CSM-S to Servers... Reverse proxy with authentication?

Using a CSM-S with a number of web servers behind it, can the CSM-S be configured to act as a reverse proxy for the servers with no other equipment or licenses to buy?

Reverse proxy with authentication.

Similar Messages

IIS Reverse Proxy with URL rewrite.

Hi all, hoping to leverage the wealth of knowledge contained here.
Any assistance would be very welcome.
I'm having an issue getting a reverse proxy and URL rewrite working in IIS 7.0.
I need to redirect all requests with a specific virtual directory suffix only.
ie; https://domain.test.com/outbound/Content/query_etc
With /Outbound/ being the trigger.
This should be redirected to http://10.10.10.10/inbound/Content/query_etc
While at the same time, requests without the /outbound/ suffix should be handled locally.
I have configured the reverse proxy as described in a few articles, and have had no luck.
Here's a snippet from my (sanitized) web.config at the site level.
<rewrite>
<outboundRules>
<rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
<match filterByTags="A" pattern="^http(s)?://10.10.10.10/inbound/(.*)" />
<action type="Rewrite" value="https://domain.test.com/outbound/{R:2}" />
</rule>
<preConditions>
<preCondition name="ResponseIsHtml1">
<add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
</preCondition>
</preConditions>
</outboundRules>
<rules>
<rule name="ReverseProxyInboundRule1" stopProcessing="true">
<match url="^outbound/(.*)" />
<action type="Rewrite" url="http://10.10.10.10/inbound/{R:1}" appendQueryString="true" logRewrittenUrl="false" />
</rule>
</rules>
</rewrite>
To me, this looks correct, yet it doesn't work.
With this, I get the normal 404 - Error Code 0x80070002, with the text indicating the local directory doesn't exist, so.... not being picked up by the filter for redirection.

Hi Andrew,
Looking at your requirements it appears you need Reverse Proxy To Another Site/Server.
By using URL Rewrite Module together with
Application Request Routing module you can have IIS 7 act as a
reverse proxy.
It seems like URL Rewrite can't re-route the request somewhere else out of the server.
Even when you rewrite the url the actual connection remains with the server. Hence if your original server doesn't have /inbound/Content/query_etc it will fail with 404.
Hosting multiple domain names under a single account using URL Rewrite.
It’s a common desire to have a single IIS website that handles multiple sites with different domain names.
References:
How to create a url alias using IIS URL Rewrite:
http://blogs.technet.com/b/mspfe/archive/2013/11/27/how-to-create-a-url-alias-using-iis-url-rewrite.aspx
Reverse Proxy with URL Rewrite v2 and Application Request Routing:
http://www.iis.net/learn/extensions/url-rewrite-module/reverse-proxy-with-url-rewrite-v2-and-application-request-routing
Regards,
Satyajit
Please“Vote As Helpful”
if you find my contribution useful or “MarkAs Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

Apache Reverse Proxy with Abap Web query

Hi to all
We are trying to configure apache 2 to work as a reverse proxy with web abap Netweaver installation.
From inside the network the web query is fine.
Running the query with the reverse proxy we have only the html code in the browser. All the scripts and css are not present.
We checked some messages inside the forum and we have tried a lot of stuff without success.
We use always linux (Fedora, Ubuntu with xampp or apache only) plus the html module or the publisher from http://apache.webthing.com.
Our installation is like this the reverse proxy in the dmz and the netweaver to the inside off coarse, and we don't have the same domain name, i don't know if this is important.
Any help/idea is valuable.
Thank you
Yiannis

Hi Olivier
I have seen your solution in other messages but i didn't try it because i was trying to work with the html_proxy module.
I read the documents you gave me plus some apache tutorials on the rewrite rule.
In any case i have my installation working now.
I did some extra changes in my config so now the rules are like that
ProxyVia On
ProxyBadHeader IsError
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /sap http://192.168.1.59:8001/sap
ProxyPassReverse /sap http://192.168.1.59:8001/sap
RewriteEngine On
RewriteRule ^/(sap\(.*) http://192.168.1.59:8001/$1 [P,L]
Thanks again for your help
Yiannis

Help not working behind proxy with authentication

Hello,
Clicking Help within a CS5 app brings up the error:
Our school is behind a proxy with authentication.
What I'd like to do is download the help files and put it on a local server.
Then I'd like to edit the main help config (where is this?) to point there.
I've seen posts where it talks about %appdata%\chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1\ but we have hundreds of users and editing anything in this path is not feasible.
Please could you help in showing me where the original files are that make up the appdata chc folder so that I can edit this config at SOURCE and that any user that logs on will have a correct CHC folder made up pointing to the correct location.
I appreciate anyone's help.
Thanks for your time,
Jonathan

Hi Jonathan: there is a list of HTML and PDF files for download here: http://blogs.adobe.com/premiereprotraining/2010/08/help-documents-for-creative-suite-5-pdf -and-html.html
The help config files are located in the directories indicated below -- however, you did mention that editing those files is not feasible. So, I'm not sure if this the right solution for you ... We are resolving this in the next CS release, however, I understand that this is not much of a consolation/solution for you right now.
Windows: %appdata%/chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1
Tip: To find this directory in Windows, copy the preceding phrase into the Windows Explorer file manager.
Mac OS: /[username]/Library/Preferences/chc.4875E02D9FB21EE389F73B8D1702B320485DF8CE.1

Connecting to DirectAccess server from a client behind proxy with authentication

Hi,
All our DA clients are working fine except those that are working from a client company where a proxy with authentication is used.
Our DA server is running Windows server 2012 and clients are running Windows 7.
I have found similar posts, where it states it is a known issue and it is fixed by a new feature in Windows 2012, however i cannot find more info:
http://technet.microsoft.com/en-us/library/hh831416.aspx
IP-HTTPS runs in a system context rather than a user context. This context can cause connection issues. For example, if a DirectAccess
client computer is located in the network of a partner company that uses a proxy for Internet access, and WPAD auto detection is not used, the user must manually configure proxy settings in order to access the Internet. These settings are configured in Internet
Explorer on a per user basis, and cannot be retrieved in an intuitive way on behalf of IP-HTTPS. In addition, if the proxy requires authentication, the client provides credentials for Internet access, but IP-HTTPS will not provide the credentials required
to authenticate to DirectAccess. In Windows Server 2012, a new feature solves these issues. Specifically, the user can configure IP-HTTPS to work when behind a proxy that is not configured using WPAD and IP-HTTPS will request and provide the proxy credentials
needed to IP-HTTPS request authenticated, and relay it to the DirectAccess server.

Hello,
As far as I know it's a feature of Windows 2012 URA with a Windows 8 client.
Unfortunatelly you will have trouble with proxy authentication with Windows 7 client I think
Regards,
Follow me on Twitter http://www.twitter.com/liontux | My Blog (French/English) :
http://security.sakuranohana.fr/

Initialize ipad behind proxy with authentication

It seems that an iPad is not capable to handle a HTTP proxy with authentication
during its intilization phase. Am I correct ?
Phase on some network trace I made, it does not generate any traffic as soon as
the proxy settings are configured, for which we are prompted after a while when
it "discovers"it cannot reach directly Internet.

hi..
configure transparent proxy at ur server. enter IP in the gateway and in DNS setting of proxy server .
not proxy in internet explorer.
hopefully it will work
Regard
Khan

Reverse Proxy with Sun Web Server 7 update 4

Hi All,
I've just migrating to Sun Java System Web Server 7.0U4 B12/02/2008 from Sun Java System Web Server 7.0-Technology-Preview-3 B09/13/2006. I've have the two web servers running side by side on separate machines. Both have a VS configured as a reverse proxy pointing to the same apache tomcat web server.
The Tech Preview 3 server works fine and has been doing since it was installed. However the Update 4 server doesn't. I can access the tomcat app via the U4 server in a browser, but not with the app on my mobile (sync ML). Snooping the traffic show me that the U4 server is sending a different response that the Tech Preview server. I'm thinking it may have to do with Transfer Encoding: chunked. I've looked around the web to see if I can turn this off in the U4 server, as I seem to recall having to do so at some point in my life, though I can't remember when and with what.
Does anybody have any clues they can throw at me?? Or anybody know what has change in the reverse proxy part of the web server from Tech Preview 3 to U4??
Both VS reverse proxies are congfigured exactly the same.
Thanks,
Stuart.

well, technology preview is what the name says .. i am surprised that u decided to stick with a technology preview release all these days.. in any case, there should not have any feature change between technology preview build and U4. but , there has been lot of bug fixes - so, unless we know the exact problem - we can't easily narrow down the change between tp3 build with U4 and find out how it is affecting u.
here is a related article on how to use chunked encoding within web server 7
http://developers.sun.com/webtier/reference/techart/chunked_req.html
now, to help you more appropriately, you need to provide us with errors (probably with log level set to finest within server.xml) and let us know with the error reported by web server when it is unable to send those requests to back end tomcat
you can set log level to finest by running the following command
/sun/webserver7/bin/wadm set-config-prop -user=admin --config=<hostname> log-level=finest
/sun/webserver7/bin/wadm deploy-config --user=admin <hostname>
http://docs.sun.com/app/docs/doc/820-4842/set-config-prop-1?a=view
(once you have identified the problem, you might want to set log level to info as setting to finest will cause your logs to grow humongous and also hurt performance
thanks
sriram

Reverse Proxy with Firewall on Portal R2

We are trying to configure Oracle Portal R2 in the reverse proxy mode. We have a Sun Enterprise 250 used in a single machine configuration. (Infr. and Mid tier on same machine)
The webcache server is listening on server.company.com:7781
The portal server is listening on server.company.com:7782
The login server is listening on server.company.com:7780
The proxy server is listening on www.company.com:81
According to the Oracle Portal Config Guide we have followed the steps to configure Apache (inclusion of the virtual hosts, etc) and run the ptlasst script to reconfigure portal. While portal responds correctly on www.company.com:81 when i try to log on using the login link I get redirected to server.company.com:7780/...
Obviously everything seems to be ok from within the LAN since i can see server.company.com, but via internet it doesnt work.
Here is how we run the script:
./ptlasst.csh -mode MIDTIER -host www.company.com -port 81 -chost server.company.com -cport_i 4007 -i custom -c server.company.com:1521:iasdb -pwd xxxxxx
How can we correct this problem? Do we need to run any other script?

Hi Suraj,
The following is the problem.
We have Sun Enterprise 450 on which Oracle 9iAS Release 2 installed and we are trying to use reverse proxy plugin with iplanet, being installed on windows machine. In the hosts file i have mentioned the following required parameters ie.,
oproxy.serverlist=ias1
oproxy.ias1.hostname=http://192.168.1.12 - where Oracle 9iAS is installed
oproxy.ias1.port=7779
oproxy.ias1.urlrule=/*
oproxy.ias1.alias=http://myoracleportal.peesh.com
oproxy.ias1.stripcontext=false
and whenever i restart iplanet server after this, here is the following log information.
06/26/2002 11:57:52 AM: [op_nsapi_plugin.c (296)]: op_init: log_file=e:/iPlanet/https-pncl-hcl028-053.pinnacle.com/logs/oproxy.log server_file=e:/iPlanet/https-pncl-hcl028-053.pinnacle.com/config/servers/oracleProxyPluginInfo.conf
06/26/2002 11:57:52 AM: [op_uri_map.c (128)]: Into op_uri_map_t::uri_map_alloc
06/26/2002 11:57:52 AM: [op_uri_map.c (162)]: Into op_uri_map_t::uri_map_open
06/26/2002 11:57:52 AM: [op_worker_list.c (37)]: op_worker_list_init: propfile=e:/iPlanet/https-pncl-hcl028-053.pinnacle.com/config/servers/oracleProxyPluginInfo.conf p=0x00DC8828 l=0x00DBDA70
06/26/2002 11:57:52 AM: [op_worker_list.c (45)]: op_worker_list_init: numservers=1
06/26/2002 11:57:52 AM: [op_worker_list.c (57)]: op_worker_list_init: inside loop, serverlist[0]=ias1
06/26/2002 11:57:52 AM: [op_worker_list.c (73)]: op_worker_list_init: hostname=http://192.168.1.12
06/26/2002 11:57:52 AM: [op_worker_list.c (82)]: op_worker_list_init: port=7779
06/26/2002 11:57:53 AM: [op_uri_map.c (192)]: op_uri_map_t::uri_map_open, rule map size is 0
06/26/2002 11:57:53 AM: [op_uri_map.c (325)]: op_uri_map_t::uri_map_open, done
06/26/2002 11:57:53 AM: [op_nsapi_plugin.c (304)]: op_init: exiting
I have a feeling that "oracle_proxy_nes.dll" maintains all the .conf file information in a stack, whose size is 0.
pls see interpret this log the way you see.
thanks in advance,
gupta

Sun One 6.1 reverse proxy with multiple certs

We are using Sun One Web Server 6.1sp6 as a reverse proxy without the passthrough plugin. We also have multiple certs and not a global cert and what we are seeing is the data getting "staged" on the web server before moving on to the destination (which obviously halves throughput). Some research tells us that this staging is happening because it needs to re-encrypt the packets for the next cert.
Is there any way besides having a global cert that we can get around this? Would using the passthrough plugin help?
Thanks,
Don

The thing is that it apparently doesn't do it on the fly, which is why I was wondering if the passthrough plug in would help. In other words, if I am sending a 10mb file through to the destination server (there's a weblogic server on the back end with a different cert that I want to do the real processing), the web server waits until it gets all 10mb then resends it. Seems it should do the encrypt/decrypt on a packet level to me.
As far as the config, I didn't set it up, I'm just trying to get it to work :)
Here are the configs, if it would help. If there's something set up wrong here, please feel free to point it out!
Thanks,
Don
magnus.conf
# The NetsiteRoot, ServerName, and ServerID directives are DEPRECATED.
# They will not be supported in future releases of the Web Server.
NetsiteRoot /iplanet/servers
ServerName rpserver.testdomain.com
ServerID https-rpserver.testdomain.com
RqThrottle 256
DNS off
Security on
PidLog /iplanet/servers/https-rpserver.testdomain.com/logs/pid
User iplanet1
StackSize 131072
TempDir /tmp/https-rpserver.testdomain.com-a9dd9515
PostThreadsEarly off
KernelThreads off
ChunkedRequestBufferSize 0
LogVerbose on
LogVsId off
AsyncDNS off
KeepAliveTimeout 10
UseNativePoll on
Init fn="load-modules" funcs="wl_proxy,wl_init" shlib=/iplanet/servers/plugins/nsapi/wls923/libproxy128_61.so
Init fn="wl_init"
Init fn="load-modules" shlib="/iplanet/servers/bin/https/lib/libj2eeplugin.so" shlib_flags="(global|now)"
Init fn="stats-init" profiling="on"
obj.conf
# The NetsiteRoot, ServerName, and ServerID directives are DEPRECATED.
# They will not be supported in future releases of the Web Server.
NetsiteRoot /iplanet/servers
ServerName rpserver.testdomain.com
ServerID https-rpserver.testdomain.com
RqThrottle 256
DNS off
Security on
PidLog /iplanet/servers/https-rpserver.testdomain.com/logs/pid
User iplanet1
StackSize 131072
TempDir /tmp/https-rpserver.testdomain.com-a9dd9515
PostThreadsEarly off
KernelThreads off
ChunkedRequestBufferSize 0
LogVerbose on
LogVsId off
AsyncDNS off
KeepAliveTimeout 10
UseNativePoll on
Init fn="load-modules" funcs="wl_proxy,wl_init" shlib=/iplanet/servers/plugins/nsapi/wls923/libproxy128_61.so
Init fn="wl_init"
Init fn="load-modules" shlib="/iplanet/servers/bin/https/lib/libj2eeplugin.so" shlib_flags="(global|now)"
Init fn="stats-init" profiling="on"
server.xml
<?xml version="1.0" encoding="UTF-8"?>

<!DOCTYPE SERVER PUBLIC "-//Sun Microsystems Inc.//DTD Sun ONE Web Server 6.1//EN" "file:///iplanet/servers/bin/https/dtds/sun-web-server_6_1.dtd">
<SERVER qosactive="false">
<PROPERTY name="docroot" value="/iplanet/servers/docs"/>
<PROPERTY name="accesslog" value="/iplanet/servers/https-rpserver.testdomain.com/logs/access"/>
<PROPERTY name="user" value=""/>
<PROPERTY name="group" value=""/>
<PROPERTY name="chroot" value=""/>
<PROPERTY name="dir" value=""/>
<PROPERTY name="nice" value=""/>
<LS id="ls1" port="443" servername="rpserver.testdomain.com" defaultvs="https-rpserver.testdomain.com" security="on" ip="any" blocking="false" acceptorthreads="2">
<SSLPARAMS servercertnickname="Server-Cert" ssl2="off" ssl2ciphers="-rc4,-rc4export,-rc2,-rc2export,-desede3,-des" ssl3="on" tls="on" ssl3tlsciphers="-rsa_rc4_128_sha,+rsa_rc4_128_md5,-rsa_rc4_56_sha,-rsa_rc4_40_md5,+rsa_3des_sha,+rsa_des_sha,-rsa_des_56_sha,-rsa_rc2_40_md5,-rsa_null_md5,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,+fips_3des_sha,-fips_des_sha" tlsrollback="on" clientauth="off"/>
</LS>
<MIME id="mime1" file="mime.types"/>
<ACLFILE id="acl1" file="/iplanet/servers/httpacl/generated.https-rpserver.testdomain.com.acl"/>
<VSCLASS id="vsclass1" objectfile="obj.conf" rootobject="default" acceptlanguage="false">
<VS id="https-rpserver.testdomain.com" connections="ls1" mime="mime1" aclids="acl1" urlhosts="rpserver.testdomain.com" state="on">
<PROPERTY name="docroot" value="/iplanet/servers/docs"/>
<USERDB id="default"/>
<SEARCH>
<WEBAPP uri="/search" path="/iplanet/servers/bin/https/webapps/search" enabled="true"/>
</SEARCH>
</VS>
</VSCLASS>
<JAVA javahome="/iplanet/servers/bin/https/jdk" serverclasspath="/iplanet/servers/bin/https/jar/webserv-rt.jar:${java.home}/lib/tools.jar:/iplanet/servers/bin/https/jar/webserv-ext.jar:/iplanet/servers/bin/https/jar/webserv-jstl.jar:/iplanet/servers/bin/https/jar/ktsearch.jar" classpathsuffix="" envclasspathignored="true" nativelibrarypathprefix="" debug="false" debugoptions="-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n" dynamicreloadinterval="-1">
<JVMOPTIONS>-Djava.security.auth.login.config=/iplanet/servers/https-rpserver.testdomain.com/config/login.conf</JVMOPTIONS>
<JVMOPTIONS>-Djava.util.logging.manager=com.iplanet.ias.server.logging.ServerLogManager</JVMOPTIONS>
<JVMOPTIONS>-Xmx256m</JVMOPTIONS>
<SECURITY defaultrealm="native" anonymousrole="ANYONE" audit="false">
<AUTHREALM name="file" classname="com.iplanet.ias.security.auth.realm.file.FileRealm">
<PROPERTY name="file" value="/iplanet/servers/https-rpserver.testdomain.com/config/keyfile"/>
<PROPERTY name="jaas-context" value="fileRealm"/>
</AUTHREALM>
<AUTHREALM name="native" classname="com.iplanet.ias.security.auth.realm.webcore.NativeRealm">
<PROPERTY name="jaas-context" value="nativeRealm"/>
</AUTHREALM>
<AUTHREALM name="ldap" classname="com.iplanet.ias.security.auth.realm.ldap.LDAPRealm">
<PROPERTY name="directory" value="ldap://localhost:389"/>
<PROPERTY name="base-dn" value="o=isp"/>
<PROPERTY name="jaas-context" value="ldapRealm"/>
</AUTHREALM>
</SECURITY>
<RESOURCES/>
</JAVA>
<LOG file="/iplanet/servers/https-rpserver.testdomain.com/logs/errors" loglevel="info" logtoconsole="true" usesyslog="false" createconsole="false" logstderr="true" logstdout="true" logvsid="false"/>
</SERVER>

Reverse proxy with apache2

Hi folks,
I have a huge problem here. I have a apache 2.0.50 on a Linux system that is to act as a reverse proxy for an enterprise portal. I have set up the apache to do reverse proxying and so far I have made first success. I can get to the login page of the portal and I even managed to make it show the images. The problem is, when I try to log on to the portal I am always send back to the logon page in the very instance. If I enter the wrong logon information I see the authorization failed text, but when I enter correct information I only see the logon page again.
I will put tyhe relevant part of my httpd.conf to this message and hope someone can point me to the right location or maybe even tell me what I'm doing wrong.
And ny the way, the portal itself works perfectky when connected directly.
Kind regards,
   Christian Guenther
Reverse proxy configuration ############################################
NameVirtualHost 172.30.210.96
<VirtualHost 172.30.210.96>
   ServerAdmin [email protected]
   ServerName host.external.de
SSL is turned off at the moment
   SSLEngine Off
   SSLCertificateFile /etc/apache2/ssl.crt/proxy.cert.cert
   SSLCertificateKeyFile /etc/apache2/ssl.key/proxy.cert.key
Set up as a proxy for internal SAP systems
   ProxyRequests Off
   ProxyPreserveHost Off
   <Proxy *>
      Order deny,allow
      Allow from all
   </Proxy>
IRJ
<Location /irj/>
    ProxyPass http://host.internal.lan:8001/irj/
    ProxyPassReverse http://host.internal.lan:8001/irj/
rewriting rules for proxy
    RewriteEngine On
    RewriteCond % \.jsp
    RewriteRule ^(.+) % [P]
    RewriteCond % \.servlet
    RewriteRule ^(.+) %
Portal
rewriting rules for proxy
[P]
</Location>
<Location />
    ProxyPass http://host.internal.lan:8001/
    ProxyPassReverse http://host.internal.lan:8001/
    RewriteEngine On
    RewriteCond % \.jsp
    RewriteRule ^(.+) % [P]
    RewriteCond % \.servlet
    RewriteRule ^(.+) % [P]
</Location>
</VirtualHost>

This is a valid configuration for an Apache Reverse Proxy:
ThreadsPerChild 250
MaxRequestsPerChild 0
ServerRoot /usr/local/apache2
Listen 443
#LoadModule dir_module modules/mod_dir.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule include_module modules/mod_include.so
#LoadModule autoindex_module modules/mod_autoindex.so
LoadModule access_module modules/mod_access.so
#LoadModule auth_module modules/mod_auth.so
LoadModule log_config_module modules/mod_log_config.so
#LoadModule mime_module modules/mod_mime.so
#LoadModule env_module modules/mod_env.so
#LoadModule headers_module modules/mod_headers.so
#LoadModule setenvif_module modules/mod_setenvif.so
LoadModule alias_module modules/mod_alias.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule ssl_module modules/mod_ssl.so
ServerAdmin [email protected]
ServerName your.servername.com
UseCanonicalName Off
make sure zou include these with valid entries...
Include conf/log.conf
Include conf/mime.conf
Include conf/default.conf
Include conf/ssl.conf
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
this is for the MS IE SSL bug
BrowserMatch ".MSIE." nokeepalive ssl-unclean-shutdown downgrade-1.0#
force-response-1.0
Header add P3P CP="NOI"
Proxy with caching
LoadModule cache_module modules/mod_cache.so
LoadModule disk_cache_module modules/mod_disk_cache.so
CacheRoot /usr/local/apache2/Cache
CacheEnable disk /
CacheDirLevels 5
CacheDirLength 3
<VirtualHost *:443>
    ServerName your.servername.com
    ServerAdmin [email protected]
Set the level of log entries - debug produces A LOT of messages
    LogLevel debug
    ErrorLog logs\error.log
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    CustomLog logs\access.log common
NEVER turn this On, it would create a forward proxy
    ProxyRequests Off
    ProxyPreserveHost On
it is important that the proxy uses active protocol used in the
internet section of the request
    RequestHeader set ClientProtocol https
    Header add P3P CP="NOI"
we need to answer HTTPS requests, so we need an ssl engine
    SSLEngine On
and a cipher suite plus certificate
    SSLCipherSuite ALL:!ADH:!EXPORT56:RC4RSA:HIGH:MEDIUM:LOW:SSLv2:EXP:+eNULL
    SSLProtocol all -SSLv2
of course these entries have to be adopted
    SSLCertificateFile conf/certs/server.crt
    SSLCertificateKeyFile conf/certs/server.key
    SSLOptions +StdEnvVars
this is for the bloody MS IE - I don't know why, but they seem to
have trouble learning in redmond
    BrowserMatch ".MSIE." \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
    CustomLog logs/ssl_request.log \
          "%t %h %x %x \"%r\" %b"
below are the proxied hosts - you always need ProxyPass
AND ProxyPassReverse otherwise it will not work correctly
ITS
    #ProxyPass /iac/               http://itsserver:8081/iac/
    #ProxyPassReverse /iac/          http://itsserver:8081/iac/
direct portal connection              this ought to be the IP
    ProxyPass /irj/               http://10.8.1.14:50000/irj/
    ProxyPassReverse /irj/          http://10.8.1.14:50000/irj/
    ProxyPass /logon/               http://10.8.1.14:50000/logon/
    ProxyPassReverse /logon/          http://10.8.1.14:50000/logon/
Rewrite Rule in case ICM puts session information in URL
NEVER REALLY HARMS
    RewriteEngine On
    RewriteRule ^/(sap\(.*) http://10.8.1.14:50000/$1 [P,L]
    #ProxyPass /chooselogin/          http://10.8.9.0:50000/chooselogin/
    #ProxyPassReverse /chooselogin/     http://10.8.9.0:50000/chooselogin/
</VirtualHost>

Apache Reverse proxy with SSL

Hi,
I'm trying to install Apache Reverse proxy which will support both HTTP and HTTPS request.
<b>What do I need to activate to support the HTTPS requests?</b>
I installed Apache 2.0.53 Released and trying to activate the mod_ssl.
From Where can I get the mod_ssl.so?
I saw that there are 2 projects:
Apache Interface to OpenSSL (mod_ssl)
Apache-SSL
Do I need to use them in case I want to use HTTPs?
Regards,
Yael

Get the latest oppenssl compile it. before you compile apache, execute ./configure --help in the apache directory. It will give you the commands that you need to use to activate and deactivate various things in apache.
mine is as follows:
./configure --with-layout=GNU --enable-proxy --enable-ssl --with-ssl=/usr/lo
cal/src/apachessl/openssl-0.9.7f/ --enable-vhost-alias --enable-rewrite --enable
-so --enable-proxy-http --enable-proxy-connect --enable- headers
then make and make install.
hope it helps.
Jai

Sophos Firewall\Reverse Proxy With Lync 2013

We currently have Lync 2013 deployed internally and working like a champ for about 5 months now. We are in the process of trying to get this rolled out externally and running into issues.
It seems we have the ports opened up properly but the MS remote connectivity analyzer comes back with certificate error "The certificate couldn't be validated because SSL negotiation wasn't successful.
I'm pretty certain our certificates are correct for the external edge server and the external firewall\Reverse proxy. From the Lync planning tool we have been following it and so far successful until the certificates. The certificates tool shows we should
have the following certs assigned: (keep in mind we have 2 separate certificates assigned)
Edge Server External
Subject name: lyncaccess.domain.com
SAN:webcon.domain.com and sip.domain.com
Reverse Proxy:
rp0100.domain.com (reverse proxy FQDN does resolve)
SAN: dialin.domain.com, meet.domain.com, and temwac.domain.com (office web apps server)
We requested the certificates from Go daddy and have them installed and the SANs are in there correct. The connectivity analyzer is able to get to our server using autodiscover over port 443, we see the traffic come in through the firewall and nothing is
blocked just the certificate could not be validated.
Has anyone deployed Lync using the Sophos UTM as a reverse Proxy any other ideas as to what we are missing with these certificates?
The certificate couldn't be validated because SSL negotiation wasn't successful.
The certificate couldn't be validated because SSL negotiation wasn't successful.

lyncdiscover.domain.com does not resolve. Discovery is working fine through the connectivity analyzer. We actually figured that part out about the SSL. It seems we had the firewall and Reverse proxy rules in place on the Sophos appliance but the firewall
rules leaving the edge server were being blocked. It took us about 1.5 days to figure that part out.
The connectivity analyzer now is able to authenticate the certificates successfully. Of course it wouldn't be a Lync roll out without the next issue coming up.
The next issue we have is the connectivity analyzer reaching the AV service. Which we are going to assume is a routing issue as well and are currently troubleshooting it:
Couldn't sign in. Error: Error Message: The endpoint was unable to register. See the ErrorCode for specific reason..
Error Type: RegisterException.
Deregister Reason: None.
Response Code: 504.
Response Text: Server time-out.
http://social.technet.microsoft.com/Forums/lync/en-US/f95c47cc-f8eb-4646-bdac-6c7244b26ff1/couldnt-sign-in-error-error-message-the-endpoint-was-unable-to-register-new-deployment?forum=ocsplanningdeployment
Wish me luck.

Reverse Proxy with Coldfusion 8

Has anyone set up Sun Java Web Server 7 to reverse proxy Coldfusion 8 (also running under SJWS7)? I can reverse proxy static HTML and SHTML content with SJWS7, but not Coldfusion content.
Thanks in advance for any help, tips, etc.
--Frank

Thanks for replying, MV -- I've been out for a while -- sorry for the delay. Below are obj.conf and <vs> obj.conf:
obj.conf
# Copyright 2006 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
# You can edit this file, but comments and formatting changes # might be lost when you use the administration GUI or CLI.
<Object name="default">
AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
NameTrans fn="ntrans-j2ee" name="j2ee"
NameTrans fn="pfx2dir" from="/mc-icons" dir="/opt/webserver7/lib/icons" name="es-internal"
PathCheck fn="uri-clean"
PathCheck fn="check-acl" acl="default"
PathCheck fn="find-pathinfo"
PathCheck fn="find-index-j2ee"
PathCheck fn="find-index" index-names="index.html,home.html,index.jsp"
ObjectType fn="type-j2ee"
ObjectType fn="type-by-extension"
ObjectType fn="force-type" type="text/plain"
Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
Service method="(GET|HEAD|POST)" type="*~magnus-internal/*" fn="send-file"
Service method="TRACE" fn="service-trace"
Error fn="error-j2ee"
AddLog fn="flex-log"
</Object>
<Object name="j2ee">
Service fn="service-j2ee" method="*"
</Object>
<Object name="es-internal">
PathCheck fn="check-acl" acl="es-internal"
</Object>
<Object name="cgi">
ObjectType fn="force-type" type="magnus-internal/cgi"
Service fn="send-cgi"
</Object>
<Object name="send-precompressed">
PathCheck fn="find-compressed"
</Object>
<Object name="compress-on-demand">
Output fn="insert-filter" filter="http-compression"
</Object>
wwwproxy-obj.conf
# Copyright 2007 Sun Microsystems, Inc. All rights reserved.
# Use is subject to license terms.
# You can edit this file, but comments and formatting changes # might be lost when you use the administration GUI or CLI.
<Object name="default">
AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
NameTrans fn="ntrans-j2ee" name="j2ee"
NameTrans fn="pfx2dir" from="/mc-icons" dir="/opt/webserver7/lib/icons" name="es-internal"
NameTrans fn="map" from="/" name="reverse-proxy-/" to="http:/"
PathCheck fn="uri-clean"
PathCheck fn="check-acl" acl="default"
PathCheck fn="find-pathinfo"
PathCheck fn="find-index-j2ee"
PathCheck fn="find-index" index-names="index.html,home.html,index.jsp"
ObjectType fn="type-j2ee"
ObjectType fn="type-by-extension"
ObjectType fn="force-type" type="text/plain"
Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
Service method="(GET|HEAD|POST)" type="*~magnus-internal/*" fn="send-file"
Service method="TRACE" fn="service-trace"
Error fn="error-j2ee"
AddLog fn="flex-log"
</Object>
<Object name="j2ee">
Service fn="service-j2ee" method="*"
</Object>
<Object name="es-internal">
PathCheck fn="check-acl" acl="es-internal"
</Object>
<Object name="cgi">
ObjectType fn="force-type" type="magnus-internal/cgi"
Service fn="send-cgi"
</Object>
<Object name="send-precompressed">
PathCheck fn="find-compressed"
</Object>
<Object name="compress-on-demand">
Output fn="insert-filter" filter="http-compression"
</Object>
<Object name="reverse-proxy-/">
Route fn="set-origin-server" server="www.water.ca.gov"
</Object>
<Object ppath="http:*">
Service fn="proxy-retrieve" method="*"
</Object>

RDS 2012 - Using a reverse proxy with the Gateway server on the internal LAN

Hi there,
I'm looking to introduce an RDS 2012 farm and would like to put the RDS Gateway server on the internal LAN (due to it's AD requirements etc).
What are the best practise options for using a reverse proxy to forward traffic to the gateway server and is it better to do this than just forward 443 traffic from the DMZ through to the Gateway directly?
Thanks,
Paul.

Hi Paul,
It is generally considered more secure to have a reverse proxy in front of RDG. I don't know of a proxy that will handle the RDG UDP traffic, so you will need to consider using direct server return for that or not having the benefit of UDP. Whether
or not it is acceptable to simply forward TCP 443/UDP 3391 directly to your internal RDG is up to your security policies. Many companies are fine with it while many other companies think it is unacceptable and require a reverse proxy or other method
to provide an extra layer of protection.
-TP

Border manager as reverse proxy with Sharepoint 2007

hello
need to implement an extranet based solution of Windows Sharepoint 2007, clients may need to traverse a BM reverse proxy server in order to hit the sharepoint environment. have a few questions
1. does it work well? or at all?
2. is the SSL session from the client terminated at the BM level
3. will be using SSL, can i install certs at the BM level for the site?
any other tips??

Originally Posted by phxazcraig
In article <[email protected]>, Gwelsh123 wrote:
> 1. does it work well? or at all?
Should work.
> 2. is the SSL session from the client terminated at the BM level
Yes, if you use proxy, sessions are always between client and proxy,
and another session between proxy and origin server.
> 3. will be using SSL, can i install certs at the BM level for the
> site?
I'm not quite sure what you mean. If you want to encrypt the data, I
think you would be best off doing a generic tcp proxy for port 443, and
have the cert on the endpoint (sharepoint) server, but perhaps that
would give cert errors due to the addressing.
Craig Johnson
Novell Support Connection SysOp
*** For a current patch list, tips, handy files and books on
BorderManager, go to Craig Johnson Consulting - BorderManager, NetWare, and More ***
Im sure when using ISA as the reverse proxy, you install the SSL certs on the ISA box, and then you can use an internally generated cert on the web servers.
I also read somewhere that BM dosent support webdav?
do novell provide any documentation on this sort of configuration
we have a BM server already, there is an external firewall which forwards traffic to various websites to a specific port on the BM server, which then proxies the requests internall. it dosent seem particularly smart, more like a glorified port forwarder?

CSM-S to Servers... Reverse proxy with authentication?

Similar Messages

Maybe you are looking for