HTTPS check

The HTTPS check verifies whether the BPC can be reached only over HTTPS. Connections with TLS (HTTPS) are encrypted and can be read only by the server (the BPC) and the client (the user's web browser). Over an unencrypted connection, third parties on the network path may be able to read and manipulate the content of the communication.

Security procedure

We use the Pax-Web component for network communication. To deactivate HTTP, set the following lines in the central configuration file (bpc.env.sh on Unix systems, bpc.env.cmd on Windows systems):

Unix systems (bpc.env.sh):

  # enable/disable HTTP (org.osgi.service.http.enabled)
  export ORG_OPS4J_PAX_WEB_ORG_OSGI_SERVICE_HTTP_ENABLED=false
  # enable/disable HTTPS (org.osgi.service.http.secure.enabled)
  export ORG_OPS4J_PAX_WEB_ORG_OSGI_SERVICE_HTTP_SECURE_ENABLED=true

Windows systems (bpc.env.cmd):

  rem enable/disable HTTP (org.osgi.service.http.enabled)
  SET ORG_OPS4J_PAX_WEB_ORG_OSGI_SERVICE_HTTP_ENABLED=false
  rem enable/disable HTTPS (org.osgi.service.http.secure.enabled)
  SET ORG_OPS4J_PAX_WEB_ORG_OSGI_SERVICE_HTTP_SECURE_ENABLED=true

These lines are already present in the configuration file that ships with the installation, but they are commented out; remove the comment marker in front of each line to activate the setting.
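To confirm that the two Pax-Web flags are actually in effect, rather than still sitting behind a comment marker, the following script parses a bpc.env.sh or bpc.env.cmd file and reports the effective values. This is an added example written for this page, not code from the BPC or from Pax-Web; the sample file contents are constructed, and the parser assumes the plain `export NAME=value` (sh) and `SET NAME=value` (cmd) form shown above.

```python
import re
import sys

# Constructed sample of a delivered bpc.env.sh: the two Pax-Web lines are
# still commented out, as the page describes for a fresh installation.
SAMPLE_ENV_SH = """\
# enable/disable HTTP (org.osgi.service.http.enabled)
#export ORG_OPS4J_PAX_WEB_ORG_OSGI_SERVICE_HTTP_ENABLED=false
# enable/disable HTTPS (org.osgi.service.http.secure.enabled)
#export ORG_OPS4J_PAX_WEB_ORG_OSGI_SERVICE_HTTP_SECURE_ENABLED=true
"""

# Constructed sample of a hardened bpc.env.cmd with both lines activated.
SAMPLE_ENV_CMD = """\
rem enable/disable HTTP (org.osgi.service.http.enabled)
SET ORG_OPS4J_PAX_WEB_ORG_OSGI_SERVICE_HTTP_ENABLED=false
rem enable/disable HTTPS (org.osgi.service.http.secure.enabled)
SET ORG_OPS4J_PAX_WEB_ORG_OSGI_SERVICE_HTTP_SECURE_ENABLED=true
"""

HTTP_FLAG = "ORG_OPS4J_PAX_WEB_ORG_OSGI_SERVICE_HTTP_ENABLED"
HTTPS_FLAG = "ORG_OPS4J_PAX_WEB_ORG_OSGI_SERVICE_HTTP_SECURE_ENABLED"

# An active assignment in either dialect: "export NAME=value" (sh) or
# "SET NAME=value" (cmd). Lines starting with "#" or "rem" are comments.
ASSIGN_RE = re.compile(r"^\s*(?:export|SET)\s+([A-Z0-9_]+)\s*=\s*(\S*)", re.IGNORECASE)
COMMENT_RE = re.compile(r"^\s*(?:#|rem\b)", re.IGNORECASE)


def parse_env(text):
    """Return {NAME: value} for active assignments; commented lines are ignored.
    A later assignment overrides an earlier one, as the shell would apply it."""
    settings = {}
    for line in text.splitlines():
        if COMMENT_RE.match(line):
            continue
        m = ASSIGN_RE.match(line)
        if m:
            settings[m.group(1).upper()] = m.group(2).strip("\"'").lower()
    return settings


def check_https_only(text):
    """Return (ok, findings). ok is True only when HTTP is explicitly disabled
    and HTTPS explicitly enabled. A missing flag is reported as a finding:
    an absent line means the installation's default applies, and this script
    cannot see what that default is."""
    settings = parse_env(text)
    findings = []
    http = settings.get(HTTP_FLAG)
    https = settings.get(HTTPS_FLAG)
    if http is None:
        findings.append(f"{HTTP_FLAG} not set (line still commented out?)")
    elif http != "false":
        findings.append(f"{HTTP_FLAG}={http}: plain HTTP is still enabled")
    if https is None:
        findings.append(f"{HTTPS_FLAG} not set (line still commented out?)")
    elif https != "true":
        findings.append(f"{HTTPS_FLAG}={https}: HTTPS is not enabled")
    return (not findings, findings)


if __name__ == "__main__":
    # With a path argument the real file is checked; otherwise the two
    # constructed samples are evaluated so the script runs offline.
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            inputs = {sys.argv[1]: fh.read()}
    else:
        inputs = {"sample bpc.env.sh": SAMPLE_ENV_SH, "sample bpc.env.cmd": SAMPLE_ENV_CMD}
    for name, text in inputs.items():
        ok, findings = check_https_only(text)
        print(f"{name}: {'OK' if ok else 'FINDING'}")
        for f in findings:
            print(f"  - {f}")
```

Run it as `python check_env.py /path/to/bpc.env.sh` (the file name is a placeholder); with no argument it evaluates the two constructed samples. Note that a flag that is merely absent is not treated as safe, because the script only sees the file, not the default that applies when the line is missing.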

Limitations of the test

Typically, a web application listens for requests only on the local interface, and external requests are forwarded to it by a reverse proxy (e.g. nginx or HAProxy).

However, the check examines only the last hop, the connection that terminates at the BPC itself. Because a reverse proxy is an external component, the BPC cannot determine whether the proxy accepts only encrypted connections from clients. You should therefore also make sure that any reverse proxy in use accepts only encrypted connections, for example by closing the plain-HTTP port or redirecting every plain-HTTP request to HTTPS. Further information can be found in Reverse proxies.

In addition, the HttpsBaseUrlCheck provides an indicator of whether external connections are encrypted.
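Because the HTTPS check stops at the last hop, the external side needs its own verification from outside the network. The following script is an added example for this page, not part of the BPC or of the HttpsBaseUrlCheck: it sends a plain-HTTP request without following redirects and accepts the result only if the port is closed or the response redirects to an https:// URL, then sends an HTTPS request that must pass certificate validation against the system trust store. The hostname bpc.example.com and the request path are placeholders.

```python
import http.client
import ssl
import sys


def probe_plain_http(host, port=80, path="/", timeout=5):
    """Plain-HTTP GET without following redirects.
    Returns ("refused", None) when nothing accepts the connection, otherwise
    ("response", (status, location_header))."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return ("response", (resp.status, resp.getheader("Location")))
    except (OSError, http.client.HTTPException):
        # Connection refused, timeout, reset, or a non-HTTP reply all mean
        # the plain-HTTP path is not usable, which is the desired state.
        return ("refused", None)


def judge_plain_http(outcome):
    """Decide whether the plain-HTTP behaviour fits an HTTPS-only deployment.
    Acceptable: the port is closed, or the request is redirected to https://.
    A body served over HTTP (2xx/4xx/5xx), or a redirect that stays on
    http://, is a finding."""
    kind, detail = outcome
    if kind == "refused":
        return (True, "plain HTTP port closed")
    status, location = detail
    if status in (301, 302, 307, 308):
        if location and location.lower().startswith("https://"):
            return (True, f"{status} redirect to {location}")
        return (False, f"{status} redirect stays on http ({location})")
    return (False, f"plain HTTP answered with status {status}")


def probe_https(host, port=443, path="/", timeout=5):
    """GET over TLS with hostname and chain verification.
    Returns (True, status) or (False, error text)."""
    ctx = ssl.create_default_context()
    try:
        conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return (True, resp.status)
    except ssl.SSLError as e:
        return (False, f"TLS failure: {e}")
    except (OSError, http.client.HTTPException) as e:
        return (False, f"connection failure: {e}")


if __name__ == "__main__":
    # Placeholder hostname; pass the real public name of the BPC instead.
    host = sys.argv[1] if len(sys.argv) > 1 else "bpc.example.com"
    ok, why = judge_plain_http(probe_plain_http(host))
    print(f"plain HTTP: {'OK' if ok else 'FINDING'}: {why}")
    ok, detail = probe_https(host)
    print(f"HTTPS: {'OK' if ok else 'FINDING'}: {detail}")
```

Run it from a host outside the proxy's network so that the request actually traverses the reverse proxy. A redirect that lands on another http:// URL is deliberately treated as a finding, since the client would still send its next request in the clear.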