Indicium configuration
Configuration template (Indicium)
Please remove the parts you don't need before using this template.
You can validate the correctness of your json configuration through this website: https://jsonlint.com/.
{
"Logging": {
"pathFormat": "YourOwnName-{Date}.txt",
"IncludeScopes": false,
"ErrorLog": {
"LogLevel": {
"Default": "Information",
"System": "Information",
"Microsoft": "Debug",
"Indicium": "Warning"
}
}
},
"MetaSourceConnection": {
"Server": "[server]",
"Database": "[iam_database]",
"PoolUserName": "[username]",
"PoolPassword": "[password]"
},
"HideMetaDataDocument": true,
"LoginOptions": {
"AllowLocalAccounts": true,
"AllowPasswordForget": true,
"AllowStaySignedIn": true
},
"SMS": {
"Username": "[Account SID]",
"Password": "[Authorization Token]",
"FromPhoneNumber": "[Provider Phone Number]",
"DefaultTwoFactorTokenTemplate": "Your validation code is {twoFactorToken}.",
"TwoFactorTokenTemplates": {
"NL": "Uw validatiecode is {twoFactorToken}",
"ENG": "Your validation code is {twoFactorToken}."
}
},
"Agent": {
"Enabled": true
},
"Licensing": {
"ScheduleUpdate": true
},
"AllowedOrigins": [
"https://www.mydomain.com",
"https://www.otherdomain.com"
],
"ReverseProxy": {
"Enabled": true,
"TracingEnabled": true,
"AllowedHeaders": [
"XForwardedHost",
"XForwardedProto",
"XForwardedFor",
"All"
],
"CustomHeaders": {
"XForwardedHost": "CUSTOM-FORWARDED-HOST",
"XForwardedProto": "CUSTOM-FORWARDED-PROTO",
"XForwardedFor": "CUSTOM-FORWARDED-FOR"
},
"AllowedHosts": [
"www.example.com",
"*.example.com"
],
"KnownProxies": [
"10.60.0.185"
],
"KnownNetworks": [
"10.60.0.0/16"
],
"ExternalPathBase": "/"
},
"Applications": {
"Preload": [
"itst",
"23",
"does-not-exist"
],
"RemoveUnusedModelAfterHours": 72
}
}
Configuration template (Indicium Basic)
In accordance with our Lifecycle Policy, Indicium Basic has been declared End of Life as of Thinkwise Platform version 2023.2.
Please remove the parts you don't need before using this template.
You can validate the correctness of your json configuration through this website: https://jsonlint.com/.
{
"Logging": {
"IncludeScopes": false,
"LogLevel": {
"Default": "Information",
"System": "Information",
"Microsoft": "Warning",
"Indicium": "Debug"
}
},
"MetaSourceConnection": {
"Server": "[server]",
"Database": "[iam_database]",
"PoolUserName": "[username]",
"PoolPassword": "[password]"
},
"Email": {
"SmtpServer": "[SMTP server address]",
"SmtpPort": 587,
"UseSSL": true,
"SmtpUsername": "[SMTP account username]",
"SmtpPassword": "[SMTP account password]",
"PasswordResetTemplate": {
"FromEmail": "[Sender email address]",
"FromDisplay": "[Sender email display name]",
"Title": "Uw wachtwoordherstelcode",
"Body": "Uw wachtwoordherstelcode is: <b>{resetToken}</b>"
},
"TwoFactorTokenTemplate": {
"FromEmail": "[Sender email address]",
"FromDisplay": "[Sender email display name]",
"Title": "Uw inlogcode",
"Body": "Uw validatiecode om in te loggen is: <b>{twoFactorToken}</b>"
}
},
"SMS": {
"Username": "[Account SID]",
"Password": "[Authorization Token]",
"FromPhoneNumber": "[Provider Phone Number]",
"TwoFactorTokenTemplate": "Uw validatiecode is {twoFactorToken}"
},
"AllowedOrigins": [
"https://www.mydomain.com",
"https://www.otherdomain.com"
]
}
Hide $metadata and OpenAPI specification (Indicium)
It is possible to hide the /$metadata and /openapi endpoints to limit the amount of information exposed by Indicium. Through these endpoints, all available entities for your application and all available operations for every entity can be retrieved, including their (optional) parameters.
Add the following property to the appsettings.json file:
{
"HideMetaDataDocument": true
}
Azure AD authentication (Indicium Basic)
Since Indicium Basic doesn't have a login page, OpenID is not available. However, there is a solution for Azure AD authentication via an Azure SQL Database.
Azure SQL Database allows you to "create contained users mapped to Azure AD identities". In turn, Indicium Basic allows users to sign in with these contained users.
In IAM, the Authentication type for the corresponding user has to be 'External' (menu Authorization > Users > tab Form > tab User). This is the same as how a user is configured for Azure AD authentication via OpenID.
Email configuration on Azure
Sending emails from Azure requires some additional configuration. Azure blocks outbound email messages sent from any service in Azure that doesn't use an authenticated SMTP relay service, to protect Azure data center IP addresses from reputation abuse.
The most common SMTP relay service that is integrated with Microsoft Azure is SendGrid, which is free for up to 25,000 emails per month. The SendGrid SMTP API allows you to send emails using the Thinkwise SMTP connector, but you could also use their Web API with the Thinkwise HTTP connector.
Instructions on how to set up SendGrid in Azure and send emails using SMTP can be found here and here. Please consult the SendGrid documentation for more information.
Amazon SNS support (Indicium)
Amazon Simple Notification Service (Amazon SNS) can be used to call Indicium's standard APIs (for example, tasks, tables, etc.).
Amazon SNS requests use the application/json Content-Type, which makes them compatible with the Indicium APIs.
Amazon SNS authentication (Indicium)
Indicium supports authentication by Amazon SNS. This service can then send notifications to Indicium.
To use Amazon SNS for sending notifications, subscribe to Amazon SNS topics on one or more HTTPS endpoints. To confirm your subscription, navigate to the SubscribeURL, either with the HTTP Connector or manually from the browser.
The endpoint can, for example, be an Indicium Process Flow API endpoint. This way, you can create custom logic to handle the message. Please consult the Amazon documentation for full details on how to subscribe.
Two-factor authentication (2FA)
Indicium supports different kinds of two-factor authentication:
- TOTP
- SMS
The type of two-factor authentication you need can be configured per user in the Intelligent Application Manager.
TOTP two-factor authentication does not require any additional configuration in Indicium.
For Email and SMS two-factor authentication, it is required to configure the email and SMS settings in the appsettings.json file.
Trusted IPs to bypass 2FA
Only when logging in with Microsoft as the OpenID provider (see OpenID) can you set trusted IP ranges to bypass two-factor authentication for on-premise environments. So, when working at the office, users will not be prompted for two-factor authentication.
For more information, see the Microsoft documentation on Trusted IPs.
Email 2FA
Deprecated as of Thinkwise Platform version 2023.2. For Indicium, these settings are now available in IAM. See: Email settings.
To enable Email two-factor authentication, add the following template to the appsettings.json file and fill it out.
{
"Email": {
"SmtpServer": "[SMTP server address]",
"SmtpPort": 587,
"UseSSL": true,
"SmtpUsername": "[SMTP account username]",
"SmtpPassword": "[SMTP account password]",
"DefaultTwoFactorTokenTemplate": {
"FromEmail": "[Sender email address]",
"FromDisplay": "[Sender email display name]",
"Title": "Your login code",
"Body": "Your login validation code is: <b>{twoFactorToken}</b>"
},
"TwoFactorTokenTemplates": {
"NL": {
"FromEmail": "[Sender email address]",
"FromDisplay": "[Sender email display name]",
"Title": "Uw inlogcode",
"Body": "Uw validatiecode om in te loggen is: <b>{twoFactorToken}</b>"
},
"ENG": {
"FromEmail": "[Sender email address]",
"FromDisplay": "[Sender email display name]",
"Title": "Your login code",
"Body": "Your login validation code is: <b>{twoFactorToken}</b>"
}
}
}
}
You can automate two-factor authentication through email links using the query string parameter twoFactorToken.
If you use this, the user can simply click on a hyperlink in the email to finish logging in.
The hyperlink has the following format:
<indicium_base_url>/account/ui/twoFactor?twoFactorToken={twoFactorToken}
You can configure this hyperlink in the Email template, in the Body parameter of the TwoFactorTokenTemplates.
Example
"Body": "Click on the link below to log in:<br /><indicium_base_url>/account/ui/twoFactor?twoFactorToken={twoFactorToken}"
Make sure to replace <indicium_base_url> with your Indicium base URL.
Email 2FA (Indicium Basic)
In accordance with our Lifecycle Policy, Indicium Basic has been declared End of Life as of Thinkwise Platform version 2023.2.
To enable Email two-factor authentication, add the following template to the appsettings.json file and fill it out.
{
"Email": {
"SmtpServer": "[SMTP server address]",
"SmtpPort": 587,
"UseSSL": true,
"SmtpUsername": "[SMTP account username]",
"SmtpPassword": "[SMTP account password]",
"TwoFactorTokenTemplate": {
"FromEmail": "[Sender email address]",
"FromDisplay": "[Sender email display name]",
"Title": "Uw inlogcode",
"Body": "Uw validatiecode om in te loggen is: <b>{twoFactorToken}</b>"
}
}
}
SMS 2FA (Indicium)
SMS authentication is especially useful for users with old mobile devices and no internet access.
To enable SMS two-factor authentication, add the following template to the appsettings.json file and fill it out.
{
"SMS": {
"Username": "[Account SID]",
"Password": "[Authorization Token]",
"FromPhoneNumber": "[Provider Phone Number]",
"DefaultTwoFactorTokenTemplate": "Your validation code is {twoFactorToken}.",
"TwoFactorTokenTemplates": {
"NL": "Uw validatiecode is {twoFactorToken}",
"ENG": "Your validation code is {twoFactorToken}."
}
}
}
Currently, Twilio is the only supported SMS provider.
SMS 2FA (Indicium Basic)
SMS authentication is especially useful for users with old mobile devices and no internet access.
To enable SMS two-factor authentication, add the following template to the appsettings.json file and fill it out.
{
"SMS": {
"Username": "[Account SID]",
"Password": "[Authorization Token]",
"FromPhoneNumber": "[Provider Phone Number]",
"TwoFactorTokenTemplate": "Uw validatiecode is {twoFactorToken}"
}
}
Currently, Twilio is the only supported SMS provider.
Title for authentication pages (Indicium)
The title for Indicium's authentication pages is set in IAM: menu Settings > Global settings > field Title.
If no title is entered in IAM, the title 'Thinkwise Identity Provider' will be used.
Enable setting, changing, and resetting passwords
Deprecated as of Thinkwise Platform version 2023.2. For Indicium, these settings are now available in IAM. See: Email settings.
Indicium supports changing and resetting passwords for users with IAM authentication. Even if a user has not set a password yet, they can set it via email using the 'Forgot your password' link on the login page.
Password expiration is not enforced. This prevents the use of predictable passwords, since it is possible to re-use a more complex and safer password.
To change or reset a password, Indicium needs to be able to send emails to users. This requires some additional configuration.
See also Disable 'Forgot your password?' link on login page.
Make sure the users' email addresses are configured in IAM.
Add the following template to the appsettings.json file and fill it out.
{
"Email": {
"SmtpServer": "[SMTP server address]",
"SmtpPort": 587,
"UseSSL": true,
"SmtpUsername": "[SMTP account username]",
"SmtpPassword": "[SMTP account password]",
"DefaultPasswordResetTemplate": {
"FromEmail": "[Sender email address]",
"FromDisplay": "[Sender email display name]",
"Title": "Your password reset code",
"Body": "Your password reset code is: <b>{resetToken}</b>"
},
"PasswordResetTemplates": {
"NL": {
"FromEmail": "[Sender email address]",
"FromDisplay": "[Sender email display name]",
"Title": "Uw wachtwoordherstelcode",
"Body": "Uw wachtwoordherstelcode is: <b>{resetToken}</b>"
},
"ENG": {
"FromEmail": "[Sender email address]",
"FromDisplay": "[Sender email display name]",
"Title": "Your password reset code",
"Body": "The code to reset your password is: <b>{resetToken}</b>"
}
}
}
}
You can automate resetting a password through a hyperlink by using the query string parameters username and resetToken.
If you use this, the user can simply click on a hyperlink in the email to reset their password.
The hyperlink has the following format:
<indicium_base_url>/account/ui/resetPassword?username={username}&resetToken={resetToken}
You can configure this format in the Email template, in the Body parameter of the PasswordResetTemplates.
Example
"Body": "Click on the link below to reset your password: <br /><indicium_base_url>/account/ui/resetPassword?username={username}&resetToken={resetToken}"
Replace <indicium_base_url> with your Indicium base URL.
Enable changing and resetting passwords (Indicium Basic)
In accordance with our Lifecycle Policy, Indicium Basic has been declared End of Life as of Thinkwise Platform version 2023.2.
Indicium Basic supports changing and resetting passwords for users with IAM authentication.
Password expiration is not enforced. This prevents the use of predictable passwords, since it is possible to re-use a more complex and safer password.
To change or reset a password, Indicium needs to be able to send emails to users. This requires some additional configuration.
To enable the reset password feature, add the following template to the appsettings.json file and fill it out.
See also Disable 'Forgot your password?' link on login page.
{
"Email": {
"SmtpServer": "[SMTP server address]",
"SmtpPort": 587,
"UseSSL": true,
"SmtpUsername": "[SMTP account username]",
"SmtpPassword": "[SMTP account password]",
"PasswordResetTemplate": {
"FromEmail": "[Sender email address]",
"FromDisplay": "[Sender email display name]",
"Title": "Reset password",
"Body": "The code to reset your password is: <b>{resetToken}</b>"
}
}
}
Make sure the users' email addresses are configured in IAM.
Disable 'Forgot your password?' link on login page (Indicium)
You can disable the 'Forgot your password?' link on the Indicium login page by adding the following JSON property to the appsettings.json file.
"LoginOptions": {
"AllowPasswordForget": false
}
When the AllowPasswordForget property is set to false, the 'Forgot your password?' link is disabled. Also, the 'Forgot your password?' page and API can no longer be used.
Remove 'Stay signed in' option from login page
You can remove the 'Stay signed in' option from the Indicium login page by adding the following JSON property to the appsettings.json file.
"LoginOptions": {
"AllowStaySignedIn": false
}
When the AllowStaySignedIn property (default: true) is set to false, the 'Stay signed in' option is removed.
This also removes the 'Remember my choice' option when multiple login options are available, for example, when OpenID providers are configured.
Enable Cross-Origin Resource Sharing (CORS)
By default, a website only allows requests that come from the same origin (domain). If you host a website yourself and you want to allow requests from another origin, you can use Cross-Origin Resource Sharing.
This concept also applies to the Indicium Application Tier. To enable cross-origin requests, add the allowed origin(s) to the appsettings.json file:
{
"AllowedOrigins": [
"https://www.mydomain.com",
"https://www.otherdomain.com"
]
}
This is only available when Indicium runs in Development mode.
Preload application models during startup (Indicium)
To reduce the response times for users who are the first to access applications after a cold start or restart, you can specify application models that Indicium must try to preload from IAM during startup.
Keep in mind that:
- For applications containing system flows, this feature has little to no effect. The reason is that Indicium already implicitly loads applications containing system flows during startup, as it needs to know the model before it can execute the scheduled flows.
- Due to the way that Indicium handles loading models from Software Factory sources, this feature only works for models synced to IAM.
- If a new version of a preloaded model/application is synced to IAM, Indicium will not automatically preload the new version.
Example
Preloading application models can be configured in the appsettings.json configuration file under the Applications:Preload configuration key. Specify either the ID or the alias of the applications that need to be preloaded. Indicium will try to load these models for the specified applications during startup.
{
"Applications": {
"Preload": [
"itst",
"23",
"does-not-exist"
]
}
}
This process is also logged to the default Indicium log:
[Image: Example log file: preloading models and one fail]
Periodic removal of idle application models from memory (Indicium)
Indicium can periodically remove idle application models from memory. An application model is considered idle when:
- It has not received any API calls during the specified time.
- There has been no active system flow during the specified time.
- It has not been marked as a preloaded application model.
In the appsettings.json configuration file, the RemoveUnusedModelAfterHours configuration option specifies the period of time in hours after which the model is removed.
Note that "Applications" is the same configuration section as the "Applications" section used for preloading application models.
"Applications": {
"RemoveUnusedModelAfterHours": 72
}
The default (and recommended) value of this setting is 72 hours.
This may feel like a long time to keep idle application models in memory, but the goal is not to clear the memory as quickly and often as possible. After all, it is a cache that serves an important purpose.
The performance-memory trade-off needs to be considered: once an application model is removed from memory and requested again through an API call, it needs to be loaded from the database, which is a performance hit on that API call.
The main goal of this feature is to ensure that Indicium instances that are rarely restarted, for example, because they are in use 24/7, don't gradually use more and more memory for 'dead' application models that have not been used for weeks. We recommend lowering this value only if all of the points below are true:
- Indicium is restarted rarely.
- Many different applications are each used for only a short time within a short period.
- Indicium's memory usage is noticeably growing to several gigabytes within the 72 hours.
Change log file name
It is possible to edit the log file name and the path. This can be useful if you are running multiple instances of Indicium next to each other or if you do not like the current name.
To change a log file name, add the pathFormat to the Logging segment in Indicium's appsettings.json:
{
"Logging": {
"pathFormat": "YourOwnName-{Date}.txt"
}
}
- Replace the content of FileName with a name of your own choosing (YourOwnName).
- If no {Date} is specified, Indicium will add it.
- If the file extension .txt is not specified, Indicium will add it.
Edit minimum log level
It is possible to edit the minimum log level. The default log level is 'Error'. This can be useful if you need more information.
The log level of other logging namespaces can be overridden by adding a key and value to the Logging:ErrorLog:LogLevel section. Some keys cannot be modified and will always be set to level 'Information'.
{
"Logging": {
"ErrorLog": {
"LogLevel": {
// Log Information level messages to the error log.
"Default": "Information",
// Log Debug level messages if the namespace of the logger starts with 'Microsoft'.
"Microsoft": "Debug"
}
}
}
}
Disable background operations (Indicium)
It is possible to disable all background operations managed by Indicium and IAM. At the moment, the only example of such a background operation is the scheduling of system flows.
The default value for background operations is true. To disable the background operations, set 'Agent:Enabled' to 'false' in the appsettings.json:
{
"Agent": {
// Skip registering this Indicium instance as an agent on IAM.
// Also disables adding all agent related services such as the scheduled system flow runner.
"Enabled": false
}
}
Disable scheduled license update checks (Indicium)
Indicium performs a license check on startup and obtains, if necessary, an updated license. This check recurs periodically to keep the license valid. See Automatic license renewal.
To make Indicium perform this check only on startup, set Licensing:ScheduleUpdate to false in the appsettings.json.
{
"Licensing": {
// Only check and update (if necessary) the current license once on startup
// and skip scheduling further checks from being run in the background.
"ScheduleUpdate": false
}
}
Reverse Proxy Settings (Indicium)
Indicium can be used in a reverse proxy setup by taking advantage of the X-Forwarded-* headers mechanism.
These headers include:
- X-Forwarded-For: Should contain the original IP address of the client that is making the request. This header is mostly used for logging purposes only and not really needed by Indicium itself. The presence of this header can however trigger a verification check to assert that a request was sent by a trusted reverse proxy server.
- X-Forwarded-Host: Used to tell Indicium what the host name of Indicium is from the client's point of view. This header is needed to correctly generate things such as redirect URLs.
- X-Forwarded-Proto: Contains the protocol (HTTP/HTTPS) that was used in the original request. This header is needed, for example, in situations where the public facing server is configured to force https but Indicium itself is only set up to use http. The public facing proxy server would send this header with a value of https to the internal Indicium, which would then know that any public facing URLs in responses must also use the https scheme.
Configure reverse proxy
To make an Indicium installation aware that it is going to be used in a reverse proxy setup, some settings must be added to the appsettings.json configuration file. These settings must be added to a ReverseProxy section on the root level of the config file.
The reverse proxy feature must also be explicitly enabled by setting Enabled to true:
{
"ReverseProxy": {
"Enabled": true
}
}
Debug tracing for reverse proxy
Debug tracing logs information to Indicium's log file. This can help you troubleshoot issues with reverse proxy settings. See Log files.
To activate debug tracing for the reverse proxy, add the TracingEnabled property to the ReverseProxy settings in the appsettings.json file:
"ReverseProxy": {
"Enabled": true,
"TracingEnabled": true
}
Allowing headers
To specify which of the X-Forwarded-* headers Indicium is allowed to consume, change the AllowedHeaders section to the desired combination of the values below:
{
"ReverseProxy": {
"AllowedHeaders": [
"XForwardedHost",
"XForwardedProto",
"XForwardedFor",
"All"
]
}
}
The All value is a shortcut to allow all three headers.
By default, only XForwardedFor and XForwardedProto are allowed.
Overriding header names
To override the header names that Indicium should listen to for X-Forwarded-* values, use the CustomHeaders section:
{
"ReverseProxy": {
"CustomHeaders": {
"XForwardedHost": "CUSTOM-FORWARDED-HOST",
"XForwardedProto": "CUSTOM-FORWARDED-PROTO",
"XForwardedFor": "CUSTOM-FORWARDED-FOR"
}
}
}
Restrict X-Forwarded-Host values
To restrict which host domains are allowed as values in the X-Forwarded-Host header, use the AllowedHosts section:
{
"ReverseProxy": {
"AllowedHosts": [
"www.example.com",
"*.example.com"
]
}
}
Host values are subject to the following rules:
- Values are compared using ordinal-ignore-case.
- Port numbers must be excluded.
- If the list is empty, all hosts are allowed.
- A top-level wildcard * allows all non-empty hosts.
- Subdomain wildcards are permitted but don't match the root domain. For example, *.example.com matches the subdomain foo.example.com but not the root domain example.com.
- Unicode host names are allowed but are converted to Punycode for matching.
- IPv6 addresses must include bounding brackets and be in conventional form (for example, [ABCD:EF01:2345:6789:ABCD:EF01:2345:6789]). IPv6 addresses aren't special-cased to check for logical equality between different formats, and no canonicalization is performed.
Failing to restrict the allowed hosts may allow an attacker to spoof links generated by the service.
By default all hosts are allowed.
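The AllowedHosts rules above, implemented as an added example (not Indicium's own code) so the edge cases can be checked against real values: it assumes an incoming X-Forwarded-Host value has its :port stripped before comparison, and relies on Python's built-in idna codec for the Punycode step.

```python
"""Model of the AllowedHosts matching rules for X-Forwarded-Host values.

Added example, not Indicium's own code. Assumptions: an incoming host value
has any :port stripped before it is compared, and configured values never
carry a port (as the rules require)."""
from __future__ import annotations


def _strip_port(host: str) -> str:
    """Remove a trailing :port from an incoming host value.
    Bracketed IPv6 literals keep their brackets: '[::1]:8080' -> '[::1]'."""
    if host.startswith("["):
        end = host.find("]")
        return host[: end + 1] if end != -1 else host
    name, sep, port = host.rpartition(":")
    return name if sep and port.isdigit() else host


def _normalize(host: str) -> str:
    """Lower-case for ordinal-ignore-case comparison and convert Unicode names
    to Punycode. IPv6 literals are compared as written: no canonicalisation,
    so '[::1]' and '[0:0:0:0:0:0:0:1]' stay different values."""
    host = host.strip().lower()
    if host.startswith("["):
        return host
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:
        return host


def host_allowed(forwarded_host: str, allowed_hosts: list[str]) -> bool:
    """Return True when forwarded_host passes the AllowedHosts filter."""
    if not allowed_hosts:                       # empty list: all hosts allowed
        return True
    host = _normalize(_strip_port(forwarded_host))
    if not host:                                # wildcards only match non-empty hosts
        return False
    for pattern in allowed_hosts:
        pattern = _normalize(pattern)
        if pattern == "*":                      # top-level wildcard
            return True
        if pattern.startswith("*."):
            # Subdomain wildcard: the host needs at least one label in front of
            # the suffix, so '*.example.com' matches 'foo.example.com' but not
            # the root 'example.com', and never 'evil-example.com'.
            suffix = pattern[1:]                # '.example.com'
            if host.endswith(suffix) and len(host) > len(suffix):
                return True
        elif host == pattern:
            return True
    return False


# Constructed sample: the AllowedHosts list from the template on this page.
ALLOWED_HOSTS = ["www.example.com", "*.example.com"]

if __name__ == "__main__":
    for candidate in ["WWW.Example.com:443", "foo.example.com", "example.com",
                      "evil-example.com", "bücher.example.com"]:
        print(f"{candidate:28} -> {host_allowed(candidate, ALLOWED_HOSTS)}")
```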
Specify trusted proxies
By default, Indicium only accepts X-Forwarded-For header values from proxies running on the same server.
To grant other servers access, specify their IP addresses in the KnownProxies section:
{
"ReverseProxy": {
"KnownProxies": [
"10.60.0.185"
]
}
}
Specify trusted networks
In addition to trusting proxies by specific IP, it is also possible to grant multiple servers access by specifying network ranges in CIDR notation in the KnownNetworks section:
{
"ReverseProxy": {
"KnownNetworks": [
"10.60.0.0/16"
]
}
}
The above states a network IP 10.60.0.0 with a mask of 255.255.0.0.
This would allow servers in the IP range 10.60.0.1 - 10.60.255.254 to send X-Forwarded-For headers.
Changing the path base of Indicium
Assume for a moment that there is an Indicium running on a server named internalserver. In addition to that, there is an external facing proxy server named revproxy. The revproxy server is configured to accept https requests on port 443 for domain www.example.com. It sends the requests it receives to the Indicium running on an IIS server at internalserver.example.com/indicium.
Because Indicium is running in the virtual app domain /indicium, any requests that generate redirects or paths to static images etc. will be returned to the client as www.example.com/indicium/<request remainder>. Since the reverse proxy acting as www.example.com is rerouting anything after the main domain to internalserver.example.com/indicium, the actual request to the Indicium server becomes internalserver.example.com/indicium/indicium/<request remainder>. This breaks a lot of things, including logging in via /account/ui/login.
To fix this issue, specify the path base according to the externally facing server using the ExternalPathBase option:
{
"ReverseProxy": {
"ExternalPathBase": "/"
}
}
When Indicium receives a request and detects that the host was changed using the X-Forwarded-Host header, it will also change the path base of the request to what was specified in ExternalPathBase.
In the above example, internal requests that are made directly to the Indicium server will continue to use /indicium as the path base, since those should not be sending the X-Forwarded-Host header. Because the revproxy server running for www.example.com should send this header (to change the host back to www.example.com from internalserver.example.com), the path base is changed to /, which fixes the URL responses that the Indicium server generates since it now assumes that it is running on the server root.
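The trust and path-base logic described in the reverse proxy sections above, modelled as an added example (not Indicium's own code): it assumes a loopback remote address is what "the same server" means, that an empty AllowedHeaders falls back to the documented default, that the leftmost X-Forwarded-For entry is the original client, and it leaves the AllowedHosts filter out.

```python
"""Model of which X-Forwarded-* values are honoured under the ReverseProxy settings.

Added example, not Indicium's own code. Assumptions: a proxy 'on the same
server' means a loopback remote address; an empty or missing AllowedHeaders
falls back to the documented default (XForwardedFor and XForwardedProto);
the leftmost X-Forwarded-For entry is the client; AllowedHosts is not applied."""
import ipaddress

DEFAULT_ALLOWED = {"XForwardedFor", "XForwardedProto"}
DEFAULT_HEADER_NAMES = {
    "XForwardedFor": "X-Forwarded-For",
    "XForwardedHost": "X-Forwarded-Host",
    "XForwardedProto": "X-Forwarded-Proto",
}


def is_trusted_proxy(remote_addr: str, config: dict) -> bool:
    """Only loopback, KnownProxies entries and KnownNetworks ranges may forward headers."""
    addr = ipaddress.ip_address(remote_addr)
    if addr.is_loopback:
        return True
    if any(addr == ipaddress.ip_address(p) for p in config.get("KnownProxies", [])):
        return True
    return any(addr in ipaddress.ip_network(n, strict=False)
               for n in config.get("KnownNetworks", []))


def apply_forwarded_headers(request: dict, config: dict) -> dict:
    """request: remote_addr, scheme, host, path_base and a headers dict.
    Returns the scheme, host, client_ip and path_base Indicium would work with."""
    effective = {"scheme": request["scheme"], "host": request["host"],
                 "client_ip": request["remote_addr"], "path_base": request["path_base"]}
    if not config.get("Enabled") or not is_trusted_proxy(request["remote_addr"], config):
        return effective                        # untrusted sender: headers are ignored
    allowed = set(config.get("AllowedHeaders") or DEFAULT_ALLOWED)
    if "All" in allowed:                        # shortcut for all three headers
        allowed = set(DEFAULT_HEADER_NAMES)
    # CustomHeaders overrides the header name listened to for each value.
    names = {**DEFAULT_HEADER_NAMES, **config.get("CustomHeaders", {})}
    headers = {k.lower(): v for k, v in request["headers"].items()}

    def forwarded(key: str):
        return headers.get(names[key].lower()) if key in allowed else None

    if client := forwarded("XForwardedFor"):
        effective["client_ip"] = client.split(",")[0].strip()
    if proto := forwarded("XForwardedProto"):
        effective["scheme"] = proto.lower()
    host = forwarded("XForwardedHost")
    if host and host != request["host"]:
        # Host changed by the proxy: switch to the externally visible path base.
        effective["host"] = host
        effective["path_base"] = config.get("ExternalPathBase", request["path_base"])
    return effective


# Constructed sample config, matching the ReverseProxy template on this page.
REVERSE_PROXY = {
    "Enabled": True,
    "AllowedHeaders": ["All"],
    "KnownProxies": ["10.60.0.185"],
    "KnownNetworks": ["10.60.0.0/16"],
    "ExternalPathBase": "/",
}

# Constructed request as revproxy (www.example.com) would forward it to
# internalserver.example.com/indicium over plain http.
VIA_REVPROXY = {
    "remote_addr": "10.60.0.185", "scheme": "http",
    "host": "internalserver.example.com", "path_base": "/indicium",
    "headers": {"X-Forwarded-Host": "www.example.com",
                "X-Forwarded-Proto": "https",
                "X-Forwarded-For": "203.0.113.7"},
}

if __name__ == "__main__":
    print(apply_forwarded_headers(VIA_REVPROXY, REVERSE_PROXY))
```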
Configuring IIS as a reverse proxy
To use IIS as a reverse proxy, the following modules must be installed on the server: Application Request Routing (ARR) and URL Rewrite.
X-Forwarded-For
To configure IIS to send the X-Forwarded-For header when Application Request Routing is triggered, go to Application Request Routing Cache -> Server Proxy Settings from the main server menu.
In this screen there is a Custom Headers section with a field called Preserve client IP in the following header. Set the value of this field to X-Forwarded-For (note: it might already be configured this way after installing ARR).
X-Forwarded-Host/Proto
Pick or add a site to use as the reverse proxy. In this example a new site was added that was bound to use http on port 10100.
Go to the URL Rewrite section of the site and click on View Server Variables. In this screen one can specify which variables to use when a rewrite rule has been triggered.
To whitelist the X-Forwarded-Host/Proto headers, add the following variables as needed:
- HTTP_X_FORWARDED_HOST
- HTTP_X_FORWARDED_PROTO
In this case only X-Forwarded-Host was needed, so HTTP_X_FORWARDED_HOST has been added as a server variable.
Go back to the URL Rewrite section and start adding a reverse proxy rule. Configure the Inbound Rules section to point to your internal server running Indicium. These values should contain the domain, port and virtual host path as needed, but leave out the protocol. In this example the domain is internalserver.yourdomain.com, the port is 8888 and Indicium itself is running on a virtual host application path called indicium.
Once the rule has been added, double click on it to start editing it once more. Configure the rule to use the HTTP_X_FORWARDED server variables that were added earlier. This example only adds HTTP_X_FORWARDED_HOST and sets it to {HTTP_HOST}, which will pass on the original host to the Indicium application.
Another common example would be when the reverse proxy is secured by https but all internal traffic is offloaded to http (e.g. when the SSL offloading option is checked in IIS). In that case the Indicium server should be notified of this by adding the X-Forwarded-Proto header. This means that the HTTP_X_FORWARDED_PROTO variable must be added as a server variable and set to https in the inbound rule section of the rewrite rule.
Internet proxy
In some cases, Indicium requires internet access. Reasons can be, for example, automatic license renewal or a process flow in your application that uses an HTTP Connector.
If your network requires a proxy server, you can tell Indicium in various ways which proxy to use:
- One way is to add the following section to Indicium's web.config. When upgrading Indicium, make sure the web.config is manually updated, or the changes will be undone.
<aspNetCore processPath="dotnet" arguments=".\Indicium.dll" stdoutLogEnabled="false" stdoutLogFile=".\logs\stdout" forwardWindowsAuthToken="false" hostingModel="InProcess">
<environmentVariables>
<environmentVariable name="ALL_PROXY" value="https://username:password@serverproxy.corp.com:80" />
</environmentVariables>
</aspNetCore>
- Another option is to add an environment variable to the system. The easiest way is to use the Windows Search and search for: "Edit the system environment variables". Then, open the Advanced tab and click the Environment variables button. Here, you can add the environment variables for the proxy. Use "ALL_PROXY" as the name. The required value is the proxy server address.
You can also set a separate proxy for HTTP or HTTPS. In that case, use the following names:
- HTTP_PROXY: Proxy server used for HTTP requests.
- HTTPS_PROXY: Proxy server used for HTTPS requests.
- ALL_PROXY: Proxy server used for both HTTP and HTTPS.
- NO_PROXY: a comma-separated list of hostnames that do not require a proxy.
[Image: New system variable]