Enforcing TLS 1.2 or 1.3 in Lyris LM using Nginx Reverse Proxy

Overview

Your security team has recommended enforcing TLS 1.2 or 1.3 on your Lyris LM server(s) and you would like to know if this is possible and how to implement it. Note that this works for HTTPS only.

Solution

We have developed an easier alternative to the Nginx setup explained below; see the article Enforcing TLS 1.2 or 1.3 in Lyris LM using Stunnel.

ListManager has certain limitations when it comes to web traffic over TLS. If you want to force TLS 1.2 or higher, you will need to implement a reverse proxy external to ListManager. Review the information below to familiarize yourself with this type of implementation before using the PDF instructions at the end of this article.

What is the reverse proxy?

A reverse proxy server is a type of proxy server that typically sits behind the firewall in a private network and directs client requests to the appropriate backend server. A reverse proxy provides an additional level of abstraction and control to ensure the smooth flow of network traffic between clients and servers, including security, availability, performance, and traffic shaping.


Why do we need it?

The ListManager web server cannot get an "A" rating on an SSL test because ListManager doesn't support strong/new ciphers for TLS-encrypted connections (HTTPS/SSL). This inability to handle secure TLS/SSL connections is caused by an incomplete HTTP/HTTPS server implementation provided by ActiveTCL 1.4/1.5 and OpenSSL 1.0.2u.


How does it work?

The reverse proxy sits in front of the current LM web server. It forces all HTTP traffic to be redirected to HTTPS and talks to LM using only the LM HTTP implementation, which avoids overhead and improves performance. It also uses new, well-secured TLSv1.2 or TLSv1.3 ciphers (depending on your implementation) to provide an "A" rating on the SSL implementation.

This is implemented by an Nginx instance that listens on the HTTP (TCP 80) and HTTPS (TCP 443) ports for all internet requests and then mediates all connections to the LM HTTP server (TCP 8080, if they are running on the same server).
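
The layout described above, written out as an Nginx configuration. This is an added example, not taken from the attached PDF or from Lyris; the hostname `lm.example.com`, the certificate paths and the cipher list are assumptions to replace with your own values.

```nginx
# Added example. Placeholders: lm.example.com and the certificate paths.
# These server blocks belong inside the http { } context of nginx.conf.

# Port 80: nothing is served in clear text; every request is redirected.
server {
    listen 80;
    server_name lm.example.com;               # placeholder hostname
    return 301 https://$host$request_uri;
}

# Port 443: TLS terminates here, then requests go to LM over local HTTP.
server {
    listen 443 ssl;
    server_name lm.example.com;               # placeholder hostname

    ssl_certificate     /etc/nginx/ssl/lm.example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/ssl/lm.example.com.key;   # placeholder path

    # Only TLS 1.2 and 1.3 are offered; SSLv3, TLS 1.0 and 1.1 handshakes fail.
    # TLSv1.3 needs nginx 1.13.0+ built against OpenSSL 1.1.1+;
    # on older builds list TLSv1.2 only.
    ssl_protocols TLSv1.2 TLSv1.3;

    # TLS 1.2 suites limited to ECDHE key exchange with AEAD ciphers.
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers on;

    location / {
        # LM HTTP listener on the same server, as described above.
        proxy_pass http://127.0.0.1:8080;

        # Pass the original host and client address to the backend
        # (whether LM reads these headers is not stated on this page).
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Validate the file with `nginx -t` before reloading, and restrict TCP 8080 to the proxy host so that clients cannot reach the LM HTTP listener directly and bypass TLS.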

Testing

After implementing the Nginx reverse proxy, you are able to receive an "A" rating.


SEE ATTACHED DOCUMENT FOR MORE INFORMATION AND STEPS TO INSTALL AND CONFIGURE

LM_-_Enable_Nginx_Reverse_Proxy.pdf

  1. Priyanka Bhotika
