In addition to (or in place of) the default "raw" binary communication over the port you specified in the "bind" element, you can configure the floating license server to communicate over HTTPS. You can do this by "binding" the floating license server to an address and port for SCGI communication with an existing web server (e.g. Apache, NGINX, etc.).
This guide covers the very basics of the HTTPS server configuration. We assume you have experience running an HTTPS server.
Configure SCGI address and port
In the default "TurboFloatServer-config.xml" file you'll see an XML element like this:
<scgi just_scgi="false">
<bind address="127.0.0.1" port="42"/>
</scgi>
There are 3 options to configure:
1. The "just_scgi" attribute: Set this to "false" and raw, unencrypted connections will still be allowed. Set this to "true" and only connections over SCGI (via an HTTPS server) will be accepted and the global bind element will be ignored.
2. The "address" attribute in the "bind" element : Set this to the address you want the HTTPS server that sits in front of the floating license server to connect to.
If the address is not present, the server accepts TCP / IP connections on all server host IPv6 and IPv4 interfaces if the server host supports IPv6, or accepts TCP / IP connections on all IPv4 addresses otherwise. Use this address to permit both IPv4 and IPv6 connections on all server interfaces. This value is the default.
If the address is ::, the server accepts TCP/IP connections on all server host IPv4 and IPv6 interfaces.
If the address is 0.0.0.0, the server accepts TCP/IP connections on all server host IPv4 interfaces.
If the address is a "regular" IPv4 or IPv6 address (such as 127.0.0.1 or ::1), the server accepts TCP/IP connections only for that IPv4 or IPv6 address.
3. The "port" attribute in the "bind" element : Set this to the port you want the HTTPS server that sits in front of the floating license server to connect to.
For security sake, we recommend always bind to a local address (like "127.0.0.1") so that all data that touches the floating license server must first go through an HTTPS server.
Configure the HTTPS server (Apache)
If you're using the Apache HTTPS server, modify your "httpd.conf" file to enable the "scgi" module (so Apache can communicate with the floating license server instance):
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_scgi_module modules/mod_proxy_scgi.so
LoadModule ssl_module modules/mod_ssl.so
Next add a "VirtualHost" element that will accept HTTP connections and pass them along to the floating license server:
<VirtualHost yourhostaddress:443>
# Pass *everything* to the floating license server via SCGI
SetEnvIf Request_URI .* proxy-scgi-pathinfo
ProxyPass / scgi://127.0.0.1:42/
# ServerName gives the name and port that the server
# uses to identify itself. This can often be determined
# automatically, but we recommend you specify it
# explicitly to prevent problems during startup.
ServerName yourhostaddress:443
# Turn SSL on
SSLEngine on
</VirtualHost>
Replace "yourhostaddress" with the address name that the floating license server instance will be accessed from (i.e. the "public" address -- even if that "public" address is local network specific). Also, if you changed the SCGI "address" or "port" in the "TurboFloatServer-config.xml" file you'll also need to change the "ProxyPass" directive to use the address and port you changed them to.
Configure the HTTPS server (Nginx)
If you're using the NGINX HTTPS server, first make sure your NGINX has been compiled with the SCGI module. You can do this by running "nginx -V" via command line and you should see something like this:
nginx version: nginx/1.15.7
built by gcc 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.10)
built with OpenSSL 1.1.1a 20 Nov 2018
TLS SNI support enabled
configure arguments: --sbin-path=/usr/local/sbin --with-http_ssl_module --with-http_v2_module --without-http_uwsgi_module --with-pcre-jit --with-threads
If you don't see "--without-http_scgi_module" in the "configure arguments", then you know the NGINX instance was compiled with the SCGI module. It's compiled by default, so it should be available in every vanilla distribution of NGINX.
Next, modify your "nginx.conf" file to pass all communication to the address / port of your choosing to the floating license server instance via SCGI:
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name yourhostaddress;
# Maximum "request" size (i.e. max size the client sends us)
client_max_body_size 10m;
# pass every connection to the Hosted floating license server on this machine.
location / {
scgi_param SCGI 1;
scgi_param HTTPS $https if_not_empty;
scgi_param REQUEST_METHOD $request_method;
scgi_param CONTENT_LENGTH $content_length;
scgi_param REMOTE_ADDR $remote_addr;
scgi_pass 127.0.0.1:42;
}
}
Replace "yourhostaddress" with the address name that the floating license server instance will be accessed from (i.e. the "public" address -- even if that "public" address is local network specific). Also, if you changed the SCGI "address" or "port" in the "TurboFloatServer-config.xml" file you'll also need to change the "scgi_pass" directive to use the address and port you changed them to.
Test and fix access to the floating license server over HTTPS
After configuring the floating license server, then configuring the HTTPS server, start both of them up. If either one fails to start, read the error log and fix whatever problems are described. Once both are successfully started, you're ready to test if the floating license server is accessible via HTTPS. You can do this by opening a browser on your computer and typing the host address you've configured in your HTTPS server configuration.
So, in this example, "yourhostaddress" is the address that the HTTPS server is accessible from. Type, "https://yourhostaddress" into your browser, and if you've configured everything correctly (and both the floating license server and your HTTPS server are running) then this page should show:
If you see a certificate error page, then make sure you're using SSL certificates signed by a Certificate Authority. There are multiple options available, such as the free Let's Encrypt certificate authority.