How do I force local communication within the application?
A little background. There are two main components to the application: the .NET workflow engine, and the node.js server. They communicate with each other all the time. If you are running Integrify behind a load balancer, have a corporate proxy, or just want to tweak for best performance, you may want to force the communication between these two pieces local.
Case 1: The Easy way (works for both SSL enabled and non-SSL enabled sites in all situations)
This is a very easy task. All that you need to do to force local communication between the server and service is add a windows host file entry on each application server node for the url of your Integrify site. You will need to perform these actions from your Integrify application server’s desktop.
-
Open C:\Windows\System32\drivers\etc\hosts as an Administrator in your favorite text editor
-
Add an entry to the bottom of the file similar to below using the url you use to access your Integrify site:
127.0.0.1 integrify.example.com
-
The change takes effect immediately after saving the file.
-
Do this on each node if you are load balancing
Case 2: The Elaborate way (SSL site with cert offloading)
This method is more involved and has a few environmental requirements in order to be used. You must be willing able to implement all of the following to use this method:
-
The SSL certificate will be hosted and terminated at the load balancer or proxy.
-
The traffic between the proxy/balancer and the application nodes will be unencrypted
-
The traffic between the Integrify node.js and .NET services will be unencrypted an localized.
The main benefit over “The Easy way” is that by configuring your environment this way, you eliminate encryption overhead where it is not likely needed. This will have some performance benefits. We are going to assume you know your proxy server or load balancer and how to configure it so we will instruct at a high level for some of this document. Note that there will be some downtime involved when making these changes, so you may want to do this during off-hours. You will need to perform some actions from your Integrify application server’s desktop, so make sure you have access. To implement this method, make the following changes to your environment:
-
Move the hosting of your site’s SSL certificate to your load balancer/proxy server.
-
Configure the proxy/loadbalnacer to accept traffic on port 443 (https) and forward it to the application nodes using http on port 8080 (or other port of your choice - more on that later). You can also safely configure a port 80 pass-through over http as the client will be redirected to https (443) automatically.
-
The default state of Integrify configured using https at install creates an http redirect in the root of the site. This forces https in the off chance a client requests http, as is the case of a user just typing in the Integrify site url in their browser’s address bar without specifying the protocol. We need to move this redirect to its own site in IIS. So let’s create the directory structure for that. 1. Open Windows File Manager and browse to your integrify installation directory (c:\integrify is default) and add a directory names ‘redirect’ 2. In that directory, create a new file named ‘web.config’ and enter the following into it using your favorite text editor
3. Open the Internet Information Services (IIS) Manager application 4. Add a new binding to your Integrify site in IIS defined with a wildcard on port 8080. _If you are already utilizing that port, pick another one, but this doc will assume 8080 was used._ 5. Remove the port 80 bindings from your Integrify site. 6. Add a new site and assign the root as the directory you created above in 1.1 (C:\integrify\redirect would be the default) 7. Depending on your needs and whether you have other sites on your Integrify application server, you might need to change the bindings of the site to specify your Integrify url on port 80. Otherwise, the wildcard binding on port 80 binding is fine. 8. You may want to restart/reset IIS at this point for the binding to take effect if you received any messages about bindings already existing. 9. Next, we need to make changes to your Integrify configuration, so run the OnPremise Manager from the start menu: <https://help7.integrify.com/hc/en-us/articles/115009292287-Running-the-Integrify-OnPremise-Manager> 10. Once in the OPM, select your application from the first drop-down , then 'Advanced Configuration' from the second drop-down and click 'Run'. 11. Edit the "webserver-web-config" file by clicking the edit icon (pencil) next to it. Find the line <rule name="REDIRECT" stopProcessing="true" enabled="true">
(@line 12) in the file, change it to the following, and click “Save”:
<rule name="REDIRECT" stopProcessing="true" enabled="false">
-
Next, we will force local communication to be unencrypted: 1. Let’s force node.js components to communicate with the .NET engine unencrypted. Edit the “server-config” file by clicking the edit icon (pencil) next to it. Under the “service_root” line (@line 4) in the file, add the following line and click “Save”:
"local_service_root": "http://127.0.0.1:8080/service",
2. Let's force the .NET service to communicate with the node.js components unencrypted. Edit the "app-settings" file by clicking the edit icon (pencil) next to it. Anywhere within the <appSettings> tags, add the following line and click "Save": <add key="local_node_root" value="http://127.0.0.1:8080"/> 3. We need to force .NET to run under httpTransport even though the app will believe it is running under https. Edit the server-config file by clicking the edit icon (pencil) next to it. Look for the line starting with "httpsTransport", on that line change the following and click "Save": "httpsTransport" to "httpTransport" 4. Finally, we need to tell the scheduler to communicate locally. Find the line that starts with "integrifyUrl:", change the url to "http://127.0.0.1:8080" and click "save".