In case your back-end logic is not too complex, I would suggest migrating your back-end code to some other technology (we have great experience with node.js), and using Caché just as a datastore, not as a rendering engine. You have a variety of options on how to connect to Caché (REST, RabbitMQ, etc.).

Then your license units will limit just the number of concurrent datastore connections, not the total number of connected clients.

In case you choose some popular language (node.js), this has an added benefit that you can draw from the wealth of libraries the node.js ecosystem provides. No more re-inventing the wheel in Caché.

You mention rendering HTML on the backend -- there are about a gazillion JavaScript templating libraries out there. Also, you get to work in some more modern language than COS, and, possibly, with more mature development tools.

That is just how I would do things after working with Caché for four years. Sorry InterSystems. On the other hand, I still think the database is blazing fast :)

Greetings,

I dealt with the problem of securing the Portal on our Linux server a while ago, so I am pasting my notes on the necessary steps below. Hopefully, they will be of some use.

httpd for SSL-enabled Caché Management Portal

Download necessary tarballs:

wget http://mirror.dkm.cz/apache//httpd/httpd-2.4.25.tar.gz
wget http://apache.miloslavbrada.cz//apr/apr-util-1.5.4.tar.bz2
wget http://mirror.hosting90.cz/apache//apr/apr-1.5.2.tar.gz

Extract

tar xvvf ./httpd-2.4.25.tar.gz
tar xvvf ./apr-util-1.5.4.tar.bz2
tar xvvf ./apr-1.5.2.tar.gz

Copy the Apache Portable Runtime sources into the Apache srclib directory

cp -r ./apr-1.5.2 ./httpd-2.4.25/srclib/apr
cp -r ./apr-util-1.5.4 ./httpd-2.4.25/srclib/apr-util

Configure

cd httpd-2.4.25
./configure --prefix=/cachesys/httpd --enable-ssl --enable-so --with-included-apr \
--enable-mods-static="log_config mime alias unixd authz_core rewrite ssl" --without-gdbm \
--without-ndbm --without-berkeley-db --with-expat=builtin --with-mpm=worker --disable-shared

Compile

make

Kill the original httpd

kill `cat /cachesys/httpd/logs/httpd.pid`

Backup the old httpd

sudo mv /cachesys/httpd /cachesys/httpd.old

Install the new httpd

sudo make install

Change /cachesys/httpd/conf/httpd.conf to look like this:

ServerRoot "/cachesys/httpd"
DocumentRoot "/cachesys/csp"

CSPModulePath /cachesys/csp/bin/

LoadModule csp_module_sa /cachesys/csp/bin/CSPa24.so

User cacheusr
Group cacheusr

<Location />
    CSP On
    SetHandler csp-handler-sa
</Location>

ServerName localhost
PidFile logs/httpd.pid
TraceEnable off
Timeout 300
KeepAlive On
MaxKeepAliveRequests 0
KeepAliveTimeout 120

UseCanonicalName Off

<VirtualHost *:57772>
        Redirect "/" "https://your.server.name:57782/"
</VirtualHost>

<VirtualHost *:57782>
        SSLEngine On
        # SSLCertificateFile expects the PEM-encoded X.509 certificate
        SSLCertificateFile  "/path/to/your/public.key"
        SSLCertificateKeyFile "/path/to/your/private.key"
        <Directory />
            Options MultiViews FollowSymLinks
            AllowOverride None
            Require all granted
            <FilesMatch "\.(log|ini|pid|exe|so)$">
                Require all denied
            </FilesMatch>
        </Directory>
        <Location "/csp/bin/Systems/">
            SetHandler csp-handler-sa
        </Location>
        <Location "/csp/bin/RunTime/">
            SetHandler csp-handler-sa
        </Location>
        AddHandler csp-handler-sa csp cls cxw zen
</VirtualHost>

TypesConfig conf/mime.types
HostnameLookups Off

ErrorLog logs/error.log
LogLevel error
LogFormat "%h %l %u %t \"%r\" %>s %b" common
#CustomLog logs/access.log common

StartServers          1
MinSpareThreads       5
MaxSpareThreads      15
ThreadLimit          25
ThreadsPerChild       5
MaxClients           25
MaxRequestsPerChild 200

ServerTokens Prod

Listen 57772
Listen 57782

Finally, launch the new httpd

/cachesys/httpd/bin/httpd -d /cachesys/httpd -c "Listen 57772"

That's it.

IMO, SSL really should be on by default in 2017.

Jiri
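
A pre-flight check for the `SSLCertificateFile` and `SSLCertificateKeyFile` entries in the configuration above, as an added example that is not part of the original post: it confirms that the first file is an X.509 certificate rather than a bare public key, that the private key belongs to it, and that the key has no group or other permissions. The function names are made up here; it assumes the `openssl` CLI and GNU `stat` are installed.

```shell
#!/usr/bin/env bash
# Added example: pre-flight check for the TLS files named in httpd.conf.
# conf_value and check_tls_pair are illustrative names, not Caché or httpd tools.
# Assumes the openssl CLI and GNU stat (Linux); paths must not contain spaces.
# Only the first occurrence of each directive is checked.
# Usage: check_tls_pair /cachesys/httpd/conf/httpd.conf

# Print the first argument of the first matching directive, quotes stripped.
conf_value() {  # usage: conf_value DIRECTIVE CONF_FILE
    awk -v d="$1" '$1 == d { gsub(/"/, "", $2); print $2; exit }' "$2"
}

# Return 0 only if certificate and key are valid, matching, and key is private.
check_tls_pair() {  # usage: check_tls_pair CONF_FILE
    cert=$(conf_value SSLCertificateFile "$1")
    key=$(conf_value SSLCertificateKeyFile "$1")
    if [ -z "$cert" ] || [ -z "$key" ]; then
        echo "FAIL: SSLCertificateFile or SSLCertificateKeyFile not set"; return 1
    fi
    # SSLCertificateFile must be an X.509 certificate, not a bare public key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) ||
        { echo "FAIL: $cert is not an X.509 certificate"; return 2; }
    # Empty -passin keeps openssl from prompting if the key is encrypted.
    key_pub=$(openssl pkey -in "$key" -passin pass: -pubout 2>/dev/null) ||
        { echo "FAIL: $key is unreadable or passphrase-protected"; return 3; }
    # Both commands print the public key in the same PEM form, so compare text.
    [ "$cert_pub" = "$key_pub" ] ||
        { echo "FAIL: private key does not belong to certificate"; return 4; }
    # The key must carry no group or other permission bits (e.g. 600 or 400).
    mode=$(stat -c %a "$key")
    case "$mode" in
        [0-7]00) ;;
        *) echo "FAIL: $key has mode $mode, expected 600 or 400"; return 5 ;;
    esac
    echo "OK: key matches certificate, key mode $mode"
}
```

Each failure has its own return code (1 to 5), so the function can gate the `httpd` launch step in a deployment script.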