All versions of this manual
X
 

Web server

The web server of Linkurious Enterprise delivers the application to end users through HTTP/S. It is configured in the server configuration key within the configuration file (linkurious/data/config/production.json):

General

Within the server key:

  • listenPort (default: 3000): The port of the web server

Some firewalls block network traffic ports other than 80 (HTTP). Since only root users can listen on ports lower than 1024, you may want reroute traffic from 80 to 3000 as follows:

sudo iptables -t nat -A PREROUTING -p tcp --dport 80 -j REDIRECT --to-port 3000

If you use SSL, you can add a second rule to redirect 3443 to 443:

sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 3443

Serving Linkurious Enterprise under a custom path

Within the server key:

  • baseFolder (default: /): The base path where Linkurious Enterprise will be found

In some cases, you may want to host Linkurious Enterprise on a path other than root for a particular domain. For example, if you want Linkurious Enterprise to be reachable at http(s)://HOST:PORT/linkurious you should set baseFolder equal to linkurious.

Link generation

Within the server key:

  • domain (default: "localhost"): The domain or sub-domain used to access the web server. It is mandatory to edit it for publishing visualizations online. It is also used to restrict the validity of cookies to a domain or sub-domain.
  • publicPortHttp (default: listenPort): The public HTTP port of the web server.
  • publicPortHttps (default: listenPortHttps): The public HTTPS port of the web server.

In some cases, Linkurious Enterprise needs to generate links to itself (for example when generating a link to a widget). For that, the server needs to know its public domain and port to generate those links.

The public port can be different from the actual port if you use traffic rerouting (using a firewall or a reverse-proxy). In the example above (traffic rerouting), the actual HTTP port (listenPort) is 3000, but the public HTTP port (publicPortHttp) is 80.

Cookies

Within the server key:

  • cookieSecret (optional): Set the secret used as a seed to compute cookie strings.
  • cookieDomain (optional): Set this value if you need your cookie to be set for a domain different from domain.
  • cookieHttpOnly (default: true): Set the httpOnly flag of your cookies, so that they cannot be accessed using JavaScript.
  • cookieSecure (default: false): Set the secure flag of your cookies so that they are only served via HTTPS (note: if Linkurious Enterprise is behind a reverse proxy, see trustedReverseProxies).
  • cookieSameSite (default: "lax"): set to "none" to allow cookies to be set when Linkurious Enterprise is embedded in an iframe.
  • trustedReverseProxies (optional): array of reverse proxies to trust, to be used when cookieSecure is enabled and the server is running behind a reverse proxy. This will cause the server to trust the following headers set by the reserve proxy: X-Forwarded-For, X-Forwarded-Host, and X-Forwarded-Proto. Example value: ["loopback", "123.123.123", "192.168.1.0/16"]. The array can contain a mix of:
    • IP addresses (e.g. "192.168.1.150")
    • IP subnet expressions (e.g. "192.168.0.0/16")
    • builtin shorthands:
      • "loopback" (for "127.0.0.1/8" + "::1/128")
      • "linklocal" (for "169.254.0.0/16" + "fe80::/10")
      • "uniquelocal" (for "10.0.0.0/8" + "172.16.0.0/12" + "192.168.0.0/16" + "fc00::/7")

Cross-origin resource sharing (CORS)

Within the server key:

  • allowOrigin: Define the cross-origin resource sharing (CORS) policy. Accept cross-site HTTP/S requests by default. The value can be:
    • a string ("abc.com"): only requests from "abc.com" domain are allowed.
    • wildcard-prefixed string ("*.abc.com"): request from all sub-domains of abc.com are allowed.
    • an array of strings (["abc.com", "*.def.com"]): requests from abc.com and all sub-domains of def.com are allowed.
    • a single wildcard ("*"): requests from any domain are allowed.

Allow to render Linkurious Enterprise embedded in another Web page

Linkurious Enterprise can be embedded in another Web page via an iframe under certain technical conditions. This can be tricky due to modern Web browser security mechanisms.

Follow these steps:

  1. The embedding Web page and Linkurious Enterprise must be served using the same scheme (e.g. both on HTTPS)
  2. The embedding Web page and Linkurious Enterprise must have the same domain, e.g. if the embedding Web page can be served under https://app.example.com (domain: example.com), then Linkurious Enterprise must be served under another subdomain of example.com, e.g. https://linkurious.example.com.
  3. If you are using a modern Web browser, set server.cookieSameSite to "none" in the configuration (see why).
  4. In the configuration, set server.allowFraming to true. This will tell Linkurious Enterprise to disable the default iframe protection by not setting the X-Frame-Options:SAMEORIGIN HTTP header.

Custom HTTP Headers

Within the server key:

  • customHTTPHeaders (optional): For compliance, custom HTTP headers can be added. These headers will be returned in each HTTP response from the Web server.

Example:

"customHTTPHeaders": {
  "header1": "value1",
  "header2": "value2"
}

Note: Some header keys are reserved for Linkurious Enterprise and will be overwritten by the server to default values.

Image cross-origin (client-side)

Within the ogma.settings.render key:

  • imgCrossOrigin (default: "anonymous"): Restrict the origin of images displayed in visualizations to prevent running malicious code on the graphic card of users. Display images from any origin by default. Read here to learn more.

Disabling compression for dynamic content

It is possible to disable the gzip compression for dynamic content that is returned by the Linkurious Enterprise server.

Within the server key:

  • disableCompression (default: false): Disable gzip compression for dynamic content when set to true.

Content Security Policy (CSP)

If you want to enable content-security-policy for Linkurious Enterprise, you need to use the custom HTTP Headers option of the Web server. The policies required for the application to work are:

  • default-src 'self': allow scripts, styles and images hosted by Linkurious Enterprise (referenced by URL)
  • default-src 'unsafe-inline': allow code in <script> tags in pages hosted by Linkurious Enterprise
  • default-src blob:: to allow running WebWorkers with Blob sources (required to run graph layouts)

As a consequence, the recommended CSP policy is:

"customHTTPHeaders": {
  "Content-Security-Policy": "default-src 'self' 'unsafe-inline' blob: data:"
}

SSL

Within the server key:

  • listenPortHttps (default: 3443): The port of the web server if HTTPS is enabled. See the Install section to learn why you should not set 443 directly.
  • useHttps (default: false): Encrypt communications through HTTPS if true. Requires a valid SSL certificate.
  • forceHttps (default: false): Force all traffic to use HTTPS only if true.
  • forcePublicHttps (default: false): Force all generated URL in Linkurious Enterprise to use HTTPS (useful when HTTPS is not enabled in Linkurious Enterprise but offered by an external reverse proxy). The server will redirect HTTP GET requests to HTTPS and reject all other HTTP requests.
  • certificateFile: The relative path to the SSL certificate (must be in PEM format, located within the linkurious/data folder).
  • certificateKeyFile: The relative path to a private key of the SSL certificate (must be in PEM format, located within the linkurious/data folder).
  • certificatePassphrase: The pass-phrase protecting the SSL certificate (if any).
  • tlsCipherList (optional): The ciphers supported by any connection established by Linkurious Enterprise as a server or client. It expects a string in OpenSSL cipher list format. The default value is tls.DEFAULT_CIPHERS.

External communications with the Linkurious Enterprise server can be secured using SSL without installing third-party software.

If the Linkurious Enterprise server, graph database, and the search index are installed on different machines, we recommend using secure communication channels between these machines (e.g. HTTPS or WSS). Please refer to the data-source documentation and search index documentation to learn how to enable HTTPS.

To use custom Certificate Authorities (CA), please check how to use additional Certificate Authorities in Linkurious Enterprise.

TLS versions

The TLS protocol versions supported by Linkurious Enterprise are v1.0, v1.1, v1.2 and v1.3. By default, TLS v1.0 and v1.1 are disabled.

If you want to change the enabled versions of the TLS protocol:

  • Stop Linkurious Enterprise
  • Open the file at data/manager/manager.json and add a line above "server/app.js", (for example: add "--tls-min-v1.3", to disable all versions of TLS bellow v1.3)
  • After the change, save the file and restart Linkurious Enterprise.

Available options (source):

  • --tls-min-v1.0: only enable TLS v1.0 and above
  • --tls-min-v1.1: only enable TLS v1.1 and above
  • --tls-min-v1.2: only enable TLS v1.2 and above (default)
  • --tls-min-v1.3: only enable TLS v1.3 and above

To customize the exact list of ciphers used by the TLS protocol, see tlsCipherList in the server configuration above.