Version: 2025.3.1

Reverse Proxy

Proxy and Reverse-Proxies configuration

inPoint.Web and inPoint.Identity can run behind a reverse proxy, for example in DMZ scenarios.

Forwarding Proxy headers

inPoint.Web.Server and inPoint.Web.Identity have been tested with nginx configured as a reverse-proxy (e.g. to hide servers when exposed to the internet or for load-balancing).

Proxies generally set some extra HTTP headers (X-Forwarded-For and X-Forwarded-Proto at the least) so that the web server knows the real host and remote IP address rather than the local address of the proxy. Your specific implementation might need extra configuration.

In order to correctly enable such scenarios you must let both inPoint.Web.Server and inPoint.Web.Identity know that they are running behind a proxy by setting the "useProxy" value to true (in the Host section).

If the proxy is set up on a different physical machine than inPoint.Web, the "proxyIPs" setting must also be configured explicitly (otherwise the Verbose logs will show errors like "Unknown proxy xx.xx.xx.xx").
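Why a trusted-proxy list such as "proxyIPs" matters, as an added Python sketch (not inPoint code): it models a backend that honours X-Forwarded-For only when the connecting peer is a listed proxy. The function name, the right-to-left walk and all sample addresses are assumptions made for illustration.

```python
import ipaddress

def resolve_client_ip(peer_ip, x_forwarded_for, proxy_ips, use_proxy=True):
    """Return (client_ip, note) for one request (illustrative model).

    peer_ip          -- address of the TCP peer that connected to the backend
    x_forwarded_for  -- raw X-Forwarded-For header value, or None
    proxy_ips        -- trusted proxy addresses (the role "proxyIPs" plays)
    """
    trusted = {ipaddress.ip_address(p) for p in proxy_ips}
    current = ipaddress.ip_address(peer_ip)
    if not use_proxy or not x_forwarded_for:
        return str(current), "forwarded headers not used"
    if current not in trusted:
        # Headers from an unlisted peer are ignored: trusting them would let
        # any client choose the address that ends up in logs and IP checks.
        return str(current), f"Unknown proxy {current}"
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    # Walk right to left: the rightmost entry was appended by the nearest proxy.
    while hops and current in trusted:
        candidate = hops.pop()
        try:
            current = ipaddress.ip_address(candidate)
        except ValueError:
            return str(current), f"malformed entry {candidate!r}; stopped"
    return str(current), "resolved from X-Forwarded-For"

if __name__ == "__main__":
    PROXY = "10.0.0.5"  # constructed stand-in for <IP address of open.server>
    samples = [         # constructed (peer, X-Forwarded-For) pairs
        (PROXY, "203.0.113.7"),               # normal request via the proxy
        (PROXY, "198.51.100.9, 203.0.113.7"), # client pre-set its own header
        ("10.0.0.99", "203.0.113.7"),         # peer missing from the list
    ]
    for peer, xff in samples:
        print(peer, "|", xff, "->", resolve_client_ip(peer, xff, [PROXY]))
```

In the second sample the value the client supplied is discarded, because only the entry appended by the listed proxy is trusted.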

Example nginx reverse-proxy setup

Here is a working, tested setup that provides all required configuration.

Server landscape

For this example let's say that:

We want inPoint.Web.Identity running from a custom relative path:

https://hidden.server:5000/identity

We want inPoint.Web.Server running from the same server but a different port and relative path:

https://hidden.server:6000/web

We want nginx running from a different server (from which we will be serving inPoint.Web):

https://open.server/web

inPoint Server web.config

You'll need to update:

C:\Program Files (x86)\H&S Heilig und Schubert Software AG\Pam.Storage\Web\web.config

Under the "pamSettings" section:

<add key="identityAuthority" value="https://open.server/identity" />

inPoint.Web.Identity configuration

"Authentication": {
    "authority": "https://open.server/identity",
    "redirectUrl": "https://open.server/web/callback",
    "logoutRedirectUrl": "https://open.server/identity/loggedout"
},
"Identity": {
    "useProxy": true,
    "proxyIPs": [ "<IP address of open.server>" ],
    "basename": "/identity"
}

inPoint.Web.Server configuration

"Authentication": {
    "authority": "https://open.server/identity",
    "redirectUrl": "https://open.server/web/callback",
    "logoutRedirectUrl": "https://open.server/identity/loggedout"
},
"Web": {
    "useProxy": true,
    "proxyIPs": [ "<IP address of open.server>" ],
    "basename": "/web"
}

nginx configuration (minimal)

events {
    worker_connections 1024;
}

http {
    gzip on;
    proxy_cache_path /etc/nginx/cache levels=1 keys_zone=STATIC:10m inactive=24h max_size=1g;

    # $connection_upgrade is not a built-in nginx variable; it must be defined
    # here for the SignalR/WebSockets location below.
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      keep-alive;
    }

    server {
        listen 443 ssl;
        server_name open.server;
        ssl_certificate full_certificate.crt;
        ssl_certificate_key cert-decrypted.key;

        # inPoint.Web.Identity
        location /identity/ {
            proxy_pass https://hidden.server:5000/identity/;
            proxy_http_version 1.1;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        # inPoint.Web.Server
        location /web/ {
            proxy_pass https://hidden.server:6000/web/;
            proxy_http_version 1.1;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Host $host;
            proxy_cache STATIC;
            proxy_cache_valid 200 1d;
            proxy_cache_use_stale error timeout invalid_header updating http_500 http_502 http_503 http_504;
        }

        # SignalR/Websockets
        location /web/notifications/ {
            proxy_pass https://hidden.server:6000/web/notifications/;
            proxy_http_version 1.1;
            # Forward the WebSocket upgrade handshake to the backend
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $http_host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Ssl on;
            proxy_set_header X-Forwarded-Proto https;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_cache_bypass $http_upgrade;
        }
    }
}

Test

With the above configuration you will be able to access inPoint.Web by simply using:

https://open.server/web

Internally, nginx will take care of forwarding all the required requests without ever showing those details to the user (i.e. the client browser will only show https://open.server/web and never the internal server names).

Troubleshooting

  • Make sure all the correct server names are configured
  • Enable Verbose logging as specified in the Troubleshooting chapter