Configure secure communication with Security Proxy

The Security Proxy supports a secure listener. To secure all traffic between the Security Proxy and the mobile application, configure TLS/SSL by:

Additionally, though not recommended, you can override the properties that have default values:

The following table presents all properties described in this section:

Property                              Required             Description
SECURITY_PROXY_SSL_ENABLED            yes                  Enable/disable TLS/SSL support
SECURITY_PROXY_SSL_CERTIFICATE        yes, if SSL enabled  The SSL certificate of the server in PEM format
SECURITY_PROXY_SSL_CERTIFICATE_KEY    yes, if SSL enabled  The SSL private key of the server in PEM format
SECURITY_PROXY_SSL_PROTOCOLS          no                   TLS/SSL protocol versions
SECURITY_PROXY_SSL_CIPHERS            no                   TLS/SSL cipher suites

Note: If you configure SECURITY_PROXY_SERVER_NAME_ROUTING, you can only use self-signed or multi-domain certificates.

Enable SSL

In order to enable TLS/SSL add SECURITY_PROXY_SSL_ENABLED=true to the docker-compose.yml file.

Provide certificate

This property specifies the certificate of the server (and possibly also the chain certificate). Please see the Nginx documentation on how to prepare the certificate and, optionally, the certificate chain.

The certificates must be provided in the PEM format like in the example below:

SECURITY_PROXY_SSL_CERTIFICATE=-----BEGIN CERTIFICATE-----\nMIIDSjCCAjKgAwIBAgIQRK+wgNajJ7qJMDmGLvhAazANBgkqhkiG9w0BAQUFADA/\nMSQwIgYDVQQKExtEaWdpdGFsIFNpZ25hdHVyZSBUcnVzdCBDby4xFzAVBgNVBAMT\nDkRTVCBSb290IENBIFgzMB4XDTAwMDkzMDIxMTIxOVoXDTIxMDkzMDE0MDExNVow\nPzEkMCIGA1UEChMbRGlnaXRhbCBTaWduYXR1cmUgVHJ1c3QgQ28uMRcwFQYDVQQD\nEw5EU1QgUm9vdCBDQSBYMzCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB\nAN+v6ZdQCINXtMxiZfaQguzH0yxrMMpb7NnDfcdAwRgUi+DoM3ZJKuM/IUmTrE4O\nrz5Iy2Xu/NMhD2XSKtkyj4zl93ewEnu1lcCJo6m67XMuegwGMoOifooUMM0RoOEq\nOLl5CjH9UL2AZd+3UWODyOKIYepLYYHsUmu5ouJLGiifSKOeDNoJjj4XLh7dIN9b\nxiqKqy69cK3FCxolkHRyxXtqqzTWMIn/5WgTe1QLyNau7Fqckh49ZLOMxt+/yUFw\n7BZy1SbsOFU5Q9D8/RhcQPGX69Wam40dutolucbY38EVAjqr2m7xPi71XAicPNaD\naeQQmxkqtilX4+U9m5/wAl0CAwEAAaNCMEAwDwYDVR0TAQH/BAUwAwEB/zAOBgNV\nHQ8BAf8EBAMCAQYwHQYDVR0OBBYEFMSnsaR7LHH62+FLkHX/xBVghYkQMA0GCSqG\nSIb3DQEBBQUAA4IBAQCjGiybFwBcqR7uKGY3Or+Dxz9LwwmglSBd49lZRNI+DT69\nikugdB/OEIKcdBodfpga3csTS7MgROSR6cz8faXbauX+5v3gTt23ADq1cEmv8uXr\nAvHRAosZy5Q6XkjEGB5YGV8eAlrwDPGxrancWYaLbumR9YbK+rlmM6pZW87ipxZz\nR8srzJmwN0jP41ZL9c8PDHIyh8bwRLtTcm1D9SZImlJnt1ir/md2cXjbDaJWFBM5\nJDGFoqgCWjBH4d1QB7wCCZAA62RjYJsWvIjJEubSfZGL+T0yjWW06XyxV3bqxbYo\nOb8VZRzI9neWagqNdwvYkQsEjgfbKbYK7p2CNTUQ\n-----END CERTIFICATE-----\n

Note: The certificate needs to be provided on one line, so you need to replace all end-of-line characters with '\n', as was done in the example above.

Provide certificate key

The private key of the server certificate must be provided in the PEM format like in the example below:

SECURITY_PROXY_SSL_CERTIFICATE_KEY=-----BEGIN ENCRYPTED PRIVATE KEY-----\nMIIFDjBABgkqhkiG9w0BBQ0wMzAbBgkqhkiG9w0BBQwwDg\nMBQGCCqGSIb3DQMHBAgD1kGN4ZslJgSCBMi1xk9jhlPxPc\n9g73NQbtqZwI+9X5OhpSg/2ALxlCCjbqvzgSu8gfFZ4yo+\nX0R+meOaudPTBxoSgCCM51poFgaqt4l6VlTN4FRpj+c/Wc\nblK948UAda/bWVmZjXfY4Tztah0CuqlAldOQBzu8TwE7WD\nH0ga/iLNvWYexG7FHLRiq5hTj0g9mUPEbeTXuPtOkTEb/0\nGEs=\n-----END ENCRYPTED PRIVATE KEY-----\n

Note: The certificate key needs to be provided on one line, so you need to replace all end-of-line characters with '\n', as was done in the example above.
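The two notes above require the PEM blocks to be flattened by hand. As an added example (not part of the Security Proxy project or its documentation), the POSIX shell functions below do that conversion and emit a ready-to-paste docker-compose environment line; the function names are my own, and the certificate body used in the usage comment is a constructed placeholder, not a real certificate.

```shell
#!/bin/sh
# Added example, not from the Security Proxy project: flatten a PEM file into the
# single-line, backslash-n separated value that SECURITY_PROXY_SSL_CERTIFICATE and
# SECURITY_PROXY_SSL_CERTIFICATE_KEY expect in docker-compose.yml.

# pem_to_oneline [FILE]
# Reads a PEM file (or stdin when no file is given), strips any Windows "\r",
# and prints every line followed by a literal backslash and "n", with no real
# newline anywhere in the output, so the value stays on one line in YAML.
pem_to_oneline() {
    awk '{ sub(/\r$/, ""); printf "%s\\n", $0 }' "$@"
}

# pem_env_line NAME [FILE]
# Prints a complete "NAME=<flattened PEM>" line for the environment section of
# docker-compose.yml, after checking that the input really is a single PEM block
# (first line "-----BEGIN ...", last line "-----END ...").
pem_env_line() {
    name=$1
    shift
    flat=$(pem_to_oneline "$@")
    case $flat in
        "-----BEGIN "*"-----END "*"-----\\n") ;;
        *) echo "pem_env_line: input is not a single PEM block" >&2; return 1 ;;
    esac
    printf '%s=%s\n' "$name" "$flat"
}

# Usage (constructed placeholder body, not a real certificate):
#   pem_env_line SECURITY_PROXY_SSL_CERTIFICATE server.crt
#   printf -- '-----BEGIN CERTIFICATE-----\nMIIBfake\n-----END CERTIFICATE-----\n' \
#       | pem_env_line SECURITY_PROXY_SSL_CERTIFICATE
```

Run it against the certificate file and the key file separately; the BEGIN/END check catches the common mistake of pasting a file that holds several concatenated blocks (or a key in the certificate property), and the "\r" stripping handles PEM files prepared on Windows, whose CRLF endings would otherwise end up inside the value.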

Specify protocol versions

You can specify the versions of the SSL/TLS protocols by setting the SECURITY_PROXY_SSL_PROTOCOLS property.

Note: It is highly recommended to use the default TLS/SSL protocols.

The default protocol versions used by Security Proxy are: TLSv1 TLSv1.1 TLSv1.2

Specify the cipher suite

You can specify the group of ciphers that will be used to encrypt and decrypt the communication between Security Proxy and mobile application by setting the SECURITY_PROXY_SSL_CIPHERS property.

Note: It is highly recommended to use the default cipher suites and TLS/SSL protocols.

The default cipher suites used by Security Proxy are:

ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
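Both property values are passed through unchanged, so a typo only surfaces when the proxy fails to start. As an added example (not part of the Security Proxy project), the POSIX shell functions below check a SECURITY_PROXY_SSL_PROTOCOLS value against the token set nginx's ssl_protocols accepts and audit a SECURITY_PROXY_SSL_CIPHERS value before it goes into docker-compose.yml. The assumption that the values end up in nginx's ssl_protocols and ssl_ciphers directives follows from the page's reference to the Nginx documentation; the function names are my own, and the cipher string embedded below is the page's default list.

```shell
#!/bin/sh
# Added example, not from the Security Proxy project: pre-deployment checks for
# SECURITY_PROXY_SSL_PROTOCOLS and SECURITY_PROXY_SSL_CIPHERS. Assumes the proxy
# passes them to nginx (ssl_protocols / ssl_ciphers), which in turn uses OpenSSL.

# The page's default cipher list, kept here so the audit can be run against it.
SECURITY_PROXY_DEFAULT_CIPHERS="ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"

# validate_ssl_protocols "TLSv1 TLSv1.1 TLSv1.2"
# Returns 1 on an empty value or a token nginx does not know; otherwise returns 0
# and warns on stderr for every version that the IETF has deprecated
# (SSLv2: RFC 6176, SSLv3: RFC 7568, TLSv1 and TLSv1.1: RFC 8996).
validate_ssl_protocols() {
    [ -n "$1" ] || { echo "protocols: empty value" >&2; return 1; }
    for p in $1; do
        case $p in
            SSLv2|SSLv3|TLSv1|TLSv1.1)
                echo "protocols: $p is deprecated; prefer TLSv1.2 and TLSv1.3" >&2 ;;
            TLSv1.2|TLSv1.3) ;;
            *) echo "protocols: unknown token '$p' for nginx ssl_protocols" >&2; return 1 ;;
        esac
    done
    return 0
}

# audit_cipher_tokens CIPHER_STRING
# Splits a colon-separated OpenSSL cipher string and reports every explicitly
# listed suite that still uses 3DES (DES-CBC3). Note that "!DES" at the end of
# the page's default list excludes single DES only; 3DES is excluded by "!3DES".
# Prints the number of such suites as its result.
audit_cipher_tokens() {
    n=0
    old_ifs=$IFS
    IFS=:
    for tok in $1; do
        case $tok in
            *DES-CBC3*) echo "ciphers: 3DES suite listed: $tok" >&2; n=$((n + 1)) ;;
        esac
    done
    IFS=$old_ifs
    echo "$n"
}

# openssl_cipher_count CIPHER_STRING
# If openssl is installed, lets it expand the string exactly as nginx will and
# prints how many suites it resolves to; returns 1 if OpenSSL rejects the string
# and 2 if openssl is not available.
openssl_cipher_count() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 2; }
    list=$(openssl ciphers "$1") || return 1
    printf '%s\n' "$list" | tr ':' '\n' | wc -l
}

# Usage:
#   validate_ssl_protocols "TLSv1.2 TLSv1.3" && echo "protocols ok"
#   audit_cipher_tokens "$SECURITY_PROXY_DEFAULT_CIPHERS"   # prints 3
#   openssl_cipher_count "$SECURITY_PROXY_DEFAULT_CIPHERS"
```

Run against the page's defaults, the protocol check passes but warns about TLSv1 and TLSv1.1, and the cipher audit reports the three explicitly listed 3DES suites; if you do override either property, the OpenSSL expansion is the quickest way to confirm the string is accepted and to see which suites remain.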