Support for HTTPS

| Direction | To/From | Native Support | Recommendations |
|---|---|---|---|
| Inbound | From OCX clients (for example, browser) | False | OCX does not support HTTPS natively on inbound connections. OCX runs as a non-root user and therefore cannot bind to privileged ports (80/443). To enable HTTPS, deploy a local reverse proxy (e.g., Nginx, Caddy, or HAProxy) on the same host where OCX is deployed. The proxy handles TLS termination and forwards traffic to OCX over HTTP on localhost (e.g., `127.0.0.1:3000`). Configure OCX to listen only on `127.0.0.1` so that the HTTP port cannot be reached directly from outside the host; do this by setting the OCX option `common.host` to `127.0.0.1`. When OCX is deployed behind a reverse proxy, WebSocket support must be explicitly configured in the proxy so that upgrade requests pass through (for Nginx, using directives such as `proxy_set_header Upgrade $http_upgrade;` and `proxy_set_header Connection "upgrade";`). |
| Outbound | To GWS | True | OCX uses the default Node.js CA bundle and supports TLS 1.2 and higher. Configure GWS to use HTTPS, and use `https://` and the respective port number when configuring connections to GWS via the OCX options `services.platform.host` and `services.platform.port`. If self-signed certificates are used, specify the additional CA certificates using the `common.extraCaCerts` OCX configuration option. |
| Outbound | To DBMS (MS SQL, PostgreSQL, etc.) | True | OCX uses the default Node.js CA bundle and supports TLS 1.2 and higher. If self-signed certificates are used, specify the additional CA certificates using the `common.extraCaCerts` OCX configuration option. |
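
The inbound recommendation above, written out as an Nginx configuration. This is an added example, not configuration shipped with OCX. It assumes OCX listens on `127.0.0.1:3000` (with `common.host` set to `127.0.0.1`); the hostname `ocx.example.com`, the certificate paths and the file location are placeholders.

```nginx
# Added example. Hostname, certificate paths and file location are placeholders.
# Include from the http context, e.g. as /etc/nginx/conf.d/ocx.conf.

# Send "Connection: upgrade" upstream only when the client requested an upgrade.
# This is the general form of the fixed `Connection "upgrade"` header: ordinary
# HTTP requests get "close", WebSocket handshakes get "upgrade".
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Port 80 only redirects; nothing is served over plaintext.
server {
    listen 80;
    server_name ocx.example.com;            # placeholder
    return 301 https://$host$request_uri;
}

# TLS terminates here; traffic to OCX stays on the loopback interface.
server {
    listen 443 ssl;
    server_name ocx.example.com;            # placeholder

    ssl_certificate     /etc/nginx/tls/ocx.example.com.crt;   # placeholder
    ssl_certificate_key /etc/nginx/tls/ocx.example.com.key;   # placeholder
    ssl_protocols       TLSv1.2 TLSv1.3;    # refuse anything older than TLS 1.2

    location / {
        proxy_pass http://127.0.0.1:3000;   # OCX HTTP listener (assumed port)

        # WebSocket upgrade pass-through; the handshake requires HTTP/1.1.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;

        # Standard forwarding headers. Whether OCX reads them is not stated
        # on the page; they are harmless if ignored.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Idle WebSocket connections are closed after 60s by default.
        proxy_read_timeout 3600s;
    }
}
```

Validate the file with `nginx -t` before reloading. Afterwards, confirm with `ss -ltn` that port 3000 is bound to `127.0.0.1` only and not to `0.0.0.0` or `[::]`.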
