Caching in reverse proxy

We are using the Sun Proxy Server v4.0.5 as a reverse proxy with the browser side listening in http. Caching is enabled in the default object block. Most of the proxy mappings are going to http destinations, but some are to https content. I have noticed that even though the proxy is able to make the ssl connection and retrieve the content it does not cache any of it which hurts performance. Since the content gets decrypted by the proxy to be sent out to the browser it would look like any other http content so shouldn't it be considered for caching? Is there any way to get the content to be cached by the reverse proxy to improve performance?

Thanks for the suggestion, it looks like that works. Please note that it doesn't look like this option is listed in the Configuration file reference for 4.0.5. However after your suggestion I found that it is the value that is inserted by the admin console under the Caching -> Set Caching Configuration screen (the admin console is not used often as manual edits to the config files are preferred). Can we expect an effort to get the "undocumented" config values documented?

Similar Messages

  • CSM - Reverse Proxy Cache

    Please, let me know how to configure the reverse proxy cache on CSM.
    Thanks in advance.

    I think that the following URL has all the steps you are looking for to configure reverse proxy cache. http://www.cisco.com/univercd/cc/td/doc/product/webscale/uce/acns42/cnfg42/rproxy.htm

  • SWF verification behind a reverse proxy cache

    Hi!
    If I place an set of FMS servers behind some reverse proxy caches, will I get problem with SWF verification if the cache layer caches the .f4m meta data file with the SWF verification data? Is there any documented best practice on the requirements to build large scale deployment with security enabled?
    best regards
    Johan Acevbedo

    Hello Johan,
    Is in your case drm is embedded inside the f4m??
    HLS-VOD
    Set the TTL for your f4m to max equal to an interval at which you are expecting the swf hashes to update.
    For example, if you expect, you may add/remove swf hashes at interval of say 1 hr, then set the TTL for the f4m as say 50 min (10 min taken as allowed error in your estimation of swf hash update).
    You may set HttpStreamingF4MMaxAge under hds-vod (if that is hds vod case) as per your required TTL. Most proxy cashes should ideally respect the TTL dictated by origin response an should re-request the f4m after that period.
    HDS-LIVE
    Otherwise if this is hds-live case, then I don't think drm is embedded into the f4m. Just verify. Drm is a serperate request. In that case, you can set TTL on drm (HttpStreamingDrmmetaMaxAge) request also under hls-live in httpd.conf.
    Read more about these configs http://help.adobe.com/en_US/flashmediaserver/devguide/WSd391de4d9c7bd609a95b3f112a373a7115 -7fff.html#WSae20eaa80bf612516499f756131e06fb583-7fff
    You can also set the drm update interval time in the recording section of the  application.xml as per your need. Read more about the config at http://help.adobe.com/en_US/flashmediaserver/devguide/WSd391de4d9c7bd609a95b3f112a373a7115 -7fff.html#WSc1a546382286f18f-4a910076130ddc59d17-7ffe . Config setting will only update drm on the disk. But you will still have to set the proper TTL in Apache httpd.conf for the request of the DRM to be sent by the proxy to the origin to fetch it.
    -Nitin

  • Reverse Proxy and Transparent Caching

    I've seen a couple threads on these particular subjects, and I'm still a little curious. I understand that it is possible to have both of these configured, but what is the proper method of accomplishing this?
    For example, our setup is similar to the configuration in the configuration guide for clients and content engines on different subnets, so the transparent part seems pretty simple where the "ip wccp web-cache redirect out" command will be on the interface connected to the internet.
    However, for the reverse proxy portion, can I also configure reverse proxy on the same internet-connected interface with "ip wccp 99 redirect in"? Or does the transparent caching take precendence even though they are for different conditions? If that is the case, do I then need to use the "ip wccp 99 redirect out" command on the interface that would be pointing back towards the origin servers?
    I'd just like to clarify because we don't have test devices to play around with, so we would be modifying production devices.
    As a completely different question, if only transparent caching is configured, is it still possible to use the CE590 as a proxy server? The reason I am asking is that we recently shut down wccp because we were seeing excessive traffic at odd hours. A stroll through the transaction logs revealed that most of this traffic was destined for foreign subnets. It appeared that the CE590 was acting as a proxy for these foreign IPs because the source IP address as well as the data being retrieved were foreign to our network.
    If anyone can help with my questions, it would be greatly appreciated.
    David

    According to this thread,
    http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&CommCmd=MB%3Fcmd%3Ddisplay_location%26location%3D.ee8a89a
    if you are redirecting both the services on the same interface, One service takes precedence over the other and I believe transparent web-cache redirect takes precedence over reverse-proxy.I think you need to use the "ip wccp 99 redirect out" command on the interface that would be pointing back towards the origin servers.
    For details refer:
    http://www.cisco.com/en/US/partner/products/sw/conntsw/ps491/products_configuration_guide_chapter09186a00800af658.html#19607
    I'm not too sure about the CE 590 but i know that the CE 560 can be used as a proxy for transparent caching using WCCP.

  • CSS Reverse Proxy Rule problem if caches suspended breaks web site

    Hi
    Another perplexing problem we've had tonight:
    2 x CSS11000 with 2 x CE560's providing Reverse Proxy Cache to a front end web server. During testing we had both CE services "suspended" but not the RCP content rule. So in my theory this rule couldn't work because it's services were not available. However, the CSS continued to hit this content rule and hence broke the web side. We then suspended the RPC rule, all traffic was forced to use the directtoserver rule and things worked again.
    The question this poses, and we will be testing this on Monday is....if the caches are "down" rather than "suspended" does the same thing happen....and is this a bug (because I cant help thinking thats not what ithe CSS should be doing) or something else.
    Anyone come across this ?
    Thanks
    Simon

    Simon,
    I think the answer to your question comes down to whether the content rule is considered "down" or not. When the caches are down, what does a "show rule" show as a status of the content rule. If the rule is down, the CSS should not even respond to the clients request via the vip unless there is another content rule containing the same vip (L3, L4 etc..)
    Maybe the keepalive types need to be changed. For example, using icmp for a keepalive type and shutting down port 80 on a webserver will NOT signify to the CSS that the services is down.
    If the rule is down and still increasing hit counts, then this would be some type of bug.
    Regards
    Pete Knoops
    Cisco Systems

  • How to setup CSS as reverse proxy server without cache server

    Hi, question regarding CSS capabilities.
    Is there a way to setup CSS (11000 series or 11500) to act as a reverse proxy server without caching server in place? Or is it possible for CSS to cache contents on its own?
    And what is disk space on CSS used for?
    Thank you.

    Thank you for clarification on disk usage on CSS. I have gone through sample config for reverse proxy caching
    http://www.cisco.com/warp/customer/117/CSS_CEreverseproxy.html
    Does this mean only way to have CSS to do reverse proxying is to have cache engine in conjunction with CSS?
    Thank you again in advance.

  • Is this dynamic caching scenario possible with reverse proxy?

    I'm considering using the Sun System Java Web Server as a reverse proxy in front of other SSJWS's running a java webapp. I'm creating a dynamic site where most of the pages change only occasionally. I'm wondering if the follow "dream compression/caching" scenario is possible:
    - Origin web servers have a set of high traffic dynamic pages that change only occasionally. Other pages (could be partition in subdirs) should not be cached.
    - These dynamic pages set cache and expires headers allowing browser and proxies to cache the content--say for hours or days. It's ok if users see a slightly stale page within this expiration period.
    - Reverse proxy caches these pages as if they were static files. They also create gzipped versions on the fly and cache those. When requests comes in for these specific pages, they are served straight from proxy cache (either compressed or uncompressed depending on request header.)
    - When the expiration date is reached, reverse proxy requests fresh pages from the origin server, creates a compressed version, and only servies these pages from cache.
    - A certain set of pages shouldn't be cached and will have appropriate headers. They will probably also be in different subdirectories.
    Is it possible to use the reverse proxy as a self-updating cache this way? (And it it possible to proactively invalidate the cache. Let's say I change a page on the origin and I want the proxy to refresh that cached page right away.)
    Thank you,
    Armando

    I see. Thank you, this is very helpful.
    I've take taken a look at Web Proxy 4. It seems it can do much of what I'd like. One downside I see is that it seems to be quite a big tool with all of the forward proxying features that I don't need. I just need a transparent reverse proxy/cache, so it would have been nice if the reverse proxy provided by Sun Web Server offered some of the caching features of Web Proxy 4.
    Does Web Proxy 4 share code with Web Server? I haven't any seen any buzz, blogs, etc about it as I have with Sun Web Server. I see it now has a "modern HTTP core" and such but is performance on par with Web Server? (There are no trumpeted world records, and I don't see any architecture details, such as the ability to leverage event ports on Solaris...)
    It looks like Web Proxy 4 can be configured as a reverse proxy to do sticky load balancing, caching with interval checks, and on the fly gzip compression. Can it: cache both a compressed and uncompressed version of the content? Run other filters on the content before caching, such as the sed content trip filter? I haven't really seen anything out there that can do all that. If this is possible, then Web Proxy 4 deserves more buzz!
    If anyone has any good or bad experience using Web Proxy as a reverse proxy, I'd love to hear it!
    Cheers!
    Armando

  • Lync Reverse Proxy Alternatives

    When migrating from OCS 2007 to Lync 2010, we balked Microsoft’s recommendation to deploy Forefront Threat Management Gateway (or ISA) just to get the reverse proxy services. 
    TMG is way too expensive and complex for such a limited, simple use case.
    I didn't find much information on what people are using as free alternatives to ISA/TMG, so I decided to post this discussion in case there are others out there who are interested.
    We decided to use Apache 2.2 on Windows Server 2008 R2. 
    Here's how we configured it:
    Read here to understand what features require a reverse proxy, and follow the steps to configure your FQDNs, Network Adapters and (maybe) obtain an SSL Certificate for the reverse proxy. 
    http://technet.microsoft.com/en-us/library/gg398069.aspx
    Download and install the latest stable release of Apache with OpenSSL on your reverse proxy server. 
    http://httpd.apache.org/download.cgi
    We're using the same certificate on the reverse proxy that we use on our front end server (it has the appropriate SANs), so we need to convert it to PEM format for use with Apache:
    Use the Certificates MMC on your front end server to export the certificate and include the private key.
    Transfer the resultant .pfx file to your reverse proxy server.
    Use OpenSSL to convert your .pfx file to PEM:
    openssl pkcs12 -in c:\pathto\yourcert.pfx -out c:\pathto\yourcert.pem –nodes 
    Separate the private key from the certificate using notepad: 
    Open the new .pem file and cut the text from the beginning of the file through the end of the “----END RSA PRIVATE KEY----“ tag. 
    Save that text to a new file named
    yourcert.key. 
    Save
    yourcert.pem, which should now only include the certificate.
    Copy (or move) the certificate and private key to the Apache configuration directory. We like to use: C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\ssl
    for storing the certificates.
    Edit httpd.conf (typically in
    C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf) to enable and configure the proxy and SSL features:
    (See  http://httpd.apache.org/docs/2.2/mod/mod_proxy.html
     for more information on each directive)
    Uncomment the following lines, which will enable proxy and SSL:
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    LoadModule ssl_module modules/mod_ssl.so
    Include conf/extra/httpd-ssl.conf
    Add the following lines to configure reverse proxy behavior:
    #Be a reverse proxy, not a forward proxy
    ProxyRequests Off
    #Accept requests from any client to any URL
    <Proxy *>
    Order Deny,Allow
    Allow from all
    </Proxy>
    #Set the network buffer to improve throughput
    ProxyReceiveBufferSize 4096
    #Configure the Reverse Proxy to forward all requests to your front end server on 4443
    ProxyPass / https://yourfrontend.domain.com:4443/
    ProxyPassReverse / https://yourfrontend.domain.com:4443/
    #Preserve Host Headers for Lync
    ProxyPreserveHost On
    Optionally, configure logging directives, bindings and server name.
    Save and close httpd.conf
    Edit httpd-ssl.conf (typically in conf\extra):
    Configure the session cache:
    Uncomment:
    SSLSessionCache “dbm:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache”
    Comment out:
    SSLSessionCache “shmcb:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)”
    Locate the <VirtualHost _default_:443> tag and configure the following:
    Add the following directive:
    SSLProxyEngine On
    Configure the path to your SSL Certificate saved in step 3-5 above:
    SSLCertificateFile “C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\ssl\yourcert.pem”
    Configure the path to your private key saved in step 3-5 above:
    SSLCertificateKeyFile “C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\ssl\yourcert.key”
    Optionally, configure the SSLCACertificateFile (you can download the appropriate bundle from your CA).
    Optionally, configure logging directives.
    Save and close httpd-ssl.conf
    Restart the Apache2.2 service
    Configure public DNS records and appropriate firewall rules to allow public http/https traffic to the external interface of your reverse proxy, and to allow the internal interface of
    the reverse proxy to talk to the front end Lync server on 8080 and 4443.
    From an external connection, test connectivity through the reverse proxy:
    Test
    https://dialin.company.com (friendly URL for getting dial-in information, if you’re using voice conferencing)
    Test the Lync Web App by setting up an online meeting and following the URL to join the meeting. 
    You can force the use of the web app by appending ?sl= to the end of the meet.company.com link. 
    See this for more information http://blogs.technet.com/b/jenstr/archive/2010/11/30/launching-lync-web-app.aspx
    Hope this information is helpful and saves some of you some money and trouble.
    Please contact me if you need further clarification or see any mistakes in my notes.
    Best regards,
    Kenneth Walden
    Enterprise Systems Supervisor
    GSD&M
    Austin, TX

    I'd like to thank you for this article.  We were setting up Apache RP for Lync .... needless to say they weren't too excited to learn this new (and highly complex with lots of specific undocumented requirements) Microsoft product.  Anyways, your
    blog saved me a LOT of headache.  I owe you big time. 
    AWESOME JOB. 
    -Greg
    *****EDIT***
    Decided to come back in there and post good information.  We had issues with EXTERNAL and ANONYMOUS users being able to attend a meeting.  The "DIALUP" url was working fine but the "MEETING" url was broken.  On our WFE servers we were getting
    the event error as below.   Turns out that our reverse proxy was not set to "PROXYPRESERVEHOST ON".  Once we put that in there ALL was good.
    Notice that the MEET portion was the only thing that was really broken.  So, if you can get DIALUP to work, but MEET doesn't ... your RP is working to FW the 443 to the 4443 correctly but you're RP is sending the wrong HEADER.  Look for
    http://10.x.x.x/meet/ or soemthing in the event logs. 
    Log Name:      Application
    Source:        ASP.NET 2.0.50727.0
    Date:          11/16/2011 1:26:35 PM
    Event ID:      1309
    Task Category: Web Event
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      OneofMyInternalWFEservers.local
    Description:
    Event code: 3005
    Event message: An unhandled exception has occurred.
    Event time: 11/16/2011 1:26:35 PM
    Event time (UTC): 11/16/2011 6:26:35 PM
    Event ID: b2039ecd0a62482284030f62e1e639d8
    Event sequence: 129
    Event occurrence: 28
    Event detail code: 0
    Application information:
        Application domain: /LM/W3SVC/34578/ROOT/meet-1-129658725547585993
        Trust level: Full
        Application Virtual Path: /meet
        Application Path: C:\Program Files\Microsoft Lync Server 2010\Web Components\Join Launcher\Ext\
        Machine name: MYWFE.local
    Process information:
        Process ID: 14204
        Process name: w3wp.exe
        Account name: NT AUTHORITY\NETWORK SERVICE
    Exception information:
        Exception type: HttpException
        Exception message: Server cannot append header after HTTP headers have been sent. 
    Request information:
        Request URL:
    https://FQDN:4443/meet/MyName/456456
        User host address: gatewayIP
        User: 
        Is authenticated: False
        Authentication Type: 
        Thread account name: NT AUTHORITY\NETWORK SERVICE
    Thread information:
        Thread ID: 7
        Thread account name: NT AUTHORITY\NETWORK SERVICE
        Is impersonating: False
        Stack trace:    at System.Web.HttpHeaderCollection.SetHeader(String name, String value, Boolean replace)
       at Microsoft.Rtc.Internal.WebServicesAuthFramework.OCSAuthModule.EndRequest(Object source, EventArgs e)
       at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
    Custom event details:
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="ASP.NET 2.0.50727.0" />
        <EventID Qualifiers="32768">1309</EventID>
        <Level>3</Level>
        <Task>3</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2011-11-16T18:26:35.000000000Z" />
        <EventRecordID>4483</EventRecordID>
        <Channel>Application</Channel>
        <Computer>XXXXXXXXXXXXXXXXXX</Computer>
        <Security />
      </System>
      <EventData>
        <Data>3005</Data>
        <Data>An unhandled exception has occurred.</Data>
        <Data>11/16/2011 1:26:35 PM</Data>
        <Data>11/16/2011 6:26:35 PM</Data>
        <Data>b2039ecd0a62482284030f62e1e639d8</Data>
        <Data>129</Data>
        <Data>28</Data>
        <Data>0</Data>
        <Data>/LM/W3SVC/34578/ROOT/meet-1-129658725547585993</Data>
        <Data>Full</Data>
        <Data>/meet</Data>
        <Data>C:\Program Files\Microsoft Lync Server 2010\Web Components\Join Launcher\Ext\</Data>
        <Data>SNKXS300</Data>
        <Data>
        </Data>
        <Data>14204</Data>
        <Data>w3wp.exe</Data>
        <Data>NT AUTHORITY\NETWORK SERVICE</Data>
        <Data>HttpException</Data>
        <Data>Server cannot append header after HTTP headers have been sent.</Data>
        <Data>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</Data>
        <Data>/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</Data>
        <Data>10.71.1.1</Data>
        <Data>
        </Data>
        <Data>False</Data>
        <Data>
        </Data>
        <Data>NT AUTHORITY\NETWORK SERVICE</Data>
        <Data>7</Data>
        <Data>NT AUTHORITY\NETWORK SERVICE</Data>
        <Data>False</Data>
        <Data>   at System.Web.HttpHeaderCollection.SetHeader(String name, String value, Boolean replace)
       at Microsoft.Rtc.Internal.WebServicesAuthFramework.OCSAuthModule.EndRequest(Object source, EventArgs e)
       at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&amp; completedSynchronously)
    </Data>
      </EventData>
    </Event>

  • How to set up reverse proxy to allow user access portal site from internet

    Hi all,
    I have installed 10g(10.1.2.0.2) AS on same machine(single IP for both mid and infra with different users respectively). there is a DMZ on which windows IIS is working through which we need to redirect the request to application server such that users access portal page from internet (within intranet all URLs are working fine). I have went through technet documentation where i found 3 ways : through this link
    http://download.oracle.com/docs/cd/B14099_19/core.1012/b13998/variants.htm
    Section 9.2.1.1, "Configuring OracleAS Web Cache as a Reverse Proxy"
    Section 9.2.1.2, "Configuring the Oracle HTTP Server as a Reverse Proxy"
    Section 9.2.1.3, "Configuring Internet Information Services as a Reverse Proxy"
    I am confused to which option to use. Also i went through the metalink document 270160.1
    Please help me which option to choose to do this.
    Thanks.

    Hi Hozy,
    May be it's too late, I am thinking to go in the same route for our sap portal access to external customers. Please can you share your experience , like what are the challenges have you faced? what is the complexity? what are all the resources we need to configure this?
    I appreciate your feedback.
    Thanks
    Krish

  • Unable to set session in Oracle Portal useing reverse proxy

    I have deployed a reverse proxy (using Oracle HTTP Server) in front of a Oracle Portal Install (version 10.1.2.0.2). The steps followed to set this up came from the following documents:
    Steps mentioned in Section 9.2 Configuring a Reverse Proxy for OracleAS Portal and OracleAS Single Sign-On for a reverse proxy on a Oracle HTTP Server.
    http://download-west.oracle.com/docs/cd/B14099_15/core.1012/b13998/variants.htm#ASTED005
    Also performed steps mentioned in -> Section 5.3.7 - Step 7: Enable Session Binding on OracleAS Web Cache of the Oracle® Application Server Portal Configuration Guide 10g Release 2 (10.1.2) -- B14037-03.
    My current (example names shown only)setup details are as follows:
    Reverse Proxy for SSO server (running on internal.oracle.com:7777): proxy.oracle.com:7777
    Reverse Proxy for Portal server (running on internal.oracle.com:7778): proxy.oracle.com:7778
    With the above steps completed, I can successfully use the http://proxy.oracle.com:7777/pls/orasso for login into SSO without any issues.
    Users get authenticated successfully.
    I can also use http://proxy.oracle.com:7778/pls/portal for viewing pages on the portal fine . All self referencing links have also been successfully modified to point to proxy.oracle.com:7778.
    However, an attempt to login in the portal is not successful. Clicking on the 'Login' link successfully redirects to the SSO login page (http://proxy.oracle.com:7777/<login-page>). However, after successful authentication, the success page fails to show up and the user gets shown the initial login portal home page again.
    There are no error messages shown on the screen.But it seems that user session is failing to be initiated/set correctly, as shown by the log file (in $PORTAL_ORACLE_HOME/j2ee/OC4J_Portal/application-deployments/portal/OC4J_Portal_default_island_1/application.log ):
    06/11/21 16:49:31 portal: [module=RepositoryServlet, ecid=83928411196,1] Repository Gateway: LWUser: PUBLIC, Cookie: oracle.uix=0^^GMT+10:00;
    portal=9.0.3+en-au+us+AUSTRALIA+22BC75924EEAD8A2E040007F010019F7+8DAC5E3559C95F5E0090A6F56FFA58192CB0F437CA57A9102A6394F1EB7FAB5DEE3BFA12C65
    91C0C009B6......
    06/11/21 16:49:31 portal: [module=RepositoryServlet, ecid=83928411196,1] ERROR: Repository Gateway error: Database Error: ORA=20001 ORA-20001:
    Unable to obtain session information from the cookie. Please close your browser and reconnect.
    ORA-06512: at "PORTAL.WPG_SESSION", line 149
    ORA-06512: at line 22
    Any help with this will be appreciated.
    Thanks.

    Hi Chris,
    The begin of the expection stack gives you the reason:
    06/11/03 09:13:59 java.sql.SQLException: The method 'setSavepoint' cant be called when a global transaction is active
    The reason is, that either the whole global transaction must be commited or rollbacked.
    I don't know your actual configuration, but between the methods begin() and commit()/rollback() of the UserTransaction instance, OC4J/OracleAS uses a global transaction (= XA transaction) in your configuration. The state of a global transactions is completely under the control of the application server and several restrictions must be considered. One of them is, that you can't use the method setSavePoint/. E.g. you can't also call the method setAutoCommit(true) in this state, or change the transaction isolation level via setTransactionIsolation(newLevel).
    This is NOT a limitation of the OC4J/OracleAS but is true for ALL application servers.
    P.S. I can successfully set savepoints and rollback to savepoints in weblogic 9.0This means, that WebLogic 9.0 doesn't use a global transaction in this case.
    Because I don't know your configurations (Oracle and WebLogic) I can't say, why the behave different in this situation.
    Best,
    Manfred

  • Reverse Proxy Configuration Help

    I am running OFM 11.1.1.6.
    Web Cache is running on port 8888.
    Portal's OHS (the WebCache origin server) is running on 7777.
    Reports' OHS (for /reports/rwservlet) is running on 8890.
    Non-Oracle Apache 2.2 is running as a reverse SSL proxy for Portal on port 443.
    I want to configure this reverse proxy so that it appears to the end user that the reports server is also running in HTTPS on port 443, instead of on port 8890. Can anyone please give me a tip on how to set this up?
    In my httpd.conf for my Apache reverse proxy server, I have this within my main SSL virtual host:
    ProxyPassReverse / http://hostname:8888/
    ProxyPreserveHost On
    RewriteEngine On
    RewriteRule ^/(.*) http://hostname:8888/$1 [P]Do I need to add an additional virtual host for the proxy to the reports server? Or can I include it in this same virtual host? I've tried the following, but couldn't get it to work:
    ProxyPassReverse /reports/rwservlet/ http://hostname:8890/reports/rwservlet/
    ProxyPassReverse / http://hostname:8888/
    ProxyPreserveHost On
    RewriteEngine On
    RewriteRule ^/reports/rwservlet/(.*) http://hostname:8890/reports/rwservlet/$1 [P]
    RewriteRule ^/(.*) http://hostname:8888/$1 [P]Any guidance is appreciated.

    In case anyone finds this, this is how I got it all working:
    In httpd.conf for the Apache reverse proxy:
    ProxyPreserveHost On
    RewriteEngine On
    RewriteRule ^/reports/(.*) http://hostname:8890/reports/$1 [P]
    ProxyPassReverse /reports http://hostname:8890/reports
    RewriteRule ^/(.*) http://hostname:8888/$1 [P]
    ProxyPassReverse / http://hostname:8888/In the Portal OHS's httpd.conf:
    NameVirtualHost *:7777
    <VirtualHost *:7777>
         ServerName https://hostname
         RewriteEngine On
         RewriteOptions inherit
         UseCanonicalName On
         OssoConfigFile E:/ora11/product/portal_instance/config/OHS/ohs1/osso/osso_ssl.conf
         OssoIpCheck off
         OssoSecureCookies off
         OssoIdleTimeout off
    </VirtualHost>In the reports server's httpd.conf:
    NameVirtualHost *:8890
    <VirtualHost *:8890>
         ServerName https://hostname
         RewriteEngine On
         RewriteOptions inherit
         UseCanonicalName On
         OssoConfigFile E:/ora11/product/reports_instance/config/OHS/ohs1/osso.conf
         OssoIpCheck off
         OssoSecureCookies off
         OssoIdleTimeout off
    </VirtualHost>You can use the same osso.conf for both reports and portal. Make sure to register with SSO specifying https://hostname as the registered URL.

  • Reverse Proxy

    Hi,
    Does it make sense to use a reverse proxy in the scenario below ?
    I am trying to access a web based internal application (ports not opened up to the outside world) through a reverse proxy using the Oracle HTTP server that is installed with OAS 10.1.2.
    My aim would be that I would be able to access the web based application through my Portal from the outside world without having to open up the ports. The Portal is available to the outside world and the web based app runs on a difference machine.
    Is this possible or am I taking an incorrect approach ?
    Thanks,
    Message was edited by:
    user535862
    Message was edited by:
    user535862

    You can use a reverse proxy in this scenario. Web Cache will also be able to fulfill that role.

  • Reverse proxy rule

    Hi,
    I have confiugure apache 2.2 as reverse proxy which will be interacting with my portal as well as ECC ITS. Everything is working fine but the problem is when user gives the path:
    http://<hotst>/sap/bc/its/gui/sap/webgui he able to access logon page of ECC which i want to block.
    I want one redirect rule  which should block the request which come with request http://<host>/sap/bc/its/gui/sap/webgui through reverse proxy. It should allow only when request comes in this format :
    http://<host>/sap([some cache])/bc/its/gui/sap/webgui. where [some_cache] is automatically generated by SAP.
    What could be the syntax of rewrite rule.

    User 2 layers of Reverse proxies to resolve the issue

  • Reverse proxy with apache2

    Hi folks,
    I have a huge problem here. I have a apache 2.0.50 on a Linux system that is to act as a reverse proxy for an enterprise portal. I have set up the apache to do reverse proxying and so far I have made first success. I can get to the login page of the portal and I even managed to make it show the images. The problem is, when I try to log on to the  portal I am always send back to the logon page in the very instance. If I enter the wrong logon information I see the authorization failed text, but when I enter correct information I only see the logon page again.
    I will put tyhe relevant part of my httpd.conf to this message and hope someone can point me to the right location or maybe even tell me what I'm doing wrong.
    And ny the way, the portal itself works perfectky when connected directly.
    Kind regards,
       Christian Guenther
    Reverse proxy configuration ############################################
    NameVirtualHost 172.30.210.96
    <VirtualHost 172.30.210.96>
       ServerAdmin [email protected]
       ServerName host.external.de
    SSL is turned off at the moment
       SSLEngine Off
       SSLCertificateFile /etc/apache2/ssl.crt/proxy.cert.cert
       SSLCertificateKeyFile /etc/apache2/ssl.key/proxy.cert.key
    Set up as a proxy for internal SAP systems
       ProxyRequests Off
       ProxyPreserveHost Off
       <Proxy *>
          Order deny,allow
          Allow from all
       </Proxy>
    IRJ
      <Location /irj/>
        ProxyPass http://host.internal.lan:8001/irj/
        ProxyPassReverse http://host.internal.lan:8001/irj/
    rewriting rules for proxy
        RewriteEngine On
        RewriteCond %  \.jsp
        RewriteRule ^(.+) % [P]
        RewriteCond % \.servlet
        RewriteRule ^(.+) %
    Portal
    rewriting rules for proxy
    [P]
      </Location>
      <Location />
        ProxyPass http://host.internal.lan:8001/
        ProxyPassReverse http://host.internal.lan:8001/
        RewriteEngine On
        RewriteCond %  \.jsp
        RewriteRule ^(.+) % [P]
        RewriteCond % \.servlet
        RewriteRule ^(.+) % [P]
      </Location>
    </VirtualHost>

    This is a valid configuration for an Apache Reverse Proxy:
    ThreadsPerChild 250
    MaxRequestsPerChild  0
    ServerRoot /usr/local/apache2
    Listen 443
    #LoadModule dir_module modules/mod_dir.so
    LoadModule rewrite_module modules/mod_rewrite.so
    LoadModule include_module modules/mod_include.so
    #LoadModule autoindex_module modules/mod_autoindex.so
    LoadModule access_module modules/mod_access.so
    #LoadModule auth_module modules/mod_auth.so
    LoadModule log_config_module modules/mod_log_config.so
    #LoadModule mime_module modules/mod_mime.so
    #LoadModule env_module modules/mod_env.so
    #LoadModule headers_module modules/mod_headers.so
    #LoadModule setenvif_module modules/mod_setenvif.so
    LoadModule alias_module modules/mod_alias.so
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    LoadModule negotiation_module modules/mod_negotiation.so
    LoadModule ssl_module modules/mod_ssl.so
    ServerAdmin [email protected]
    ServerName your.servername.com
    UseCanonicalName Off
    make sure zou include these with valid entries...
    Include conf/log.conf
    Include conf/mime.conf
    Include conf/default.conf
    Include conf/ssl.conf
    BrowserMatch "Mozilla/2" nokeepalive
    BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
    BrowserMatch "RealPlayer 4\.0" force-response-1.0
    BrowserMatch "Java/1\.0" force-response-1.0
    BrowserMatch "JDK/1\.0" force-response-1.0
    BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
    BrowserMatch "MS FrontPage" redirect-carefully
    BrowserMatch "^WebDrive" redirect-carefully
    BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
    BrowserMatch "^gnome-vfs" redirect-carefully
    BrowserMatch "^XML Spy" redirect-carefully
    BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
    this is for the MS IE SSL bug
    BrowserMatch ".MSIE." nokeepalive ssl-unclean-shutdown downgrade-1.0#
    force-response-1.0
    Header add P3P CP="NOI"
    Proxy with caching
    LoadModule cache_module modules/mod_cache.so
    LoadModule disk_cache_module modules/mod_disk_cache.so
    CacheRoot /usr/local/apache2/Cache
    CacheEnable disk /
    CacheDirLevels 5
    CacheDirLength 3
    <VirtualHost *:443>
        ServerName your.servername.com
        ServerAdmin [email protected]
    Set the level of log entries - debug produces A LOT of messages
        LogLevel debug
        ErrorLog logs\error.log
        LogFormat "%h %l %u %t \"%r\" %>s %b" common
        CustomLog logs\access.log common
    NEVER turn this On, it would create a forward proxy   
        ProxyRequests Off
        ProxyPreserveHost On
    it is important that the proxy uses active protocol used in the
    internet section of the request
        RequestHeader set ClientProtocol https
        Header add P3P CP="NOI"
    we need to answer HTTPS requests, so we need an ssl engine   
        SSLEngine On
    and a cipher suite plus certificate
        SSLCipherSuite ALL:!ADH:!EXPORT56:RC4RSA:HIGH:MEDIUM:LOW:SSLv2:EXP:+eNULL
        SSLProtocol all -SSLv2
    of course these entries have to be adopted
        SSLCertificateFile conf/certs/server.crt
        SSLCertificateKeyFile conf/certs/server.key
        SSLOptions +StdEnvVars
    this is for the bloody MS IE - I don't know why, but they seem to
    have trouble learning in redmond
        BrowserMatch ".MSIE." \
             nokeepalive ssl-unclean-shutdown \
             downgrade-1.0 force-response-1.0
        CustomLog logs/ssl_request.log \
              "%t %h %x %x \"%r\" %b"
    below are the proxied hosts - you always need ProxyPass
    AND ProxyPassReverse otherwise it will not work correctly
    ITS
        #ProxyPass /iac/               http://itsserver:8081/iac/
        #ProxyPassReverse /iac/          http://itsserver:8081/iac/
    direct portal connection              this ought to be the IP
        ProxyPass /irj/               http://10.8.1.14:50000/irj/
        ProxyPassReverse /irj/          http://10.8.1.14:50000/irj/
        ProxyPass /logon/               http://10.8.1.14:50000/logon/
        ProxyPassReverse /logon/          http://10.8.1.14:50000/logon/
    Rewrite Rule in case ICM puts session information in URL
    NEVER REALLY HARMS
        RewriteEngine On
        RewriteRule  ^/(sap\(.*) http://10.8.1.14:50000/$1 [P,L]
        #ProxyPass /chooselogin/          http://10.8.9.0:50000/chooselogin/
        #ProxyPassReverse /chooselogin/     http://10.8.9.0:50000/chooselogin/
    </VirtualHost>

  • ACE 4710, reverse proxy?

    Hello All,
    Please forgive my ignorance but can the ACE appliance behave as a reverse proxy for http and ssl traffic? I would assume it can given how it does SLB but SLB is not a requirement at this time. Thanks for your input.

    Hi Mate,
    The reverse proxy servers can perform many tasks, like:
    Note: this info from Wikipedia: http://en.wikipedia.org/wiki/Reverse_proxy
    Reverse proxies can hide the existence and characteristics of the origin server(s), The ACE will do that.
    Application firewall features can protect against common web-based attacks. Without a reverse proxy, removing malware or initiating takedowns, for example, can become difficult, The ACE has some built-in security features, you can refer to this document for full detail:
    http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_2_7/configuration/security/guide/securgd.html
    In the case of secure websites, the SSL encryption is sometimes not performed by the web server itself, but is instead offloaded to a reverse proxy that may be equipped with SSL acceleration hardware. The ACE can do this:
    http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_2_7/configuration/ssl/guide/sslgd.html
    A reverse proxy can distribute the load from incoming requests to several servers, with each server serving its own application area. In the case of reverse proxying in the neighborhood of web servers, the reverse proxy may have to rewrite the URL in each incoming request in order to match the relevant internal location of the requested resource. The ACE can do that perfectly.
    A reverse proxy can reduce load on its origin servers by caching static content, as well as dynamic content. Proxy caches of this sort can often satisfy a considerable amount of website requests, greatly reducing the load on the origin server(s). Another term for this is web accelerator. A reverse proxy can optimize content by compressing it in order to speed up loading times. Please check this link for more detail about ACE Application Acceleration and Optimization:
    http://www.cisco.com/en/US/partner/docs/app_ntwk_services/data_center_app_services/ace_appliances/vA3_2_7/configuration/app_acc_and_opt/guide/appaccoptgd.html
    Best regards,
    Ahmad

Maybe you are looking for

  • Chapter id for material

    Hi, When creating a material master type consumable or other type  after that made a po without any tax then done migo witiout any posting of excise through j1iex. J1ID is not maintained for  that material after that when updating the excise register

  • Subtotal and grand total for two fields(iseg-buchm and iseg-erfmg)

    hi experts,     how to do subtotal and grand total for two fields (iseg-buchm and iseg-erfmg).please help me on solving the problem.

  • Waiting for a new version of Oracle Express Edition?!

    I'm waiting for Oracle XE 11g database, any information about release date? Isn't time for that?

  • Javascript and Flash AC fix

    I'm in the process of upgrading an older site with Flash content and have run into an issue with the Active Content 'fix' script. I have a Flash movie that pauses on load and only plays when the user clicks an HTML page button which triggers the Play

  • File Sharing to Non Admin Users ?

    I would like to share directories on an external Firewire drive to other Apple network users. Normally only users with admin privileges can 'see' external drives. My unix is pretty rusty but I've been told that you can set the ownership to 'everyone'