Hi there “Process Automation” fans,

Welcome to a new installment of “Process Automation” tips.

For this post we’ll dive again into the reverse proxy setting (via NGINX) to harden our VMs for the bad outside world. We did it before purely for the OPA platform, but as we gain knowledge for xECM, we want to extend the NGINX configuration also to this platform. AND our previous attempt has a weird timeout-smell that we also want to solve!

Let’s get right into it…

The “what?” and “why?” are already explained in the introduction, but I was simply curious what other advantages ChatGPT would suggest using a reverse proxy:

A reverse proxy sits in front of your apps and decides how traffic enters, where it goes, and under what rules with these benefits:

1. One clean URL instead of port chaos; cleaner URLs, easier user access, easier docs, and easier future changes.
2. TLS / HTTPS once, not everywhere; you have one single HTTP endpoint, backends stay HTTP. Certificate live in NGINX, renew once, and rotate once.
3. Protection before traffic hits your app; NGINX blocks bad traffic before it reaches Tomcat. Request limits, IP blocking, method filtering, and header sanity checks. TomEE isn’t a firewall; NGINX is!
4. Timeouts and buffering control; NGINX lets you tune long-running requests, streaming, buffering, and idle connections
5. Hide and swap backends freely; Users don’t notice. Bookmarks don’t break.
6. Observability & debugging; Central access logs, request timing, and upstream failures.
7. Performance; Even on a simple VM, NGINX is great at static files, connection handling, and keep-alive reusability. Especially over multi-UIs like OPA, OTDS, xECM, multi-tomcats, etc.

The “timeout-smell” in the introduction is about this error (which you get after some time of inactivity)

Interesting, but solvable with the steps in this post including the xECM URLs for convenient non-ports reserve proxy browsing eXperience over multiple UIs (OPA over TomEE and xECM over Tomcat).

…

It’s time to open the NGINX configuration file: sudo vi /etc/nginx/nginx.conf

Update it smartly based on whatever you have currently for this content. Compared with the previous NGINX post it’s more about location mappings, timeout settings, content upload size, and a better ‘Forward-For’ value:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62

worker_processes  1;

events {
    worker_connections  1024;
}

http {
    server {
        # Overall settings
        listen 80;
        server_name opa.mydomain.com;
        client_max_body_size 50m; #CAP-file upload!

        # Forwarding options
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # NOT $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme; # For HTTPS
        
        # Important: upstream connections
        proxy_http_version 1.1; 
        proxy_set_header Connection "";
        
        # Timeouts: prevent "drops after some time"
        proxy_connect_timeout 30s;
        proxy_send_timeout 300s;
        proxy_read_timeout 300s;
        send_timeout 300s;

        # Location mappings
        location /home/system {
          proxy_pass http://127.0.0.1:8080;
        } # end location
        location /home/opa_tips {
          proxy_pass http://127.0.0.1:8080;
        } # end location
        location /cordys {
          proxy_pass http://127.0.0.1:8080;
        } # end location
        location /otdsws/login {
          proxy_pass http://127.0.0.1:8181;
        } # end location
        location /otdsws {
          proxy_pass http://127.0.0.1:8181;
        } # end location
        location /otds-admin {
          proxy_pass http://127.0.0.1:8181;
        } # end location
        location /livelinksupport {
          proxy_pass http://127.0.0.1:8282;
        } # end location
        location /livelink {
          proxy_pass http://127.0.0.1:8282;
        } # end location
        location /cws {
          proxy_pass http://127.0.0.1:8282;
        } # end location
        location /otsapxecm {
          proxy_pass http://127.0.0.1:8282;
        } # end location
    } # end server
} # end http

Save it all, validate with sudo nginx -t and restart NGINX with sudo systemctl restart nginx.

…

After this config change, we’ll also do an update in these locations:

1. Update OTDS URL in xECM
2. Set timeout in xECM (because we can!)
3. Update OTDS URL in OPA
4. Update DocStore service container URLs
5. Restart with clean cache

Update OTDS URL in xECM

For these settings it better to use the administrator login via http://opa.mydomain.com/livelink/cs?func=admin.adminuserlogin and provide the credentials (mine is admin:admin).
Dive into the administration section of xECM (from the menubar) and open section “Configure Integration Settings” (?func=otdsintegration.settings) to update this value:

Set timeout in xECM

In that same administration section of xECM, you can also search for “Security Parameters” (?func=admin.securityvars). Open it, and update the authentication timeout settings (I’m on DEV; Set it wisely!):

Update OTDS URL in OPA

Now move to OPA designtime, open the ‘Security Administration’ artifact, and update the public OTDS login URL:

Update DocStore service container URLs

Next is the ‘docstore’ type of service container in our organization. Get the properties, and update the URLs:

Restart with clean cache

After all these changes, it’s best to restart it all. I just reboot my VM, grab a cup of coffee, and monitor when all services are up and running again which eventually will be a party! 🥳

With all these changes in place, we now have a better experience across the two UIs; solidly and safely over a reverse proxy in NGINX; how nice!

Greatly “DONE” where we’re hardening our VM further over a reverse proxy server with NGINX. Give it a shot yourself on your VM/server and eXperience the impact of such server. I see all the benefits already and my VMs will not run without anymore. Have a great weekend, and we jump into a new topic next week at “OpenText Process Automation Tips”.

Don’t forget to subscribe to get updates on the activities happening on this site. Have you noticed the quiz where you find out if you are also “The Process Automation guy”?