Parameter: HTTPConnectorHeadersSecret
Short description: Shared secret between reverse proxy and Domino HTTP so that upstream connector headers are accepted only from trusted proxies – mandatory from 12.0.1.
Profile
Parameter | HTTPConnectorHeadersSecret
Category | Security / TLS |
Component | Server |
Available since | 10.0 |
Supported versions | 10.0, 11.0, 12.0, 14.0, 14.5, 14.5.1 |
GUI equivalent | notes.ini only (no GUI) |
Possible values | Free-form string, identical on proxy and Domino |
Description
When Domino is operated behind a reverse proxy (nginx, Apache, HCL SafeLinx, F5), the connector headers ($WSRA, $WSRH, $WSRU, ...) must be passed through so that Domino knows the real client IP, the original protocol, and the original host name. From Domino 12.0.1 onwards, HTTPConnectorHeadersSecret is mandatory: only requests that carry a valid $WSIS token with this shared secret are allowed to set those headers. Without a secret, Domino 12.0.1 and later ignores connector headers; in that case Verse/iNotes behind a reverse proxy works with the internal server IP instead of the client IP.
Example configuration
HTTPEnableConnectorHeaders=1
HTTPConnectorHeadersSecret=Vw3qFv9Lp8sR-mySharedSecret
Notes & pitfalls
- Configure an identical secret on all upstream reverse proxies.
- At least 32 characters, generated cryptographically securely.
- During rollout: temporarily allow both values in parallel (switch proxies one at a time).
- Never log it in clear text.
- The change takes effect only after a restart of the HTTP task (restart task http).
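The checks from the notes above, as an added example (not HCL code): a small audit that reads notes.ini text, flags a missing or too-short secret, and reports only a hash fingerprint so the proxy and Domino values can be compared without logging the secret. It assumes notes.ini is plain `key=value` lines; the function names and the sample input are constructed for illustration.

```python
import hashlib
import secrets

MIN_LEN = 32  # minimum length given in the notes above
DOC_EXAMPLE = "Vw3qFv9Lp8sR-mySharedSecret"  # sample value printed on this page

# Constructed sample input: the example configuration from this page.
SAMPLE_INI = "HTTPEnableConnectorHeaders=1\nHTTPConnectorHeadersSecret=" + DOC_EXAMPLE


def parse_notes_ini(text):
    """Return notes.ini settings as a dict with lower-cased keys."""
    settings = {}
    for line in text.splitlines():
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def fingerprint(secret):
    """SHA-256 prefix for comparing proxy and Domino values without the secret."""
    return hashlib.sha256(secret.encode()).hexdigest()[:12]


def audit(text):
    """Return a list of findings; the secret itself never appears in them."""
    s = parse_notes_ini(text)
    secret = s.get("httpconnectorheaderssecret", "")
    findings = []
    if s.get("httpenableconnectorheaders") != "1":
        findings.append("HTTPEnableConnectorHeaders is not 1")
    if not secret:
        findings.append("HTTPConnectorHeadersSecret is missing or empty")
        return findings
    if len(secret) < MIN_LEN:
        findings.append(f"secret has {len(secret)} characters, fewer than {MIN_LEN}")
    if secret == DOC_EXAMPLE:
        findings.append("secret is the sample value from the documentation")
    return findings


def new_secret():
    """43-character URL-safe secret from the OS CSPRNG (32 random bytes)."""
    return secrets.token_urlsafe(32)
```

Run `audit()` on each Domino server's notes.ini and compare `fingerprint()` output across proxies and servers only once the secret passes the length check, since a hash prefix of a weak secret can be guessed offline.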