What's new in SafeLinx 1.3?

HCL SafeLinx 1.3 introduces the following new functionality.

  • SafeLinx as a reverse proxy for HCL Verse

    You can configure SafeLinx to function as a reverse proxy for HCL Verse to provide failover and load balancing. For more information, see Configuring SafeLinx as a reverse proxy for Verse high availability.

  • Support for SNI

    SafeLinx now supports the Server Name Indication (SNI) extension to TLS, in which a client indicates the host name it is attempting to connect to at the start of the TLS handshake. When you consolidate multiple HTTP services to listen on one external IP address and port, SNI allows each service to have its own X.509 certificate and other TLS attributes. In prior releases, SafeLinx used the host name in the HTTP Host header to determine the host to connect to, which did not allow for service-specific X.509 certificates and TLS attributes.

    Your current HTTP services configuration continues to work without modification. You now have the option to configure X.509 certificates and TLS attributes separately for HTTP services that share one IP address and port.

    For more information, see Consolidation of multiple HTTP access services under one IP address.

  • Access manager binding to one IP address and port number

    You can configure the access manager to bind to a specific IP address and port number when connecting to the SafeLinx Administrator. For more information, see Configuring the access manager to bind to a specific IP address.

  • "No authentication required" rule for HTTP services

    You can now configure an HTTP service to use a "No authentication required" rule that defines a server path that doesn't require authentication. SafeLinx allows anonymous access for any requests that begin with the path specified in the rule. This rule is defined using the NOAUTH keyword.

    For example, to allow anonymous access to any request on the server myserver.internal.com that begins with /path/open/, specify the following rule:

    NOAUTH https://myserver.internal.com/path/open

    This type of rule should be used with caution. For security reasons, only one anonymous request is allowed per TLS socket.

    For more information, see Configuring special access rules for application server URLs.

  • SAML configuration change

    A new entry in config.yml is required for SAML. This entry enables the session cookie for the Service Provider function to flow without TLS. If you have an existing SAML configuration, add the following entry to the session section of the config.yml file.

    session:
      cookie:
        secure: false

    The config.example.yml file provided with SafeLinx includes this setting.