HTTP authentication via reverse proxy

Hi,
I've taken a dig around the interface for the 4.0.4 web proxy and in the documentation but haven't come up with much so far.
What I want to do is configure a reverse proxy so that it feeds the HTTP authentication credentials into the server when we reverse from the proxy to it.
i.e.
user --> revproxy --> (http_details) --> webserver
The user won't enter these; they'll somehow, if possible, be configured into the reverse proxy so it knows what HTTP realm string to match to a target host and feed the credentials into it.
Is this possible?

Since it is just a matter of adding an Authorization header, it is possible.
Look around for other discussions on adding headers.
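
The header approach from the reply above, sketched in Python as an added example (not code from the thread or from the proxy product): the proxy reads the realm from the backend's 401 challenge, looks up stored credentials by (host, realm), drops any Authorization header the client sent, and attaches a Basic value. The host name, realm, account and the CREDENTIALS table are constructed for illustration.

```python
import base64
import re
from urllib.parse import urlsplit

# Constructed sample store: (backend host, realm) -> (user, password).
# A real deployment would load this from a secrets store, not source code.
CREDENTIALS = {
    ("reports.internal.example", "Reports"): ("svc-revproxy", "constructed-secret"),
}

# Matches a single Basic challenge; a header carrying several challenges
# would need a fuller parser.
_REALM_RE = re.compile(r'^\s*Basic\b.*?\brealm="([^"]*)"', re.IGNORECASE)


def realm_from_challenge(www_authenticate):
    """Return the realm of a Basic challenge, or None for any other scheme."""
    match = _REALM_RE.match(www_authenticate or "")
    return match.group(1) if match else None


def basic_header(user, password):
    """RFC 7617 value: 'Basic ' + base64(user ':' password)."""
    if ":" in user:
        raise ValueError("user-id must not contain ':'")
    token = base64.b64encode(f"{user}:{password}".encode("utf-8"))
    return "Basic " + token.decode("ascii")


def upstream_headers(client_headers, upstream_url, challenge):
    """Headers the proxy forwards to the backend after a 401 challenge.

    Any Authorization header supplied by the client is dropped, and the
    stored credentials are attached only when both the backend host and
    the challenge realm match an entry in CREDENTIALS, so they are never
    sent to a backend they were not configured for.
    """
    headers = {name: value for name, value in client_headers.items()
               if name.lower() != "authorization"}
    host = (urlsplit(upstream_url).hostname or "").lower()
    realm = realm_from_challenge(challenge)
    creds = CREDENTIALS.get((host, realm))
    if creds is not None:
        headers["Authorization"] = basic_header(*creds)
    return headers
```

Basic credentials are only base64-encoded, so the proxy-to-backend hop needs to be a trusted network segment or TLS.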

Similar Messages

  • How to Displaying Employee Photo in ESS Who's Who via Reverse Proxy?

    Dear Gurus,
    I have a bit of a problem displaying employee photos in ESS Who's Who via Reverse Proxy.
    In my landscape, end-users are only able to reach the Reverse Proxy server, not the actual SAP server itself.
    In Who's Who, when displaying the employee's info, the URI for the photo is generated using the actual SAP server name.
    Illustration:
    - the URI we expect: https://portal.domain.com/sap/bc/contentserver?.....
    - the URI we get: http://r3server.domain.com/sap/bc/contentserver?....
    Does anyone know where/how I can set the URL (hostname and protocol part) to refer to my reverse proxy?
    Or is it because SAP is using an absolute path rather than the relative one?
    How do we go about it?
    Thanks in advance.

    Dear Barinbhai,
    How are you? We are fine here!!!
    Following URL generated thru Portal
    System generated : http://p30app06.ril.com:8000/sap/bc/contentserver/430?get&pVersion=0046&contRep=7N&docId=4D2155EB6C32545BE10000000A42163F&accessMode=r&authId=CN%3DQ10&expiration=20110215052004&secKey=MIIBkwYJKoZIhvcNAQcCoIIBhDCCAYACAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHATGCAV8wggFbAgEBMBMwDjEMMAoGA1UEAxMDUTEwAgEAMAkGBSsOAwIaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xMTAyMTQwNTIwMDRaMCMGCSqGSIb3DQEJBDEWBBTJCER2r9%2BifbQPOtCqJdAoJ99NTzCBpgYFKw4DAhswgZwCQQCJ%2FPuWmHE5m%2Bd1vtX464doAJIsN2SmIpBAUe7jLGtmAD7F6ElSWOtC6uMuXUPisyKr3lRQ6IOC1ZhVPsnnXJsZAhUAtGAwyGWTqdJdd7nwrXKA7T%2B3GVcCQBUQxMBImvHdAsIyF3DmBtPwHcPpyCyBbJ737ivcuw2qjdJeGttSqR8GGuPn0DmzF36%2BUSnLRxZVNPn6nUbnPx0ELjAsAhR7G1vGjngjoll50RhWKcDlBTvVKgIUZ1NlQXMe61LXcqsTGsz7r28Kzh0%3D
    Photo opening directly on following URL:::
    Desired URL : http://ess.ril.com/sap/bc/contentserver/430?get&pVersion=0046&contRep=7N&docId=4D2155EB6C32545BE10000000A42163F&accessMode=r&authId=CN%3DQ10&expiration=20110215052004&secKey=MIIBkwYJKoZIhvcNAQcCoIIBhDCCAYACAQExCzAJBgUrDgMCGgUAMAsGCSqGSIb3DQEHATGCAV8wggFbAgEBMBMwDjEMMAoGA1UEAxMDUTEwAgEAMAkGBSsOAwIaBQCgXTAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0xMTAyMTQwNTIwMDRaMCMGCSqGSIb3DQEJBDEWBBTJCER2r9%2BifbQPOtCqJdAoJ99NTzCBpgYFKw4DAhswgZwCQQCJ%2FPuWmHE5m%2Bd1vtX464doAJIsN2SmIpBAUe7jLGtmAD7F6ElSWOtC6uMuXUPisyKr3lRQ6IOC1ZhVPsnnXJsZAhUAtGAwyGWTqdJdd7nwrXKA7T%2B3GVcCQBUQxMBImvHdAsIyF3DmBtPwHcPpyCyBbJ737ivcuw2qjdJeGttSqR8GGuPn0DmzF36%2BUSnLRxZVNPn6nUbnPx0ELjAsAhR7G1vGjngjoll50RhWKcDlBTvVKgIUZ1NlQXMe61LXcqsTGsz7r28Kzh0%3D
    Pls suggest..
    Hitesh Khatri
    SAP -HR
    RIL - Navi Mumbai....

  • Cannot access the content producer portal via reverse proxy

    Hi all,
    I hope my post is in the right forum
    We have an FPN environment using RRA with our EP (NW 7.0 SPS18) as the consumer and our BI portal (NW 7.0 SPS18) as the content producer.  The consumer is registered with the producer using HTTP protocol.  Everything works as expected.
    We're trying to implement an Apache reverse proxy for our FPN with SSL termination so that we can access the portals from the Internet with HTTPS protocol while keeping HTTP protocol for the internal users.
    Through the reverse proxy, we can access the consumer portal and we can access the producer portal directly without any problem.  The only problem is that, if we logged onto the consumer via the reverse proxy, we cannot access the content from the producer.  We'd get the browser security warning message
    "Although this page is encrypted.  The information you have entered will be sent over an unencrypted connection. ..."
    When we hit the Continue button, we'd get the error 404 Not Found - The request resource does not exist.
    Our Unix admin tried both Apache and SAP Web Dispatcher but we couldn't get it to work properly.  We went through a lot of blogs and documents and we are at our wits end.  We would greatly appreciate if someone can point out where we should look at.
    Thank you very much in advance.
    Dao

    Hi Kevin,
    Unfortunately, our Unix admin thinks you missed the point because my question was not clear enough
    We do not have problems with the "correct name" in the reverse proxy and our main SSL termination works fine. 
    It's just that the consumer is registered with the producer using HTTP protocol; as a result, the producer's URL link is 'hard-coded' to use HTTP protocol in the consumer portal since we are not using SSL in the internal network.  Hence, we'd like to know if there's any way to change them to HTTPS for the Internet clients while keeping the HTTP protocol for the internal users.
    I hope I made it clearer this time
    Regards,
    Dao

  • Windows Integrated Authentication with reverse proxy issue with Safari

    Hi All
    I have an application which uses Windows Integrated Authentication. For Internet users we have a reverse proxy with an IIS server which authenticates using basic authentication and then redirects to the actual application. Everything works as expected in IE and Firefox, but in Safari a second login dialog box appears. When I did a packet capture using Wireshark I noticed that in IE and FF the basic authentication is carried forward to the actual application from the IIS server, but in Safari there is an NTLM negotiation in between because there is a 401 response, so my application asks for one more login dialog. Does anyone know why Safari is behaving like this?
    Thanks & Regards
    Karthikeyan Vaithilingam

    I found a related post https://discussions.apple.com/thread/3274071?start=0&tstart=0. There is an issue with basic authentication and Http Redirect.

  • How to use logon group of backend systems via reverse proxy

    Hi
    We have set up EP 6.0 in DMZ2 and connected backend servers in the INTERNAL network. We have another firewall for DMZ1. In order to provide access to EP and the respective backend systems, we have installed two reverse proxy servers on Apache, one in DMZ1 and another in DMZ2. We are able to reach the backend system successfully in this setup by using proper rewrite rules for virtual systems in order to connect to multiple systems.
    However, we have observed that the connection for backend systems is established only to the respective CI and not to any of the application servers, even though we have created "Load Balancing" systems in EP and used the same logon group of the backend systems.
    Kindly suggest whether there is any option with which we can establish a connection via the Load balancing option in our current setup.
    Thanks
    Pradeep

    Hi Mechael/Dutt
    We are using Integrated ITS in WAS 6.40 and we are maintaining separate entries for each system in the rewrite rule.
    Thanks
    PRadeep

  • HTTP tunneling and reverse proxy server

    We're currently using Windows Media Services (WMS) to stream
    video on our website. There is an option in WMS to use the HTTP
    protocol and to specify the port you'd like to use. This has
    allowed us to stream video through our external firewall, through
    our reverse proxy server, and through our internal firewall to our
    media server. I've been trying for two days now to get Flash Media
    Server (FMS) to do the same thing. For some reason the HTTP
    tunneling (RTMPT) protocol doesn't appear to be acting like the
    HTTP protocol that WMS is using. Anyone have some tips on this
    configuration. I've scoured web resources and documentation as best
    I could. Any help would be greatly appreciated.
    Thanks.


  • Redirecting all HTTP traffic to HTTPS that will reverse proxy specific URI

    -- Requirement --
    I have a Sun web server 6.1 SP4 that sits in a DMZ that must securely reverse proxy traffic to an internal application server listening on 443.
    The web server instance has two listen sockets, 80 and 443.
    The web server instance must accept traffic on port 80 but re-direct it to 443 so all subsequent traffic with the client happens over HTTPS.
    HTTPS traffic for "www.mydomain.com/myapp/" must be reverse proxied to the internal app server, "https://myapp.mydomain.com/myapp/".
    -- Current set-up --
    The server reverse proxies both HTTP and HTTPS traffic with the indicated URI.
    How can I constrain the reverse proxying to HTTPS traffic?
    Thanks for your help,
    Jez

    Thanks Chris that worked perfectly.
    Aside
    Before your solution I had (unsuccessfully) tried the following obj.conf directive
    <Client security="false">
    NameTrans fn="redirect" from="/" url-prefix="https://www.mydomain.com/"
    </Client>
    However, it didn't work - is it not possible to use the <Client security="false"> in this manner?

  • HTTP authentication via ACS TACACS+.

    Hi.
    I configure a router for tacacs+ access and the console and CLI work fine.
    HTTP access continually prompts for password and I can never gain access via web.
    I have tried the various cli combinations of IP HTTP AUTHENTICATION, but still does not seem to work with tacacs+.
    Debug authentication and authorization are ok (PASS)!
    Any suggestions??
    Thanks.
    Andrea.

    Hi Andrea,
    Make sure that you have privilege level 15 for your account, as telnet can work without it, but for HTTP it's a must.
    You can configure it for the group under which you have your user account, or on a per-user basis too.
    Select group > Edit Settings > TACACS+ section
    Check "Shell" and "Privilege level" and in the box in front of privilege level, put the number "15".
    Also, if you have configured enable authentication via TACACS+, make sure under your user account you have selected the "Use CiscoSecure..." option under TACACS+ enable password if you have your account configured on ACS, or select other as appropriate.
    Let me know if it helps :)
    I suppose you have the "ip http authentication aaa" command configured.

  • HTTP Filtering and Reverse Proxy + DMZ

    Hello all, I'm consolidating a number of my services and securing up my network.
    To give some context I have 1 static IP, several websites in the form of subdomain.domain.com where domain.com is the same but there are numerous subdomains which reside on different servers. Until recently we were just using port forwarding, etc. to access
    these remotely (subdomain.domain.com:9090, subdomain2.domain.com:9091) etc. but I would like to clean this up.
    We have a 5505 ASA which our static IP is natted to. That has a static route to an IIS server in the 'DMZ' portion of our network. I would like to find a way to have this server see 'subdomain1.domain.com' and send it to the server hosting that service, and
    so on for the other services. 
    I think I want to use Reverse-Proxy but I have never delved in to IIS 8 before and the extent of my reverse proxy experience was using nginx to host several web services for a friend. 
    If I could get any advice on 1) how to filter the url requests and direct them to the right server (some are non-windows servers) and 2) how to do this securely from the DMZ to the internal lan?
    Thanks SO much for any help!

    To give a better picture, here's a more complete description of set up and goals
    Static IP hits external interface of ASA. ASA has a static nat rule to forward it to my DMZ server.
    DMZ server is running IIS 8. Here are what some of the sites look like.
    jira.xxxxx.com -> 10.1.10.21 (ubuntu server) | port 80
    email.xxxxx.com - > 10.1.10.16 (domain joined server 2012) port 80, 443
    media.xxxxx.com -> 10.1.10.14 (domain joined server 2012) port 80, 443
    other stuff like this -> 10.1.10.x port 80 or others
    All of the A records for those domain names point to the static which routes to the ASA and then is NAT'd to the DMZ server. 
    What do I need to do in IIS to have those sites get directed to the proper internal locations?
    Thanks!!

  • Getting client IP Address via reverse proxy

    We're using APEX 4.2.1. I've configured APEX to recognise the X-Forwarded-For header so I can use owa_util.get_cgi_env ('X-Forwarded-For') when available to get the IP address of the client. Does APEX provide a safer way to access this header?
    In the APEX Instance Security configuration settings you can specify a comma separated list of proxy servers. This works fine for internal APEX logs, but how do I tap into this in my apps?
    What I'm looking for is a function that returns the X-Forwarded-For header when the client IP is in the proxy list or otherwise it returns the REMOTE_ADDR header, without having to maintain a list of trusted proxy IP's elsewhere. I don't want the two sources to inadvertently get out of sync.

    Also it may not be any use, e.g. if it is a 192.*.*.* or 10.*.*.* address allocated via NAT. For example it may not be unique among all possible clients. If you need a client identity it is best to generate it yourself.
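
The lookup asked for in this thread, sketched in Python as an added example (this is not an APEX API, and the proxy list and addresses are constructed): X-Forwarded-For is used only when the directly connected peer (REMOTE_ADDR) is a trusted proxy, and the header is read from the right because entries further left come from the client.

```python
import ipaddress

# Constructed sample: the reverse proxies allowed to set X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network(net)
                   for net in ("10.1.10.5/32", "192.0.2.0/28")]


def _is_trusted(addr):
    """True when addr falls inside one of the trusted proxy networks."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr, x_forwarded_for=None):
    """Return the address a request should be attributed to.

    remote_addr is the TCP peer. The header is ignored unless that peer
    is a trusted proxy. Hops are walked right to left, skipping trusted
    proxies; the first untrusted hop is the client as seen by the
    outermost trusted proxy. Anything left of it is client-controlled.
    """
    peer = ipaddress.ip_address(remote_addr)
    if not _is_trusted(peer) or not x_forwarded_for:
        return str(peer)
    for hop in reversed(x_forwarded_for.split(",")):
        try:
            addr = ipaddress.ip_address(hop.strip())
        except ValueError:
            # Malformed entry: do not guess, fall back to the peer address.
            return str(peer)
        if not _is_trusted(addr):
            return str(addr)
    # Every hop was a trusted proxy, so the peer is the best answer.
    return str(peer)
```

As the reply notes, the result can still be a NAT or private address shared by many clients, so it suits logging and coarse filtering rather than client identity.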

  • Digest http authentication via CalDAV with non-ASCII login

    When I create a new CalDAV calendar with a login that contains non-ASCII characters, iCal doesn't send the Authorization header in the request package.
    When I use an ASCII login the HTTP request contains a header like:
    Authorization: Digest username="Art", realm="TeamWox", nonce="DFEBA3CD93184f389CAAAE84F1E0177D", uri="/caldav", response="511573b614eff34270e7b99b4b8a7b9b", cnonce="1b3aae2d7cd48bfa8aceadc62ff56006", nc=00000001, qop="auth"\r\n
    If I add non-ASCII characters I don't receive it.
    Can you explain this, please?

    Digest authentication sends information in UTF-8.
    When I analyze packages with Wireshark I see that, for example, Windows WebDAV sends this text in UTF-8 encoding, and all characters are sent correctly regardless of language.
    iCal just doesn't send the Authorization header if the characters are not in ASCII (0-127).

  • Distributing load via reverse proxy

    I was going through the forums and saw postings which recommended listing certain origin servers multiple times if that server can handle the load, i.e. server1.com, server1.com, server2.com will cause 66% of the requests to be directed towards server1.com.
    Is there a better way to do this using weights?

    Please contact Sun/Oracle support for this. We have an RFE "6416838 set-origin-server should distribute load based on weights" for this.

  • Reverse proxy settings crashing ML Server

    I have a few IP cameras I'm attempting to expose externally via reverse proxy. I've created a site on my Mini ML Server and password protected it under a subdomain. This allows me to drop my own custom UI on the camera controls so they work better with my iPhone etc. It's working great on my laptop's local virtual host. However, the reverse proxy settings seem to kill Apache on the ML server. If I remove the lines in blue below, it seems to work, but I get double authentication requests. Anyone have any experience with this? My Apache knowledge is minimal at best.
    ProxyRequests off
    ProxyPass /camera1/ http://192.168.0.1/
    ProxyPass /camera2/ http://192.168.0.2/
    ProxyPass /camera3/ http://192.168.0.3/
    ProxyHTMLURLMap http://192.168.0.1 /camera1
    ProxyHTMLURLMap http://192.168.0.2 /camera2
    ProxyHTMLURLMap http://192.168.0.3 /camera3
    <Location /camera1/>
    ProxyPassReverse /
    ProxyHTMLEnable On
    ProxyHTMLURLMap  /      /camera1/
    RequestHeader    unset  Accept-Encoding
    </Location>
    <Location /camera2/>
    ProxyPassReverse /
    ProxyHTMLEnable On
    ProxyHTMLURLMap  /      /camera2/
    RequestHeader    unset  Accept-Encoding
    </Location>
    <Location /camera3/>
    ProxyPassReverse /
    ProxyHTMLEnable On
    ProxyHTMLURLMap  /      /camera3/
    RequestHeader    unset  Accept-Encoding
    </Location>

    The following setup took care of my issue...
    ProxyRequests off
    ProxyPass /camera1/ http://192.168.0.30/
    ProxyPass /camera2/ http://192.168.0.32/
    ProxyPass /camera3/ http://192.168.0.34/
    ProxyPass /camera4/ http://192.168.0.36/
    ProxyPassReverse /camera1 http://192.168.0.30
    ProxyPassReverse /camera2 http://192.168.0.32
    ProxyPassReverse /camera3 http://192.168.0.34
    ProxyPassReverse /camera4 http://192.168.0.36

  • Reverse Proxy from Apache to portal to 2 different ITS Systems

    We're using Apache 2 webserver and we've enabled reverse proxy from our proxy server to our Enterprise Portal 7.0.  We have transaction iviews for different systems, an ECC 6.0 and CRM 5.0.  We are using the integrated ITS for these systems provided with basis version 7.0.  We have all the necessary ports open in the firewall.  I know how to configure the proxy when there's only one ITS server, but how would I do it for two (the ECC and CRM system)?

    We have integrated ITS.  I am not sure I understand where you are going with globalr.srvc file.  We have two systems that we want to hit from the portal via reverse proxy.  One is the ECC system and the other CRM 5.0.  In our portal we use the integrated ITS for each system:
    ECC system:
    http://ecc.system.com:8001/sap/bc/gui/its/sap/webgui
    CRM system:
    http://crm.system.com:8001/sap/bc/gui/its/sap/webgui
    The issue is how would I map to both ITS from the Apache reverse proxy

  • Apache reverse proxy setting for access to Backend

    Hi experts,
    We have set up an Apache reverse proxy to make our NW portal (and SRM functions) available over the internet.
    Our settings look something like this:
    ProxyRequests Off
    <VirtualHost *:80>
         ServerName myportal.portalhost.com
         ProxyPreserveHost On
         ProxyPass /irj/ http://myportal.portalhost.com:53200/irj/
         ProxyPass /webdynpro/ http://myportal.portalhost.com:53200/webdynpro/
         ProxyPassReverse /irj/ http://myportal.portalhost.com:53200/irj/
         ProxyPassReverse /webdynpro/ http://myportal.portalhost.com:53200/webdynpro/
         ErrorLog logs/myportal.portalhost.com-error.log
         CustomLog logs/myportal.portalhost.com-custom.log combined
         RewriteEngine On
         RewriteRule ^/sap/(.*)$ http://mybackend.backendhost.com:8020/sap/$1 [P,NC]
    </VirtualHost>
    Problem:
    When we access the portal from the internal network (either by using the internal URL or the external URL) things work fine.
    But when we access the portal from the internet, we are able to log in to the portal and access all Web Dynpro Java related applications. But when we try to access the BSP/WD ABAP application running on a backend SRM system, we get a 'host not found' message with the INTERNAL URL of the SRM backend application displayed.
    Do we need to expose the SRM backend to the outside world via reverse proxy as well? If yes, how? Do we need to change the system definitions in portal for that?
    Any help in resolving this would be greatly appreciated.
    regards,
    Kiran

    Hi,
    Do we need to expose the SRM backend to the outside world via reverse proxy as well? If yes, how? Do we need to change the system definitions in portal for that?
    Yes, you have to expose your backend system using a reverse proxy ...
    When the user accesses the portal and clicks on BSP/WD, the URL gets redirected to the backend system.
    But as your backend system is not exposed on the internet, you get the error host not found.
    So, to solve your problem you have to expose your backend system on the internet. It is in general practice to expose on the internet.
    Thanks
    Anil
