Web Server Configuration

HTTP Access Models

There are 3 HTTP access models:
  • Legacy
  • Internal/External
  • Nginx

Legacy Webserver

The Legacy webserver is the basic web server that is internal to vovserver and serves content directly to web browser clients.

All traffic is transmitted over the HTTP protocol and is unsecured. This method is appropriate for REST versions up to version 2.0.

This is the case when
  • webport=0, or
  • webport != 0 and webprovider=nginx

Internal Webserver

The Internal webserver is an enhanced web server that is internal to vovserver, for secure pages and all REST versions.

The Internal webserver is established when
  • webport != 0 and webprovider=internal

To specify the web port at product start, refer to the product-specific documentation for startup. To change the port in an already-running product instance, see Advanced Control of the Product Ports. To enable SSL support (HTTPS), follow the steps in Configure the TLS/SSL Protocol.

You get REST v3 API support from this webserver, and we still transparently delegate some HTTP requests to the old web server on the VOV port.

The Internal server securely handles all incoming traffic, decrypting it before handing it off to the locally running vovserver. Likewise, any response that is sent back to the browser is routed through the Internal webserver, which encrypts the response and sends it to the browser. This implementation is known as an SSL termination proxy.

nginx Webserver

The vovserver serves content to a proxy webserver (nginx), which communicates to web browser clients. Under this model, SSL can be enabled, securing all traffic using the HTTPS protocol.

The nginx web server is enabled when the web port is configured with a non-zero value. To specify the web port at product start, refer to the product-specific documentation for startup. To change the port in an already-running product instance, see Advanced Control of the Product Ports. To enable SSL support (HTTPS), follow the steps in Configure the TLS/SSL Protocol.

For experts only, advanced customizations to the nginx configuration can be made by modifying its configuration template. Configuration templates are searched for in the following locations:

Order  Type                                           Path
1.     Instance-specific                              $SWD/vovnginxd/conf/nginx.conf.template
2.     Site-wide                                      $VOVDIR/local/config/vovnginxd/nginx.conf.template
3.     Installation-specific (edits not recommended)  $VOVDIR/etc/config/vovnginxd/nginx.conf.template

If customizations are intended, it is recommended to start with a copy of the default configuration template shown at location 3 above and place it in either location 1 or 2.

Note:
  • The configuration template is copied into the nginx configuration directory located at $SWD/vovnginxd/conf, named as nginx.conf. The copy is made upon product start, as well as any time the web port or SSL configuration is changed.
  • Changes to the actual configuration file can be read into nginx via the vovdaemonmgr reread vovnginxd command, but such changes will be overwritten the next time the configuration template is copied.
  • The configuration template contains keywords surrounded by @ signs, such as @WEBPORT@, that are dynamically substituted with values during the copy process. Removal of these keywords is not recommended, as it may affect the ability of nginx to be reconfigured in the event of a vovserver failover.
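
A pre-deployment check for a customized template, as an added example (not part of the product or its documentation): it resolves which template the search order above selects, assuming the first existing file in that order wins, and lists any @KEYWORD@ placeholders that the installation default contains but the selected template has lost. The function names and the uppercase keyword pattern are assumptions.

```sh
#!/bin/sh
# Added example, not shipped with the product. Assumes the first template found
# in the documented order is the one copied to $SWD/vovnginxd/conf/nginx.conf.

DEFAULT_REL=etc/config/vovnginxd/nginx.conf.template

# Print the path of the template that the documented search order selects.
active_template() {  # usage: active_template SWD VOVDIR
    for t in "$1/vovnginxd/conf/nginx.conf.template" \
             "$2/local/config/vovnginxd/nginx.conf.template" \
             "$2/$DEFAULT_REL"; do
        if [ -f "$t" ]; then printf '%s\n' "$t"; return 0; fi
    done
    return 1
}

# Print the sorted, unique @KEYWORD@ placeholders in a file.
# Assumption: keywords are uppercase letters, digits and underscores.
keywords() {
    grep -o '@[A-Z][A-Z0-9_]*@' "$1" | sort -u
}

# Print placeholders present in the default template but absent from the
# selected one. Returns 1 if any are missing, 2 if nothing could be checked.
missing_keywords() {  # usage: missing_keywords SWD VOVDIR
    active=$(active_template "$1" "$2") || { echo "no template found" >&2; return 2; }
    default="$2/$DEFAULT_REL"
    tmp_a=$(mktemp) && tmp_d=$(mktemp) || return 2
    keywords "$active" > "$tmp_a"
    keywords "$default" > "$tmp_d"
    missing=$(comm -13 "$tmp_a" "$tmp_d")   # lines only in the default's set
    rm -f "$tmp_a" "$tmp_d"
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Run against a live instance when both variables are set in the environment.
if [ -n "${SWD:-}" ] && [ -n "${VOVDIR:-}" ]; then
    missing_keywords "$SWD" "$VOVDIR" || echo "keywords above are missing" >&2
fi
```

Running this before product start or a port/SSL change catches a dropped keyword before the template is copied over nginx.conf.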

Configure the TLS/SSL Protocol

The internal and nginx webservers support TLS/SSL Protocol communication via "https"-prefixed URLs when configured correctly.

The vovserver serves content to a proxy webserver (nginx), which communicates to web browser clients. Under this model, SSL can be enabled, securing all traffic using the HTTPS protocol.

When SSL is enabled, nginx will look for an SSL certificate/key pair in the following locations:

Order  Type                                            Path               Files
1.     Site-wide wildcard                              $VOVDIR/local/ssl  wildcard-crt.pem, wildcard-key.pem
2.     Host-specific                                   $SWD/config/ssl    hostname-crt.pem, hostname-key.pem
3.     Host-specific (auto-generated and self-signed)  $SWD/config/ssl    hostname-self-crt.pem, hostname-self-key.pem

Note:
  • For hostname, use the actual host name that will be used to access the web UI. This will be the value of VOV_HOST_HTTP_NAME that was set in the configuration. If not defined, the value of VOV_HOST_NAME is used instead.

    To use the fully qualified domain name, the value of VOV_HOST_HTTP_NAME must be set.

  • Self-signed certificates will present security warnings in most browsers.
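
An audit of which certificate/key pair the search order above selects, as an added example (not part of the product or its documentation): it reports incomplete pairs, notes when the self-signed fallback is what would be served, and fails if the private key is accessible to group or other. The function names, the first-complete-pair-wins rule and the literal "wildcard" prefix are assumptions.

```sh
#!/bin/sh
# Added example, not shipped with the product. Assumes the first location in
# the documented order holding both files wins, that "wildcard" is a literal
# file-name prefix, and that paths contain no spaces.

# Host name used in the file names: VOV_HOST_HTTP_NAME, else VOV_HOST_NAME.
cert_host() {
    printf '%s\n' "${VOV_HOST_HTTP_NAME:-${VOV_HOST_NAME:-}}"
}

# Print "<type> <cert> <key>" for the pair the search order selects.
select_cert_pair() {  # usage: select_cert_pair SWD VOVDIR HOST
    while read -r type base; do
        crt="$base-crt.pem"; key="$base-key.pem"
        if [ -f "$crt" ] && [ -f "$key" ]; then
            printf '%s %s %s\n' "$type" "$crt" "$key"; return 0
        elif [ -f "$crt" ] || [ -f "$key" ]; then
            echo "warning: incomplete pair $base-{crt,key}.pem skipped" >&2
        fi
    done <<EOF
wildcard $2/local/ssl/wildcard
host $1/config/ssl/$3
self-signed $1/config/ssl/$3-self
EOF
    return 1
}

# Succeed only if the key file grants no permission bits to group or other.
key_is_private() {
    [ -z "$(find "$1" \( -perm -040 -o -perm -020 -o -perm -010 \
                         -o -perm -004 -o -perm -002 -o -perm -001 \))" ]
}

# Print the selected pair; non-zero if none is usable or the key is exposed.
audit_tls() {  # usage: audit_tls SWD VOVDIR
    sel=$(select_cert_pair "$1" "$2" "$(cert_host)") ||
        { echo "no complete certificate pair found" >&2; return 2; }
    case $sel in self-signed\ *) echo "note: self-signed fallback" >&2 ;; esac
    printf '%s\n' "$sel"
    key_is_private "${sel##* }" ||
        { echo "key readable beyond owner: ${sel##* }" >&2; return 1; }
}

# Run against a live instance when both variables are set in the environment.
if [ -n "${SWD:-}" ] && [ -n "${VOVDIR:-}" ]; then
    audit_tls "$SWD" "$VOVDIR" || echo "TLS files need attention" >&2
fi
```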

Updating the TLS/SSL cert requires restarting the webserver so that the cert files can be re-read. For the internal webserver, see "Restarting the Webserver" below.

Guest Access Port

The vovserver can be configured to enable a guest-access port, also called the read-only port due to the limited privileges allowed by the port. This port bypasses the login prompt and provides the user with a READONLY security principal, which disallows access to writable actions as well as certain pages in the UI.

To specify the guest access port at product start, refer to the product-specific documentation for startup. To change the port in an already-running product instance, follow the steps in Advanced Control of the Product Ports.

Transition from nginx Webserver to Internal

To transition from external (nginx) to the internal web server, follow these steps:

  1. Shut down nginx with the command vovdaemonmgr stop vovnginxd.
  2. Delay for 5 seconds with the command sleep 5.
  3. Start the internal web server with vovservermgr config webprovider internal.

Restarting the Webserver

Complete the following steps to restart the webserver without bringing down vovserver.

  1. Enter the following:
    vovservermgr config webport 0
  2. Wait five seconds, then enter:
    vovservermgr config webport $VOV_WEB_PORT_NUMBER