to a subdirectory of the external base URL.
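To catch the two mistakes this section warns about (a subdirectory in externalBaseUrl, and a missing endpointListenHost) before restarting the core server, here is an added example checker; it isn't Acrolinx's code. It reads the Java .properties format that coreserver.properties uses and applies the rules from this page, plus one assumption of mine: because TLS terminates at the proxy, externalBaseUrl should use https. The file contents embedded in it are constructed; acrolinxhost and demo-inc.com are the placeholder names from this page. The last function is a live check for the open-port problem and needs a real host to talk to.

```python
"""Validate the coreserver.properties settings from the steps above.
Added example, not Acrolinx code. Assumes https for externalBaseUrl because
TLS terminates at the proxy; the sample file contents are constructed."""
import re
import socket
from urllib.parse import urlsplit

GOOD = """# constructed: what the steps above produce
externalBaseUrl=https://acrolinxhost/
endpointListenHost = localhost
"""
BAD = """# constructed: the subdirectory mistake the page warns about, and no endpointListenHost
externalBaseUrl=http://demo-inc.com/acrolinx/
"""
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
LINE = re.compile(r"^([^=:\s]+)\s*[=:]?\s*(.*)$")  # key=value, key = value, key:value, bare key

def parse_properties(text):
    """Minimal Java .properties reader; '#' and '!' start comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = LINE.match(line)
        if m:
            props[m[1]] = m[2].strip()
    return props

def check_properties(props):
    """Return a list of findings; an empty list means the file matches this page."""
    findings = []
    url = props.get("externalBaseUrl")
    if not url:
        findings.append("externalBaseUrl is missing")
    else:
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(f"externalBaseUrl should use https (TLS terminates at the proxy), got {parts.scheme or 'no scheme'}")
        if not parts.netloc:
            findings.append("externalBaseUrl is not an absolute URL")
        if parts.path not in ("", "/") or parts.query or parts.fragment:
            findings.append(f"externalBaseUrl must be a base URL with no subdirectory, got path {parts.path!r}")
    host = props.get("endpointListenHost")
    if host is None:
        findings.append("endpointListenHost is not set: port 8031 stays reachable from the network, bypassing the proxy")
    elif host not in LOOPBACK:
        findings.append(f"endpointListenHost is {host!r}, not a loopback address")
    return findings

def port_reachable(host, port=8031, timeout=2.0):
    """Live check to run from another machine after the restart: True means the
    core server port is still exposed and endpointListenHost isn't in effect."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    for label, text in (("good", GOOD), ("bad", BAD)):
        print(label, check_properties(parse_properties(text)) or "OK")
```

Point `parse_properties` at the real file (`open(path).read()`) to check an existing installation, and call `port_reachable("acrolinxhost")` from a machine other than the proxy host; a True result after the restart means the core server is still listening on all interfaces.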