Version: 7.0

SSL termination

Starting from version 7, the Passwork frontend requires mandatory use of HTTPS, so all standard installations and configurations include the corresponding settings. Nevertheless, we understand that SSL termination is used in many infrastructures.

Attention!

These settings are necessary in the following cases:

  • SSL termination is mandatory in the infrastructure;
  • A Passwork instance is used in a controlled zone.

Passwork Docker Build

Example

    server {
        listen 80;
        server_name _;
        root /server/www/public;
        index index.html;

        charset utf-8;
        client_max_body_size 100M;
        fastcgi_read_timeout 1800;

        location ~ ^/.well-known/acme-challenge/ {
            access_log /server/log/nginx/certbot.log;
            root /var/www/certbot;
        }

        location = /favicon.ico {
            access_log off; log_not_found off;
        }
        location = /robots.txt {
            access_log off; log_not_found off;
        }
        location ~ /\. {
            deny all;
        }

        location / {
            include /server/nginx/extra/security-headers.conf;
            include /server/nginx/extra/cors.conf;
            if ($request_method = 'OPTIONS') {
                return 204;
            }
            include /server/nginx/extra/csp.conf;
            try_files $uri /index.html;
        }

        location ~ ^/api(/|$) {
            include /server/nginx/extra/security-headers.conf;
            include /server/nginx/extra/cors.conf;
            if ($request_method = 'OPTIONS') {
                return 204;
            }
            fastcgi_pass phpfpm;
            fastcgi_param SCRIPT_FILENAME /server/www/public/index.php;
            # Tell the PHP backend the client connection was HTTPS even though TLS
            # was terminated upstream (see the parameter notes below).
            fastcgi_param HTTPS on;
            fastcgi_param SERVER_PORT 443;
            fastcgi_param HTTP_X_FORWARDED_PROTO https;
            fastcgi_param HTTP_X_FORWARDED_PORT 443;
            include /etc/nginx/fastcgi_params;
        }

        location ~* \.(js|css|png|jpg|jpeg|gif|ico|woff|woff2|ttf|svg)$ {
            expires 6M;
            log_not_found off;
            access_log off;
            add_header Cache-Control "public, max-age=2592000";
        }

        location ~ ^/index\.php(/|$) {
            try_files $uri =404;
            fastcgi_pass phpfpm;
            fastcgi_index /index.php;
            include /etc/nginx/fastcgi_params;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            fastcgi_param DOCUMENT_ROOT $realpath_root;
            fastcgi_param PATH_INFO $fastcgi_path_info;
            fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
            # Same four termination parameters as in the /api location.
            fastcgi_param HTTPS on;
            fastcgi_param SERVER_PORT 443;
            fastcgi_param HTTP_X_FORWARDED_PROTO https;
            fastcgi_param HTTP_X_FORWARDED_PORT 443;
            add_header Cache-Control "no-store, max-age=0" always;
        }
    }

If a standard Docker installation is used and ports 80 and 443 are still used after termination, do the following:

    cd /<passwork>/   # Navigate to the root directory of the Docker build
    cp ./conf/nginx/extra/flex.example ./conf/nginx/nginx.conf
    docker compose down && docker compose up -d

listen 80 — Nginx listens on port 80. If traffic is redirected to another port after termination, replace port 80 with the required one.

fastcgi_param HTTPS on; — Indicates to the backend that the connection is to be treated as secure. This is important for correctly determining the request scheme when SSO is used.

fastcgi_param SERVER_PORT 443; — Sets the expected port of the secure connection. If a non-standard port is used for SSL in SSO, change port 443 to the required value.

fastcgi_param HTTP_X_FORWARDED_PROTO https; — Passes on the information that the original client connection was made over HTTPS, even though SSL was terminated upstream.

fastcgi_param HTTP_X_FORWARDED_PORT 443; — Similar to HTTP_X_FORWARDED_PROTO, informs the application that the original client port was 443. If a non-standard port for SSL is used in SSO, change port 443 to the required value.

Manual Passwork installation (Apache2/HTTPD)

If a manual installation on Linux sits behind an SSL terminator, use the example below to configure Passwork correctly.

Example

    <VirtualHost *:80>
        ServerName example.passwork.pro
        ServerAdmin webmaster@localhost
        DocumentRoot /var/www/public
        <Directory /var/www/public>
            Options +FollowSymLinks -Indexes -MultiViews
            AllowOverride FileInfo
            Require all granted
        </Directory>
        ErrorLog ${APACHE_LOG_DIR}/error.log
        CustomLog ${APACHE_LOG_DIR}/access.log combined
        <FilesMatch \.php$>
            SetHandler "proxy:unix:/run/php/php8.3-fpm.sock|fcgi://localhost/"
            ProxyFCGISetEnvIf "true" HTTPS on
            ProxyFCGISetEnvIf "true" SERVER_PORT 443
            ProxyFCGISetEnvIf "true" HTTP_X_FORWARDED_PROTO https
            ProxyFCGISetEnvIf "true" HTTP_X_FORWARDED_PORT 443
        </FilesMatch>
    </VirtualHost>

ProxyFCGISetEnvIf "true" HTTPS on — Force the environment variable HTTPS=on for every request via FastCGI. Used to simulate a secure connection if SSL is terminated on an external proxy.

ProxyFCGISetEnvIf "true" SERVER_PORT 443 — Set the expected port for the secure connection. If a non-standard port for SSL is used in SSO, change port 443 to the required value.

ProxyFCGISetEnvIf "true" HTTP_X_FORWARDED_PROTO https — Adds the header HTTP_X_FORWARDED_PROTO=https to the FastCGI environment. This allows the Passwork backend to correctly determine the original client connection scheme through the proxy.

ProxyFCGISetEnvIf "true" HTTP_X_FORWARDED_PORT 443 — Similar to HTTP_X_FORWARDED_PROTO, informs the application that the original client port was 443. If a non-standard port for SSL is used in SSO, change port 443 to the required value.
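Both the nginx and the Apache recipes above set the same four FastCGI variables, and the notes say the two port values must be changed together when a non-standard SSL port is in use. The following checker is an added example (not Passwork's own tooling): it reads one PHP hand-off block in either syntax and reports missing variables, a wrong scheme value, or a port that does not match the port the terminator actually accepts. The sample block and the `expected_port` parameter are constructed for the illustration.

```python
import re

# The four FastCGI variables this page sets for every PHP hand-off behind an
# SSL terminator, with the fixed value each must carry (ports are checked
# against expected_port instead, so they are marked None here).
REQUIRED = {"HTTPS": "on", "SERVER_PORT": None,
            "HTTP_X_FORWARDED_PROTO": "https", "HTTP_X_FORWARDED_PORT": None}

# One regex covers both syntaxes: nginx "fastcgi_param NAME VALUE;" and
# Apache 'ProxyFCGISetEnvIf "true" NAME VALUE'.
PARAM_RE = re.compile(
    r'^\s*(?:fastcgi_param|ProxyFCGISetEnvIf\s+"true")\s+(\w+)\s+([^\s;]+)')


def collect_params(block):
    """Map variable name -> value for the FastCGI params set in one block."""
    return {m.group(1): m.group(2)
            for m in (PARAM_RE.match(ln) for ln in block.splitlines()) if m}


def check_block(block, expected_port="443"):
    """Return findings for one PHP hand-off block (empty list == consistent).

    expected_port is the port on which the SSL terminator accepts HTTPS; the
    page says SERVER_PORT and HTTP_X_FORWARDED_PORT must both be changed when
    it is not 443, so either one disagreeing with it is reported.
    """
    params = collect_params(block)
    findings = [f"missing {name}" for name in REQUIRED if name not in params]
    for name, want in REQUIRED.items():
        if want is not None and name in params and params[name].lower() != want:
            findings.append(f"{name} is {params[name]!r}, expected {want!r}")
    for name in ("SERVER_PORT", "HTTP_X_FORWARDED_PORT"):
        if name in params and params[name] != expected_port:
            findings.append(f"{name} is {params[name]}, expected {expected_port}")
    return findings


# Constructed sample: the page's /api location with SERVER_PORT moved to a
# non-standard port while HTTP_X_FORWARDED_PORT was left at 443.
SAMPLE_NGINX = """
location ~ ^/api(/|$) {
    fastcgi_pass phpfpm;
    fastcgi_param HTTPS on;
    fastcgi_param SERVER_PORT 8443;
    fastcgi_param HTTP_X_FORWARDED_PROTO https;
    fastcgi_param HTTP_X_FORWARDED_PORT 443;
}
"""

if __name__ == "__main__":
    for finding in check_block(SAMPLE_NGINX, expected_port="8443"):
        print(finding)
```

Run it against each `location` block that contains `fastcgi_pass` (nginx) or against the `<FilesMatch>` block (Apache); an empty result means the block matches the recipe on this page.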