Search Appliance


Thunderstone Search Appliance Manual

Require HTTPS for Proxy Admin


Set this option to Y so that proxy-forwarded access to the admin interface is only permitted via HTTPS and not HTTP. Forwarded connections are those hop(s) in the connection chain that are forwarded from the client to a proxy (that then accesses the Search Appliance directly); for control of direct connections to the Search Appliance admin (or the direct last-hop from a proxy to the Search Appliance), see Require HTTPS for Direct Admin.

Forwarded connections are checked by examining the X-Forward-Proto header value of connections to the admin interface: if all tokens are https, the forwarded connection is considered secure/HTTPS, otherwise insecure/HTTP. If no X-Forwarded-Proto header is present, the connection is not considered forwarded and this setting does not apply. Note that for this setting to be effective, the network must be secured such that all devices with direct access to the Search Appliance can be trusted to set (or clear) the X-Forwarded-Proto header properly, as the header is easily forged.

For safety, Require HTTPS for Proxy Admin cannot be enabled if you're currently accessing the Search Appliance via an insecure proxies.

If you have set this option Y and accidentally configure it such that you can not access the Search Appliance, you can re-enable HTTP admin by going to the physical console of the Search Appliance and selecting the drop Admin restrictions (HTTPS,IP,Cipher requirements) option.

Copyright © Thunderstone Software     Last updated: Dec 5 2019