HTTPS proxy mode

If you deploy ActivityInfo behind a load balancer or reverse proxy that provides SSL termination, you must update ActivityInfo's configuration so that the ActivityInfo server knows that it should accept insecure requests via HTTP, while still presenting secure HTTPS URLs in notification emails and other user-facing materials.

HTTPS Proxy mode is supported in ActivityInfo Standalone Server, version 4.0.15 and later.

Updating config.ini

You can enable "HTTPS Proxy" mode by editing ActivityInfo's config.ini file. For example:

[Server]
Https Port=8080
Https Proxy=True

Using environment variables

You can also provide configuration values using environment variables.

This is particularly convenient for passing configuration to ActivityInfo running in a Docker container. The following Docker Compose file includes an "environment" section used to enable HTTPS Proxy mode:

version: "3"
networks:
  web:
    external: true

services:
  activityinfo:
    image: activityinfo/activityinfo:4.1.3
  
  volumes:
      - activityinfo:/data
    environment:
      - ACTIVITYINFO_SERVER_HTTPS_PROXY=TRUE
      - 
ACTIVITYINFO_SERVER_DOMAIN=activityinfo.example.gov
    networks:
      - web
volumes:
  activityinfo:

Ensure the X-Real-IP header is set

The ActivityInfo Standalone server implements rate limiting based on IP address for a number of endpoints, including the login page. If a single IP address makes too many failed login attempts, the ActivityInfo Standalone server will temporarily block that IP address from making any further attempts to log in for a few minutes. This is a defense against brute-force attacks and password spraying attacks.

To avoid blocking all users, it is important that the ActivityInfo standalone server can accurately identify the IP address of all requests, rather than just linking every request to the IP of the proxy server. When HTTPS Proxy mode is enabled, the ActivityInfo Standalone server relies on the conventional X-Real-IP HTTP header to provide this information. Make sure that your proxy server is correctly setting this header to avoid locking out all of your users!

Traefik forwards this header by default, and most Nginx configuration files will include it as well. An example Nginx configuration file:

server {
    server_name activityinfo.example.gov;

    location / {
      proxy_set_header        Host $host;
      proxy_set_header        X-Real-IP $remote_addr;

      proxy_pass              http://localhost:8080;
      proxy_redirect          http://localhost:8080 https://FQHOST;
    }
}
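
An added example, not part of the ActivityInfo documentation: a small Python check that flags Nginx blocks whose proxy_pass would reach ActivityInfo without X-Real-IP set to $remote_addr, including the case where a location's own proxy_set_header lines stop it inheriting the header from the server level. The function names and the sample configuration are constructed for illustration; include files are not followed and unquoted braces in regex locations are not handled.

```python
import re

# Tokens: '#' comments, quoted strings, braces and semicolons, bare words.
TOKEN = re.compile(r'#[^\n]*|"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')

def parse(text):
    """Parse nginx config text into nested (words, children) directives."""
    words, stack = [], [[]]
    for tok in TOKEN.findall(text):
        if tok in (";", "{"):
            kids = [] if tok == "{" else None   # None marks a simple directive
            stack[-1].append((words, kids))
            words = []
            if kids is not None:
                stack.append(kids)
        elif tok == "}":
            stack.pop()
        elif not tok.startswith("#"):
            words.append(tok.strip("\"'"))
    return stack[0]

def find_unsafe(directives, inherited=(), path=""):
    """Return blocks whose proxy_pass has no effective X-Real-IP $remote_addr."""
    own = [w[1:] for w, k in directives if k is None and w[:1] == ["proxy_set_header"]]
    # nginx inherits outer proxy_set_header lines only if this level sets none.
    effective = own or list(inherited)
    passes = any(k is None and w[:1] == ["proxy_pass"] for w, k in directives)
    ok = any(len(h) == 2 and h[0].lower() == "x-real-ip" and h[1] == "$remote_addr"
             for h in effective)
    bad = [path.strip()] if passes and not ok else []
    for words, kids in directives:
        bad += find_unsafe(kids or [], effective, f"{path} {' '.join(words)}")
    return bad

# Constructed sample: header set at server level, but /login sets its own list.
SAMPLE = """
server {
    server_name activityinfo.example.gov;
    proxy_set_header X-Real-IP $remote_addr;
    location / { proxy_pass http://localhost:8080; }
    location /login {
        proxy_set_header Host $host;
        proxy_pass http://localhost:8080;
    }
}
"""

if __name__ == "__main__":
    print(find_unsafe(parse(SAMPLE)))  # blocks that would hide the client IP
```

Run it against the configuration that fronts the ActivityInfo port; an empty list means every proxied block forwards the client address.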