Channel: Mendix Forum Questions

On Premise security


Hi


We are setting up an on premise Mendix app for the first time, we have gone through the steps on this link to configure IIS

https://docs.mendix.com/howto50/deploying-mendix-on-microsoft-windows

The site is all working fine but when going through the security checklist

https://docs.mendix.com/howto50/security-checklist-for-your-on-premises-installation

there are 2 points which we are unsure about,

"

Use a HTTP reverse proxy with SSL support

Configure a reverse proxy (e.g. Nginx or IIS or Apache) as close to the application process as possible, that implements SSL on the http connection, so your end users who are using a web browser will connect to the application via the reverse proxy, using a https:// url. Make sure correct certificates matching the url used are in place, either recognized by Certificate Authorities present in modern web browsers, or by an internal Certificate Authority of your company, which has been distributed to the web browsers of all your users.

On the reverse proxy, which acts as SSL termination point, insert the HTTP header ‘X-Forwarded-Scheme’, with a value set to ‘https’ into requests that are sent to the Mendix application. This will communicate to the Mendix Runtime that the end user is using the application over https, and will set the ‘secure’ flag on session cookies. When the secure flag on session cookies is not set, browsers will also send the cookie when trying to connect over a normal http connection. So, when secure is not set on the cookies, also when only implementing a redirect to https on the normal http port, session-cookies will be sent in the clear over the network! The X-Forwarded-Scheme request header has to be inserted at the reverse proxy because it is the only way that the Mendix Runtime will detect the use of https automatically."


The first paragraph seems to be covered by us deploying the site through IIS successfully but I can't find any info about how to insert the X-Forwarded-Scheme header, where should that be done and how can we test to ensure it is working?


The second point on the security checklist we are struggling to understand is

"Let the HTTP reverse proxy serve static content

Highly recommended: Configure the reverse proxy to directly serve static content from the ‘web’ directory on the root location of the application url and the Mendix client system (located in the correct version to be used of the Mendix runtime distribution installed) on /mxclientsystem. The application process itself should only handle dynamic content (like the /xas/ and /ws/ sub-urls)."

Could we have a clearer explanation of what needs to be done and how to do it?


Thanks
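Added example (not from the post above and not from the Mendix documentation): a web.config for the IIS site that covers both checklist items at once. It assumes the IIS site root already points at the app's `web` directory as in the Windows deployment how-to, that URL Rewrite and Application Request Routing (ARR) are installed with proxying enabled, that the site is reached as https://app.example.com, and that the Mendix Runtime listens on http://localhost:8080. The host name, the port and the rule names are placeholders; the only dynamic paths proxied are the /xas/ and /ws/ ones named in the checklist, so any other dynamic path your app uses (file download/upload, deep links) needs the same treatment.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Example web.config for the IIS site whose physical path is the Mendix app's "web" folder.
     Assumptions (placeholders, not values from the post or the Mendix docs):
       public URL      https://app.example.com
       Mendix Runtime  http://localhost:8080
     Requires URL Rewrite + ARR with the ARR proxy enabled at server level. -->
<configuration>
  <system.webServer>
    <rewrite>
      <rules>

        <!-- 1. Anything arriving on plain http is redirected, never proxied.
             Because of this rule, every request that reaches rule 2 came in over https,
             so claiming "https" in X-Forwarded-Scheme there is always truthful. -->
        <rule name="Redirect http to https" stopProcessing="true">
          <match url="(.*)" />
          <conditions>
            <add input="{HTTPS}" pattern="off" ignoreCase="true" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="Permanent" />
        </rule>

        <!-- 2. Only the dynamic endpoints go to the runtime. {R:1} is "xas" or "ws",
             {R:2} the rest of the path, so /xas/foo becomes http://localhost:8080/xas/foo. -->
        <rule name="Proxy dynamic paths to Mendix Runtime" stopProcessing="true">
          <match url="^(xas|ws)/(.*)" />
          <serverVariables>
            <!-- Setting the server variable HTTP_X_FORWARDED_SCHEME makes ARR send the
                 request header "X-Forwarded-Scheme: https" to the runtime. The variable
                 must first be allowed in applicationHost.config (see note below),
                 otherwise IIS rejects this rule with a 500.52 configuration error. -->
            <set name="HTTP_X_FORWARDED_SCHEME" value="https" />
          </serverVariables>
          <action type="Rewrite" url="http://localhost:8080/{R:1}/{R:2}" />
        </rule>

        <!-- 3. No rule for anything else: index.html, the widgets, images and
             /mxclientsystem/... fall through to IIS's own static file handler,
             so the application process never sees those requests. -->
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

Two things the file cannot do by itself. First, `HTTP_X_FORWARDED_SCHEME` has to be whitelisted at server level before a site-level rule may set it: in IIS Manager open URL Rewrite at the server node, choose View Server Variables and add it, or run `%windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/rewrite/allowedServerVariables /+"[name='HTTP_X_FORWARDED_SCHEME']" /commit:apphost`. Second, `/mxclientsystem` is not in the `web` folder, so add a virtual directory named `mxclientsystem` under the site whose physical path is the `runtime\mxclientsystem` folder of the Mendix version the app was built with (path depends on your install location). To check the header part works, log in over https and inspect the session cookie in the browser's developer tools: it should carry the Secure flag, and a request to the plain http port should not carry it at all. To check the static part, stop the Mendix Runtime service and request the app's index page and a file under /mxclientsystem: IIS should still return them, while /xas/ now fails because nothing is listening on port 8080.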
