Matt Klein

WebDirect and HTTPS


Now that I'm deeper into my WebDirect solution, I've come across a question that I can't find a definitive answer for anywhere, including forums and official FMI guides. Doesn't mean it doesn't exist out there. I've just not been able to find it.

Here it is:

If you want to ensure that data is passing between WebDirect and the browser securely (HTTPS), it seems like it is NOT necessary to turn on "Require Secure Connections" in the Database Server section of FileMaker Server. It seems like all you need to do is make sure you use HTTPS instead of HTTP in the URL when accessing the WebDirect server.

However, not turning on "Require Secure Connections" in the Database Server section of FileMaker Server will allow non-secure (HTTP) connections as well as secure (HTTPS). Turning on "Require Secure Connections" seems to force the HTTPS connection and doesn't allow HTTP connections.



So, the "Require Secure Connections" in the Database Server section of FileMaker Server doesn't handle the encryption from WebDirect to the browser. Instead, the "Require Secure Connections" in the Database Server section of FileMaker Server handles the encryption between the Database Server and the WebDirect server. The encryption between WebDirect and browser is handled by the Web Server itself, and it's merely a matter of using HTTPS or HTTP to determine if the data passing between WebDirect and the browser is encrypted.


Can anyone verify that I'm correct or wrong for that matter? 


You seem to have it.

 

When this option is on, encrypted connections are required; when it is off, encryption is permitted but optional. Encryption is always available if you opt to use it, regardless of this setting. This is why both HTTP and HTTPS work for WebDirect, even with this option turned off.

 

With this setting enabled, FileMaker Server will not accept unencrypted connections. FileMaker clients (Pro, Go) can detect this and will switch to encrypted connections automatically. Your web server does not detect this, however, and it will not make the same switch. This is why turning this option on doesn't prevent your web server from listening on HTTP, but only HTTPS connections succeed.

 

You may want to configure your web server to redirect requests from HTTP to HTTPS, in order to eliminate any confusion for your users. There are lots of ways to do this. The simplest might be with an .htaccess file in your web root, if you're using Apache on Mac OS X. You can do it with IIS on Windows, also.

 

Now, while I'm on the subject… If you're making your WebDirect application available to the public Internet, you might consider implementing a reverse proxy server. A reverse proxy accepts connections from users on the Internet and forwards the requests to a server safely protected behind a firewall, so that people aren't connecting directly to your back-end database server. You can then require SSL for connections from the clients to the proxy, and you can use unencrypted connections from the proxy to the FileMaker server (where you can leave "Require…" turned off). This reduces the load on your FileMaker server by offloading encryption overhead to the proxy, which improves overall performance. If you were to go this route, you'd set up the HTTP->HTTPS redirect on the proxy server. Popular reverse proxies include HAProxy, Squid, and nginx. Cisco firewalls often have a facility for this as well.


For posterity, here's a link to the FileMaker Server 13 security guide:

 

http://help.filemaker.com/ci/fattach/get/104213/0/filename/security_guide_en_13_final.pdf
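
An added example (not part of either post above, and not FileMaker's own configuration) of the reverse-proxy arrangement the reply describes, written for nginx: the proxy redirects HTTP to HTTPS, terminates TLS, and forwards requests to the FileMaker web server over plain HTTP. The hostname, certificate paths and backend address are placeholders.

```nginx
# Added example; every name, address and path below is a placeholder.

# Port 80: serve no content, only send the browser to the HTTPS URL.
server {
    listen 80;
    server_name webdirect.example.com;            # placeholder hostname
    return 301 https://$host$request_uri;
}

# Port 443: terminate TLS on the proxy, then forward to the FileMaker web server.
server {
    listen 443 ssl;
    server_name webdirect.example.com;            # placeholder hostname

    ssl_certificate     /etc/nginx/tls/webdirect.example.com.crt;  # placeholder path
    ssl_certificate_key /etc/nginx/tls/webdirect.example.com.key;  # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Ask browsers to keep using HTTPS for this host on later visits.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # The backend hop is plain HTTP, as the reply describes. It is only
        # acceptable when the firewall lets nothing but the proxy reach it.
        proxy_pass http://10.0.0.20:80;           # placeholder backend address
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```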

