Shared Web Server
The Shared Web Server panel appears on the Runtime Management page (Manage > Runtime Management). Use this panel to configure the selected Runtime’s web server settings for web service publishing.
-
You must have the Runtime Management privilege to perform actions on the Shared Web Server panel. If you have the Runtime Management Read Access privilege, you can view existing settings, but you cannot make any modifications.
-
The number of tabs that you see and the settings on the tabs vary, depending on whether the account that you are using owns the Runtime, Runtime cluster, or runtime cloud that you selected and the features enabled in the account.
Changes to the web server configuration specified on the General tab are saved for the most part in the <installation_directory>/conf/container.properties file. Notable exceptions are account authentication and web service user authentication properties, which are saved in the <installation_directory>/conf/http-auth.properties file.
A "Plugin Restart" message appears when Cloud owners save configuration changes on the Shared Web Server panel. Restarting the plugin saves changes to configuration settings, but may cause Shared Web Server downtime for users. Owners may choose to cancel the restart if they do not want to cause downtime for users, or if they want to restart the plugin at a later time.
General
The General tab enables you to set account-level settings and override several default values.
| Setting | Options | Details |
|---|---|---|
| Base URL for API Requests | - | Constructed based on hostname, external hostname, and port/SSL port settings. |
| API Type | Basic | User management disabled. No Client Certificates/Custom Authentication. No API Service/Proxy components. Default for new accounts with Services Enablement feature. |
| Intermediate | User management enabled at process level. No API Service/Proxy components. Available only for accounts with Services Enablement feature enabled before June 2014. | |
| Advanced | API Service/Proxy components enabled. User management at API Service component level. Default for new accounts with API Management feature. Changing from Intermediate/Advanced with filters in User Management prompts a confirmation; clicking OK deletes the filters. | |
| Authentication Type | The authentication type that the account uses when communicating with the Runtime, Runtime cluster, or runtime cloud. For Runtimes and Runtime clusters, the authentication type selected here is used by all ports added to this web services server. The authentication type options are None, Basic, Client Certificate Header, Client Certificate, Custom, External Provider, and Gateway. For Clouds, each port that is added can use the None, Basic, Client Certificate, or External Provider authentication types. The Cloud owner’s account can then select any one of the authentication types used by its ports as the Cloud’s authentication type. Cloud accounts see only the authentication type(s) that the Cloud owner makes available to them. All web service users in the account must use the same authentication type. | |
| None | No sign-in required. Users can still be added for identifying service calls or appending instance ID in Cloud environments. When Authentication Type is set to None, Users can still be added on the User Management tab and are used in the following scenarios: 1. For Runtimes and Runtime clusters, the Username identifies who is making the service call. In this scenario, passwords are ignored. 2. For runtime clouds, one or more Users must be set on the User Management tab. The Username appends the instance ID so that the account being called is identified. Plus, it identifies who is making the service call. | |
| Basic | Basic Authentication required. If API Type is Basic, a token generation button appears. No client certificates or custom authentication allowed. | |
| Client Certificate Header | Client certificate included in HTTP/HTTPS headers. Available only if API Type is Intermediate or Advanced. | |
| Client Certificate | Client certificate required for authentication. Available only if API Type is Intermediate or Advanced. Certificates must be unique on Shared Web Server. | |
| Custom | Uses JAAS LoginModule. Available only for Runtimes and Runtime clusters with API Management feature. Available only with Intermediate or Advanced API Types. | |
| External Provider | External identity provider used. Available only if API Type is Advanced and you have functionality. Available on Runtimes, Runtime clusters, and local runtime clouds. Cannot be set on Runtimes or Runtime clusters attached to runtime cloud. | |
| Gateway | Uses a validation token validated by Runtime, Runtime cluster, or Cloud. Available only if API Type is Advanced and you have functionality. Same platform limitations as External Provider. |
Listening Port Configuration
The settings under Listening Port Configuration on the General tab are specific to the server environment. In runtime cloud configurations, these settings are present only for the account that owns the runtime cloud.
You can have only one API Gateway authentication port configured. If you configure more than one port or already have multiple ports configured and you update any settings in the Shared Web Server panel, you will be prompted to delete or disable any additional port configurations.
Internal Port and External Port are independent from Internal Host and External Host.
If you want to use the default value for the External Port, type in the default Port number for it to be used. The default Port is not displayed in the Base URL for API Requests field, because the standard is to not include the default Port number in the URL.
| Setting | Details |
|---|---|
| Default | Default listening port. Also used for accessing Swagger in a deployed API. |
| Port | The port number of the external port that routes to the shared web server listener. |
| SSL | If selected, the port is an SSL (HTTPS) port. Default SSL port is 9093. |
| Authentication Type | Port authentication type matches account authentication type. Cannot be changed individually per port. |
| External SSL | If selected, the external port is an SSL (HTTPS) port. External SSL ports can be redirected to an internal non-SSL port. |
| Base URL for API Requests | Constructed based on External Host and optionally the External Port. |
| Authentication Type: Client Certificate | When set, the SSL Certificate field appears. Select the correct Certificate component for the client. |
| Authentication Type: Client Certificate Header | When set, the Client Certificate Header Name field appears. Add the name of the header where the certificate resides. |
Advanced Settings
The settings under Advanced Settings on the General tab are for advanced web service users and may not need to be configured in a majority of cases. In runtime cloud configurations, this section is present only for the account that owns the runtime cloud.
| Setting | Details |
|---|---|
| Internal Host | For multi-homed boxes, an IP address can be used for binding to a specific interface. Important: Internal Host and External Host are independent from Internal Port and External Port. To use the default value for External Port, manually type the default Port number. Default ports are not displayed in the Base URL for API Requests because standards omit them. |
| Examine Forwarded Headers | Embedded Java tech can examine forwarded headers and extract external host info for response/callback. Selecting this option substitutes the load balancer’s hostname for the node’s hostname in requests. Important: Necessary for secure (https) Swagger Visualization Portal URLs. When enabled, external host, port, and protocol info are extracted from proxy request headers. Required Proxy Headers:
If the proxy is configured to forward the host name in a different header than X-Forward-Host, you can configure the custom property com.boomi.container.sharedServer.http.forwardedProtoHeader on your Runtime. For instance, if you configure the proxy to forward the host name in the X-Destination-Host header, set the com.boomi.container.sharedServer.http.forwardedProtoHeader on your Runtime to X-Destination-Host. Your Runtime will check the request for the X-Destination-Host header and extract the host name information from it. |
| External Host | External hostname or IP for the listener. Important: Internal Host and External Host are independent from Internal Port and External Port. To use the default value for External Port, manually type the default Port number. Default ports are not shown in the Base URL for API Requests field as the standard is to not include the default Port number in the URL. |
| Override Base URL | If behind a load balancer/firewall, enter the load balancer or firewall URL. Used for display in API URLs and documentation; does not affect Runtime connectivity. |
| Maximum Number of Threads | Maximum number of handler threads that the listen process spawns. Other requests are queued. Default: 250. |
Protected Headers
The values of protected headers in web service requests are not passed as dynamic document properties to the shared web server listener process execution.
Use default
If selected (the default), the Header Name list is updated to contain only the following header names. Editing of the list is disabled.
| General Headers | Request Headers | Non-standard Headers |
|---|---|---|
Connection | Host | Proxy-Connection |
Upgrade | Proxy-Authorization | x-Forwarded-For |
Via | X-Forwarded-Proto |
Define custom headers
The Header Name list is editable.
Defining custom headers does not remove the names of the default protected headers from the list. You must manually delete those headers.
-
Each list entry has a field in which the name of a header is specified — either a standard HTTP header or a custom header.
-
Standard HTTP header field names are case-sensitive. Header names can contain alphanumeric characters and special characters !#$%&'*+.^`~-_.
-
Custom header field names must have the prefix
X-WSS-. Custom header fields are case-sensitive. -
Clicking Close next to a header name removes that header name from the list.
Only the values of the following special standard HTTP headers are eligible to be passed to the shared web server listener process execution:
| Request Headers | Entity Headers |
|---|---|
Accept | Content-Encoding- the compression method applied to the data |
Accept-Charset | Content-Language |
Accept-Encoding | Content-MD5 |
Accept-Language | Content-Type - the MIME type of any input data, if given |
So there is no need to specify any other standard HTTP headers as protected.
User Management
The User Management tab’s settings apply directly to the account's relationship, or the web service user in an account’s relationship, to the Runtime, Runtime cluster or runtime cloud in question. This tab is present only if API Type is set to Intermediate or Advanced on the General tab.
On this tab the owner of the Runtime, Runtime cluster or runtime cloud can add and delete web service users. The owner can view and generate a user’s authentication token, select their client certificate, or enter their external user name. The owner can view and edit the IP filtering rules for a user, and view and edit the list of processes that should be accessible to each user.
| Setting | Details |
|---|---|
| Enable Internal Roles | Available only if API Type is set to Advanced. If you select this check box, the Internal Roles Management tab appears. |
| Users | List of web service users with access to the account and the Runtime, Runtime cluster or runtime cloud on which it resides. The first user in the list is always the account, which cannot be deleted. It is identified by its account ID. If the selected Runtime is attached to a runtime cloud, this field displays the Instance ID, which is the account ID followed by a period and a suffix. Any user of a runtime cloud can add web service users to this list. Use the icons at the top of the list to add or delete web service users. When you select a web service user, the user name, authentication, IP filtering rules, and processes to which the user has access appear on the right side of the panel. |
| Username | Used to enter the user name of the web service user. You cannot enter spaces or special characters in this field and it cannot be blank. The user name must be unique to the account and the Runtime, Runtime cluster, or runtime cloud. An @ symbol and the account ID are appended to the user name that you enter, in the format usernname@accountID. The account ID cannot be edited. The user name is not equivalent to a user name or email address. |
| Use IP Filtering | Used to enable IP filtering. If you select this check box but do not specify any IP filters, all IP addresses are blocked for the user. If you specify filters, only IP addresses matching those patterns are allowed. |
| Use API Filtering | Used to grant access to processes linked to certain API Service components that are deployed to the selected Runtime or environment. The user will be able to invoke web service calls only for processes linked to API Service components to which they have access. This section is present only if API Type is set to Advanced. |
| Use Process Filtering | Used to grant access to certain web service listener processes that are deployed to the selected Runtime or environment. The user will be able to invoke web service calls only for processes to which they have access. This section is present only if API Type is set to Intermediate. |
Internal Roles Management
The Internal Roles Management tab allows a administrator to associate specific users to each internal role. Internal Roles are defined in on the Authentication > Internal page.
This tab is present only if API Type is set to Advanced on the General tab and the check box Enable Internal Roles is selected on the User Management tab.
Internal Role
List of internal roles that exist on the Runtime, Runtime cluster, or runtime cloud on which it resides.
CORS Configuration
The CORS Configuration tab is used to define rules for the handling of incoming CORS requests. This tab is present only if API Type is set to Advanced.
| Setting | Details |
|---|---|
| Origins | Lists the origin domains from which the web server allows requests in the order in which the web server applies matching. You should order origins from most specific to least specific. You can reorder origins by dragging their reorder icons. \ denotes any domain and, if specified, should be last in the list. |
| Ports | Expands or collapses the controls used to specify ports from which the web server allows requests from the selected origin. If the list is not populated, the web server allows requests from the default ports — 80 for HTTP and 443 for HTTPS. |
| Allowed Methods | Expands or collapses the controls used to specify allowed methods in requests from the selected origin. |
| Allowed Request Headers | Expands or collapses the controls used to specify allowed headers, in addition to the defaults, in requests from the selected origin. |
| Exposed Response Headers | Expands or collapses the controls used to specify headers, in addition to the defaults, included in the web server’s responses to requests from the selected origin. |
