SSL Termination¶
SSL Termination explains how Emakin behaves when TLS is terminated by a reverse proxy or load balancer instead of by the application itself.
Emakin can serve SSL directly through host configuration, but it also supports proxy-based SSL termination.
Deployment Model¶
In the documented proxy model:
- the browser connects to the reverse proxy over HTTPS
- the reverse proxy handles SSL/TLS
- the connection from the proxy to Emakin may be HTTP or HTTPS
The preserved documentation also notes that Emakin only trusts loopback proxy addresses by default and requires additional configuration when the reverse proxy uses an external IP.
Forwarded Headers¶
Emakin uses these forwarded headers to understand the original request:
X-Forwarded-Proto¶
Original request scheme (http or https).
X-Forwarded-For¶
Original client IP and proxy chain.
Warning: If this header is missing, audit logs may record the reverse-proxy IP instead of the real client IP.
X-Forwarded-Host¶
Original Host header from the client request.
Enabling Forwarded Headers¶
If the reverse proxy does not use a loopback address, update the configuration.
By Configuration File¶
The preserved example is:
1 2 3 4 5 6 7 8 | |
By Environment Variables¶
The preserved environment-variable example is:
1 2 3 | |
Diagnostics¶
Emakin provides a diagnostics page for inspecting request headers when the application runs in the development environment.
Start in Development Environment¶
Preserved example:
1 2 3 4 | |
Then start web mode:
1 | |
Docker example preserved from the current page:
1 | |
Header Diagnostics Page¶
The documented diagnostics path is:
1 | |
The existing documentation highlights these fields:
- Request Scheme should be
httpsfor SSL-originated requests - Host must identify the correct tenant
- Request RemoteIp represents the client IP when forwarding is configured correctly