These configurations are implemented in several layers through different technologies.These solutions have been internally tested.
Some of these configurations require direct manipulation of OutSystems Platform system database tables. Do not manipulate these tables in any other form not described in this document or indicated by OutSystems offical support. Unexpected changes in these tables may result in service disruption.
A - Request Header Manipulation
This occurs at a reverse proxy level. It translates the Internet exposed address into the internal application address.
To the Internet, your application is known and reachable by the address myapp.com. However, it’s served as server.local/myapp by the application server.
There are several different ways to accomplish this task depending on your reverse proxy. Below is an example configuration using a reverse proxy with Apache HTTP Web Server serving an application. For other technologies, please check the appropriate documentation.
< VirtualHost *:80 > ProxyRequests off ProxyPreserveHost off ServerName myapp.com ProxyPass / http://server.local/ ProxyPassReverse / http://server.local/ < / VirtualHost >
B - Referenced Content Exposure
OutSystems applications can reference content outside the application context URL path. An example of this are the resources in RichWidgets. These also need to be exposed by the reverse proxy the same way the main application is.
The image below shows the ‘myapp’ application, and the ‘Richwidgets’ and ‘EPA_Taskbox’ references also exposed.
Depending on the level of URL manipulation, these references may also need the following:
- Rewrite resource’s URL inside the code
- Request Header Manipulation
C - End-to-end SSL and SSL Offloading
When serving secure applications through a reverse proxy, OutSystems supports the following setups:
- End-to-End SSL
Encrypting the communication end-to-end. This can be done by installing an SSL certificate in every OutSystems Platform application server, and also in the reverse proxy. It can be the same certificate if it is multi-server or wildcard.
- SSL Offload
Install an SSL certificate in the reverse proxy. This keeps the traffic unencrypted between the reverse proxy and the internal application servers. It also removes the need to manage certificates in each application server. This technique is called SSL offloading.
In SSL Offload scenarios, two configurations need to be applied.
- All application screens and web flows must have HTTP Security set to ‘None’ in development time.
- Add a custom HTTP header at the reverse proxy level. The header should instruct OutSystems Platform to build the URLs with the HTTPS protocol.
To do so, first create the ‘OutSystems.HubEdition.HTTPtoHTTPSproxyHeader’ parameter in the OutSystems database:
insert into OSSYS_PARAMETER (Name,Val) values (‘OutSystems.HubEdition.HTTPtoHTTPSproxyHeader’,’X-Forwarded-Proto: https’)
Description: It allows you to set a special header that, whenever present, will allow the server to process the request as if it was secure.
Values: ’X-Forwarded-Proto: https’ (You can use a header [checks for presence of the header] or a header: value [checks for presence of the header with a specific value])
- OutSystems services and application server have to be restarted for this setting to apply.
- Configure a rule in the reverse proxy that adds the parameter X-Forwarded-Proto with the above defined value of https. This way OutSystems Platform knows to which traffic needs HTTPS URLs.
- If Apache is being used as a reverse proxy, add the following line to the proxy configuration file:
RequestHeader set X-Forwarded-Proto https
D - Rewrite URLs in resources
Typical reverse proxies only manipulate HTTP headers. They don’t parse web resource code, therefore this code isn’t manipulated. The HTML received by the client will contain absolute URLs based on what OutSystems Platform generates, not considering reverse proxy transformations.
In the example below, the URL for the application is to be changed by adding an extra path “apps” after the request host header. This scenario is used when there is a requirement to serve several applications under a common path.
To implement this requirement, we need to rewrite all URLs in the resources. This must be done in a request post-processing step before it is sent to the client, preferably at the reverse proxy level.
Below is the configuration required on an Apache Web Server to implement this scenario.
This configuration covers both application runtime, development, and console administration (Service Center and LifeTime).
E - Disable content compression
In a reverse proxy scenario where the content requires rewrite, the code cannot be compressed at the application server level.
To disable compression, follow these instructions:
Disable Platform own Ajax compression, first create if it doesn't exist, the ‘OutSystems.HubEdition.CompressHttpAjaxResponse’ parameter in the OutSystems database:
insert into OSSYS_PARAMETER (Name,Val) values (‘OutSystems.HubEdition.CompressHttpAjaxResponse’,’False’)
Description: If set to false, the AJAX responses will not be compressed by Outsystems (if IIS is configured to compress, AJAX responses will be compressed).
Values: True/False Default:True
Application Server Level
- To do so, first create if it doesn't exist, the ‘IIS.SetHttpCompression’ parameter in the OutSystems database:
insert into OSSYS_PARAMETER (Name,Val) values (‘IIS.SetHttpCompression’,’False’)
Description: If set to "False" instructs ConfigurationTool not to enable IIS compression settings.
Values: True/False Default:True
- In IIS Management Console, disable the static and dynamic content compression.
JBoss AS 7.1.1
- In the OutSystems servers, edit the file '/opt/jboss-as-7.1.1.Final/bin/standalone-outsystems.properties'
- Set the 'org.apache.coyote.http11.Http11Protocol.COMPRESSION' to 'off'
- Restart Jboss
- In the OutSystems servers, edit the file '/opt/wildfly-8.2.0.Final/standalone/configuration/standalone-outsystems.xml'
- Comment the following line to look like this:
- Restart wildfly
To learn more about how to set up your OutSystems Platform with a reverse proxy check the OutSystems Platform in Reverse Proxy scenarios guide.