Web Server Configuration
HTTP Access Models
- Legacy
- Internal/External
- Nginx
Legacy Webserver
The Legacy webserver is the basic web server that is internal to vovserver and serves content directly to web browser clients.
All traffic is transmitted using the HTTP protocol and is unsecured. This method is appropriate for REST versions up to version 2.0.
webport=0, or webport != 0 and webprovider=nginx
Internal Webserver
The Internal webserver is an enhanced web server that is internal to vovserver, for secure pages and all REST versions.
webport != 0 and webprovider=internal
To specify the web port at product start, refer to the product-specific documentation for startup. To change the port in an already-running product instance, see Advanced Control of the Product Ports. To enable SSL support (HTTPS), follow the steps in Configure the TLS/SSL Protocol.
You get REST v3 API support from this webserver, and we still transparently delegate some HTTP requests to the old web server on the VOV port.
The Internal server securely handles all incoming traffic, decrypting it before handing it off to the locally running vovserver. Likewise, any response that is sent back to the browser is routed through the Internal webserver, which encrypts the response and sends it to the browser. This implementation is known as an SSL termination proxy.
nginx Webserver
The vovserver serves content to a proxy webserver (nginx), which communicates to web browser clients. Under this model, SSL can be enabled, securing all traffic using the HTTPS protocol.
The nginx web server is enabled when the web port is configured with a non-zero value. To specify the web port at product start, refer to the product-specific documentation for startup. To change the port in an already-running product instance, see Advanced Control of the Product Ports. To enable SSL support (HTTPS), follow the steps in Configure the TLS/SSL Protocol.
For experts only, advanced customizations to the nginx configuration can be made by modifying its configuration template. Configuration templates are searched for in the following locations:
Order | Type | Path |
---|---|---|
1. | Instance-specific | $SWD/vovnginxd/conf/nginx.conf.template |
2. | Site-wide | $VOVDIR/local/config/vovnginxd/nginx.conf.template |
3. | Installation-specific (edits not recommended) | $VOVDIR/etc/config/vovnginxd/nginx.conf.template |
- The configuration template is copied into the nginx configuration directory located at $SWD/vovnginxd/conf, named as nginx.conf. The copy is made upon product start, as well as any time the web port or SSL configuration is changed.
- Changes to the actual configuration file can be read into nginx via the vovdaemonmgr reread vovnginxd command, but such changes will be overwritten the next time the configuration template is copied.
- The configuration template contains keywords surrounded by @ signs, such as @WEBPORT@, that are dynamically substituted with values during the copy process. Removal of these keywords is not recommended, as it may affect the ability for nginx to be reconfigured in the event of a vovserver failover.
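The following added example (not part of the product or its documentation) resolves which template takes effect under the search order above and lists substitution keywords that the shipped template has but an override has lost. It assumes keywords look like `@NAME@` in upper case, as `@WEBPORT@` does; the function names are hypothetical.

```shell
# Added example, not product code.
# Print the first template found in the documented search order.
# Args: $1 = SWD, $2 = VOVDIR. Returns 1 if none exists.
find_nginx_template() {
    for _t in \
        "$1/vovnginxd/conf/nginx.conf.template" \
        "$2/local/config/vovnginxd/nginx.conf.template" \
        "$2/etc/config/vovnginxd/nginx.conf.template"
    do
        if [ -f "$_t" ]; then
            printf '%s\n' "$_t"
            return 0
        fi
    done
    return 1
}

# Print each keyword present in the installation template but absent from the
# effective one. Returns 0 if nothing is missing, 1 if something is,
# 2 if a template file cannot be found.
# Assumption: keywords match @[A-Z0-9_]+@ (only @WEBPORT@ is named on the page).
missing_template_keywords() {
    _eff=$(find_nginx_template "$1" "$2") || return 2
    _ref="$2/etc/config/vovnginxd/nginx.conf.template"
    [ -f "$_ref" ] || return 2
    _rc=0
    for _kw in $(grep -o '@[A-Z0-9_][A-Z0-9_]*@' "$_ref" | sort -u); do
        grep -q -F -- "$_kw" "$_eff" || { printf '%s\n' "$_kw"; _rc=1; }
    done
    return $_rc
}
```

Run `missing_template_keywords "$SWD" "$VOVDIR"` after editing an instance-specific or site-wide template and before the next product start or port change.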
Configure the TLS/SSL Protocol
The internal and nginx webservers support TLS/SSL Protocol communication via "https"-prefixed URLs when configured correctly.
The vovserver serves content to a proxy webserver (nginx), which communicates to web browser clients. Under this model, SSL can be enabled, securing all traffic using the HTTPS protocol.
When SSL is enabled, nginx will look for an SSL certificate/key pair in the following locations:
Order | Type | Path | Files |
---|---|---|---|
1. | Site-wide wildcard | $VOVDIR/local/ssl | wildcard-crt.pem wildcard-key.pem |
2. | Host-specific | $SWD/config/ssl | hostname-crt.pem hostname-key.pem |
3. | Host-specific (auto-generated and self-signed) | $SWD/config/ssl | hostname-self-crt.pem hostname-self-key.pem |
- For hostname, use the actual host name that will be used to access the web UI. This will be the value of VOV_HOST_HTTP_NAME that was set in the configuration. If not defined, the value of VOV_HOST_NAME is used instead. To use the fully qualified domain name, the value of VOV_HOST_HTTP_NAME must be set.
- Self-signed certificates will present security warnings in most browsers.
Updating the TLS/SSL cert requires restarting the webserver so that the cert files can be re-read. For the internal webserver, see "Restarting the Webserver" below.
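The following added example (not part of the product or its documentation) applies the lookup order and host name rule above to report which certificate/key pair would be selected, and flags the self-signed fallback and an over-readable private key. It assumes a pair counts only when both files exist; the function names and the permission check are additions, not documented product behaviour.

```shell
# Added example, not product code. Assumption: a pair counts only when both
# its certificate and its key file exist.

# Print "<type>|<cert>|<key>" for the first complete pair in the documented
# order; return 1 if there is none. Args: $1 = VOVDIR, $2 = SWD.
resolve_tls_pair() {
    # Host name rule from the page: VOV_HOST_HTTP_NAME, else VOV_HOST_NAME.
    _host=${VOV_HOST_HTTP_NAME:-${VOV_HOST_NAME:-}}
    for _entry in \
        "wildcard|$1/local/ssl/wildcard" \
        "host|$2/config/ssl/$_host" \
        "self-signed|$2/config/ssl/$_host-self"
    do
        _type=${_entry%%|*}
        _base=${_entry#*|}
        if [ -f "$_base-crt.pem" ] && [ -f "$_base-key.pem" ]; then
            printf '%s|%s|%s\n' "$_type" "$_base-crt.pem" "$_base-key.pem"
            return 0
        fi
    done
    return 1
}

# Return 0 if the key file is readable by group or others (added hygiene check).
key_is_exposed() {
    [ -n "$(find "$1" \( -perm -040 -o -perm -004 \) -print 2>/dev/null)" ]
}

# Report the selected pair. Returns 0 if clean, 1 if the key is exposed,
# 2 if no pair is found.
audit_tls_pair() {
    _pair=$(resolve_tls_pair "$1" "$2") || { echo "no certificate/key pair found"; return 2; }
    echo "selected: $_pair"
    case $_pair in
        "self-signed|"*) echo "warning: self-signed fallback, browsers will show warnings" ;;
    esac
    if key_is_exposed "${_pair##*|}"; then
        echo "warning: private key is readable by group or others"
        return 1
    fi
    return 0
}
```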
Guest Access Port
The vovserver can be configured to enable a guest-access port, also called the read-only port due to the limited privileges allowed by the port. This port bypasses the login prompt and provides the user with a READONLY security principal, which disallows access to writable actions as well as certain pages in the UI.
To specify the guest access port at product start, refer to the product-specific documentation for startup. To change the port in an already-running product instance, follow the steps in Advanced Control of the Product Ports.
Transition from nginx Webserver to Internal
To transition from external (nginx) to the internal web server, follow these steps:
- Shut down nginx with the command vovdaemonmgr stop vovnginxd.
- Delay for 5 seconds with the command sleep 5.
- Start the internal web server with vovservermgr config webprovider internal.
Restarting the Webserver
Complete the following steps to restart the webserver without bringing down vovserver.