How to enable HTTPS for the MD Core UI only while the REST API stays on HTTP?
These guidelines are supported starting from MetaDefender Core version 4.19.0 and above.
In some cases, the client application runs on the same machine as MD Core. In such cases, traffic never leaves the system, but there is still unnecessary processing overhead from TLS connection negotiation. To optimize performance, you can configure Nginx on MD Core to open an additional HTTP port, such as port 8007, for this internal communication.
How to configure
- Create a .conf file
If it doesn’t already exist, create the built-in folder:
- On Windows, under <Installation Directory>\nginx\built-in\
- On Linux, under /etc/ometascan/nginx.d/built-in/
Place a .conf file in the above directory. Below is a sample .conf file to open port 8007 and restrict certain REST endpoints to that port only:
# Open the additional plain-HTTP port for clients on the same host
listen 8007;
listen [::]:8007;

# The UI entry point is not served on this port
location ~ "^/index.html" {
    return 404;
}

# For each REST endpoint below, only the listed request methods are accepted;
# any other method gets 404 instead of reaching the resource handler
location ~ "^/(file|process)$" {
    if ( $request_method !~ ^(POST)$ ) {
        return 404;
    }
    more_set_headers 'Cache-Control: no-cache';
    content_by_lua_file resource/resourcehandler.raw;
}
location ~ "^/(file|process)/([0-9a-f]{32})$" {
    if ( $request_method !~ ^(GET)$ ) {
        return 404;
    }
    more_set_headers 'Cache-Control: no-cache';
    content_by_lua_file resource/resourcehandler.raw;
}
location ~ "^/(file|process)/([0-9a-f]{32})/cancel$" {
    if ( $request_method !~ ^(POST)$ ) {
        return 404;
    }
    more_set_headers 'Cache-Control: no-cache';
    content_by_lua_file resource/resourcehandler.raw;
}
location ~ "^/(file|process)/converted/([0-9a-f]{32})$" {
    if ( $request_method !~ ^(HEAD|GET)$ ) {
        return 404;
    }
    more_set_headers 'Cache-Control: no-cache';
    content_by_lua_file resource/resourcehandler.raw;
}
location ~ "^/(file|process)/processed/([0-9a-f]{32})$" {
    if ( $request_method !~ ^(HEAD|GET)$ ) {
        return 404;
    }
    more_set_headers 'Cache-Control: no-cache';
    content_by_lua_file resource/resourcehandler.raw;
}
location ~ "^/admin/batch/closeall$" {
    if ( $request_method !~ ^(POST)$ ) {
        return 404;
    }
    more_set_headers 'Cache-Control: no-cache';
    content_by_lua_file resource/resourcehandler.raw;
}
location ~ "^/file/batch$" {
    if ( $request_method !~ ^(POST)$ ) {
        return 404;
    }
    more_set_headers 'Cache-Control: no-cache';
    content_by_lua_file resource/resourcehandler.raw;
}
location ~ "^/file/batch/([0-9a-f]{32})$" {
    if ( $request_method !~ ^(GET)$ ) {
        return 404;
    }
    more_set_headers 'Cache-Control: no-cache';
    content_by_lua_file resource/resourcehandler.raw;
}
location ~ "^/file/batch/([0-9a-f]{32})/cancel$" {
    if ( $request_method !~ ^(POST)$ ) {
        return 404;
    }
    more_set_headers 'Cache-Control: no-cache';
    content_by_lua_file resource/resourcehandler.raw;
}
location ~ "^/file/batch/([0-9a-f]{32})/certificate$" {
    if ( $request_method !~ ^(GET)$ ) {
        return 404;
    }
    more_set_headers 'Cache-Control: no-cache';
    content_by_lua_file resource/resourcehandler.raw;
}
location ~ "^/file/batch/([0-9a-f]{32})/close$" {
    if ( $request_method !~ ^(POST)$ ) {
        return 404;
    }
    more_set_headers 'Cache-Control: no-cache';
    content_by_lua_file resource/resourcehandler.raw;
}
location ~ "^/file/batch/([0-9a-f]{32})/close/callback$" {
    if ( $request_method !~ ^(POST)$ ) {
        return 404;
    }
    more_set_headers 'Cache-Control: no-cache';
    content_by_lua_file resource/resourcehandler.raw;
}
- Restart the “OPSWAT MetaDefender Core” service
To enable HTTPS on the Web UI, see Enabling HTTPS - MetaDefender Core.
After configuration:
- Port 8008 remains the default for HTTPS and UI access.
- Port 8007 is available only for file submission via the REST API.
- If someone tries to access the UI through port 8007, a 404 Not Found response will be returned.
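To confirm the restrictions took effect, the following added script (not part of MetaDefender Core or this article) models the method-per-endpoint policy of the sample .conf above and probes a live listener, assumed to be reachable at http://127.0.0.1:8007, for the requests the .conf must reject with 404. Responses for allowed requests depend on the Core backend (API key, data_id, etc.), so only the 404 rejections are checked.

```python
import re
import urllib.request
import urllib.error

# Policy taken from the sample .conf: (nginx location regex, allowed methods).
# None means the location returns 404 unconditionally. Order matters because
# nginx uses the first "location ~" regex that matches the request URI.
POLICY = [
    (r"^/index.html", None),
    (r"^/(file|process)$", {"POST"}),
    (r"^/(file|process)/([0-9a-f]{32})$", {"GET"}),
    (r"^/(file|process)/([0-9a-f]{32})/cancel$", {"POST"}),
    (r"^/(file|process)/converted/([0-9a-f]{32})$", {"HEAD", "GET"}),
    (r"^/(file|process)/processed/([0-9a-f]{32})$", {"HEAD", "GET"}),
    (r"^/admin/batch/closeall$", {"POST"}),
    (r"^/file/batch$", {"POST"}),
    (r"^/file/batch/([0-9a-f]{32})$", {"GET"}),
    (r"^/file/batch/([0-9a-f]{32})/cancel$", {"POST"}),
    (r"^/file/batch/([0-9a-f]{32})/certificate$", {"GET"}),
    (r"^/file/batch/([0-9a-f]{32})/close$", {"POST"}),
    (r"^/file/batch/([0-9a-f]{32})/close/callback$", {"POST"}),
]

def expected(method, path):
    """404 if the .conf rejects the request, "handler" if it reaches
    resourcehandler.raw, None if no location in the .conf matches."""
    for pattern, allowed in POLICY:
        if re.match(pattern, path):
            if allowed is None or method not in allowed:
                return 404
            return "handler"
    return None

def probe(base_url, method, path):
    """Send one request to the live listener and return its HTTP status code."""
    req = urllib.request.Request(base_url + path, method=method)
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code

def verify(base_url="http://127.0.0.1:8007"):
    """Return (method, path, status) for requests that should be 404 but are not."""
    fake_id = "0" * 32  # constructed data_id, only used to match the regexes
    cases = [("GET", "/index.html"), ("GET", "/file"), ("DELETE", "/process"),
             ("PUT", "/file/" + fake_id), ("GET", "/admin/batch/closeall"),
             ("GET", "/file/batch/" + fake_id + "/close/callback")]
    return [(m, p, probe(base_url, m, p)) for m, p in cases
            if expected(m, p) == 404 and probe(base_url, m, p) != 404]
```

An empty list from verify() means every request the .conf should block on port 8007 was answered with 404.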
Currently, it is not possible to restrict port 8008 to Core UI access only, so users can still submit files through port 8008. This is because the default Nginx configuration is auto-generated by the Core backend at runtime, and customizing this behavior is not supported at this time.
For additional details about Nginx configuration, see Nginx configurations - MetaDefender Core.
If further assistance is required, please log a support case or chat with our support engineer.