
On-Premises

General Information

AOP comes with different configurations for on-premises deployment. The on-premises server can be configured to run in a secure environment. The following sections provide security recommendations for configuring the AOP on-premises server.

Info: Please check the hash of the downloaded zips to ensure the integrity of the files.

Offline Activation

If you work with sensitive data, we recommend running the AOP server in a private network without external internet access. For activation, pass --generate_lrf to generate a license request file. Then log in to our www.apexofficeprint.com portal and upload this license request file.

For detailed information on the file generation process, refer to the Report Generation Process section.

Security Recommendations for On-Premises AOP Server Configuration

General Settings

  • Access Token: Use a strong, unique token for the access_token setting to protect the logs and general stats.

HTTPS and Encryption

  • HTTPS Mode: Run AOP over HTTPS so that data is encrypted in transit. To run the server in HTTPS mode, provide valid paths for https_cert and https_key. Secure the HTTPS key with a passphrase using https_passphrase.
  • Disable Static Key Ciphers: Set disable_static_key_ciphers to true to prevent the use of less secure static key ciphers.
  • TLS Ciphers: Specify strong encryption ciphers in tls_ciphers to ensure secure HTTPS connections.
  • Enable HSTS: Set enable_hsts to true to enforce secure connections and protect against downgrade attacks.

Local Resources and Macro

  • Enable Local Resources: Set enable_local_resources to false to prevent unauthorized access to local files.
  • Enable Macro: Set enable_macro to false to avoid potential security risks associated with macros in documents.

Logging and Saving Data

  • Network Log: Set enable_networklog to true to log incoming requests and enhance security monitoring.
  • Print Job Log: Keep enable_printlog set to true to track printing activities.
  • Save Output: Only enable enable_save if necessary, and specify a secure directory for saving output files.

IP Whitelisting and Firewall

  • IP Whitelisting: Use ipwhitelist to restrict access to the server from trusted IP addresses only.
  • Firewall: Ensure the AOP server is behind a firewall and only accessible by the database server.

Performance and Security

  • Idle Timeout: Adjust idle_timeout and inactive_instance_timeout to balance performance and security.
  • Maximum Instances and Requests: Configure max_instances and max_outgoing_requests according to your infrastructure's capacity.
  • Memory Per Request: Set memory_per_request appropriately to prevent resource exhaustion.

Temporary Files and Cache

  • PDF Temp Folder: Use a secure and fast temporary storage location for pdf_temp_folder.
  • Temp File Removal: Set temp_file_removal_duration to regularly clean up temporary files.
  • Template Cache: Configure template_cache_folder and template_cache_removal_duration to manage cached templates securely.

Offline Activation

  • Offline Activation: If the server is offline, AOP will generate a license request file to facilitate offline activation.

Network and Connectivity

  • Non-Public Facing: The AOP on-premises server should not be public-facing. Only your database server should be able to connect to it.
  • Run Server in HTTPS Only Mode: Configure https_port appropriately and disable HTTP to enforce secure connections.
  • Run AOP in a Private Network: If handling sensitive data, place AOP in a private network without external internet access.
  • No External Internet Access Required: AOP does not require external Internet access.
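
The recommendations above can be checked mechanically before a server goes live. The following is an added example, not code from AOP or its documentation: it assumes the settings are available as one flat mapping keyed by the setting names used on this page (the actual configuration layout may differ), the 32-character token minimum is an assumption, and the sample values are constructed.

```python
import json

# Boolean values recommended on this page.
EXPECTED_FLAGS = {
    "disable_static_key_ciphers": True,
    "enable_hsts": True,
    "enable_local_resources": False,
    "enable_macro": False,
    "enable_networklog": True,
    "enable_printlog": True,
}
# Settings the page asks to be set; checked for presence only, not for content.
REQUIRED = ("https_cert", "https_key", "https_passphrase", "tls_ciphers", "ipwhitelist")
MIN_TOKEN_LEN = 32  # assumption: the page only asks for a "strong, unique" token


def audit(settings):
    """Return {setting: problem} for every deviation from the recommendations."""
    findings = {}
    for key, want in EXPECTED_FLAGS.items():
        if settings.get(key) is not want:  # a missing key or a string "true" is also flagged
            findings[key] = f"is {settings.get(key)!r}, recommended {want!r}"
    for key in REQUIRED:
        if not settings.get(key):
            findings[key] = "missing or empty"
    token = str(settings.get("access_token") or "")
    if len(token) < MIN_TOKEN_LEN:
        findings["access_token"] = f"shorter than {MIN_TOKEN_LEN} characters"
    if settings.get("enable_save"):
        findings["enable_save"] = "enabled; confirm it is needed and the directory is restricted"
    return findings


# Constructed sample settings (not a real AOP configuration file).
SAMPLE = json.loads("""{
  "access_token": "changeme",
  "https_cert": "/etc/aop/server.crt", "https_key": "/etc/aop/server.key",
  "enable_hsts": true, "enable_macro": false, "enable_printlog": true,
  "enable_local_resources": true,
  "enable_networklog": false,
  "enable_save": true,
  "ipwhitelist": ""
}""")

if __name__ == "__main__":
    for key, problem in sorted(audit(SAMPLE).items()):
        print(f"{key}: {problem}")
```

The check covers only the settings that have an unambiguous recommended value on this page; timeouts, instance limits and temp-folder locations depend on the deployment and still need manual review.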