WINDOWSlotus

lotus domino  Date: 2021-02-20
Enabling HTTP/2 on an IBM Lotus Domino Server
Setup Guide
Alex Elliott
AGECOM 2019
https://www.agecom.com.au

CONTENTS

Introduction
Requirements
About HTTP/2
About NGINX
How this works
Step 1 – Install NGINX
Step 2 – Setting up NGINX to run as a Windows Service
Step 3 – Update Windows Hosts File
Step 4 – Add another local IP Address
Step 5 - Creating SSL Certificate Files
    Extracting certificates from an existing Domino Keyring File
    Create a new SSL Certificate
Step 6 – The NGINX Configuration File
Step 7 - Key Exchange Security
Step 8 – Enable Connector Headers
Step 9 – Testing
Step 10 – Update Forwarding on your Router
Step 11 – Firewall Settings
Step 12 - Final Setup
Tips
    Check your website's performance
    Multiple Websites
    Forcing all connections to be secure
    Bringing your Domino server down for maintenance
Suggestions or Comments
About AGECOM

INTRODUCTION

This guide describes how you can provide HTTP/2 connectivity to your Lotus Domino server using NGINX - a free open-source high-performance HTTP server and reverse proxy. With HTTP/2 connectivity available to your Domino server web pages will load much faster.

The steps covered in this guide describe how to install and configure NGINX and set it up as a HTTP/2 proxy for incoming connections.

The AGECOM website provides HTTP/2 connectivity using the configuration described in this guide. You can check the AGECOM website at: https://www.agecom.com.au

REQUIREMENTS

The information provided in this guide is based on the following system settings:

- Microsoft Windows server 2008 or later.
- Lotus Domino 9.0.1 or later

You may be able to use the information for guidance with other platforms and versions. It is assumed you already have an active website running on your Domino server.

ABOUT HTTP/2

HTTP/2 improves speed mainly by creating one constant connection between the browser and the server, as opposed to a connection every time a piece of information is needed. This significantly reduces the amount of data being transferred. Plus, it transfers data in binary, a computer's native language, rather than in text.

Other features of HTTP/2 include "multiplexing" (sending and receiving multiple messages at the same time), the use of prioritization (more important data is transferred first), compression (squeezing information into smaller chunks) and "server push," where a server makes an educated guess about what your next request will be and sends that data ahead of time.

ABOUT NGINX

NGINX is a free open-source high-performance HTTP server and reverse proxy, a mail proxy server, and a generic TCP/UDP proxy server. It's known for its high performance, stability, rich feature set, simple configuration, and low resource consumption.

Many web servers and application servers use a simple threaded or process-based architecture, however NGINX stands out with a sophisticated event-driven architecture that enables it to scale to hundreds of thousands of concurrent connections on modern hardware.

Once you've got NGINX set up it can receive all incoming connections and redirect them to the appropriate Domino server/website. You can install NGINX on your Domino server or any other server on your network.

More information regarding NGINX can be found on the NGINX website at: http://nginx.org

HOW THIS WORKS

After following the steps outlined in this guide you'll have NGINX handling incoming connections from the Internet and directing them to the appropriate server based on the target hostname. If you've specified to display a maintenance page (in the event a server is down for maintenance) the maintenance page will be returned.

Connections from the Internet may be http, https, or http/2. NGINX is responsible for establishing and maintaining secure connections (SSL). You can also configure NGINX to force all incoming connections to establish a secure connection.

Connections from NGINX to your internal servers are established over http so once you have this setup in place you won't need to maintain a Domino keyring file.

Requested content is returned from your servers back to NGINX and it in turn returns that content to the requestor. Secure connectivity is always maintained if that's how the original connection was established.

The following diagram shows the connectivity flow in basic terms.

Features of NGINX:

- Application Acceleration
- Content Caching
- SSL and SPDY Termination
- Bandwidth Management
- Content-Based Routing
- Request Manipulation
- Response Rewriting
- Authentication
- Streaming Media
- Monitoring
- Configuration

STEP 1 – INSTALL NGINX

The NGINX Windows binary file should be downloaded from the NGINX website at: http://nginx.org/en/download.html

The most recent stable version should be downloaded. It's recommended you make a note of the version downloaded so you can reference it later when you need to determine what version is currently installed.

NGINX may be installed on your Domino server or any other Windows server.

Create a folder in the root directory of your server called 'nginx' and extract all files from the downloaded zip file in the folder. There should now be an executable file called nginx.exe in the nginx folder and several other subfolders.

That's pretty much it to installing nginx. We still, however, need to do the following which is covered in this guide:

- Set up nginx to run as a Windows service
- Set up the NGINX configuration file
- Set up SSL

STEP 2 – SETTING UP NGINX TO RUN AS A WINDOWS SERVICE

NGINX is not an executable that can be installed as a Windows service. To work around this a Windows Service Wrapper is available which can be installed as a Windows service and in turn will control the loading and unloading of NGINX. The wrapper can actually be used to host any executable as a Windows service.

The Windows Service Wrapper is available on Github at: https://github.com/kohsuke/winsw

You can go straight to the downloads page at: https://github.com/kohsuke/winsw/releases

Download the latest Windows service executable and save it to the NGINX folder. At the time this guide was written the recommended version to download is the one written for .NET4 (ie. WinSW.NET4.exe).

After the executable has been downloaded it is recommended that you rename it to 'nginx-winsw.exe' to make it clear which particular application the wrapper service will be responsible for loading and unloading.

The wrapper service requires configuration settings to be placed in an xml file matching the name of the executable. For this an xml file called 'nginx-winsw.xml' should be created in the same folder as the nginx-winsw.exe file.

The following items demonstrate the minimum settings required to be added to the xml file:

    nginx
    nginx
    nginx
    c:\nginx\nginx.exe
    c:\nginx\
    roll
    -p c:\nginx
    c:\nginx\nginx.exe
    -s stop

A sample xml file for the Windows service wrapper can be downloaded from the AGECOM Support Note.

After the Windows service wrapper has been downloaded and the xml configuration file created it must now be installed as a Windows service.

To install nginx-winsw.exe as a Windows service open a command prompt as Administrator and go to the nginx folder. Type in the following command:

    nginx-winsw.exe install

A new Windows service called 'nginx' will now have been created and set to start automatically on boot. It is recommended you go into Windows services and change this to start Manually for now. Eventually this will be set to start Automatically (Delayed) once everything has been confirmed as working correctly.

STEP 3 – UPDATE WINDOWS HOSTS FILE

The hostname of your web server and the local IP address it is bound to need to be added to the Windows hosts file that NGINX is being installed on - normally found in the C:\Windows\System32\Drivers\etc folder.

For example if your hostname is www.acme.com and it is bound to the local ip address of 10.0.0.25 (the ip address your Domino server http task is listening on for incoming connections) then you would add the following entries to the hosts file:

    10.0.0.25 acme.com
    10.0.0.25 www.acme.com

After updating the hosts file you should ping both forms of the above hostnames on your server to ensure they resolve to the expected local ip address and you get a successful reply back.

STEP 4 – ADD ANOTHER LOCAL IP ADDRESS

If NGINX has been installed on your Domino server the server will require a minimum of 2 local static ip addresses. One ip address will be used by NGINX to receive incoming connections, and another ip address will be used by the Domino server.

NGINX receives incoming HTTP connections on one of the ip addresses and will redirect traffic to the ip address used by Domino (either on the current machine or another machine where Domino has been installed).

You should now go into the Windows network settings and add another static ip address that is not being used elsewhere on the network. The following image shows a secondary ip address of 10.0.0.30 that has been added:

Note: If NGINX has been installed on another server where there are no other applications that are using any of the http ports (80, 443) then you should be able to use a single ip address and won't need to add a second ip address.

STEP 5 - CREATING SSL CERTIFICATE FILES

As most browsers only support HTTP/2 over SSL you will need to set up SSL for your website domain. The following sections describe how to extract your keys and certificates from an existing Domino keyring file or create a new SSL certificate from scratch.

EXTRACTING CERTIFICATES FROM AN EXISTING DOMINO KEYRING FILE

If you have an existing Domino Keyring file which contains certificates that have not expired you can extract them using the Domino Keyring Tool (version 1.1 or later). For more information about this tool and to download it please refer to the following link on IBM's website: http://www-01.ibm.com/support/docview.wss?uid=swg21966137

After downloading the tool copy the 32-bit version to your Lotus Notes programs folder. You will also need to copy the Domino keyring file (kyr) and the password stash file (sth) to your local drive.

Open a command prompt and switch to the Notes program folder. Enter the following command to view the public and private keys in the file:

    kyrtool show keys -k [path to keyring file]

Note: If the following error message is displayed after typing in the above command then you have most likely copied the 64-bit version of KyrTool. Ensure you copy the 32-bit version of the tool then try again.

Upon successful execution of the above command you will see output similar to the following:

    Using keyring path '[path of your keyring file]'
    Key length: 2048 bits
    -----BEGIN PUBLIC KEY-----
    [Your public key]
    -----END PUBLIC KEY-----
    Key length: 2048 bits
    -----BEGIN RSA PRIVATE KEY-----
    [Your private key]
    -----END RSA PRIVATE KEY-----

The private key needs to be saved to a file. The easiest way to do this is to repeat the last command but direct output to a file. Enter the following command:

    kyrtool show keys -k [path to keyring file] > private.key

The website domain certificate, and the certificate issuer's intermediate and root certificates also need to be extracted and saved to another file. Enter the following command to extract them to a file:

    kyrtool show certs -k [path to keyring file] > bundle.crt

Since the file will contain multiple certificates we recommend naming it to something like 'bundle.crt'. You might also want to prefix the file name with something indicating the certificate issuer's name (eg. Godaddy-bundle.crt, entrust-bundle.crt, etc).

The private.key file should now be edited to remove content that is not required – leaving only the private key. Open the private.key file in a text editor. All content before the line '-----BEGIN RSA PRIVATE KEY-----' should be removed and any content after the line '-----END RSA PRIVATE KEY-----' should be removed. The contents of the private key should now be only:

    -----BEGIN RSA PRIVATE KEY-----
    [Your private key]
    -----END RSA PRIVATE KEY-----

Save and close the private key file.

The bundle.crt file should now be edited. Everything outside of the blocks starting with '-----BEGIN CERTIFICATE-----' and ending with '-----END CERTIFICATE-----' should be removed. The contents of the bundle file should now contain only the domain certificate, and issuer's intermediate & root certificates in the following format:

    -----BEGIN CERTIFICATE-----
    [Your certificate]
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    [Intermediate Certificate]
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    [Root Certificate]
    -----END CERTIFICATE-----

Save and close the bundle file.

When you've finished extracting the keys and editing the files they should now be copied to the 'conf' folder under the main NGINX folder.

CREATE A NEW SSL CERTIFICATE

If you don't have an existing Domino Keyring file or need to create a new SSL certificate you will need to generate a certificate signing request (CSR) and obtain one from a certificate authority (CA).

A CSR consists mainly of the public key of a key pair (private and public), and some additional information (such as domain name, location, etc). Both of these components are inserted into the certificate when it is signed.

The easiest way to generate these is using OpenSSL which can be downloaded at: https://www.openssl.org/

You can download an OpenSSL binary distribution with Installer from the following website: https://slproweb.com/products/Win32OpenSSL.html

You should download the latest 32-bit or 64-bit version and run the installer.

Using OpenSSL the following example command would be entered at the command prompt (in the OpenSSL bin folder) for generating the private key and CSR files for the Acme domain:

    openssl req -new -newkey rsa:2048 -nodes -keyout acme.key -out acme.csr

Note: you should replace 'acme' in the above command with your own domain name.

Additional information may be requested after entering the above command which you should supply such as:

- Country Code (eg. AU)
- State, Territory, or Province in full (eg. New South Wales)
- City or Locality (eg. Sydney)
- Organization Name (eg. Acme Pty Ltd)
- Organization Unit Name / Department (eg. Marketing)
- Common Name / Full Qualified Domain Name (eg. www.acme.com)
- Email Address
- Challenge Password
- Optional company name

Note: If you get the following error:

    WARNING: can't open config file: /usr/local/ssl/openssl.cnf

then type in the following command:

    set OPENSSL_CONF=[path-to-OpenSSL-install-dir]\bin\openssl.cfg

(example: set OPENSSL_CONF=c:\OpenSSL-Win64\bin\openssl.cfg)

then try the original openssl command again.

The following two files should now have been generated:

- acme.key – this contains your private key and should be kept secure.
- acme.csr – this contains the certificate signing request and what you will submit to the certificate issuer.

The file containing the private key (ie. acme.key) should be copied to the 'conf' folder under the main NGINX folder.

The CSR file should now be used to submit your certificate request to your chosen certificate issuer. Information on submitting your request, obtaining your certificate and intermediate/root certificates should be available on the issuer's website.

After your certificate has been issued it should be downloaded and put into a file. The issuer's root certificates (and any intermediate certificates) also need to be put into the same file so it's recommended it's named something like domain-bundle.crt (eg. acme-bundle.crt).

The order of the certificates in the file is important for SSL to work. The first certificate in the bundle file should be the certificate for your domain, then the issuer's intermediate certificates, and the issuer's root certificate appended to it. The bundle file should be formatted like the following:

    -----BEGIN CERTIFICATE-----
    [Your certificate]
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    [Intermediate Certificate]
    -----END CERTIFICATE-----
    -----BEGIN CERTIFICATE-----
    [Root Certificate]
    -----END CERTIFICATE-----

The certificate bundle file should be copied to the 'conf' folder under the main NGINX folder when you've finished adding all certificates to it.

STEP 6 – THE NGINX CONFIGURATION FILE

The NGINX configuration file contains all the settings used by NGINX. The file is called 'nginx.conf' and resides in the 'conf' folder under the main NGINX folder.

It is beyond the scope of this article to describe the settings in the configuration file. There are plenty of resources on the internet which cover the settings such as:

- NGINX - Beginners Guide
- NGINX - Configuring HTTPS Servers
- Martin Fjordvald - NGINX Configuration Primer
- DigitalOcean - Understanding the NGINX Configuration File Structure and Configuration Contexts

The sample configuration file attached to the AGECOM Support Note is ready for use and can be copied to the 'conf' folder under the main NGINX folder. It should be named 'nginx.conf'.

If you choose to use the sample file the following customizations will be required:

- The IP address assigned for NGINX to listen on for incoming connections (Lines 59, 79)
- The domain names for your site(s) (Lines 60, 67, 68, 80, 92)
- The path/filename of the private key file (Line 126)
- The path/filename of the bundled certs file (Line 123)

You will also notice the sample configuration file refers to a file in the html folder called 'maintenance.html' (also attached to the support note). If NGINX finds this file it will display the contents of it instead of redirecting to your website. This is useful if you want to bring your Domino server down for maintenance and provide a message back to incoming connections to indicate maintenance is being performed. It should be copied to the 'html' folder which is a subfolder of the main NGINX folder. Whenever you want to display the maintenance message simply rename the file to 'maintenance.html' and when it's not required rename it to something else such as 'zz-maintenance.html'.

Note: The maintenance.html file should be customized with your website and name and email address.

STEP 7 - KEY EXCHANGE SECURITY

The first step in the establishment of a secure connection is the exchange of the private keys between server and client. By default, NGINX uses a 1028-bit DHE (Ephemeral Diffie-Hellman) key, which is relatively easy to decrypt. To provide maximum security it is recommended you create your own more secure DHE key.

Again using OpenSSL open a command prompt and go to the OpenSSL bin folder. Enter the following command:

    set RANDFILE=[path-to-OpenSSL-install-dir]\bin\.rnd

Example:

    set RANDFILE=c:\OpenSSL-Win64\bin\.rnd

Now enter the following command to create a parameters file with a 4096-bit key length:

    openssl dhparam -out dhparam.pem 4096

The generation process will take several minutes.

Note: if you get an error message 'Unable to write random state' while the file is being generated make sure you entered the 'set RANDFILE=….' command correctly first then try running the openssl command again. If the problem persists open a new command prompt with Administrator privileges and try running the commands again.

Once the process has completed copy the dhparam.pem file to the 'conf' folder under the main NGINX folder.

STEP 8 – ENABLE CONNECTOR HEADERS

The following settings should be added to the notes.ini file used by the Domino server if it doesn't already have it:

    HTTPEnableConnectorHeaders=1

This setting enables the Domino HTTP task to process special headers that are added to requests by NGINX. When NGINX passes the HTTP requests to Domino it adds headers that include information about the incoming connection such as the remote IP address. Without this any IP address recorded for incoming HTTP connections will be that used by NGINX rather than the actual remote user's address.

Information added to the headers can be seen in the nginx.conf file as 'proxy_set_header' items.
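
The settings described in Steps 5 to 8 and in the maintenance and forced-https tips, put together as an added example nginx.conf; this is not the AGECOM sample file, whose contents are not reproduced in this guide. It assumes the guide's example values (NGINX on 10.0.0.20, Domino answering for www.acme.com on 10.0.0.25 through the hosts file) and the file names acme-bundle.crt, acme.key and dhparam.pem in the 'conf' folder; the $WS* header names are an assumption about which connector headers Domino reads, and the protocol list is an added hardening choice.

```nginx
# Added example, not the AGECOM sample file. Assumed values: NGINX listens on
# 10.0.0.20, www.acme.com resolves to Domino (10.0.0.25) through the hosts file.
worker_processes 1;

events {
    worker_connections 1024;
}

http {
    include      mime.types;
    default_type application/octet-stream;

    # Port 80: send every plain-http request to https.
    server {
        listen      10.0.0.20:80;
        server_name acme.com www.acme.com;
        return 301  https://www.acme.com$request_uri;
    }

    server {
        # NGINX 1.25.1 and later: use "listen ... ssl;" plus "http2 on;".
        listen      10.0.0.20:443 ssl http2;
        server_name acme.com www.acme.com;
        root        html;

        # Relative paths are resolved against the 'conf' folder.
        ssl_certificate     acme-bundle.crt;  # domain cert first, then the chain
        ssl_certificate_key acme.key;
        ssl_dhparam         dhparam.pem;      # parameters file from Step 7
        ssl_protocols       TLSv1.2 TLSv1.3;  # assumption: older protocols off

        # Maintenance switch: answer 503 with html/maintenance.html while
        # that file exists, otherwise fall through to the proxy below.
        if (-f $document_root/maintenance.html) {
            return 503;
        }
        error_page 503 @maintenance;
        location @maintenance {
            rewrite ^ /maintenance.html break;
        }

        location / {
            # TLS ends here; the hop to Domino is plain http on port 80.
            proxy_pass http://www.acme.com:80;
            proxy_set_header Host $host;

            # Connector headers read by Domino when
            # HTTPEnableConnectorHeaders=1 (names are an assumption).
            # Domino trusts whatever arrives in them, so its HTTP port
            # should accept connections only from the NGINX address.
            proxy_set_header $WSRA $remote_addr;  # remote address
            proxy_set_header $WSRH $remote_addr;  # remote host
            proxy_set_header $WSSN $host;         # server name requested
            proxy_set_header $WSIS True;          # original request was https
        }
    }
}
```

Running nginx.exe -t from the nginx folder checks the file for syntax errors before the service is restarted.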

STEP 9 – TESTING

Now that all setup and configuration steps have been performed you should be able to test the connection.

Go to the Windows Services on the Domino server and ensure the 'nginx' service has been started. If not then start it. If the service fails to start successfully check the 'error.log' file in the 'logs' folder under the main NGINX folder.

On the machine you are testing from (which should not be the machine NGINX or your Domino server is running on) the hostname of your website and the ip address which NGINX is listening on should be added to the Windows hosts file - normally found in the C:\Windows\System32\Drivers\etc folder. This will ensure when you type in the address of your website in a browser window the connection will be directed to NGINX.

For example if your hostname is www.acme.com and the local ip address NGINX is listening on is 10.0.0.20 then you would add the following entries to the hosts file:

    10.0.0.20 acme.com
    10.0.0.20 www.acme.com

Launch a web browser and type in your website address (eg. www.acme.com). If everything has been configured correctly the connection will be received by NGINX and then forwarded to your Domino server. The web page should be successfully displayed.

Now test the secure SSL connection by preceding the website name in your web browser with 'https://' (eg. https://www.acme.com). If SSL and NGINX have been configured correctly an SSL connection will be successfully established by NGINX, the connection forwarded to the Domino server and the website displayed securely.

To check if content has been returned using the http/2 protocol you can check the networking responses using the browser's debugger. In most browsers pressing the F12 key will open the debugging window. Open the networking tab in the debugging window then go to the website address line in the browser and type in the hostname of your site preceded with 'https'.

The following image shows a request for a resource on the AGECOM website over https and it being returned back using http/2:

STEP 10 – UPDATE FORWARDING ON YOUR ROUTER

If your router has been configured to forward incoming traffic on port 80 or 443 (or other custom ports you have specified for incoming http connections) you should update the target ip address to that assigned to NGINX.

The following image shows typical forwarding settings in a router:

We can see that ports 1352 (Notes/Domino) and 25 (SMTP) are forwarded directly to the Domino server's IP address and ports 80 (http) and 443 (https) are forwarded to the ip address assigned to NGINX.

STEP 11 – FIREWALL SETTINGS

If Windows Firewall, or any other firewall, has been enabled on the server you may need to add an entry for nginx. You should check the firewall settings and if necessary add an entry for nginx.exe to allow incoming connections for the application.

STEP 12 - FINAL SETUP

Now that you've confirmed your site is correctly working with NGINX you should go to the Windows services on the machine that NGINX was installed on and set the NGINX service to automatically start. We recommend setting it to start Automatically with a Delayed Start:

TIPS

Here's a list of tips to get the most out of using NGINX in your environment.

CHECK YOUR WEBSITE'S PERFORMANCE

You can check the performance of your website and receive tips on how to improve it by going to the following site: http://www.webpagetest.org

You will be asked to type in the address for your website. We recommend performing tests on your website using both the http and https connections. It will give rankings for various aspects of your websites and tips on how to improve it.

The following image shows an example of the various tests and the rankings that were given:

MULTIPLE WEBSITES

If you are hosting multiple sites you can easily add additional sites to the NGINX configuration file. NGINX can handle all the incoming connections and redirect them to the appropriate server. You'll be able to provide HTTP/2 connectivity for all your domains.

FORCING ALL CONNECTIONS TO BE SECURE

To force all connections to your website to be secure change the following lines in the sample nginx configuration file (Lines 74–76).

From:

    # Forward traffic to port 80 on the target server or redirect traffic to https
    proxy_pass http://www.acme.com:80;
    # return 301 https://www.acme.com$request_uri;

To:

    # Forward traffic to port 80 on the target server or redirect traffic to https
    # proxy_pass http://www.acme.com:80;
    return 301 https://www.acme.com$request_uri;

This will redirect incoming connections over port 80 to port 443.

BRINGING YOUR DOMINO SERVER DOWN FOR MAINTENANCE

If you wish to bring your Domino server down for maintenance NGINX can return a page back to incoming connections indicating the site is down for maintenance.

You should have previously downloaded the 'sample-maintenance.html' file from the AGECOM Support Note and saved it to the 'html' folder under the main nginx folder. Rename the sample maintenance file to 'maintenance.html'. NGINX will detect the existence of this file and return the contents of it.

When your Domino server is back online simply rename the maintenance file to something like 'zz-maintenance.html' and NGINX will automatically resume directing traffic to your Domino server.

Note: The maintenance.html file should be customized with your website and name and email address before using it.

SUGGESTIONS OR COMMENTS

Thank you for reading this guide. If you have some suggestions for improving the content of this guide, find any errors, or just want to drop us a comment please Contact Us and let us know.

ABOUT AGECOM

AGECOM have built a reputation for supplying quality products, support and specialist consulting services to the IBM Lotus community globally since 1995.

Our applications include:

Import for Lotus Notes
Import data directly from the following formats in your Lotus Notes databases: Comma Delimited (CSV), MS-Access, MS-Excel, MS-Outlook, XML, File attachments, Notes Structured Text, and other character delimited files. Existing documents can be updated with imported content. Imports can be run on demand or scheduled.

Export for Lotus Notes
Export your Lotus Notes documents and view data to many different file formats including: Comma Delimited (CSV), Fixed Width, HTML, IBM Connections, Microsoft Excel, Microsoft Access, Microsoft Word, PDF, Tab Delimited, XML and more. Exports can be run on demand or scheduled.

Agent Monitor for Lotus Domino
Centrally manage, monitor & report on all agents in all databases on your Domino servers (shared, private, scheduled). See when agents are scheduled & by who, view agent logs, missed schedules & agents with errors, change agent settings, enable/disable agents and more. A must for all Domino administrators.

We also have other applications, utilities and software which are freely available to the Lotus community.
