Configure FME Server for SSL using NGINX as a reverse proxy

Liz Sanderson

FME Version

  • FME 2022.0

Introduction

This article provides instructions for setting up FME Server on Windows OS to use the NGINX web server as a reverse proxy. In this case, we want our web URLs to use the default NGINX web server port (80), but we also want requests to be forwarded automatically to FME Server's Web Application Server. This is an example of using a reverse proxy with FME Server. An NGINX reverse proxy also allows easy SSL configuration and the ability to choose ports under 1024 without root permission. HTTPS is configured on the NGINX reverse proxy rather than on the Apache Tomcat web application server.

Please be advised that these instructions were tested using FME Server 2022, NGINX 1.22.0 and OpenSSL v3.0.5 (for SSL certificate) on Windows Server 2022 Datacenter but they should also apply to older versions.

 

Step-by-Step Instructions 

Part 1: Install NGINX server

Download the OS-compatible application (.exe) file from NGINX and run it to install the NGINX server.
Browsing to http://localhost/ or http://<hostname> should result in the following page:

1.png
 

Part 2: Install FME Server

  1. Download the FME Server application (.exe) file from Safe.com and run it to install.
  2. Proceed with the installation steps as appropriate. Ensure that the web application server port is set to 8080, since port 80 is already used by the NGINX server.

2.png

[Optional] Part 3: Configure NGINX reverse proxy without SSL

We are proxying requests to http://localhost, http://localhost:80, http://<hostname> or http://<hostname>:80 (the default HTTP port is 80) so that they are forwarded to the FME Server web service running at http://localhost:8080 (or http://<hostname>:8080) on the same server. Complete the steps in this section only if you are not configuring for HTTPS.

  1. Open the file nginx.conf (for the purpose of this demo, it is located at C:\nginx-1.22.0\conf).
  2. Under the “server” entry listening on port 80, find the “location” entry and add the line below:
    proxy_pass http://<hostname>:<WebApplicationServerPort>/;

4.png

  3. Check the NGINX web server

Go to http://localhost or http://localhost:80 on the server itself, http://<hostname> or http://<hostname>:80. On a new installation, an NGINX landing page will be displayed if the web server is configured correctly.

9.png

  4. Check FME Server Web Application Server

Go to http://localhost:<FME-Web-App-Server-port> on the server itself or http://<hostname>:<FME-Web-App-Server-port>. In this demo, port 8080 was used as FME Web App Server Port. This should redirect to /fmeserver (i.e. the FME Server Web Interface).

10.png

Part 4: Configure NGINX reverse proxy for SSL offloading

 1. Create SSL certificate

For the purpose of this demo we will use a self-signed certificate generated using OpenSSL. However, if you want to enable FME Server for HTTPS in a production environment, you should consider a certificate issued by a certificate authority (CA).

  1. Download the OpenSSL application (.exe) file from SLProWeb, which is recommended by OpenSSLWiki, and install it.
  2. Create an "ssl" folder in the nginx folder (e.g. C:\nginx-1.22.0\ssl).
  3. Open a command prompt, navigate to the bin folder of OpenSSL (by default "C:\Program Files\OpenSSL-Win64\bin") and type in the following command (this will generate your private key file and your certificate):
    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout <full-pathname-to-nginx-conf-folder>\nginx.key -out <full-pathname-to-nginx-conf-folder>\nginx.crt

    For the purpose of this demo: 

    openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout \nginx-1.22.0\ssl\nginx.key -out \nginx-1.22.0\ssl\nginx.crt
    7.png
  4. Fill out the prompts appropriately. The most important input is the request for the Common Name (e.g. server FQDN or YOUR name). You need to enter the domain name that you want to be associated with your server. You can enter the public IP address instead if you do not have a domain name.
  5. Enable Diffie-Hellman key exchange and make sure only the current user (assuming this will be the user running nginx) has permission on the parameter file:
    openssl dhparam -out \nginx-1.22.0\ssl\dhparam.pem 2048
    icacls.exe c:\nginx-1.22.0\ssl\dhparam.pem /reset
    icacls.exe c:\nginx-1.22.0\ssl\dhparam.pem /grant:r "%username%:(r)"
    icacls.exe c:\nginx-1.22.0\ssl\dhparam.pem /inheritance:r

2. Configure NGINX Server for HTTPS

We are proxying the request to https://localhost:443, https://localhost, https://<hostname> or https://<hostname>:443 (default HTTPS port is 443) to redirect to the FME Server web service running at http://localhost:8080 (or http://<hostname>:8080) on the same server.

  1. Download the configuration files attached to this article
  2. Copy the content of the attachment into the nginx "conf" folder and replace the existing nginx.conf file
  3. Update the fmeserver.conf file:
    1. Replace the <HOSTNAME> placeholders with the public hostname of FME Server
    2. Double check paths that reference the FME Server installation directory to make sure they are correct. By default the installation folder is "c:/Program Files/FMEServer/*". (nginx requires these paths to be specified with forward slashes)
  4. Open the server.xml file as administrator. This file is located in <FMEServerDir>\Utilities\tomcat\conf.
  5. Update the proxyPort directive to 443:
    proxyPort="443"
  6. Update the scheme directive to https:
    scheme="https"
  7. Open the following configuration file: <FMEServerDir>\Utilities\tomcat\webapps\fmeserver\WEB-INF\conf\propertiesFile.properties
  8. Update the WEB_SOCKET_SERVER_PORT directive to 443:
    WEB_SOCKET_SERVER_PORT=443
  9. Update the FME Server Web URL to use HTTPS:
    Run a text editor as an administrator and open fmeServerConfig.txt. At the end of the file, under FME SERVER SETTINGS START > Port and Host Assignments, update the FME_SERVER_WEB_URL directive from http to https, and change the port to 443.
  10. Restart FME Server.
  11. Restart the NGINX server. 
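
The reverse-proxy setting from Part 3 and the SSL offloading described in this part, sketched as a minimal NGINX configuration. This is an added example, not the configuration files attached to this article; the hostname fme.example.com is a placeholder, and the paths and port 8080 follow the demo values used above.

```nginx
# Added example, not the article's attached nginx.conf / fmeserver.conf.
# Assumptions: nginx lives in C:/nginx-1.22.0, the FME Server web application
# listens on localhost:8080, and fme.example.com stands in for <HOSTNAME>.
# Both server blocks belong inside the http { } context of nginx.conf.

# Part 3 equivalent (HTTP only), shown for comparison. Logins and data
# travel unencrypted between the browser and the proxy:
# server {
#     listen 80;
#     location / { proxy_pass http://localhost:8080/; }
# }

# Part 4: port 80 no longer serves content, it only redirects to HTTPS.
server {
    listen 80;
    server_name fme.example.com;
    return 301 https://$host$request_uri;
}

# Part 4: TLS is terminated here; Tomcat keeps speaking plain HTTP on 8080.
server {
    listen 443 ssl;
    server_name fme.example.com;

    # Files generated in step 1 (nginx on Windows needs forward slashes).
    # nginx.key was created with -nodes, so it is stored unencrypted:
    # restrict its ACL the same way as dhparam.pem.
    ssl_certificate     C:/nginx-1.22.0/ssl/nginx.crt;
    ssl_certificate_key C:/nginx-1.22.0/ssl/nginx.key;
    ssl_dhparam         C:/nginx-1.22.0/ssl/dhparam.pem;

    # nginx 1.22 still enables TLSv1 and TLSv1.1 by default; allow only
    # current protocol versions.
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://localhost:8080/;
        # Pass the original host, client address and scheme to Tomcat so
        # that logs and generated URLs reflect the proxy, not 127.0.0.1.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Running nginx -t from the NGINX folder checks the syntax before the restart in step 11. The sketch covers only the web interface and does not proxy the WebSocket traffic affected by WEB_SOCKET_SERVER_PORT.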

Part 5: Verify the Configuration

  1. Check the forwarding rules

Since we have configured FME Server for HTTPS and redirect any HTTP requests on port 80 to 443, go to http://localhost/, https://localhost/, http://<hostname> or https://<hostname>:443. This should redirect to /fmeserver (i.e. the FME Server Web Interface).

11.png
 

Part 6: Configure FME Server

Update Service URLs

FME Server's Web User Interface uses various service URLs when submitting requests to each service. These service URLs must be updated to use the hostname of the reverse proxy:

  1. Log in to FME Server under an admin account.
  2. Locate Services under Admin > System Configuration > Network & Email.
  3. Expand the “Services” section.
  4. Click on the “Change All Hosts” button.
  5. Update the hostname for all Service URLs to use the hostname of the reverse proxy.

12.png

This screenshot was taken in FME Server 2021; the interface may be different, but the concepts are the same.

Check workspace processing and publication

  • Confirm that FME Server can run a workspace with Service: Job Submitter

  1. Log in to the FME Server Web User Interface with the administrator account that you created during installation.

  2. Click Run Workspace.

  3. On the Run Workspace page, specify:

a. Repository: Samples
b. Workspace: austinApartments.fmw
c. Service: Job Submitter

  4. Click Run.
  • Similarly, confirm that FME Server can run the workspace with Service: Data Streaming 
  • Confirm that FME Server can run the workspace with Service: Data Download 
  1. On the Run Workspace page, specify:

a. Repository: Samples
b. Workspace: austinDownload.fmw
c. Service: Data Download.

  2. Click Run and, upon job completion, click the “Data Download URL” to download the result. Ensure that the URL uses the reverse proxy hostname.
13.png
 

This screenshot was taken in FME Server 2021.2; the interface may be different, but the concepts are the same.

  • Confirm that you can still publish workspaces from FME Desktop using the URL that contains the reverse proxy hostname.

Appendix 1: NGINX for FME Cloud

For our Platform as a Service (PaaS) product, FME Cloud, our developers took advantage of the capabilities of NGINX as a reverse proxy for FME Server. While it simplifies the configuration of FME Server for SSL, including the web socket server, NGINX brings a couple of other benefits, which are described in more detail in this blog post.

Appendix 2: NGINX for FME Server installation on Linux Ubuntu

To configure FME Server for SSL using NGINX as a reverse proxy when you install FME Server in your own Linux Ubuntu environment, we provide all configuration files for NGINX and the detailed steps on how to configure FME Server and NGINX on Ubuntu 16.04.
The detailed instructions and required files, for Ubuntu 16.04 only, can be downloaded from the following GitHub repository.

 
 


Comments

1 comment

  • Comment author
    mgg_beca

    Hi, can you please update for FME Flow.

    Kind regards,

    Marc
