Forward/reverse proxy chain losing headers

I have the following setup:
user(browser) -> proxy1 -> proxy2 -> webserver
This has both forward and reverse mappings. In proxy 1, I have an NSAPI plugin that appends a name/value (uid:userid) pair to the HTTP headers, at the end of my current header string. I use
const char *HEADERS = "full-headers"; // HEADER NAME
pblock_findval((char *)HEADERS, request->reqpb);
pblock_remove((char *)HEADERS, request->reqpb);
pblock_nvinsert((char *)HEADERS, (char*)"current list of NV pairs, uid: user123", request->reqpb);
In proxy versions prior to 3.63, the second proxy and the webserver receive my entire header string (full-headers) without any issue and just as I sent it.
With version 3.63, my UID is missing from the "Protocol Request PB (rq->reqpb)" section, along with some other info in my header string. I use sdump to view the headers, plus my backend app is not receiving the uid.
Has anyone else had the issue of their headers getting mangled and/or missing in Proxy 3.63? Or does anyone have any ideas about the issue?

Yep, good catch.
There is a bug in the proxy: Proxy 3.6 SP3 removes "Proxy-authenticate:" HTTP header when forwarding requests to other proxies.
This is basically in adherence to RFC2616 clause
13.5.1 End-to-end and Hop-by-hop Headers:
For the purpose of defining the behavior of caches and non-caching
proxies, we divide HTTP headers into two categories:
- End-to-end headers, which are transmitted to the ultimate
recipient of a request or response. End-to-end headers in
responses MUST be stored as part of a cache entry and MUST be
transmitted in any response formed from a cache entry.
- Hop-by-hop headers, which are meaningful only for a single
transport-level connection, and are not stored by caches or
forwarded by proxies.
The following HTTP/1.1 headers are hop-by-hop headers:
- Connection
- Keep-Alive
- Proxy-Authenticate
- Proxy-Authorization
- TE
- Trailers
- Transfer-Encoding
- Upgrade
All other headers defined by HTTP/1.1 are end-to-end headers.
This somehow messed up the proxy chain configurations.
This has been fixed in SP4, which will be released in a week or two.
Thx
Maneesh
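
Added example (not part of the original thread or of the proxy product): a Python model of the RFC 2616 section 13.5.1 rule quoted above, extended with the section 14.10 rule that headers named in Connection are dropped as well. It shows why an end-to-end header such as uid should reach the web server while a hop-by-hop header added by proxy1 is seen by proxy2 only; the header values, the X-Trace header and the hop names are constructed for illustration.

```python
"""Added example: hop-by-hop header handling along a proxy chain."""

# Hop-by-hop headers exactly as listed in RFC 2616 section 13.5.1.
HOP_BY_HOP = frozenset({
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailers", "transfer-encoding", "upgrade",
})


def connection_tokens(headers):
    """Return the lower-cased header names listed in any Connection header."""
    tokens = set()
    for name, value in headers:
        if name.lower() == "connection":
            tokens.update(t.strip().lower() for t in value.split(",") if t.strip())
    return tokens


def forward_headers(headers):
    """Split (name, value) pairs into what a compliant hop forwards and drops."""
    drop_names = HOP_BY_HOP | connection_tokens(headers)
    forwarded, dropped = [], []
    for name, value in headers:
        target = dropped if name.lower() in drop_names else forwarded
        target.append((name, value))
    return forwarded, dropped


def run_chain(client_headers, hops):
    """Pass headers through each hop in turn.

    hops is a list of (hop_name, headers_added_by_that_hop). Each hop strips the
    hop-by-hop headers it received, then appends its own. The result lists what
    every node received, ending with the origin server.
    """
    received = []
    current = list(client_headers)
    for hop_name, added in hops:
        received.append((hop_name, list(current)))
        current, _dropped = forward_headers(current)
        current += list(added)
    received.append(("origin", current))
    return received


def demo():
    """Constructed request: browser -> proxy1 -> proxy2 -> origin."""
    client = [
        ("Host", "app.example.test"),
        ("Connection", "keep-alive, X-Trace"),
        ("Keep-Alive", "timeout=5"),
        ("X-Trace", "abc123"),
        ("Accept", "*/*"),
    ]
    hops = [
        # proxy1 adds the end-to-end uid header and a credential meant for proxy2 only.
        ("proxy1", [("uid", "user123"), ("Proxy-Authorization", "Basic PLACEHOLDER")]),
        ("proxy2", []),
    ]
    return {node: [n.lower() for n, _ in hdrs] for node, hdrs in run_chain(client, hops)}


if __name__ == "__main__":
    for node, names in demo().items():
        print(f"{node:7s} receives: {', '.join(names)}")
```

When a header goes missing in a chain, comparing each node's received list against this model separates expected hop-by-hop stripping from a proxy defect.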

Similar Messages

  • Issue in configuring TMG as Forward/Reverse Proxy

    I am trying to setup reverse and forward proxy using TMG 2010. I have following networks:
    Internal Networks:
    10.2.1.0/24
    10.3.1.0/24
    DMZ (Perimeter) Network:
    10.7.1.0/24   NAT relationship with external network e.g. Public IPs
    I've setup one TMG node and selected "Back Firewall" as topology.
    NIC 1 Config: (Internal)
    IP:    10.2.1.20
    Subnet: 255.255.255.0
    DW:     Not defined
    DNS:    10.2.1.5
    NIC 2 Config: (Perimeter)
    IP:    10.7.1.20
    Subnet: 255.255.255.0
    DW:     10.7.1.5
    DNS:    Not Defined
    During setup when wizard asked me to define internal IP ranges, I defined 10.2.1.1 - 10.2.1.255 instead of selecting Adaptor.
    Setup Completed successfully.
    I created Allow rule from internal to local host.
    From Client-end:
    From client machines I cannot access TMG internal interface IP (because gateway is not defined on TMG internal interface, I guess)
    while I can access DMZ interface IP i.e. 10.7.1.20 and can telnet port 8080.
    When I define DMZ interface IP i.e. 10.7.1.20:8080 as proxy address in client-side browser, that throws an error "10061 no connection could be made because the target machine actively refused it"
    Failed Connection Attempt
    Log Type: Web Proxy (Forward)
    Status:10061 No connection could be made because the target machine actively refused it.
    Rule: Allow
    Source: Internal (10.2.1.39)
    Destination:LocalHost (10.7.1.20:8080)
    Request:Get http://www.google.com
    Protocol:http
    On TMG server:
    When I define DMZ interface IP i.e. 10.7.1.20:8080 as proxy address in browser that still throws an error "10061 no connection could be made because the target machine actively refused it"
    But when I define internal interface IP as proxy in browser i.e. 10.2.1.20:8080 it works.
    Allowed Connection
    Log Type: Web Proxy (Forward)
    Status:303 Not Modified
    Rule: [System] Allow all HTTP traffic from forefront TMG to all networks (for CRL downloads)
    Source: LocalHost (10.7.1.20:10082)
    Destination: External (94.245.34.74:80)
    Request:Get http://someurl
    Protocol:http
    What am I missing? Please advise, and what could be the workaround to get this to work from the internal network?
    Regards,

    Hello Quan,
    Thanks for your reply..
    No it didn't work. I'm still using that as reverse proxy and unable to configure that as forward. :-)
    Regards,
    Farrukh

  • Forward parameters in reverse proxy configuration

    Hi,
    Looking at the detailed configuration in a reverse proxy rule in SJSWS, I have derived the following conclusions:
    1) Where the SJSWS listener has SSL-enabled, reverse proxy works on a HTTPS in, HTTP out basis.
    2) Details in the incoming request's SSL header, such as User DN, will be stripped out and remapped into the outgoing request as a custom header, e.g. "Proxy-user-dn".
    Can anybody tell me if I have gotten anything wrong above?
    We are currently switching over from an Apache/mod_proxy/mod_ssl --> Apache/mod_jk --> Apache Tomcat server setup to a hybrid model where SJSWS is the web server reverse proxying to Tomcat (old apps) and SJSAS (new apps).
    My question:
    All our apps use the User DN string as the user ID. Previously, we developed a custom module in Apache to read the DN at the Apache level and then rewrite it into the Basic Auth user name header in the outgoing request. The Tomcat webapp will then authenticate the user based on the Basic Auth user name property. Is it possible for me to remap it into something similar here in the SJSWS reverse proxy configuration?
    Thanks!
    Wong

    I am not a reverse proxy expert, but this Object-type SAF should forward userdn
    http://docs.sun.com/app/docs/doc/820-1062/6ncoqnq3b?l=en&a=view&q=forward-user-dn
    You can look for more such SAFs in this document.

  • SJSWS 7 u4 reverse proxy setup with client ip forwarding

    Hi,
    I am trying to set up a reverse proxy to glassfish enterprise 2.1 so that it will pass on the client ip address.
    I have added this line to my obj.conf file:
    ObjectType fn="forward-ip" hdr="Client-ip"
    Entire obj.conf below:
    <Object name="default">
    AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
    NameTrans fn="ntrans-j2ee" name="j2ee"
    NameTrans fn="pfx2dir" from="/mc-icons" dir="/usr/webserver7/lib/icons" name="es-internal"
    NameTrans fn="map" from="/" name="reverse-proxy-/" to="http:/"
    PathCheck fn="uri-clean"
    PathCheck fn="check-acl" acl="default"
    PathCheck fn="find-pathinfo"
    PathCheck fn="find-index-j2ee"
    PathCheck fn="find-index" index-names="index.html,home.html,index.jsp"
    ObjectType fn="forward-ip" hdr="Client-ip"
    ObjectType fn="type-j2ee"
    ObjectType fn="type-by-extension"
    ObjectType fn="force-type" type="text/plain"
    Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
    Service method="(GET|HEAD|POST)" type="*~magnus-internal/*" fn="send-file"
    Service method="TRACE" fn="service-trace"
    Error fn="error-j2ee"
    AddLog fn="flex-log"
    </Object>
    <Object name="j2ee">
    Service fn="service-j2ee" method="*"
    </Object>
    <Object name="es-internal">
    PathCheck fn="check-acl" acl="es-internal"
    </Object>
    And have added this property to both of the glassfish http-listeners:
    authPassthroughEnabled=true
    However, when I use this piece of code:
    System.out.println(((HttpServletRequest) FacesContext.getCurrentInstance().getExternalContext().getRequest()).getRemoteAddr());
    I see this in my glassfish logs:
    [#|2009-03-26T17:32:47.457+1300|WARNING|sun-appserver2.1|org.apache.coyote.tomcat5.CoyoteRequest|_ThreadID=21;_ThreadName=httpSSLWorkerThread-8181-2;_RequestID=11ab6ecf-254c-4255-98d3-48856ab99b61;|PWC4013: Unable to determine client remote address from proxy (returns null)|#]
    [#|2009-03-26T17:32:47.457+1300|INFO|sun-appserver2.1|javax.enterprise.system.stream.out|_ThreadID=21;_ThreadName=httpSSLWorkerThread-8181-2;|
    127.0.1.1 ip address|#]
    There are no messages in the webserver logs
    Can anybody see something that I am doing wrong?
    Thanks in advance for your help,
    Gareth

    If Admin server shows it's enabled, then it is enabled.
    You can add forward-ip line in obj.conf manually and restart the server just to be sure.
    Look at http://forums.sun.com/thread.jspa?threadID=5344683. It says (in glassfish)
    "Add this property to all <http-listener> elements in your domain.xml:
    <property name="authPassthroughEnabled" value="true"/>"

  • My environment is 99% of the way there, but my ARR reverse proxy doesn't seem to be forwarding lyncdiscover properly. Can someone help?

    I recently cut over from lync 2010 with an apache reverse proxy to a lync2013 deployment using microsoft ARR as the reverse proxy.
    Last night I cut over to the new ARR reverse proxy but our lync 2013 mobility tests didn't go well. I also can't get the DIALIN.CONTOSO.COM page to show up externally. Only the https://MEET.CONTOSTO.COM site shows up properly from an external browser. I have a feeling that the lync ARR server is only handling meet.contoso.com for some reason, although I followed the LYNC setup guides exactly. Please see the screenshots of my setup. Does anyone have an idea of why everything might be taken over by the MEET.CONTOSO.COM Server Farm in ARR?
    As you can see, the lyncdiscover.contoso.com server farm has no hits.
    When I fire up the lync mobility app, the MEET.CONTOSO.COM server farm in ARR receives the hits. (and failures)
    I followed the configuration exactly, here are my rewrite rules:
    Any Ideas?

    Hello All,
    I had a professional service with Microsoft to fix the many issues with my Lync environment. It turns out that there were 2 major causes of the problem I was having. For one, I DID have the wrong cert set on the lync2013 FE server's external web interface. I didn't realize this because there seems to be some sort of bug in the LYNC SERVER 2013 DEPLOYMENT WIZARD.
    First, it is badly designed. There is actually a drop down that I didn't realize was a dropdown when deploying my environment that expands and shows the external web services certificate.
    After I found that, I tried updating it to my godaddy cert but it left a BLANK in the deployment wizard. So I had to go into the IIS management console to update the bindings.
    Once the FE server's external website certificate was installed properly, we moved on to the reverse proxy. We scrapped ALL of the ARR servers and rewrite rules and started from scratch. Instead of creating 4 server farms and using lync.contoso.com, meet.contoso.com etc... we created one server farm that points at the IP ADDRESS of the lync front end server. We changed the PATTERN to (.*) using regular expressions and the HTTP_HOST rule to (lync.contoso.com|lyncdiscover.contoso.com|meet.contoso.com|dialin.contoso.com)
    After this, we still had a problem with lync mobility for android 2013.
    Our public DNS has a record *.contoso.com to capture all traffic and route it to our website. This was capturing lyncdiscoverinternal.contoso.com and the android devices were getting a certificate error. We now have lyncdiscoverinternal.contoso.com pointed to the reverse proxy's external IP address to resolve that issue. The android lync mobility client also checks for an exchange record which isn't documented http://contoso.com/ews because of an autodiscover record, so our android clients still get a certificate error once during the initial setup of the application. Our IOS devices don't show this error so we called the issue resolved.
    Good luck all!

  • HCI/ECC connection issue with reverse proxy

    Hi,
    we are struggling to set up the connection from C4C to ECC using a reverse proxy (apache).
    Thank you for any help!
    Best Regards
    Florian
    Our apache config is as follows:
    <VirtualHost *:443>
      ServerName customer.reverseproxy.com
      SSLEngine             On
      SSLProxyEngine             On
      ErrorLog              /var/www/customer/log/error.log
      Customlog             /var/www/customer/log/access.log "common"
    # TransferLog  "<Apache_home>/logs/access.log"
    # Offical SSL Certificate for customer.reverseproxy.com
      SSLCertificateFile    "/etc/apache2/ssl/customer/customer_cert.pem"
      SSLCertificateKeyFile "/etc/apache2/ssl/customer/customer_key_np.pem"
      SSLCACertificateFile "/etc/apache2/ssl/customer/SSL123_CA_Bundle.pem"
    # SSLCertificateChainFile "<Apache_home>/conf/proxy-server-ca.crt"   # activate the client certificate  authentication
    #SSLCertificateChainFile "/etc/apache2/ssl/customer/SAP-CA.crt"
    # Signing CA's for SAP client certificate (Baltimore CyberTrust Root & Verizon Public SureServer CA G14-SHA2 + more)
    SSLCertificateChainFile "/etc/apache2/ssl/customer/SAPClientCA.pem"
    SSLVerifyClient require
    SSLVerifyDepth  10
    SSLOptions +ExportCertData +StdEnvVars
    # CA's from SAP and customer for backend connections between Proxy and SAP system (Baltimore CyberTrust Root & Verizon Public SureServer CA G14-SHA2 + more)
    SSLProxyCACertificateFile "/etc/apache2/ssl/customer/SAP-CA.crt"
    # SSLProxyMachineCertificateFile <Apache_home>/conf/proxy-client.pem
      # initialize the special headers to a blank  value to avoid http header forgeries
      RequestHeader set  SSL_CLIENT_CERT ""
      <Location /> 
         # add  SSL_CLIENT_CERT header to forward real client certificate
        RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
        ProxyPass        https://sap.internal.com:8300/
        ProxyPassReverse https://sap.internal.com:8300/
      </Location>
    </VirtualHost>
    On the HCI we get the following error shown
    Message Processing Log{
      ContextName         = com.sap.scenarios.cod2erp.customermaster.replicate
      IntermediateError   = true
      MessageGuid         = AFU2MVOblsS5yIwpSvYiCt7XnLaT
      Node                = vsaxxxxxx.od.sap.biz
      OverallStatus       = FAILED
      ReceiverId          = Q47_
      StartTime           = Tue Apr 21 11:15:31 UTC 2015
      StopTime            = Tue Apr 21 11:15:31 UTC 2015
      Children [
        Invoked endpoint{
          Cxf.EndpointAddress = https://HCI.intaas.hana.ondemand.com/cxf/COD/ERP/BP_MASTER_REPLICATION
          Error               = Inbound processing in endpoint at https://HCI.intaas.hana.ondemand.com/cxf/COD/ERP/BP_MASTER_REPLICATION failed with message "Sequential processing failed for number 0. Exchange[Message: [Body is not logged]]. Caused by: [org.apache.cxf.interceptor.Fault - Could not send Message.]", caused by "SunCertPathBuilderException:unable to find valid certification path to requested target"
          StartTime           = Tue Apr 21 11:15:31 UTC 2015
          Status              = FAILED
          StopTime            = Tue Apr 21 11:15:31 UTC 2015
          Children [
            Entering Camel route route52{
              StartTime           = Tue Apr 21 11:15:31 UTC 2015
              Children [
                Exchange ID-vsaxxxxxx-od-sap-biz-40387-1427614280233-51-38 created in Endpoint[cxf://bean:my308416_]{
                  StartTime           = Tue Apr 21 11:15:31 UTC 2015
                  Children [
                    Processing exchange ID-vsaxxxxxx-od-sap-biz-40387-1427614280233-51-38 in ref:encodingProcessor{
                      StartTime           = Tue Apr 21 11:15:31 UTC 2015
                      StepId              = process151
                      StopTime            = Tue Apr 21 11:15:31 UTC 2015
                      Children [
                        Processing exchange ID-vsaxxxxxx-od-sap-biz-40387-1427614280233-51-38 in removeHeaders[*]{
                          StartTime           = Tue Apr 21 11:15:31 UTC 2015
                          StepId              = removeHeaders52
                          StopTime            = Tue Apr 21 11:15:31 UTC 2015
                          Children [
                            Processing exchange ID-vsaxxxxxx-od-sap-biz-40387-1427614280233-51-38 in setHeader[MessageId]{
                              StartTime           = Tue Apr 21 11:15:31 UTC 2015
                              StepId              = setHeader76
                              StopTime            = Tue Apr 21 11:15:31 UTC 2015
                              Children [
                                Processing exchange ID-vsaxxxxxx-od-sap-biz-40387-1427614280233-51-38 in sap-map-pi:COD_ERP_BusinessPartnerERPBulkReplicateRequest{
                                  Sent To URI         = sap-map-pi://COD_ERP_BusinessPartnerERPBulkReplicateRequest
                                  StartTime           = Tue Apr 21 11:15:31 UTC 2015
                                  StepId              = CallActivity_1
                                  StopTime            = Tue Apr 21 11:15:31 UTC 2015
                                  Time Taken          = 11
                                  Children [
                                    Processing exchange ID-vsaxxxxxx-od-sap-biz-40387-1427614280233-51-38 in ref:idocOutboundRequest{
                                      StartTime           = Tue Apr 21 11:15:31 UTC 2015
                                      StepId              = process152
                                      StopTime            = Tue Apr 21 11:15:31 UTC 2015
                                      com.sap.sod.utils.idoc.soap.messageid= 00163E0CB1A01EE4BA82F713C72AD65B
                                      Children [
                                        Processing exchange ID-vsaxxxxxx-od-sap-biz-40387-1427614280233-51-38 in split[bean{idocPackageSplitter, method=split}]{
                                          Error               = org.apache.camel.CamelExchangeException: Sequential processing failed for number 0. Exchange[Message: [Body is not logged]]. Caused by: [org.apache.cxf.interceptor.Fault - Could not send Message.], cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
                                          StartTime           = Tue Apr 21 11:15:31 UTC 2015
                                          StepId              = CallActivity_2
                                          StopTime            = Tue Apr 21 11:15:31 UTC 2015
                                          Children [
                                            Successor Exchange ID-vsaxxxxxx-od-sap-biz-40387-1427614280233-51-39 created with reference to Exchange ID-vsaxxxxxx-od-sap-biz-40387-1427614280233-51-38{
                                              StartTime           = Tue Apr 21 11:15:31 UTC 2015
                                              StopTime            = Tue Apr 21 11:15:31 UTC 2015
                                              Children [
                                                Processing exchange ID-vsaxxxxxx-od-sap-biz-40387-1427614280233-51-39 in setHeader[SapIDocContentType]{
                                                  StartTime           = Tue Apr 21 11:15:31 UTC 2015
                                                  StepId              = setHeader77
                                                  StopTime            = Tue Apr 21 11:15:31 UTC 2015
                                                  Children [
                                                    Processing exchange ID-vsaxxxxxx-od-sap-biz-40387-1427614280233-51-39 in removeHeader[ssl_client_cert]{
                                                      StartTime           = Tue Apr 21 11:15:31 UTC 2015
                                                      StepId              = removeHeader197
                                                      StopTime            = Tue Apr 21 11:15:31 UTC 2015
                                                      Children [
                                                        Processing exchange ID-vsaxxxxxx-od-sap-biz-40387-1427614280233-51-39 in removeHeader[ssl_client_user]{
                                                          StartTime           = Tue Apr 21 11:15:31 UTC 2015
                                                          StepId              = removeHeader198
                                                          StopTime            = Tue Apr 21 11:15:31 UTC 2015
                                                          Children [
                                                            Processing exchange ID-vsaxxxxxx-od-sap-biz-40387-1427614280233-51-39 in removeHeader[operationName]{
                                                              StartTime           = Tue Apr 21 11:15:31 UTC 2015
                                                              StepId              = removeHeader199
                                                              StopTime            = Tue Apr 21 11:15:31 UTC 2015
                                                              Children [
                                                                Processing exchange ID-vsaxxxxxx-od-sap-biz-40387-1427614280233-51-39 in removeHeader[operationNamespace]{
                                                                  StartTime           = Tue Apr 21 11:15:31 UTC 2015
                                                                  StepId              = removeHeader200
                                                                  StopTime            = Tue Apr 21 11:15:31 UTC 2015
                                                                  Children [
                                                                    Processing exchange ID-vsaxxxxxx-od-sap-biz-40387-1427614280233-51-39 in cxf:bean:Q47_{
                                                                      Error               = org.apache.cxf.interceptor.Fault: Could not send Message., cause: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
                                                                      Sent To URI         = cxf://bean:Q47_
                                                                      StartTime           = Tue Apr 21 11:15:31 UTC 2015
                                                                      StepId              = MessageFlow_2
                                                                      StopTime            = Tue Apr 21 11:15:31 UTC 2015
                                                                      Time Taken          = 123
                                                                      Children [
                                                                        Sent message to endpoint{
                                                                          Cxf.EndpointAddress = https://customer.reverseproxy.com:443/sap/bc/srt/idoc?sap-client=310
                                                                          Error               = Outbound processing in endpoint at https://customer.reverseproxy.com:443/sap/bc/srt/idoc?sap-client=310 failed with message "Could not send Message.", caused by "SunCertPathBuilderException:unable to find valid certification path to requested target"
                                                                          StartTime           = Tue Apr 21 11:15:31 UTC 2015
                                                                          Status              = FAILED
                                                                          StopTime            = Tue Apr 21 11:15:31 UTC 2015
                                                                        Exchange ID-vsaxxxxxx-od-sap-biz-40387-1427614280233-51-39 failed{
                                                                          StartTime           = Tue Apr 21 11:15:31 UTC 2015
                                                                          Status              = FAILED
                                            Exchange ID-vsaxxxxxx-od-sap-biz-40387-1427614280233-51-38 failed{
                                              StartTime           = Tue Apr 21 11:15:31 UTC 2015
                                              Status              = FAILED
                                              Children [
                                                Exiting Camel route route52{
                                                  StartTime           = Tue Apr 21 11:15:31 UTC 2015
      ReceiverIds [
        Q47_

    Hi Abinash,
    now we are one step further and receive a HTTP 401 on the reverse proxy. It looks like the client cert from HCI is not handled correctly. Can you help?
    Best Regards
    Florian
    HCI log
    Sent message to endpoint{
    Cxf.EndpointAddress = https://customer.reverse.com:443/sap/bc/srt/idoc?sap-client=310
    Error = Outbound processing in endpoint at https://customer.reverse.com:443/sap/bc/srt/idoc?sap-client=310 failed with message "HTTP response '401: Unauthorized' when communicating with https://customer.reverse.com:443/sap/bc/srt/idoc?sap-client=310"
    StartTime = Fri Apr 24 11:03:12 UTC 2015
    Status = FAILED
    StopTime = Fri Apr 24 11:03:12 UTC 2015
    Apache config
    <VirtualHost *:443>
    ServerName cuscrm.webmail.cus.com
    SSLEngine             On
    SSLProxyEngine             On
    ErrorLog /var/www/cuscrm/log/error.log
    Customlog /var/www/cuscrm/log/access.log "common"
    # TransferLog  "<Apache_home>/logs/access.log"
    # Offical SSL Certificate for cuscrm.webmail.cus.com
    SSLCertificateFile "/etc/apache2/ssl/cuscrm/cuscrm_cert.pem"
    SSLCertificateKeyFile "/etc/apache2/ssl/cuscrm/cuscrm_key_np.pem"
    SSLCertificateChainFile "/etc/apache2/ssl/cuscrm/ThawteCAChain.pem"
    # SAP Baltimore Cybertrust Chain for Client authentication
    SSLCACertificateFile "/etc/apache2/ssl/cuscrm/SAPCybertrust.pem"
    SSLVerifyClient require
    SSLVerifyDepth  10
    SSLOptions +ExportCertData +StdEnvVars
    # CA's from SAP and Schunk for backend connections between Proxy and SAP system
    #SSLProxyCACertificateFile "/etc/apache2/ssl/cuscrm/SAP-CA.crt"
    SSLProxyCACertificateFile "/etc/apache2/ssl/cuscrm/SAPCHAIN.pem"
    #  SSLProxyMachineCertificateFile <Apache_home>/conf/proxy-client.pem
    # initialize the special headers to a blank  value to avoid http header forgeries
    RequestHeader set  SSL_CLIENT_CERT ""
    <Location />
    # add  SSL_CLIENT_CERT header to forward real client certificate
    RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
    ProxyPass        https://internal.sap:8300/
    ProxyPassReverse https://internal.sap:8300/
    </Location>
    </VirtualHost>
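
Added example (not from the thread and not mod_headers code): a Python model of what the two RequestHeader lines in the Apache configuration above are for, namely that the backend only ever sees an SSL_CLIENT_CERT value written by the proxy from the verified TLS session. Treating '-' and '_' as equivalent, folding the PEM onto one line and the backend-side check are assumptions of this example; the certificate and forged values are constructed.

```python
"""Added example: overwrite identity headers with values from the verified TLS session."""

# Header that the Apache configuration blanks and then sets from mod_ssl.
IDENTITY_HEADERS = ("SSL_CLIENT_CERT",)


def canonical(name):
    """Fold case and treat '-' and '_' alike (assumption of this example):
    CGI-style backends expose both spellings as the same HTTP_* variable."""
    return name.lower().replace("-", "_")


def fold_pem(pem):
    """Header values cannot carry raw line breaks, so put the PEM on one line."""
    return " ".join(pem.split())


def build_upstream_headers(client_headers, verified_cert_pem):
    """Return (upstream_headers, discarded) for one proxied request.

    client_headers: list of (name, value) pairs exactly as the client sent them.
    verified_cert_pem: the certificate the TLS layer validated, or None.
    """
    if not verified_cert_pem:
        # Mirrors SSLVerifyClient require: no verified certificate, no request.
        raise PermissionError("client certificate required")
    protected = {canonical(n) for n in IDENTITY_HEADERS}
    upstream, discarded = [], []
    for name, value in client_headers:
        target = discarded if canonical(name) in protected else upstream
        target.append((name, value))
    # Only the proxy writes the identity header, and only from the TLS session.
    upstream.append(("SSL_CLIENT_CERT", fold_pem(verified_cert_pem)))
    return upstream, discarded


def backend_identity(headers):
    """Backend side: accept the identity only if exactly one non-empty copy arrived."""
    copies = [v for n, v in headers if canonical(n) == "ssl_client_cert"]
    if len(copies) != 1 or not copies[0].strip():
        return None
    return copies[0]


# Constructed sample data: a placeholder certificate and a request that already
# carries two client-supplied copies of the identity header.
VERIFIED_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    "CONSTRUCTED-PLACEHOLDER\n"
    "-----END CERTIFICATE-----\n"
)
CLIENT_HEADERS = [
    ("Host", "customer.reverseproxy.com"),
    ("SSL_CLIENT_CERT", "forged-value-1"),
    ("ssl-client-cert", "forged-value-2"),
    ("Content-Type", "text/xml"),
]

if __name__ == "__main__":
    upstream, discarded = build_upstream_headers(CLIENT_HEADERS, VERIFIED_PEM)
    print("discarded from client:", [n for n, _ in discarded])
    print("backend identity:", backend_identity(upstream))
```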

  • Lync Reverse Proxy Alternatives

    When migrating from OCS 2007 to Lync 2010, we balked at Microsoft’s recommendation to deploy Forefront Threat Management Gateway (or ISA) just to get the reverse proxy services.
    TMG is way too expensive and complex for such a limited, simple use case.
    I didn't find much information on what people are using as free alternatives to ISA/TMG, so I decided to post this discussion in case there are others out there who are interested.
    We decided to use Apache 2.2 on Windows Server 2008 R2. 
    Here's how we configured it:
    Read here to understand what features require a reverse proxy, and follow the steps to configure your FQDNs, Network Adapters and (maybe) obtain an SSL Certificate for the reverse proxy. 
    http://technet.microsoft.com/en-us/library/gg398069.aspx
    Download and install the latest stable release of Apache with OpenSSL on your reverse proxy server. 
    http://httpd.apache.org/download.cgi
    We're using the same certificate on the reverse proxy that we use on our front end server (it has the appropriate SANs), so we need to convert it to PEM format for use with Apache:
    Use the Certificates MMC on your front end server to export the certificate and include the private key.
    Transfer the resultant .pfx file to your reverse proxy server.
    Use OpenSSL to convert your .pfx file to PEM:
    openssl pkcs12 -in c:\pathto\yourcert.pfx -out c:\pathto\yourcert.pem -nodes
    Separate the private key from the certificate using notepad: 
    Open the new .pem file and cut the text from the beginning of the file through the end of the “----END RSA PRIVATE KEY----“ tag. 
    Save that text to a new file named yourcert.key.
    Save yourcert.pem, which should now only include the certificate.
    Copy (or move) the certificate and private key to the Apache configuration directory. We like to use: C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\ssl for storing the certificates.
    Edit httpd.conf (typically in C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf) to enable and configure the proxy and SSL features:
    (See http://httpd.apache.org/docs/2.2/mod/mod_proxy.html for more information on each directive)
    Uncomment the following lines, which will enable proxy and SSL:
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    LoadModule ssl_module modules/mod_ssl.so
    Include conf/extra/httpd-ssl.conf
    Add the following lines to configure reverse proxy behavior:
    #Be a reverse proxy, not a forward proxy
    ProxyRequests Off
    #Accept requests from any client to any URL
    <Proxy *>
    Order Deny,Allow
    Allow from all
    </Proxy>
    #Set the network buffer to improve throughput
    ProxyReceiveBufferSize 4096
    #Configure the Reverse Proxy to forward all requests to your front end server on 4443
    ProxyPass / https://yourfrontend.domain.com:4443/
    ProxyPassReverse / https://yourfrontend.domain.com:4443/
    #Preserve Host Headers for Lync
    ProxyPreserveHost On
    Optionally, configure logging directives, bindings and server name.
    Save and close httpd.conf
    Edit httpd-ssl.conf (typically in conf\extra):
    Configure the session cache:
    Uncomment:
    SSLSessionCache "dbm:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache"
    Comment out:
    SSLSessionCache "shmcb:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)"
    Locate the <VirtualHost _default_:443> tag and configure the following:
    Add the following directive:
    SSLProxyEngine On
    Configure the path to your SSL Certificate saved in step 3-5 above:
    SSLCertificateFile "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\ssl\yourcert.pem"
    Configure the path to your private key saved in step 3-5 above:
    SSLCertificateKeyFile "C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\ssl\yourcert.key"
    Optionally, configure the SSLCACertificateFile (you can download the appropriate bundle from your CA).
    Optionally, configure logging directives.
    Save and close httpd-ssl.conf
    Restart the Apache2.2 service
    Configure public DNS records and appropriate firewall rules to allow public http/https traffic to the external interface of your reverse proxy, and to allow the internal interface of
    the reverse proxy to talk to the front end Lync server on 8080 and 4443.
    From an external connection, test connectivity through the reverse proxy:
    Test
    https://dialin.company.com (friendly URL for getting dial-in information, if you’re using voice conferencing)
    Test the Lync Web App by setting up an online meeting and following the URL to join the meeting. 
    You can force the use of the web app by appending ?sl= to the end of the meet.company.com link. 
    See this for more information http://blogs.technet.com/b/jenstr/archive/2010/11/30/launching-lync-web-app.aspx
    Hope this information is helpful and saves some of you some money and trouble.
    Please contact me if you need further clarification or see any mistakes in my notes.
    Best regards,
    Kenneth Walden
    Enterprise Systems Supervisor
    GSD&M
    Austin, TX

    I'd like to thank you for this article.  We were setting up Apache RP for Lync .... needless to say they weren't too excited to learn this new (and highly complex with lots of specific undocumented requirements) Microsoft product.  Anyways, your
    blog saved me a LOT of headache.  I owe you big time. 
    AWESOME JOB. 
    -Greg
    *****EDIT***
    Decided to come back in there and post good information.  We had issues with EXTERNAL and ANONYMOUS users being able to attend a meeting.  The "DIALUP" url was working fine but the "MEETING" url was broken.  On our WFE servers we were getting
    the event error as below.   Turns out that our reverse proxy was not set to "PROXYPRESERVEHOST ON".  Once we put that in there ALL was good.
    Notice that the MEET portion was the only thing that was really broken.  So, if you can get DIALUP to work, but MEET doesn't ... your RP is working to FW the 443 to the 4443 correctly but your RP is sending the wrong HEADER.  Look for
    http://10.x.x.x/meet/ or something in the event logs. 
    Log Name:      Application
    Source:        ASP.NET 2.0.50727.0
    Date:          11/16/2011 1:26:35 PM
    Event ID:      1309
    Task Category: Web Event
    Level:         Warning
    Keywords:      Classic
    User:          N/A
    Computer:      OneofMyInternalWFEservers.local
    Description:
    Event code: 3005
    Event message: An unhandled exception has occurred.
    Event time: 11/16/2011 1:26:35 PM
    Event time (UTC): 11/16/2011 6:26:35 PM
    Event ID: b2039ecd0a62482284030f62e1e639d8
    Event sequence: 129
    Event occurrence: 28
    Event detail code: 0
    Application information:
        Application domain: /LM/W3SVC/34578/ROOT/meet-1-129658725547585993
        Trust level: Full
        Application Virtual Path: /meet
        Application Path: C:\Program Files\Microsoft Lync Server 2010\Web Components\Join Launcher\Ext\
        Machine name: MYWFE.local
    Process information:
        Process ID: 14204
        Process name: w3wp.exe
        Account name: NT AUTHORITY\NETWORK SERVICE
    Exception information:
        Exception type: HttpException
        Exception message: Server cannot append header after HTTP headers have been sent. 
    Request information:
        Request URL:
    https://FQDN:4443/meet/MyName/456456
        User host address: gatewayIP
        User: 
        Is authenticated: False
        Authentication Type: 
        Thread account name: NT AUTHORITY\NETWORK SERVICE
    Thread information:
        Thread ID: 7
        Thread account name: NT AUTHORITY\NETWORK SERVICE
        Is impersonating: False
        Stack trace:    at System.Web.HttpHeaderCollection.SetHeader(String name, String value, Boolean replace)
       at Microsoft.Rtc.Internal.WebServicesAuthFramework.OCSAuthModule.EndRequest(Object source, EventArgs e)
       at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
    Custom event details:
    Event Xml:
    <Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
      <System>
        <Provider Name="ASP.NET 2.0.50727.0" />
        <EventID Qualifiers="32768">1309</EventID>
        <Level>3</Level>
        <Task>3</Task>
        <Keywords>0x80000000000000</Keywords>
        <TimeCreated SystemTime="2011-11-16T18:26:35.000000000Z" />
        <EventRecordID>4483</EventRecordID>
        <Channel>Application</Channel>
        <Computer>XXXXXXXXXXXXXXXXXX</Computer>
        <Security />
      </System>
      <EventData>
        <Data>3005</Data>
        <Data>An unhandled exception has occurred.</Data>
        <Data>11/16/2011 1:26:35 PM</Data>
        <Data>11/16/2011 6:26:35 PM</Data>
        <Data>b2039ecd0a62482284030f62e1e639d8</Data>
        <Data>129</Data>
        <Data>28</Data>
        <Data>0</Data>
        <Data>/LM/W3SVC/34578/ROOT/meet-1-129658725547585993</Data>
        <Data>Full</Data>
        <Data>/meet</Data>
        <Data>C:\Program Files\Microsoft Lync Server 2010\Web Components\Join Launcher\Ext\</Data>
        <Data>SNKXS300</Data>
        <Data>
        </Data>
        <Data>14204</Data>
        <Data>w3wp.exe</Data>
        <Data>NT AUTHORITY\NETWORK SERVICE</Data>
        <Data>HttpException</Data>
        <Data>Server cannot append header after HTTP headers have been sent.</Data>
        <Data>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</Data>
        <Data>/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</Data>
        <Data>10.71.1.1</Data>
        <Data>
        </Data>
        <Data>False</Data>
        <Data>
        </Data>
        <Data>NT AUTHORITY\NETWORK SERVICE</Data>
        <Data>7</Data>
        <Data>NT AUTHORITY\NETWORK SERVICE</Data>
        <Data>False</Data>
        <Data>   at System.Web.HttpHeaderCollection.SetHeader(String name, String value, Boolean replace)
       at Microsoft.Rtc.Internal.WebServicesAuthFramework.OCSAuthModule.EndRequest(Object source, EventArgs e)
       at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
       at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean&amp; completedSynchronously)
    </Data>
      </EventData>
    </Event>
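An added example, not part of either post above: a small Python check for the directives this thread depends on (`ProxyRequests Off`, `ProxyPreserveHost On`, and `SSLProxyEngine On` when the backend is `https://`). The function names, finding labels and sample configurations are constructed for illustration, and the parser is line-based, so it ignores `<VirtualHost>` scoping.

```python
def parse_directives(conf_text):
    """Return (lower-cased name, argument string) for each active directive.

    Blank lines, comments and section tags such as <Proxy *> are skipped.
    Apache directive names are case-insensitive, hence the lower-casing.
    """
    directives = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        args = parts[1].strip() if len(parts) > 1 else ""
        directives.append((parts[0].lower(), args))
    return directives


def effective(directives, name, default):
    """Last value given for an On/Off directive, or Apache's default."""
    value = default
    for key, args in directives:
        if key == name and args:
            value = args.split()[0]
    return value.lower()


def audit_reverse_proxy(conf_text):
    """Return a list of finding labels; an empty list means all checks passed."""
    directives = parse_directives(conf_text)
    backends = []
    for key, args in directives:
        fields = args.split()
        # "ProxyPass /path !" is an exclusion, not a backend mapping.
        if key == "proxypass" and len(fields) >= 2 and fields[1] != "!":
            backends.append(fields[1])

    findings = []
    if not backends:
        findings.append("no-proxypass")
    # ProxyRequests On would make the server a forward proxy as well.
    if effective(directives, "proxyrequests", "off") != "off":
        findings.append("forward-proxy-enabled")
    # Without this the backend sees its own name in Host, the failure
    # described in the reply above for the /meet URL.
    if effective(directives, "proxypreservehost", "off") != "on":
        findings.append("host-header-not-preserved")
    # mod_proxy needs SSLProxyEngine to open TLS connections to a backend.
    uses_tls = any(b.lower().startswith("https://") for b in backends)
    if uses_tls and effective(directives, "sslproxyengine", "off") != "on":
        findings.append("sslproxyengine-off")
    return findings


# Constructed sample: the directives from the walkthrough, httpd.conf and
# httpd-ssl.conf concatenated.
LYNC_CONF = """
ProxyRequests Off
<Proxy *>
Order Deny,Allow
Allow from all
</Proxy>
ProxyPass / https://yourfrontend.domain.com:4443/
ProxyPassReverse / https://yourfrontend.domain.com:4443/
ProxyPreserveHost On
SSLProxyEngine On
"""

# Constructed sample: the same configuration with ProxyPreserveHost missing.
MISSING_PRESERVE_HOST = LYNC_CONF.replace("ProxyPreserveHost On\n", "")

# Constructed sample: forward proxying left on and no TLS client engine.
WEAK_CONF = """
ProxyRequests On
ProxyPass / https://yourfrontend.domain.com:4443/
ProxyPassReverse / https://yourfrontend.domain.com:4443/
"""

if __name__ == "__main__":
    for label, text in [("walkthrough", LYNC_CONF),
                        ("missing ProxyPreserveHost", MISSING_PRESERVE_HOST),
                        ("weak", WEAK_CONF)]:
        print(label, "->", audit_reverse_proxy(text) or "ok")
```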

  • Apache as reverse proxy - 400 Bad request

    Hi all,
    I've configured Apache as a reverse proxy according to this blog:
    The Reverse Proxy Series -- Part 3: Apache as a reverse-proxy
    When I try to navigate http://testcomp/irj I get "400 - Bad request"
    See exception;
    Message : User Guest, IP address
    Cannot parse the http request. Http error response [400 Bad Request] will be returned. Request is [Host: sapportal:50000
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, /
    Accept-Language: en,he;q=0.5
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; FDM; .NET CLR 2.0.50727)
    Max-Forwards: 10
    Via: 1.1 localhost
    X-Forwarded-For: 10.0.0.4
    X-Forwarded-Host: 10.0.0.6
    X-Forwarded-Server: localhost
    Connection: Keep-Alive
    GET /irj HTTP/1.1
    Host: sapportal:50000
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, /
    Accept-Language: en,he;q=0.5
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; FDM; .NET CLR 2.0.50727)
    Max-Forwards: 10
    Via: 1.1 localhost
    X-Forwarded-For: 10.0.0.4
    X-Forwarded-Host: 10.0.0.6
    X-Forwarded-Server: localhost
    Connection: Keep-Alive
    com.sap.engine.services.httpserver.exceptions.HttpIllegalArgumentException: Incompatible field content in the MIME header.
         at com.sap.engine.services.httpserver.lib.headers.MimeHeaderField.parse(MimeHeaderField.java:364)
         at com.sap.engine.services.httpserver.lib.headers.MimeHeaders.init(MimeHeaders.java:504)
         at com.sap.engine.services.httpserver.server.RequestAnalizer.initialize(RequestAnalizer.java:196)
         at com.sap.engine.services.httpserver.server.Client.initialize(Client.java:84)
         at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:143)
         at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
         at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
         at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
         at java.security.AccessController.doPrivileged(Native Method)
         at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
         at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
    Severity : Error
    Category :
    Location : com.sap.engine.services.httpserver
    Application :
    Thread : SAPEngine_Application_Thread[impl:3]_32
    Datasource : 9332850:C:usrsapPD9JC00j2eeclusterserver0logdefaultTrace.trc
    Message ID : 000C29EFE9A300570000002D00000B9000043A81D3311894
    Source Name : com.sap.engine.services.httpserver
    Argument Objs :
    Arguments :
    Dsr Component :
    Dsr Transaction : 5359e85066e411dcbf6b000c29efe9a3
    Dsr User :
    Indent : 0
    Level : 0
    Message Code :
    Message Type : 0
    Relatives :
    Resource Bundlename :
    Session : 2
    Source : com.sap.engine.services.httpserver
    ThreadObject : SAPEngine_Application_Thread[impl:3]_32
    Transaction :
    User : Guest
    The lines I added to http.conf
    #Enable reverse-proxying
    ProxyVia on
    ProxyTimeout 600
    #disable forward-proxying
    ProxyRequests Off
    #proxy /irj both ways
    ProxyPass /irj http://sapportal:50000/irj
    ProxyPassReverse /irj http://testcomp/irj
    #proxy /logon both ways
    ProxyPass /logon http://sapportal:50000/logon
    ProxyPassReverse /logon http://testcomp/logon
    I tried with apache version 2.2.3 & 2.0.59 with no success.
    My J2EE/Portal version is 6.17.
    Since this is a testing environment the two computers are under the same workgroup (no domain).
    If I navigate directly to the portal (without the reverse proxy) everything is working.
    How can I solve it?
    Regards,
    Omri

    Hi Jakub,
    Thanks for the answer.
    It's not working for me...
    I'm attaching my httpd.conf file.
    Also, what apache version do you use?
    Can you post your httpd.conf file?
    Thanks,
    Omri
    httpd.conf
    This is the main Apache HTTP server configuration file.  It contains the
    configuration directives that give the server its instructions.
    See <URL:http://httpd.apache.org/docs/2.2/> for detailed information.
    In particular, see
    <URL:http://httpd.apache.org/docs/2.2/mod/directives.html>
    for a discussion of each configuration directive.
    Do NOT simply read the instructions in here without understanding
    what they do.  They're here only as hints or reminders.  If you are unsure
    consult the online docs. You have been warned. 
    Configuration and logfile names: If the filenames you specify for many
    of the server's control files begin with "/" (or "drive:/" for Win32), the
    server will use that explicit path.  If the filenames do not begin
    with "/", the value of ServerRoot is prepended -- so "logs/foo.log"
    with ServerRoot set to "c:/apache" will be interpreted by the
    server as "c:/apache/logs/foo.log".
    NOTE: Where filenames are specified, you must use forward slashes
    instead of backslashes (e.g., "c:/apache" instead of "c:\apache").
    If a drive letter is omitted, the drive on which Apache.exe is located
    will be used by default.  It is recommended that you always supply
    an explicit drive letter in absolute paths, however, to avoid
    confusion.
    ThreadsPerChild: constant number of worker threads in the server process
    MaxRequestsPerChild: maximum  number of requests a server process serves
    ThreadsPerChild 250
    MaxRequestsPerChild  0
    ServerRoot: The top of the directory tree under which the server's
    configuration, error, and log files are kept.
    Do not add a slash at the end of the directory path.  If you point
    ServerRoot at a non-local disk, be sure to point the LockFile directive
    at a local disk.  If you wish to share the same ServerRoot for multiple
    httpd daemons, you will need to change at least LockFile and PidFile.
    ServerRoot "c:/apache"
    Listen: Allows you to bind Apache to specific IP addresses and/or
    ports, instead of the default. See also the <VirtualHost>
    directive.
    Change this to Listen on specific IP addresses as shown below to
    prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
    #Listen 12.34.56.78:80
    Listen 80
    Dynamic Shared Object (DSO) Support
    To be able to use the functionality of a module which was built as a DSO you
    have to place corresponding `LoadModule' lines at this location so the
    directives contained in it are actually available before they are used.
    Statically compiled modules (those listed by `httpd -l') do not need
    to be loaded here.
    Example:
    LoadModule foo_module modules/mod_foo.so
    LoadModule actions_module modules/mod_actions.so
    LoadModule alias_module modules/mod_alias.so
    LoadModule asis_module modules/mod_asis.so
    LoadModule auth_basic_module modules/mod_auth_basic.so
    #LoadModule auth_digest_module modules/mod_auth_digest.so
    #LoadModule authn_anon_module modules/mod_authn_anon.so
    #LoadModule authn_dbm_module modules/mod_authn_dbm.so
    LoadModule authn_default_module modules/mod_authn_default.so
    LoadModule authn_file_module modules/mod_authn_file.so
    #LoadModule authz_dbm_module modules/mod_authz_dbm.so
    LoadModule authz_default_module modules/mod_authz_default.so
    LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
    LoadModule authz_host_module modules/mod_authz_host.so
    LoadModule authz_user_module modules/mod_authz_user.so
    LoadModule autoindex_module modules/mod_autoindex.so
    #LoadModule cern_meta_module modules/mod_cern_meta.so
    LoadModule cgi_module modules/mod_cgi.so
    #LoadModule dav_module modules/mod_dav.so
    #LoadModule dav_fs_module modules/mod_dav_fs.so
    #LoadModule deflate_module modules/mod_deflate.so
    LoadModule dir_module modules/mod_dir.so
    LoadModule env_module modules/mod_env.so
    #LoadModule expires_module modules/mod_expires.so
    #LoadModule file_cache_module modules/mod_file_cache.so
    #LoadModule headers_module modules/mod_headers.so
    LoadModule imagemap_module modules/mod_imagemap.so
    LoadModule include_module modules/mod_include.so
    #LoadModule info_module modules/mod_info.so
    LoadModule isapi_module modules/mod_isapi.so
    LoadModule log_config_module modules/mod_log_config.so
    LoadModule mime_module modules/mod_mime.so
    #LoadModule mime_magic_module modules/mod_mime_magic.so
    LoadModule proxy_module modules/mod_proxy.so
    #LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
    #LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
    #LoadModule proxy_connect_module modules/mod_proxy_connect.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    #LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
    LoadModule negotiation_module modules/mod_negotiation.so
    #LoadModule rewrite_module modules/mod_rewrite.so
    LoadModule setenvif_module modules/mod_setenvif.so
    #LoadModule speling_module modules/mod_speling.so
    #LoadModule status_module modules/mod_status.so
    #LoadModule unique_id_module modules/mod_unique_id.so
    LoadModule userdir_module modules/mod_userdir.so
    #LoadModule usertrack_module modules/mod_usertrack.so
    #LoadModule vhost_alias_module modules/mod_vhost_alias.so
    #LoadModule ssl_module modules/mod_ssl.so
    'Main' server configuration
    The directives in this section set up the values used by the 'main'
    server, which responds to any requests that aren't handled by a
    <VirtualHost> definition.  These values also provide defaults for
    any <VirtualHost> containers you may define later in the file.
    All of these directives may appear inside <VirtualHost> containers,
    in which case these default settings will be overridden for the
    virtual host being defined.
    ServerAdmin: Your address, where problems with the server should be
    e-mailed.  This address appears on some server-generated pages, such
    as error documents.  e.g. [email protected]
    ServerAdmin @@ServerAdmin@@
    ServerName gives the name and port that the server uses to identify itself.
    This can often be determined automatically, but we recommend you specify
    it explicitly to prevent problems during startup.
    If your host doesn't have a registered DNS name, enter its IP address here.
    ServerName localhost:80
    DocumentRoot: The directory out of which you will serve your
    documents. By default, all requests are taken from this directory, but
    symbolic links and aliases may be used to point to other locations.
    DocumentRoot "c:/apache/htdocs"
    Each directory to which Apache has access can be configured with respect
    to which services and features are allowed and/or disabled in that
    directory (and its subdirectories).
    First, we configure the "default" to be a very restrictive set of
    features. 
    <Directory />
        Options FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Satisfy all
    </Directory>
    Note that from this point forward you must specifically allow
    particular features to be enabled - so if something's not working as
    you might expect, make sure that you have specifically enabled it
    below.
    This should be changed to whatever you set DocumentRoot to.
    <Directory "c:/apache/htdocs">
    Possible values for the Options directive are "None", "All",
    or any combination of:
      Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    Note that "MultiViews" must be named explicitly --- "Options All"
    doesn't give it to you.
    The Options directive is both complicated and important.  Please see
    http://httpd.apache.org/docs/2.2/mod/core.html#options
    for more information.
        Options Indexes FollowSymLinks
    AllowOverride controls what directives may be placed in .htaccess files.
    It can be "All", "None", or any combination of the keywords:
      Options FileInfo AuthConfig Limit
        AllowOverride None
    Controls who can get stuff from this server.
        Order allow,deny
        Allow from all
    </Directory>
    DirectoryIndex: sets the file that Apache will serve if a directory
    is requested.
    <IfModule dir_module>
        DirectoryIndex index.html
    </IfModule>
    The following lines prevent .htaccess and .htpasswd files from being
    viewed by Web clients.
    <FilesMatch "^\.ht">
        Order allow,deny
        Deny from all
    </FilesMatch>
    ErrorLog: The location of the error log file.
    If you do not specify an ErrorLog directive within a <VirtualHost>
    container, error messages relating to that virtual host will be
    logged here.  If you do define an error logfile for a <VirtualHost>
    container, that host's errors will be logged there and not here.
    ErrorLog logs/error.log
    LogLevel: Control the number of messages logged to the error_log.
    Possible values include: debug, info, notice, warn, error, crit,
    alert, emerg.
    LogLevel warn
    <IfModule log_config_module>
    The following directives define some format nicknames for use with
    a CustomLog directive (see below).
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
        LogFormat "%h %l %u %t \"%r\" %>s %b" common
        <IfModule logio_module>
          # You need to enable mod_logio.c to use %I and %O
          LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
        </IfModule>
    The location and format of the access logfile (Common Logfile Format).
    If you do not define any access logfiles within a <VirtualHost>
    container, they will be logged here.  Contrariwise, if you do
    define per-<VirtualHost> access logfiles, transactions will be
    logged therein and not in this file.
        CustomLog logs/access.log common
    If you prefer a logfile with access, agent, and referer information
    (Combined Logfile Format) you can use the following directive.
        #CustomLog logs/access.log combined
    </IfModule>
    <IfModule alias_module>
    Redirect: Allows you to tell clients about documents that used to
    exist in your server's namespace, but do not anymore. The client
    will make a new request for the document at its new location.
    Example:
    Redirect permanent /foo http://www.example.com/bar
    Alias: Maps web paths into filesystem paths and is used to
    access content that does not live under the DocumentRoot.
    Example:
    Alias /webpath /full/filesystem/path
    If you include a trailing / on /webpath then the server will
    require it to be present in the URL.  You will also likely
    need to provide a <Directory> section to allow access to
    the filesystem path.
    ScriptAlias: This controls which directories contain server scripts.
    ScriptAliases are essentially the same as Aliases, except that
    documents in the target directory are treated as applications and
    run by the server when requested rather than as documents sent to the
    client.  The same rules about trailing "/" apply to ScriptAlias
    directives as to Alias.
        ScriptAlias /cgi-bin/ "c:/apache/cgi-bin/"
    </IfModule>
    "c:/apache/cgi-bin" should be changed to whatever your ScriptAliased
    CGI directory exists, if you have that configured.
    <Directory "c:/apache/cgi-bin">
        AllowOverride None
        Options None
        Order allow,deny
        Allow from all
    </Directory>
    Apache parses all CGI scripts for the shebang line by default.
    This comment line, the first line of the script, consists of the symbols
    pound (#) and exclamation followed by the path of the program that
    can execute this specific script.  For a perl script, with perl.exe in
    the C:\Program Files\Perl directory, the shebang line should be:
       #!c:/program files/perl/perl
    Note you _must_not_ indent the actual shebang line, and it must be the
    first line of the file.  Of course, CGI processing must be enabled by
    the appropriate ScriptAlias or Options ExecCGI directives for the files
    or directory in question.
    However, Apache on Windows allows either the Unix behavior above, or can
    use the Registry to match files by extention.  The command to execute
    a file of this type is retrieved from the registry by the same method as
    the Windows Explorer would use to handle double-clicking on a file.
    These script actions can be configured from the Windows Explorer View menu,
    'Folder Options', and reviewing the 'File Types' tab.  Clicking the Edit
    button allows you to modify the Actions, of which Apache 1.3 attempts to
    perform the 'Open' Action, and failing that it will try the shebang line.
    This behavior is subject to change in Apache release 2.0.
    Each mechanism has it's own specific security weaknesses, from the means
    to run a program you didn't intend the website owner to invoke, and the
    best method is a matter of great debate.
    To enable the this Windows specific behavior (and therefore -disable- the
    equivilant Unix behavior), uncomment the following directive:
    #ScriptInterpreterSource registry
    The directive above can be placed in individual <Directory> blocks or the
    .htaccess file, with either the 'registry' (Windows behavior) or 'script'
    (Unix behavior) option, and will override this server default option.
    DefaultType: the default MIME type the server will use for a document
    if it cannot otherwise determine one, such as from filename extensions.
    If your server contains mostly text or HTML documents, "text/plain" is
    a good value.  If most of your content is binary, such as applications
    or images, you may want to use "application/octet-stream" instead to
    keep browsers from trying to display binary files as though they are
    text.
    DefaultType text/plain
    <IfModule mime_module>
    TypesConfig points to the file containing the list of mappings from
    filename extension to MIME-type.
        TypesConfig conf/mime.types
    AddType allows you to add to or override the MIME configuration
    file specified in TypesConfig for specific file types.
        #AddType application/x-gzip .tgz
    AddEncoding allows you to have certain browsers uncompress
    information on the fly. Note: Not all browsers support this.
        #AddEncoding x-compress .Z
        #AddEncoding x-gzip .gz .tgz
    If the AddEncoding directives above are commented-out, then you
    probably should define those extensions to indicate media types:
        AddType application/x-compress .Z
        AddType application/x-gzip .gz .tgz
    AddHandler allows you to map certain file extensions to "handlers":
    actions unrelated to filetype. These can be either built into the server
    or added with the Action directive (see below)
    To use CGI scripts outside of ScriptAliased directories:
    (You will also need to add "ExecCGI" to the "Options" directive.)
        #AddHandler cgi-script .cgi
    For type maps (negotiated resources):
        #AddHandler type-map var
    Filters allow you to process content before it is sent to the client.
    To parse .shtml files for server-side includes (SSI):
    (You will also need to add "Includes" to the "Options" directive.)
        #AddType text/html .shtml
        #AddOutputFilter INCLUDES .shtml
    </IfModule>
    The mod_mime_magic module allows the server to use various hints from the
    contents of the file itself to determine its type.  The MIMEMagicFile
    directive tells the module where the hint definitions are located.
    #MIMEMagicFile conf/magic
    Customizable error responses come in three flavors:
    1) plain text 2) local redirects 3) external redirects
    Some examples:
    #ErrorDocument 500 "The server made a boo boo."
    #ErrorDocument 404 /missing.html
    #ErrorDocument 404 "/cgi-bin/missing_handler.pl"
    #ErrorDocument 402 http://www.example.com/subscription_info.html
    EnableMMAP and EnableSendfile: On systems that support it,
    memory-mapping or the sendfile syscall is used to deliver
    files.  This usually improves server performance, but must
    be turned off when serving from networked-mounted
    filesystems or if support for these functions is otherwise
    broken on your system.
    #EnableMMAP off
    #EnableSendfile off
    Supplemental configuration
    The configuration files in the conf/extra/ directory can be
    included to add extra features or to modify the default configuration of
    the server, or you may simply copy their contents here and change as
    necessary.
    Server-pool management (MPM specific)
    #Include conf/extra/httpd-mpm.conf
    Multi-language error messages
    #Include conf/extra/httpd-multilang-errordoc.conf
    Fancy directory listings
    #Include conf/extra/httpd-autoindex.conf
    Language settings
    #Include conf/extra/httpd-languages.conf
    User home directories
    #Include conf/extra/httpd-userdir.conf
    Real-time info on requests and configuration
    #Include conf/extra/httpd-info.conf
    Virtual hosts
    #Include conf/extra/httpd-vhosts.conf
    Local access to the Apache HTTP Server Manual
    #Include conf/extra/httpd-manual.conf
    Distributed authoring and versioning (WebDAV)
    #Include conf/extra/httpd-dav.conf
    Various default settings
    #Include conf/extra/httpd-default.conf
    Secure (SSL/TLS) connections
    #Include conf/extra/httpd-ssl.conf
    Note: The following must be present to support
          starting without SSL on platforms with no /dev/random equivalent
          but a statically compiled-in mod_ssl.
    <IfModule ssl_module>
    SSLRandomSeed startup builtin
    SSLRandomSeed connect builtin
    </IfModule>
    ProxyPreserveHost On
    ProxyVia on
    ProxyTimeout 600
    #disable forward-proxying
    ProxyRequests Off
    #proxy /irj both ways
    ProxyPass /irj http://sapportal:50000/irj
    ProxyPassReverse /irj http://sapportal:50000/irj
    #ProxyPassReverse /irj http://testcomp/irj
    #proxy /logon both ways
    ProxyPass /logon http://sapportal:50000/logon
    ProxyPassReverse /logon http://sapportal:50000/logon
    #ProxyPassReverse /logon http://testcomp/logon

  • Reverse proxy setup problems

    I am trying to setup a reverse proxy using iPlanet Web Proxy Server 3.6. I have followed the instructions in the manual which seems pretty straight forward but nothing is happening. I am getting no traffic at all between any of the boxes involved. I have been using apache before without any problems but wanted to move to something more scaleable as I would like to have multiple reverse proxys. Can anyone give any suggestions as to what might be wrong. Thanks.

    Have you tried this technote ===>
    http://knowledgebase.iplanet.com/ikb/kb/articles/1173.html
    The reverse proxy setup requires regular mappings and reverse mappings. Regular mappings re-map the requested URL to the actual origin
    server. The reverse mappings re-map Location: headers coming back in 3xx redirections.
    In some cases, customers have sent technical support obj.conf files with the mapping entries in the wrong order. All of the
    "reverse-map" functions should be placed before the "map" functions.
    There may be two causes:
    1. Hand editing of the obj.conf files
    Use the admin interface to create reverse proxy map entries.
    2. Old versions of Admin Server
    There may have been problems with creating reverse proxy maps in Proxy 2.x, which used Admin Server 2.x. This problem does not
    occur with Admin 3.5.
    Example:
    NameTrans fn="reverse-map" from="http://www.news.com"
    to="http://kwikimart.mcom.com:8080/news"
    NameTrans fn="map" from="http://kwikimart.mcom.com:8080/news"
    to="http://www.news.com"
    NameTrans fn="map" from="/news" to="http://www.news.com"
    Note the "reverse-map" function appears before the "map" functions.
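An added example, not from the technote or the posters: a Python check that reads the `NameTrans` lines of an obj.conf and reports any `reverse-map` placed after a `map`. It also flags a `map` whose `to` origin has no `reverse-map` with a matching `from`, a pairing inferred from the technote's example rather than stated by it. The function names and the sample inputs other than the technote's own three directives are constructed.

```python
import re

# A directive starts with a keyword followed by fn=...; any other
# non-blank line is treated as a continuation of the previous directive.
DIRECTIVE_START = re.compile(r'^\s*([A-Za-z]+)\s+fn=')
ATTRIBUTE = re.compile(r'([\w-]+)="([^"]*)"')


def parse_nametrans(obj_conf_text):
    """Return one dict per NameTrans directive: its attributes plus 'line'."""
    logical = []  # [directive keyword, first line number, joined text]
    for line_no, raw in enumerate(obj_conf_text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped[0] in "#<":
            continue  # blank, comment, or <Object> tag
        match = DIRECTIVE_START.match(raw)
        if match:
            logical.append([match.group(1), line_no, stripped])
        elif logical:
            logical[-1][2] += " " + stripped
    entries = []
    for keyword, line_no, text in logical:
        if keyword == "NameTrans":
            entry = dict(ATTRIBUTE.findall(text))
            entry["line"] = line_no
            entries.append(entry)
    return entries


def check_mapping_order(obj_conf_text):
    """Return (kind, line, message) findings; empty when the order is right."""
    entries = parse_nametrans(obj_conf_text)
    findings = []
    first_map_line = None
    for entry in entries:
        fn = entry.get("fn")
        if fn == "map" and first_map_line is None:
            first_map_line = entry["line"]
        elif fn == "reverse-map" and first_map_line is not None:
            findings.append((
                "order", entry["line"],
                f'reverse-map from="{entry.get("from")}" comes after '
                f'the map on line {first_map_line}'))
    # Assumption drawn from the technote's example: the reverse-map "from"
    # is the origin that the regular maps send requests "to".
    reversed_origins = {e.get("from") for e in entries
                        if e.get("fn") == "reverse-map"}
    for entry in entries:
        if entry.get("fn") == "map" and entry.get("to") not in reversed_origins:
            findings.append((
                "unpaired", entry["line"],
                f'map to="{entry.get("to")}" has no matching reverse-map'))
    return findings


# The three directives from the technote, in the order it recommends.
TECHNOTE_EXAMPLE = '''\
NameTrans fn="reverse-map" from="http://www.news.com"
to="http://kwikimart.mcom.com:8080/news"
NameTrans fn="map" from="http://kwikimart.mcom.com:8080/news"
to="http://www.news.com"
NameTrans fn="map" from="/news" to="http://www.news.com"
'''

# Constructed sample: the same directives with the maps listed first.
MISORDERED = '''\
<Object name="default">
NameTrans fn="map" from="http://kwikimart.mcom.com:8080/news"
    to="http://www.news.com"
NameTrans fn="map" from="/news" to="http://www.news.com"
NameTrans fn="reverse-map" from="http://www.news.com"
    to="http://kwikimart.mcom.com:8080/news"
</Object>
'''

if __name__ == "__main__":
    for name, text in [("technote", TECHNOTE_EXAMPLE), ("misordered", MISORDERED)]:
        print(name, "->", check_mapping_order(text) or "ok")
```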

  • Reverse Proxy Pbm Rewriting Location

    Sun Java Web Proxy Server v4.0.7 is running on Windows 2003 Server.
    The SJWP server is running as a reverse proxy for the following domains:
    app.example1.com
    appmgt.example1.com
    I have configured the SJWP server to use Virtual Multihosting in Reverse Proxy:
    app.example1.com --> app.example2.com
    appmgt.example1.com --> appmgt.example2.com
    The SJWP server routes all requests through another web proxy (squid), but this is acting as a forward proxy.
    The SJWP server has a Content URL Rewriting filter (because all pages within example2.com use fixed path URLs, not relative ones):
    Source Pattern: example2.com
    Destination Pattern: example1.com
    MIME Type: *
    At one point, when trying to load a page from app.example1.com (app.example2.com) -- the page attempts to do a Location redirect from app.example1.com to app.example2.com, and this fails since the client does not know about example2.com.
    The problem seems to be that the SJWP server is not rewriting the Location header.
    What do I need to do to get the SJWP rewrite the Location header? Shouldn't the virtual multihosting config handle this?
    Edited by: macdsg on Jul 31, 2008 10:41 AM

    No, a virtual multihosting configuration does not do rewriting of "Location" headers.
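
What a Location rewrite has to do for the host mapping in this thread, as an added example that is not part of the original posts and is not SJWP configuration. The function names are hypothetical; it assumes the public side uses the default port, so any backend port is dropped, and it matches on the parsed host name rather than on a substring such as `example2.com`.

```python
from urllib.parse import urlsplit, urlunsplit

# Backend host -> public host, from the virtual multihosting table in the question.
HOST_MAP = {
    "app.example2.com": "app.example1.com",
    "appmgt.example2.com": "appmgt.example1.com",
}

def rewrite_location(value, host_map=HOST_MAP):
    """Return (new_value, status) for a backend Location header value.

    status is 'relative' (no host, nothing to rewrite), 'rewritten', or
    'unmapped' (absolute URL whose host is not in the table; left unchanged
    so it can be reviewed)."""
    parts = urlsplit(value)
    if not parts.netloc:
        return value, "relative"
    host = (parts.hostname or "").lower()   # exact host match, case-insensitive
    public = host_map.get(host)
    if public is None:
        return value, "unmapped"
    # Assumption: the public site listens on the scheme's default port.
    return urlunsplit(parts._replace(netloc=public)), "rewritten"

def rewrite_headers(headers, host_map=HOST_MAP):
    """Rewrite Location in a list of (name, value) response headers.

    Returns (new_headers, unmapped), where unmapped lists Location values
    that still point at a host the client may not be able to reach."""
    out, unmapped = [], []
    for name, value in headers:
        if name.lower() == "location":
            value, status = rewrite_location(value, host_map)
            if status == "unmapped":
                unmapped.append(value)
        out.append((name, value))
    return out, unmapped

# Constructed sample: a 3xx response from the backend as described in the question.
SAMPLE_RESPONSE = [("Content-Length", "0"),
                   ("Location", "http://app.example2.com/portal/")]

if __name__ == "__main__":
    print(rewrite_headers(SAMPLE_RESPONSE))
```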

  • Is this dynamic caching scenario possible with reverse proxy?

    I'm considering using the Sun System Java Web Server as a reverse proxy in front of other SSJWS's running a java webapp. I'm creating a dynamic site where most of the pages change only occasionally. I'm wondering if the following "dream compression/caching" scenario is possible:
    - Origin web servers have a set of high traffic dynamic pages that change only occasionally. Other pages (could be partitioned in subdirs) should not be cached.
    - These dynamic pages set cache and expires headers allowing browser and proxies to cache the content--say for hours or days. It's ok if users see a slightly stale page within this expiration period.
    - Reverse proxy caches these pages as if they were static files. They also create gzipped versions on the fly and cache those. When requests come in for these specific pages, they are served straight from proxy cache (either compressed or uncompressed depending on request header.)
    - When the expiration date is reached, reverse proxy requests fresh pages from the origin server, creates a compressed version, and only serves these pages from cache.
    - A certain set of pages shouldn't be cached and will have appropriate headers. They will probably also be in different subdirectories.
    Is it possible to use the reverse proxy as a self-updating cache this way? (And is it possible to proactively invalidate the cache? Let's say I change a page on the origin and I want the proxy to refresh that cached page right away.)
    Thank you,
    Armando

    I see. Thank you, this is very helpful.
    I've taken a look at Web Proxy 4. It seems it can do much of what I'd like. One downside I see is that it seems to be quite a big tool with all of the forward proxying features that I don't need. I just need a transparent reverse proxy/cache, so it would have been nice if the reverse proxy provided by Sun Web Server offered some of the caching features of Web Proxy 4.
    Does Web Proxy 4 share code with Web Server? I haven't seen any buzz, blogs, etc. about it as I have with Sun Web Server. I see it now has a "modern HTTP core" and such, but is performance on par with Web Server? (There are no trumpeted world records, and I don't see any architecture details, such as the ability to leverage event ports on Solaris...)
    It looks like Web Proxy 4 can be configured as a reverse proxy to do sticky load balancing, caching with interval checks, and on the fly gzip compression. Can it: cache both a compressed and uncompressed version of the content? Run other filters on the content before caching, such as the sed content trip filter? I haven't really seen anything out there that can do all that. If this is possible, then Web Proxy 4 deserves more buzz!
    If anyone has any good or bad experience using Web Proxy as a reverse proxy, I'd love to hear it!
    Cheers!
    Armando

  • Using reverse proxy and terminating ssl on them

    Hello
    I am trying to set up IAS 9.03 on 2 machines one holding the infrastructure and one holding the midtier.
    We want to terminate the SSL traffic on reverse proxies on Apache. I am not very good at this, so I am looking for a solution. I read that you can do this in the whitepapers on the subject IAS.
    Much thanks for any answer.
    Boris

    1) So initially we had the following:
    <Object name="reverse-proxy-/">
    Route fn="set-origin-server" server="http://server-backend"
    </Object>
    ... and when getting a 401 from the back-end server it would seem that entering credentials in the dialog prompt does not work as is OOB; had it worked we would not have attempted anything further and hence this post would not exist... if we directly access the back-end server our credentials work so that is not the issue.
    2) I agree that the "set-basic-auth" directive should be removed - as it is clearly to supply a user id and password - what was provided was a far fetched attempt to get this to work and will clearly remove it as well as the "forward-proxy-agent" and "forward-proxy-auth"
    When you configure Web Server 7.0 as a reverse proxy, basic auth should work out of the box. If it doesn't, I recommend looking at the HTTP messages to figure out what's gone wrong. If you don't know how to do that and you have a support contract, Sun support should be able to help you.
    That is interesting - is this OOB feature documented anywhere?
    I'll turn up the log level on the RP and see what happens - if I turn it high enough should I be able to see the request headers being forwarded; I'll also try to look at the backend server logs. Is there anything else you suggest - i.e. should be trying to snoop the traffic....

  • Sun Web Server Reverse Proxy and Weblogic HTTP to HTTPS redirection

    Hi,
    I am currently testing reverse-proxy from SJSW 7.0 update 5 to Weblogic server but I have encountered an issue.
    I have configured a context root to be forwarded to weblogic:
    Web Server: www.server.com
    URI: /path
    Reverse Proxy URL: wlserver:9000
    When I access https://www.server.com/path, I am getting the correct page. The issue is, the weblogic server is configured to redirect HTTP access to HTTPS, i.e., when I access http://www.server.com/path, it should be redirected to https://www.server.com/path. However, that is not the case. What happens is that I am being redirected instead to https://www.server.com/.
    If I don't use reverse proxy, that is, if I use the libproxy.so from weblogic, I get the correct redirection.
    Would appreciate it very much if someone can help me troubleshoot this issue.
    Thanks in advance!
    Edited by: agent_orange on Jul 29, 2010 2:30 AM
    Edited by: agent_orange on Jul 29, 2010 2:31 AM

    I am not sure how you have configured your reverse proxy, since you didn't attach or refer to your current configuration file. This is how I would do it:
    - Create a new configuration (using the Web Server 7 admin GUI; within the configuration wizard, disable the Java option if you plan to use Web Server 7 only for reverse proxy).
    - Select this new configuration, go to reverse proxy, and try to reverse proxy / to the origin server.
    That is all it should need.
    Your obj.conf or <hostname>-obj.conf, depending on your configuration, should look like the following snippet:
    <Object name="default">
    AuthTrans..
    NameTrans fn=map from="/" to="/path" name="reverse-proxy-/"
    </object>
    <Object name="reverse-proxy-/">
    Route fn=....
    Service ..
    </Object>
    This is all you should need.
    However, if you wanted to add complexity to your configuration, you could do something like
    <Object name="default">
    Auth..
    <If defined $security>
    NameTrans fn=map from="/" to="/path" name="reverse-proxy-/"
    </If>
    </Object>
    <Object name="reverse-proxy-/">
    Route...
    </Object>

  • Sun Web server 7  - Reverse proxy to different

    Hi All,
    I have following scenario:
    I have deployed my application into 2 dedicated weblogic servers, http://host1:7001/myapp and http://host2:7001/myapp. How can I configure the reverse proxy so that whenever a user enters the URL, the webserver will forward to a different app server like below:
    #1 - http://abc.com >> web server will forward to http://host1:7001/myapp
    #2 - http://abc.com/controller>> web server will forward to http://host2:7001/myapp
    I followed the tutorial from this link >> http://blogs.sun.com/amit/entry/setting_up_a_reverse_proxy
    For requirement #1 it works perfectly since I put URI = /myapp and Server URL = http://host1:7001.
    But for #2, it doesn't work since I put the URI=/controller.
    We wanted it to be like http://abc.com/controller, so it will forward to the second app server, which is a different application.
    Is it possible? Or is there any other way to do that?
    Thanks!

    Hi Sriram,
    I'm having similar problem with atehac, the only difference is that the web server
    #1 http://domain.com/web1 >> forwarded to http://local-pc1.com:8080/
    #2 http://domain.com/web2 >> forwarded to http://local-pc2.com:8080/
    This is the setting that I've made in <vs>obj.conf :
    NameTrans fn="map" from="/web1" name="reverse-proxy-/web1" to="http:/"
    NameTrans fn="map" from="/" name="reverse-proxy-/web1" to="http:/"
    NameTrans fn="map" from="/web2" name="reverse-proxy-/web2" to="http:/"
    NameTrans fn="map" from="/" name="reverse-proxy-/web2" to="http:/"
    <Object name="reverse-proxy-/web1">
    Route fn="set-origin-server" server="http://local-pc1.com:8080"
    </Object>
    <Object name="reverse-proxy-/web2">
    Route fn="set-origin-server" server="http://local-pc2.com:8080"
    </Object>
    But the problem is that local-pc2 cannot be accessed, while local-pc1 is mapped, but it omits /web1.
    So it will be like http://domain.com/web1 at the beginning, but after I press enter it becomes http://domain.com
    What I wish for is something like http://domain.com/web1 all the way.
    Do you have any idea Sriram?
    Regards,
    Berry

  • How to configure SharePoint HNSC with a reverse proxy server so that HNSC Share Point URLs are not exposed to end users.

    Could you please let me know how SharePoint HNSC can be configured with a reverse proxy server so that HNSC Share Point URLs are not exposed to end users.
    In normal path based site collections/web applications, reverse proxy configuration can be done using alternate access mappings with Public URL = "proxy URL", internal = "HNSC Share Point URL" so that share point sends response back to Public URL = "proxy URL".
    In Host Named Site Collections, alternate access mappings are not supported. Each HNSC is designed to have only one URL in each zone. Zone is one of the five zones (Default, Intranet, Internet, Custom, Extranet) with each of which only one alternate URL is associated. This is what we are able to get using power shell command "Set-SPSiteUrl", but this will not help us to get the response back to proxy URL after a request sent to share point because we could not find any mechanism in share point HNSC to respond to a different URL (proxy URL). Consequently, Share Point URLs are exposed to external users.
    Below share point article in MSDN blog is symmetrical to what we are observing with Share Point 2013 and Proxy Server. It mentions that internal HNSC URLs can’t be hidden using any proxy server. If hiding the internal Share Point URLS is a requirement, it suggests to use a web application instead of host named site collections.
    Though I’m also observing the same behavior with Share Point 2013 HNSC, could you please confirm my understanding is correct.
    http://blogs.msdn.com/b/kaevans/archive/2012/03/27/what-every-sharepoint-admin-needs-to-know-about-host-named-site-collections.aspx
    Excerpt from above article-
    "Host Named Site Collections Only Use One Host Name
    Continuing on the discussion on AAMs and host named site collections, you cannot use multiple host names to address a site collection in SharePoint 2010. Because host-named site collections have a single URL, they do not support alternate access mappings and are always considered to be in the Default zone. This is important if you are using a reverse proxy to provide access to external users. Products like Unified Access Gateway 2010 allow external users to authenticate to your gateway and access a site as http://uag.sharepoint.com and forward the call to http://portal.sharepoint.com. Remember that URL rewriting is not permitted. Further, a site collection can only respond to one host name. This means if you are using a reverse proxy, it must forward the calls to the same URL. If your networking team has a policy against exposing internal URLs externally, you must instead use web applications and extend the web application using an alternate access mapping."

    Hi Satish,
    You are right that only one URL is allowed for each zone of the host-name site collections in both SharePoint 2010 and SharePoint 2013.
    It is by design that each host-name site collection only supports one URL for each zone.
    The article below is about RTM version of SharePoint, and it is the same for SharePoint 2013 with the latest CU.
    https://support.microsoft.com/en-us/kb/2826457
    So making the URL of HNSC not exposed to external users is not supported; you need to use path-based sites instead.
    Best regards.
    Thanks
    TechNet Community Support
