SSL Termination
Starting from version 7, the Passwork frontend requires the mandatory use of HTTPS, so all standard installations and configurations include the appropriate settings. However, we understand that many infrastructures use SSL termination.

Please note! These settings are required in the following cases:

- SSL termination is mandatory in the infrastructure;
- a Passwork instance is used within a controlled zone.

Docker build Passwork

Example:

```nginx
server {
    listen 80;
    server_name _;

    root /server/www/public;
    index index.html;

    charset utf-8;
    client_max_body_size 100m;
    fastcgi_read_timeout 1800;

    location ~ ^/.well-known/acme-challenge/ {
        access_log /server/log/nginx/certbot.log;
        root /var/www/certbot;
    }

    location = /favicon.ico {
        access_log off; log_not_found off;
    }

    location = /robots.txt {
        access_log off; log_not_found off;
    }

    # Deny access to hidden files
    location ~ /\. {
        deny all;
    }

    location / {
        include /server/nginx/extra/security_headers.conf;
        include /server/nginx/extra/cors.conf;
        if ($request_method = 'OPTIONS') {
            return 204;
        }
        include /server/nginx/extra/csp.conf;
        try_files $uri /index.html;
    }

    location ~ ^/api(/|$) {
        include /server/nginx/extra/security_headers.conf;
        include /server/nginx/extra/cors.conf;
        if ($request_method = 'OPTIONS') {
            return 204;
        }
        fastcgi_pass phpfpm;
        fastcgi_param SCRIPT_FILENAME /server/www/public/index.php;
        # Tell the backend the request arrived over HTTPS on port 443
        fastcgi_param HTTPS on;
        fastcgi_param SERVER_PORT 443;
        fastcgi_param HTTP_X_FORWARDED_PROTO https;
        fastcgi_param HTTP_X_FORWARDED_PORT 443;
        include /etc/nginx/fastcgi_params;
    }

    location ~ \.(js|css|png|jpg|jpeg|gif|ico|woff|woff2|ttf|svg)$ {
        expires 6m;
        log_not_found off;
        access_log off;
        add_header Cache-Control "public, max-age=2592000";
    }

    location ~ ^/index\.php(/|$) {
        try_files $uri =404;
        fastcgi_pass phpfpm;
        fastcgi_index /index.php;
        include /etc/nginx/fastcgi_params;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        fastcgi_param DOCUMENT_ROOT $realpath_root;
        fastcgi_param PATH_INFO $fastcgi_path_info;
        fastcgi_param SCRIPT_FILENAME $realpath_root$fastcgi_script_name;
        # Same four values as in the /api location
        fastcgi_param HTTPS on;
        fastcgi_param SERVER_PORT 443;
        fastcgi_param HTTP_X_FORWARDED_PROTO https;
        fastcgi_param HTTP_X_FORWARDED_PORT 443;
        add_header Cache-Control "no-store, max-age=0" always;
    }
}
```

If you are using the standard Docker installation and ports 80 and 443 are used after termination, you need to do the following:

```shell
cd /<passwork>/ # go to the root location of a Docker build
cp ./conf/nginx/extra/flex.example ./conf/nginx/nginx.conf
docker compose down && docker compose up -d
```

- `listen 80` — nginx listens on port 80. If traffic is redirected to another port after termination, replace port 80 with the required one.
- `fastcgi_param HTTPS on;` — informs the backend that the connection is considered secure. This is important for correctly determining the request scheme when using SSO.
- `fastcgi_param SERVER_PORT 443;` — sets the expected port for a secure connection. If a non-standard SSL port is used for SSO, replace port 443 with the appropriate value.
- `fastcgi_param HTTP_X_FORWARDED_PROTO https;` — passes information that the original connection from the client was via HTTPS, even if SSL was terminated.
- `fastcgi_param HTTP_X_FORWARDED_PORT 443;` — similar to `HTTP_X_FORWARDED_PROTO`, informs the application that the client's original port was 443. If a non-standard SSL port is used for SSO, replace port 443 with the required value.

Manual installation Passwork (apache2\httpd)

Example:

```apache
<VirtualHost *:80>
    ServerName example.passwork.com
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/public

    <Directory /var/www/public>
        Options -Indexes +FollowSymLinks +MultiViews
        AllowOverride All
        Require all granted
    </Directory>

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <FilesMatch \.php$>
        SetHandler "proxy:unix:/run/php/php8.3-fpm.sock|fcgi://localhost/"
        # Tell the backend the request arrived over HTTPS on port 443
        ProxyFCGISetEnvIf "true" HTTPS on
        ProxyFCGISetEnvIf "true" SERVER_PORT 443
        ProxyFCGISetEnvIf "true" HTTP_X_FORWARDED_PROTO https
        ProxyFCGISetEnvIf "true" HTTP_X_FORWARDED_PORT 443
    </FilesMatch>
</VirtualHost>
```

- `ProxyFCGISetEnvIf "true" HTTPS on` — forcefully sets the environment variable `HTTPS=on` for every request through FastCGI. Used to simulate a secure connection when SSL is terminated at an external proxy.
- `ProxyFCGISetEnvIf "true" SERVER_PORT 443` — sets the expected port for a secure connection. If a non-standard port is used for SSL in SSO, replace port 443 with the required value.
- `ProxyFCGISetEnvIf "true" HTTP_X_FORWARDED_PROTO https` — adds the header `HTTP_X_FORWARDED_PROTO=https` to the FastCGI environment. This allows the Passwork backend to correctly detect the original client connection scheme through the proxy.
- `ProxyFCGISetEnvIf "true" HTTP_X_FORWARDED_PORT 443` — similar to `HTTP_X_FORWARDED_PROTO`, informs the application that the client's original port was 443. If a non-standard port is used for SSL in SSO, replace port 443 with the required value.
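A consistency check for the nginx settings described above, as an added example that is not part of the Passwork documentation: it finds every `location` that calls `fastcgi_pass` and reports any of the four parameters that is missing or disagrees with the public TLS port. The function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample: port changed to 8443 in some places only, one PROTO line lost.
SAMPLE = r"""
server {
    location ~ ^/api(/|$) {
        if ($request_method = 'OPTIONS') { return 204; }
        fastcgi_pass phpfpm;
        fastcgi_param HTTPS on;
        fastcgi_param SERVER_PORT 8443;
        fastcgi_param HTTP_X_FORWARDED_PROTO https;
        fastcgi_param HTTP_X_FORWARDED_PORT 443;  # not updated
    }
    location ~ ^/index\.php(/|$) {
        fastcgi_pass phpfpm;
        fastcgi_param HTTPS on;
        fastcgi_param SERVER_PORT 8443;
        fastcgi_param HTTP_X_FORWARDED_PORT 8443;
    }
    location / { try_files $uri /index.html; }
}
"""

def fastcgi_locations(conf):
    """Yield (matcher, body) for every location block that calls fastcgi_pass."""
    for m in re.finditer(r"\blocation\s+([^{]+?)\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:          # walk to the matching brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        body = conf[m.end():i - 1]
        if re.search(r"\bfastcgi_pass\s", body):
            yield m.group(1), body

def audit(conf, public_port="443"):
    """Return findings; an empty list means all FastCGI locations agree."""
    expected = {"HTTPS": "on", "SERVER_PORT": public_port,
                "HTTP_X_FORWARDED_PROTO": "https", "HTTP_X_FORWARDED_PORT": public_port}
    findings = []
    for name, body in fastcgi_locations(re.sub(r"#.*", "", conf)):
        params = {k: v.strip() for k, v in
                  re.findall(r"\bfastcgi_param\s+(\S+)\s+([^;]+);", body)}
        for key, want in expected.items():
            got = params.get(key)
            if got is None:
                findings.append(f"{name}: {key} missing")
            elif got != want:
                findings.append(f"{name}: {key} is {got}, expected {want}")
    return findings
```

Pass the externally visible TLS port as `public_port` when it is not 443, for example `audit(open("nginx.conf").read(), "8443")`.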