
The Web Server page is for configuring the HTTP and HTTPS ports, setting up the SSL/TLS certificate, redirecting traffic through a known address, and choosing whether all HTTP traffic is forcibly redirected to HTTPS.

If you are allowing users to access your Gateway from outside your network (through the Internet), you will need to configure the Public HTTP Address settings.


SSL/TLS Settings

On the Web Server screen you can view the details of an SSL certificate, export keys, remove the installed SSL certificate, and transition to a CA-signed certificate.

From the Gateway Webpage, click on Config > Networking > Web Server. From the Web Server page, click on the View Details button. 




The Certificate Details are shown. From here you can generate a Certificate Signing Request (CSR) by clicking the Generate CSR button in the upper right. 



For more information, see Secure Communication (SSL / TLS).

HTTP and HTTPS Settings


HTTP Settings
HTTP Port

The port on which Ignition listens for incoming HTTP traffic, for example: 8088.

Use Proxy Forwarded Headers

The following feature is new in Ignition version 8.1.10

When enabled, the Gateway inspects each incoming HTTP request in search of headers that indicate it has been forwarded by one or more proxies. If these headers are present, then the request is updated so that the proxy is not seen as the other end point of the connection from which the request originated.

Caution: Enabling this setting when users can directly connect to the Gateway is a security risk. This setting is intended to be used in scenarios where untrusted users will not be able to bypass a trusted proxy that is responsible for setting the appropriate headers. 
For more information, see Use Proxy Forwarded Headers Explained

Resolve Client Hostnames

The following feature is new in Ignition version 8.1.10
When enabled, Ignition's web server will attempt to resolve the remote HTTP client's hostname by performing a reverse DNS lookup using the remote HTTP client's IP address where appropriate. Enabling this setting could have a performance impact as the Gateway may attempt an expensive hostname lookup when handling requests. When disabled, Ignition's web server will not attempt to resolve hostnames and any queries for the remote HTTP client's hostname will result in their IP address instead.

When enabling this setting, it is highly recommended that reverse DNS is configured to prevent host lookup failures. This includes configuring valid mappings from users' IP addresses to their hostnames, and from users' hostnames back to their IP addresses. If reverse DNS isn't configured, then DNS queries could block certain requests until the queries time out (default of 10 seconds). 

HTTPS Settings
HTTPS Port

The port on which Ignition listens for incoming HTTPS traffic, for example: 8043.

Force Secure Redirect

When enabled, and if SSL / TLS is enabled, all HTTP traffic will be redirected to its HTTPS counterpart.
(Default: disabled)

Included Cipher Suites

Whitelist of included cipher suites for clients connecting to Ignition using SSL/TLS.

Excluded Cipher Suites

Blacklist of excluded cipher suites for clients connecting to Ignition using SSL/TLS. Takes precedence over allowed cipher suites.

HTTP and HTTPS Connectors Restart

Certain actions will cause the HTTP port and/or the HTTPS port to restart. Refer to the following table for details.

| Configuration Change | HTTP Port Restarted? | HTTPS Port Restarted? |
| --- | --- | --- |
| HTTPS Port | Yes | Yes |
| HTTPS Port | Yes | Yes |
| Force Secure Redirect | No | Yes |
| User Included Cipher Suites | No | Yes |
| User Excluded Cipher Suites | No | Yes |
| SSL/TLS Setup | No | Yes |

Use Proxy Forwarded Headers Explained

While enabled, the Gateway's web server will look for the request headers mentioned on this page: ForwardRequestCustomizer. Depending on which headers come in, the web server will alter its view of the remote client's connection on the incoming HTTP request. The following parts of the request can be altered, although the list is not exhaustive:

  • The remote HTTP client's IP address
  • The remote HTTP client's port
  • The scheme used by the remote HTTP client when connected to the Gateway through one or more proxies (i.e., http/https)
  • Whether or not the connection is considered secure
  • The host/ip and port that the remote HTTP client used to connect to the Gateway through one or more proxies. 

While this setting is enabled, if the gateway does not see any of the mentioned headers, then the request will not be altered, effectively acting as if the setting is disabled. 
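The behaviour described above and the earlier caution about direct access can be seen in a small model. This is an added example, not Ignition or Jetty code: it is a simplified model that assumes the common X-Forwarded-For and X-Forwarded-Proto headers, assumes the first listed address is taken as the client, and uses constructed addresses and a hypothetical `trusted_proxy` helper.

```python
# Simplified model of forwarded-header handling (illustrative; not Jetty or Ignition code).
from dataclasses import dataclass

@dataclass
class RequestView:
    remote_addr: str   # address the web server attributes the request to
    scheme: str        # "http" or "https"
    secure: bool       # whether the connection is considered secure

def gateway_view(peer_addr, headers, use_forwarded_headers):
    """Return how the server sees a request arriving from peer_addr on the HTTP port."""
    view = RequestView(remote_addr=peer_addr, scheme="http", secure=False)
    if not use_forwarded_headers:
        return view
    xff = headers.get("X-Forwarded-For")
    if xff:
        # Assumption: the first listed address is taken as the client.
        view.remote_addr = xff.split(",")[0].strip()
    proto = headers.get("X-Forwarded-Proto")
    if proto:
        view.scheme = proto.strip().lower()
        view.secure = view.scheme == "https"
    return view

def trusted_proxy(client_addr, client_headers, client_scheme):
    """A proxy that discards client-supplied forwarding headers and sets its own."""
    headers = {k: v for k, v in client_headers.items()
               if k.lower() not in ("x-forwarded-for", "x-forwarded-proto", "forwarded")}
    headers["X-Forwarded-For"] = client_addr
    headers["X-Forwarded-Proto"] = client_scheme
    return headers

PROXY = "10.0.0.5"        # constructed addresses
CLIENT = "203.0.113.40"
CLAIMED = {"X-Forwarded-For": "192.0.2.1", "X-Forwarded-Proto": "https"}

def scenarios():
    via_proxy = trusted_proxy(CLIENT, CLAIMED, "https")
    return {
        # Setting on, no headers: the request is not altered.
        "direct_no_headers": gateway_view(CLIENT, {}, True),
        # Setting on, client reaches the Gateway directly: its own headers are believed.
        "direct_with_headers": gateway_view(CLIENT, CLAIMED, True),
        # Setting on, only the proxy can reach the Gateway: the headers are the proxy's.
        "via_proxy": gateway_view(PROXY, via_proxy, True),
        # Setting off behind a proxy: every request appears to come from the proxy.
        "via_proxy_setting_off": gateway_view(PROXY, via_proxy, False),
    }

if __name__ == "__main__":
    for name, view in scenarios().items():
        print(f"{name:24} {view}")
```

The `direct_with_headers` case is the one the caution describes: the recorded address and the secure flag come from the client's own headers, so audit entries and any address-based decisions are only as reliable as the network path that forces traffic through the proxy.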

The diagram below represents a request originating from a browser, and demonstrates how this setting can impact the request. 

Public HTTP Address settings

If you are allowing users to access your Gateway from outside your network (through the Internet), you will need to configure the Public HTTP Address settings.

Public HTTP Address
Auto Detect HTTP Address

To specify an explicit HTTP address that Vision Clients and Perspective Sessions will use, turn this off. Most users will leave autodetect on.
(Default: enabled)

Public Address

The public facing address that Vision Clients and Perspective Sessions must use to connect. If Force Secure Redirect is enabled, redirected connections will use this address, for example: yourcompany.com.

Public HTTP Port

The public facing HTTP port that Vision Clients and Perspective Sessions must use to connect, for example: 80

Public HTTPS Port

The public facing HTTPS port that Vision Clients and Perspective Sessions must use to connect. If Force Secure Redirect is enabled, redirected connections will use this port, for example: 443

Cipher Support

Below is a list of supported ciphers.

  • TLS_AES_128_GCM_SHA256
  • TLS_AES_256_GCM_SHA384
  • TLS_CHACHA20_POLY1305_SHA256
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_128_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_128_GCM_SHA256
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA
  • TLS_DHE_DSS_WITH_AES_256_CBC_SHA256
  • TLS_DHE_DSS_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
  • TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_DHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA
  • TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
  • TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
  • TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
  • TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
  • TLS_EMPTY_RENEGOTIATION_INFO_SCSV
  • TLS_RSA_WITH_AES_128_CBC_SHA
  • TLS_RSA_WITH_AES_128_CBC_SHA256
  • TLS_RSA_WITH_AES_128_GCM_SHA256
  • TLS_RSA_WITH_AES_256_CBC_SHA
  • TLS_RSA_WITH_AES_256_CBC_SHA256
  • TLS_RSA_WITH_AES_256_GCM_SHA384
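
One way to turn the supported list into values for the Included and Excluded Cipher Suites settings is to classify each suite by its name. This is an added example, not part of the Ignition documentation: the policy (keep only forward-secret AEAD suites), the function names, and the treatment of an empty include list as "all supported suites" are assumptions, and `SUPPORTED` is a sample of the list above rather than the whole list.

```python
# Sample of suite names from the supported list on this page (not the full list).
SUPPORTED = [
    "TLS_AES_128_GCM_SHA256",
    "TLS_AES_256_GCM_SHA384",
    "TLS_CHACHA20_POLY1305_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256",
    "TLS_DHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_DHE_DSS_WITH_AES_128_GCM_SHA256",
    "TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA",
]

def review(suite):
    """Return the reasons a suite falls outside the policy assumed here (empty = keep)."""
    if suite.endswith("_SCSV"):
        return []                                  # signalling value, not a cipher suite
    reasons = []
    if "_WITH_" in suite:                          # TLS 1.2 naming: TLS_<kx>_WITH_<cipher>_<mac>
        kx = suite[len("TLS_"):suite.index("_WITH_")]
        if not kx.startswith(("ECDHE_", "DHE_")):
            reasons.append("no forward secrecy")   # static RSA or static ECDH key exchange
        if kx.endswith("_DSS"):
            reasons.append("DSS authentication")
    # TLS 1.3 names (no _WITH_) always use ephemeral key exchange and AEAD ciphers.
    if "_GCM_" not in suite and "CHACHA20_POLY1305" not in suite:
        reasons.append("CBC mode (not AEAD)")
    return reasons

def proposed_exclusions(supported):
    """Suites to place in the Excluded Cipher Suites setting under the assumed policy."""
    return [s for s in supported if review(s)]

def effective_suites(supported, included, excluded):
    """Exclusion takes precedence over inclusion, as the page states.
    Assumption: an empty include list means all supported suites."""
    base = [s for s in supported if s in included] if included else list(supported)
    return [s for s in base if s not in excluded]

if __name__ == "__main__":
    for suite in SUPPORTED:
        print(f"{suite:48} {', '.join(review(suite)) or 'keep'}")
```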

