The Simplifier Server needs a typcial Reverse Proxy as standard setup.
The Reverse Proxy should provide the following services for a secure setup
- SSL Offloading
- Virus / Malware Scanning
- Web Application Firewall
Forwarded Ports:
- 443 (HTTPS)
Port 443
- HTTPS (valid certificate)
- modern, secure TLS configuration (incl. HTTP Strict Transport Security)
- HTTP2 if possible
- Header:
- “Upgrade”: Pass from client (for WebSockets)
- “X-Real-IP”: IP address of the client
- “X-Forwarded-Forwarded-For”: Remote address of the client, or X-Forwarded-For Header of the parent proxy server.
- “X-Forwarded-Proto”: Original protocol of the request (“http” or “https”)
- CORS Headers (see below)
- (Temporary) Redirect from “/” to either AdminUI (“/UserInterface/”) or App of choice (“/appDirect/$appName”)
- Proxy connection/read/send Timeout to high value, e. g. 10 min
- Maximum body size (post, put) to appropriate value, e. g. 20 MB (doesn’t have to be too big, because packets > 20 MB are transferred as single chunks)
- Proxy forwarding to Simplifier AppServer port 8080 (if on another server, must be reachable via firewall)
CORS headers
Cross-Origin Resource Sharing (CORS) is a mechanism that uses additional HTTP headers to allow a user agent to access selected resources from a server located on a different origin (domain) than the currently used Web site. A user agent makes a cross-origin HTTP request when requesting a resource from another domain, protocol, or port than the one from which the current document originates.
The CORS mechanism supports secure cross-domain queries and data transfers between browsers and web servers. Modern browsers use CORS in an API container such as XMLHttpRequest or Fetch to minimize the risks of cross-origin HTTP requests.
For request methods’ POST’,’ GET’,’ PUT’,’ DELETE’:
| Header name | Header value |
| Access-Control-Allow-Origin | * |
| Access-Control-Allow-Credentials | true |
| Access-Control-Allow-Methods | GET, POST, PUT, DELETE, OPTIONS |
| Access-Control-Allow-Headers | DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization,SimplifierToken |
Additionally for request method ‘OPTIONS’:
| Header name | Header value |
| Access-Control-Max-Age | 1728000 |
| Response name | Response code |
| Empty Content | 204, No proxy call required |
The following paths should be configured for routing it back to Simplifier
| Location / Path | Description |
| “^/genToken/$” | The Simplifier Authentification Service based on Tokens |
| “^/assets/(.*)$” | The static assets like images, pdf files, etc for an Application |
| “^/client/(.*)$” | The Client REST API to access business objects, connector or plugins |
| “^/library-managed/(.*)$” | Third-Party Javascript Libraries that need for the HTML5 Applications |
| “^/library-static/(.*)$” | Third-Party Javascript Libraries that need for the HTML5 Applications |
| “^/appDirect/(.*)$” | Hosting Path for the created HTML5 Applications |
| “^/UserInterface/(.*)$” | Admin Backend Interface Application (should only accessible in a secure environment, internal network) |
| “^/authentication/(.*)$” | External Authentication Provider for e.g. oAuth |
| “^/passwordExpired/(.*)$” | Password Reset Page for Admin Interface |
| “^/marketplace/(.*)$” | Simplifier Marketplace |
| “^/develop/(.*)$” | Plugin Interface |
| “^/system-library/(.*)$” | System Libraries like OpenUI5 |