Public Facing HTTPS, but local HTTP, to Gateway

We have a public-facing gateway, with all traffic forced to https. That's not a problem, and I don't have any reason to change it.

However, the issue is when a developer is connected locally (via VPN, not using the Fully Qualified Domain Name, but rather an IP address) because, although we have a valid cert, when we try to select the 'Trust Certificate' button, it says 'Certificate Invalid'.

Although we can successfully open a Designer session using the FQDN, and we can see all the projects and files in the tree (views, styles, etc.), when we try to open any, we get a 'Not Accessible' error.

Is there a way we can either enable http access ONLY from the local network, or be able to trust the cert?

(Oh, and before you give me grief about showing our domain and IP addresses, they're not real... obviously. I've changed them for display.)

I've been able to do what you want by ensuring that "Force Secure Redirect" was disabled in the Ignition web server settings, and having our public-facing web proxy in front of it (e.g. nginx, AWS load balancer, whatever) enforce the HTTPS redirect there. Then, I had to tunnel or VPN into the network containing the gateway and I could still access it as http://10.10.10.10:8088 just fine.

Is the setup I described not possible with your network architecture?

Thanks @justin.brzozoski, I'll have to check, but I think it might be. That's what I wondered.

If you go that route, you will want to tell Ignition to trust the forwarded-for headers from nginx (or other proxy).

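
A sketch of the proxy side of the setup described in the replies above, as an added example that is not from the thread's participants or from Ignition's own documentation: nginx enforces the HTTPS redirect and sets the forwarded headers itself. The hostname `gateway.example.com` and the certificate paths are placeholders; `10.10.10.10:8088` is the internal address quoted in the thread.

```nginx
# Added example: public edge proxy in front of the gateway.
# Placeholders (assumptions): gateway.example.com, certificate paths.
# 10.10.10.10:8088 is the internal HTTP address quoted in the thread.
# Intended to be included inside the http {} context (e.g. conf.d/*.conf).

# Pass WebSocket upgrades through only when the client asks for one.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Port 80: the proxy, not the gateway, enforces the HTTPS redirect.
server {
    listen 80;
    server_name gateway.example.com;
    return 301 https://$host$request_uri;
}

# Port 443: TLS terminates here; traffic to the gateway is plain HTTP.
server {
    listen 443 ssl;
    server_name gateway.example.com;

    ssl_certificate     /etc/nginx/tls/fullchain.pem;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/privkey.pem;     # placeholder path

    location / {
        proxy_pass http://10.10.10.10:8088;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host       $host;

        # Overwrite rather than append: the gateway is told to trust these
        # headers, so they must reflect what the proxy saw on the socket,
        # not whatever the client put in its own request.
        proxy_set_header X-Forwarded-For   $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Because the gateway trusts these headers, port 8088 should be reachable only from the proxy and the internal/VPN network; a client that can reach it directly from elsewhere could supply its own forwarded values.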