Skip to main content
Version: Next

Hosting

NGINX

Once the solution is installed via Copy and paste on your server, you can configure a reverse proxy, such as NGINX, to redirect incoming HTTP traffic to the SimpleIdServer solution.

In a Linux environment, three systemd daemons will be installed, each running a different part of the SimpleIdServer solution.

There are three services hosted on different ports :

ServicePort
IdServer5001
Website5002
Scim5003
CredentialIssuer5005
CredentialIssuerWebsite5006

They share the same characteristics:

  • Hosted under HTTPS.
  • They use Forwarded Headers; these HTTP headers are employed to modify the Redirection URL returned by the Discovery endpoint. For example, when the parameter X-Forwarded-Proto equals http, the OPENID Well-Known configuration endpoint will return a redirection URL with an http scheme.

You can choose one of the following options to host the solution.

Subdomain hosting

Each service is hosted on a subdomain.

Subpath hosting

Each service is hosted on a subpath.

Subdomain hosting

In the NGINX configuration, for each service, replicate the server block with the following content.

Each block corresponds to a subdomain and handles one service.

Replace the <SERVICE_URL> variable with the URL of your service, and the <SERVICE_NAME> variable with the name of your service.

For example, for the IdServer service, replace the variables as follows:

ParameterValue
SERVICE_NAMEopenid
SERVICE_URLhttps://localhost:5001
DOMAINsimpleidserver.com
server {
listen 443 ssl;
listen [::]:443 ssl;

gzip on;
gzip_types text/plain text/css application/xml application/json application/javascript;

root /var/www/html;

# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;

large_client_header_buffers 4 32k;

server_name <SERVICE_NAME>.<DOMAIN>;
ssl_verify_client optional_no_ca;

location / {
proxy_pass <SERVICE_URL>;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $host;
proxy_pass_header Set-Cookie;
proxy_pass_request_headers on;
proxy_cache_bypass $http_upgrade;
proxy_cookie_domain localhost $host;
proxy_set_header X-Scheme https;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-URL-SCHEME https;
client_max_body_size 1M;
client_body_buffer_size 4096k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 128k;
proxy_buffers 32 256k;
}
}

Subpath hosting

In the NGINX configuration, add one server block for each service and replicate the location block with the following content.

For example, for the IdServer service, replace the variables as follows:

ParameterValue
PATHopenid
SERVICE_URLhttps://localhost:5001
DOMAINsimpleidserver.com
server {
listen 443 ssl;
listen [::]:443 ssl;

gzip on;
gzip_types text/plain text/css application/xml application/json application/javascript;

root /var/www/html;

# Add index.php to the list if you are using PHP
index index.html index.htm index.nginx-debian.html;

large_client_header_buffers 4 32k;

server_name <DOMAIN>;
ssl_verify_client optional_no_ca;

location /<PATH> {
proxy_pass <SERVICE_URL>;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection keep-alive;
proxy_set_header Host $host;
proxy_pass_header Set-Cookie;
proxy_pass_request_headers on;
proxy_cache_bypass $http_upgrade;
proxy_cookie_domain localhost $host;
proxy_set_header X-Scheme https;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-URL-SCHEME https;
client_max_body_size 1M;
client_body_buffer_size 4096k;
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 128k;
proxy_buffers 32 256k;
}
}

SSL Certificate

An SSL Certificate must be installed on your NGINX Server.

You can use Let's Encrypt to generate SSL Certificates valid for all your domains and/or subdomains.

For example, the following command line generates a certificate valid for three domains:

sudo certbot certonly -d  openid.simpleidserver.com -d scim.simpleidserver.com -d website.simpleidserver.com credentialissuer.simpleidserver.com credentialissuerwebsite.simpleidserver.com

Once the certificate is generated, you must update the server blocks add the ssl_certificate and ssl_certificate_key directives.

ssl_certificate /etc/letsencrypt/live/<DOMAIN>/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/<DOMAIN>/privkey.pem;

Additionally, add a new server block to redirect all HTTP traffic to HTTPS:

server {
listen 80;
server_name <DOMAIN>;
return 301 https://$host$request_uri;
}

For more information about NGINX, you can refer to the official website: https://www.nginx.com/blog/using-free-ssltls-certificates-from-lets-encrypt-with-nginx/

Load balancer

If the NGINX server is configured as a load balancer, there is a chance that a user's session may be recognized by one Identity Server instance but not by another. Therefore, you can edit the NGINX configuration to enable sticky sessions. For more information, please refer to the chapter 'Enabling Session Persistence' on the official website: https://docs.nginx.com/nginx/admin-guide/load-balancer/http-load-balancer/.

IIS

The zip file downloaded from here, contains all of SimpleIdServer's services.

They are ready to be run on IIS, and each of them has a web.config filer with a reference to the executable service to run.

To deploy the application under IIS, follow these steps:

  1. Add a new application pool named SimpleIdServer.
  2. Enable theLoad User Profile and check if the identity specified for the application pool is a member of the Cryptographic perators groups. his setting is required; otherwise, you'll encounter cryptographic exceptions such as:
Microsoft.AspNetCore.Server.IIS.Core.IISHttpServer[2]
Connection ID "17942340921349636565", Request ID "800001d7-0001-f900-b63f-84710c7967bb": An unhandled exception was thrown by the application.
System.Security.Cryptography.CryptographicException: The system cannot find the file specified.
at System.Security.Cryptography.CngKey.Import(ReadOnlySpan1 keyBlob, String curveName, CngKeyBlobFormat format, CngProvider provider) at System.Security.Cryptography.CngPkcs8.ImportPkcs8(ReadOnlySpan1 keyBlob)
  1. Add a new SimpleIdServer site, select your application pool, and specify the directory of your service.
info

If the application is deployed on Azure, add the application setting WEBSITE_LOAD_PROFILE and set its value to 1.