Web Server Configuration

HTTP Access Models

There are 2 HTTP access models:
  • Basic: The vovserver serves content directly to web browser clients. All traffic is transmitted over plain HTTP and is not encrypted.
  • Advanced: The vovserver serves content to a proxy web server (nginx), which communicates with web browser clients. Under this model, SSL can be enabled, securing all traffic using the HTTPS protocol. The nginx server securely handles all incoming traffic, decrypting it before handing it off to the locally running vovserver. Likewise, any response that is sent back to the browser is routed through nginx, which encrypts the response and sends it to the browser. This implementation is known as an SSL termination proxy.

    The use of nginx also provides a static port for the web UI in the event of a quick restart or failover of the vovserver on the same host when the main port is specified as a port list or as any.

Guest Access Port

The vovserver can be configured to enable a guest-access port, also called the read-only port because of the limited privileges it allows. This port bypasses the login prompt and gives the user the READONLY security principal, which disallows access to writable actions as well as certain pages in the UI.

To specify the guest access port at product start, refer to the product-specific documentation for startup. To change the port in an already-running product instance, follow the steps in Advanced Control of the Product Ports.

Advanced Model (nginx)

The nginx web server is enabled when the web port is configured with a non-zero value. To specify the web port at product start, refer to the product-specific documentation for startup. To change the port in an already-running product instance or to enable SSL support (HTTPS), follow the steps in Advanced Control of the Product Ports.

When SSL is enabled, nginx will look for an SSL certificate/key pair in the following locations:

Order  Type                                            Path               Files
1.     Site-wide wildcard                              $VOVDIR/local/ssl  wildcard-crt.pem, wildcard-key.pem
2.     Host-specific                                   $SWD/config/ssl    hostname-crt.pem, hostname-key.pem
3.     Host-specific (auto-generated and self-signed)  $SWD/config/ssl    hostname-self-crt.pem, hostname-self-key.pem

Note:
  • For hostname, use the actual host name that will be used to access the web UI. This will be the value of VOV_HOST_HTTP_NAME that was set in the configuration. If not defined, the value of VOV_HOST_NAME is used instead.

    To use the fully qualified domain name, the value of VOV_HOST_HTTP_NAME must be set.

  • Self-signed certificates will present security warnings in most browsers.
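
The search order and hostname rule above can be checked before enabling SSL with a small resolver. This is an added example, not vendor code; the function names are hypothetical, it assumes a location is used only when both the certificate and key file exist there, and the key-permission test is an extra hardening check the documentation does not describe.

```shell
#!/bin/sh
# Added example, not vendor code. Assumption: a location is used only when
# both the -crt.pem and -key.pem files exist there.

# Hostname rule from the Note: VOV_HOST_HTTP_NAME, else VOV_HOST_NAME.
ssl_hostname() {
    printf '%s\n' "${VOV_HOST_HTTP_NAME:-$VOV_HOST_NAME}"
}

# Print "<type><TAB><crt><TAB><key>" for the first complete pair in the
# documented order; return 1 when no location holds a complete pair.
resolve_ssl_pair() {
    host=$(ssl_hostname)
    for entry in \
        "wildcard:$VOVDIR/local/ssl/wildcard" \
        "host:$SWD/config/ssl/$host" \
        "self-signed:$SWD/config/ssl/$host-self"
    do
        kind=${entry%%:*}
        base=${entry#*:}
        if [ -f "$base-crt.pem" ] && [ -f "$base-key.pem" ]; then
            printf '%s\t%s\t%s\n' "$kind" "$base-crt.pem" "$base-key.pem"
            return 0
        fi
    done
    return 1
}

# Report findings for the selected pair; return 0 only when it is clean.
# The key-permission test is an added hardening check, not from the docs.
audit_ssl_pair() {
    pair=$(resolve_ssl_pair) || { echo "FAIL: no certificate/key pair found"; return 2; }
    kind=$(printf '%s\n' "$pair" | cut -f1)
    key=$(printf '%s\n' "$pair" | cut -f3)
    findings=0
    echo "selected: $kind ($key)"
    if [ "$kind" = "self-signed" ]; then
        echo "WARN: self-signed fallback in use; browsers will show warnings"
        findings=1
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    if [ "$(ls -ld "$key" | cut -c5-10)" != "------" ]; then
        echo "WARN: private key is accessible to group or other users"
        findings=1
    fi
    return $findings
}
```

Source the file in a shell where VOVDIR, SWD and the host name variables are set, then call audit_ssl_pair; a host-specific certificate whose key file is missing shows up as a fall-through to the self-signed pair.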

For experts only, advanced customizations to the nginx configuration can be made by modifying its configuration template. Configuration templates are searched for in the following locations:

Order  Type                                         Path
1.     Instance-specific                            $SWD/vovnginxd/conf/nginx.conf.template
2.     Site-wide                                    $VOVDIR/local/config/vovnginxd/nginx.conf.template
3.     Installation-specific (edits not recommended)  $VOVDIR/etc/config/vovnginxd/nginx.conf.template

If customizations are intended, it is recommended to start with a copy of the default configuration template shown at location 3 above and place it in either location 1 or 2.

Note:
  • The configuration template is copied into the nginx configuration directory located at $SWD/vovnginxd/conf, named as nginx.conf. The copy is made upon product start, as well as any time the web port or SSL configuration is changed.
  • Changes to the actual configuration file can be read into nginx via the vovdaemonmgr reread vovnginxd command, but such changes will be overwritten the next time the configuration template is copied.
  • The configuration template contains keywords surrounded by @ signs, such as @WEBPORT@, that are dynamically substituted with values during the copy process. Removal of these keywords is not recommended, as it may affect the ability of nginx to be reconfigured in the event of a vovserver failover.