Network & SSL
Configure service addresses, ports, and HTTPS for your Inspire deployment. This page manages the network layer connecting the three core services: Edge, Renderer, and DataPool.
Pairing and display traffic should be exposed over HTTPS wherever possible. If browsers or signage devices access Edge over plain HTTP, session cookies, pairing tokens, and authenticated display access can be intercepted or replayed by attackers on the same network segment.
Navigate to Settings > Network.
Requires the Admin role and the ON_PREMISE_DEPLOYMENT entitlement (Professional plan and above).
Service Status
The top of the page shows connectivity status for all three services:
| Service | Purpose | Default Port |
|---|---|---|
| Edge | Main application server — handles UI, API, and device connections | 80 |
| Renderer | Generates visual output for display devices | 8080 |
| DataPool | Data ingestion, connectors, and real-time data distribution | 8080 |
Each service shows a green “Connected” or amber “Unreachable” indicator.
Configuring Service Addresses
Edge Service
| Field | Description |
|---|---|
| Port | The HTTP port Edge listens on |
| Public URL | The URL that external clients use to reach Edge (e.g. https://inspire.example.com) |
Trusted Reverse Proxies
If Edge is deployed behind nginx, Traefik, Caddy, HAProxy, or another reverse proxy, configure the proxy addresses here so Edge only honors forwarded client metadata from trusted peers.
| Field | Description |
|---|---|
| Trusted proxy IP addresses | Exact proxy IPs, one per line. Use for fixed reverse proxy hosts such as 127.0.0.1 or a dedicated load balancer address. |
| Trusted proxy CIDR networks | Proxy subnets in CIDR notation, one per line, such as 10.0.0.0/24. Use when proxies run on a known internal subnet. |
Edge only applies X-Forwarded-For, X-Forwarded-Proto, and X-Forwarded-Host when the immediate peer matches one of these configured entries.
Do not add broad client networks here. Only add addresses used by your reverse proxy or load balancer. Otherwise clients on those networks could spoof their source IP, scheme, or host.
Typical examples:
- Single-host deployment with local reverse proxy:
127.0.0.1 - Docker or VM load balancer subnet:
10.0.0.0/24 - Dual fixed proxies: one IP per line in Trusted proxy IP addresses
Renderer Service
| Field | Description |
|---|---|
| Host | The hostname or IP where the Renderer service runs |
| Port | The port the Renderer listens on |
DataPool Service
| Field | Description |
|---|---|
| Host | The hostname or IP where the DataPool service runs |
| Port | The port DataPool listens on |
For single-server deployments, both Renderer and DataPool typically run on 127.0.0.1. For distributed deployments, set the appropriate internal addresses.
For on-prem HTTP deployments, this means the traffic is functional but not confidential on the local network. Treat HTTP device access as trusted-LAN-only.
SSL Certificate
Inspire supports HTTPS through a single SSL certificate (.pfx or .p12 format) that is deployed across all services.
Uploading a Certificate
- Drag and drop a
.pfxor.p12file onto the upload zone, or click to browse - Enter the certificate password in the dialog that appears
- Click Upload
Once uploaded, the certificate details are displayed:
| Field | Description |
|---|---|
| Subject | The CN (Common Name) the certificate was issued for |
| Issuer | The Certificate Authority that issued it |
| Valid from / Valid to | Certificate validity period |
| Thumbprint | SHA-1 fingerprint for verification |
| File | The uploaded filename |
| Status | Valid, Expired, Expiring Soon, or Unreadable |
Enabling HTTPS
After uploading a certificate:
- Toggle the Enable HTTPS switch
- Configure per-service HTTPS bindings:
| Service | Default Bind Address | Default HTTPS Port |
|---|---|---|
| Edge | 0.0.0.0 | 5001 |
| Renderer | 0.0.0.0 | 8443 |
| DataPool | 0.0.0.0 | 8444 |
- Click Save Changes
HTTPS is the recommended mode for all device-facing traffic, including /pair, /display/*, /renderer/*, SignalR display connections, and authenticated admin access.
Certificate Management
- Test — Click the shield icon to verify the certificate is readable and valid
- Replace — Click “Replace certificate” at the bottom of the certificate card
- Remove — Click the delete icon to remove the certificate (disables HTTPS)
Certificate Status Indicators
| Status | Meaning |
|---|---|
| Valid (green) | Certificate is current and readable |
| Expiring Soon (amber) | Certificate expires within 30 days |
| Expired (red) | Certificate has expired |
| Unreadable (red) | Certificate file could not be read (possibly wrong password) |
Automating Certificate Deployment
For automated certificate renewal (e.g. from Let’s Encrypt), use the API:
# Login and save session
curl -c cookies.txt -X POST https://your-instance/api/Authenticate \
-H 'Content-Type: application/json' \
-d '{"provider":"credentials","userName":"admin@inspire.local","password":"..."}'
# Upload certificate
curl -b cookies.txt -X POST https://your-instance/api/network/certificate \
-F "file=@server.pfx" \
-F "password=cert-password"Saving Changes
A sticky bar appears at the bottom when you have unsaved network configuration changes. Click Save Changes to apply or Discard to revert.
Changing ports or enabling HTTPS may require a service restart to take effect. Ensure your firewall rules, load balancer configuration, and trusted proxy allowlist match the new network layout.