Non-Oracle Apache as Front-end/reverse proxy?
Hi,
The question I have is kind of OID-related, but I think is more relevant to OAS, so I hope that I'm posting this in the right forum.
We have an existing OID instance, using the Apache 1.3-based OHS, and up till now, users have been accessing the OID/OIDDAS web-interface directly, e.g., by going to http:<hostname>:7777/oiddas, then signing in.
We also have a (non-Oracle OHS) enterprise-wide Apache 2.x-based reverse-proxy, and they want to be able to reverse-proxy through this Apache 2.x to the OID web interface.
We tried adding the <Location> sections to the Apache 2.x reverse proxy, e.g.:
<Location /oiddas>
ProxyPass http://<hostname>:7777/oiddas
ProxyPassReverse http://<hostname>:7777/oiddas
</Location>
<Location /pls>
ProxyPass http://<hostname>:7777/pls
ProxyPassReverse http://<hostname>:7777/pls
</Location>
Then, when we go to http://<apache-2.0-reverse-proxy-hostname>/oiddas, we get the initial page with the "Login" link. But, when we click on the "Login" link, we are getting a "Forbidden" error (HTTP 403 error).
Has anyone configured something like this before? What else do we need to configure in the Apache 2.x reverse-proxy?
Thanks,
Jim
Hi,
I just stood up a new test instance of 10gAS (only one I had the install files for), and I can access the oiddas via port 7777, i.e., http://<hostname>:7777/oiddas.
I setup a reverse-proxy to it on a separate Apache 2.x instance, and it looks like at least part of the problem is that when I access via the proxy, the 10gAS sends back redirects (HTTP 302) responses with Location headers with the original <10gAS_hostname>:7777.
In other words, I do the original access using http:<proxy_hostname>/oiddas, but then when I click the "Login" link, the 10gAS redirects my browser to http://<10gAS_hostname>:7777/pls/orasso (to go to the SSO server).
This doesn't explain why were were seeing the 403 errors at work, but I think that, as suggested in that webpage that I linked earlier, there are re-directs that may not be totally visible going on, i.e., you can't "just" setup the Apache reverse-proxy with the <Location> directives.
Thus far, I haven't been able to replicate the 403 error problem that we had...
Jim
Similar Messages
-
Setting apache as a front end host-proxy web server for weblogic 10.3.3
Hi ,
i have installed apache 2.2.21 in the red hat linux 6 environment.Now i am trying to set that apache web server as a front end host ,proxy web server for my weblogic 10.3 application server cluster. My apache is listening to the port 8080.
What changes i had to made in admin console of my server as well as in the httpd.conf file of apache.
Can any one guide me how to proceed ?
Any help is highly appreciated......Thanks Ravi,
i have already gone through http://docs.oracle.com/cd/E12840_01/wls/docs103/plugins/apache.html.
In my case "mod_wl_22.so" was not available but i downloaded this p10051826_1033_Generic.zip file from where i got that file and make it available in the modules directory, changed the file permissions (using chmod 755 mod_wl_22.so) and also changed the httpd.conf file as below :
LoadModule weblogic_module modules/mod_wl_22.so
<IfModule mod_weblogic.c>
WebLogicCluster wlserv1:7001,wlserv2.com:7001
MatchExpression *.jsp
</IfModule>
By using /bin/ls command i checked the following :
/bin/ls: ELF 64-bit LSB executable, x86-64, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.18, stripped
Using file mod_wl_22.so i checked the following:
mod_wl_22.so: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, not stripped
My problem is when i used ./apachectl -t i got the following error :
httpd: Syntax error on line 112 of /u40/app/apache/conf/httpd.conf:
Cannot load /u40/app/apache/modules/mod_wl_22.so into server: libstdc++.so.5:
cannot open shared object file: No such file or directory
So can u please guide me where my problem is and how to rectify it ? Its urgent. please help me.
Thanks
Jyoti Ranjan -
Reverse Proxy Configuration - Apache as an SSL reverse-proxy
Hi,
We have EP 6.0 SP 14 installed with SSL configured.
We are in need to open the application to internet.
For the same we have set up a reverse proxy server (Apache as SSL
Reverse Proxy).
Our requirement is to open the application to the internet with
web address https://abc.domain.com.
The issue is we are able to access the application from internet only when
https://abc.domain.com/irj/potal is typed.
(ie.) Mapping is working fine for
https://abc.domain.com/irj/portal to
our EP Portal address https://abc2.domain.com:50001/irj/portal
And not working for mapping https://abc.domain.com to our EP Portal
address https://abc2.domain.com:50001/irj/portal
We have been working on to resolve this issue for days together but have been really unsuccessful
Kindly help us in resolving the same asap.
Note : The references we used are:
1. SAP's document:
"Apache Reverse Proxy Configuration for J2ee 6.20 and 6.40 Web Applications"
2. Weblogs:
The Reverse Proxy Series -- Part 1: Introduction
The Reverse Proxy Series -- Part 3: Apache as a reverse-proxy
The Reverse Proxy Series -- Part 3.1: Apache as an SSL reverse-proxy
Regards,
venkat.Thanks much for the feedback. We're using the default settings on the HTTP rule we have set up for the portal on the ISA server. We'll be looking into the details of what the default rule settings are, however we did find a note in the Microsoft Knowledge base detailing with the ISA server screening high bits in URL strings for Outlook Web Access (OWA). This generates a similar error message. Here is the link to the detailed note on the Microsoft web site:
http://support.microsoft.com/?scid=kb;en-us;837865
Also,we are going to be applying the SP1 upgrade to the ISA server (released in March) to see if this might be some type of issue that may have been identified and corrected by the service pack. We'll see what happens with that.
One area where we can recreate the problem at will is when we set up the system landscape configuration. We can navigate to a system configuration object, however when we attempt to right click to edit the object we get the error. There are other circumstances where we get errors but that is one that occurs for sure. Anyone have any idea as to what might be special about that type of transaction??
Thanks again.
Rich -
Is it a good idea or bad idea to integrate Apex Oracle 10g SE1 on Windows to a production instance Apache (Windows) from a source other than Oracle's Companion CD? Any good guides or tips?
Hi Jes,
I am a newbie to apex and apache.
I’d like to build an apex application for account administrators to sporadically manage the look-up reference data. We already have apache, tomcat and jboss running for the primary application and I’d like to use the same server and services to keep from buying a new machine or stealing from resources (RAM & CPU) because of setting up a second companion instance of apache.
Is there a compatibility issue with using a non-Oracle version of apache? Will it play fair with existing apache applications? Am I better off installing the Companion CD apache on the database server to reduce network I/O; or will it steal resources from the dbms? I'd also like to keep complexities to a minimum so I can stay focused on my DBA role.
TIA,
Steve -
URGENT:Running oracle form in front end
hi,
i have created a form in form builder and compiled successfully in server.i registered the form in apps and i have added responsibility also.what is the next step to run that form in apps.Do we need to create concurrent program and executable and add to the request group?Please help.
Thanks in advanceDo we need to create concurrent program and executable and add to the request group?Depends if you have custom concurrent programs. If so, then here are the steps:
To create a Custom Program:
- Login to System Administrator Responsibility
- Navigate to Concurrent > Program > Define
- Define your program
To add the Concurrent Program to the Request Group:
- Login to System Administrator Responsibility
- Navigate to Security > Responsibility > Request
- Query your Request Group
- Under Requests, select "Program" under "Type", enter the name of the Concurrent Program under "Name" -
Front End Server Certificate Renewal
I would like to see if someone could offer simple clarification to a hopefully simple question. My OAuth and Default Certificates are expiring soon.
Can I request a certificate, using the wizard (which has worked before so no issues there) and effectively "stage" it to later assign during my scheduled maintenance window so I can simply assign and reboot?
It isn't exactly imperative that this works in exactly this way, it would just be nice to request the certificate and ease my workload later, sort of like staging system patches but with certs, ha ha.
Thanks.That's exactly how you'd do it. Request it and stage it, confirm that you can assign it but don't. Then, during your maintenance window you'd assign it and restart.
oAuth you'd only assign once to a primary Front End, that should replicate out on it's own. The other certs you'd need to assign individually to each front end, reverse proxy, etc.
Please remember, if you see a post that helped you please click "Vote As Helpful" and if it answered your question please click "Mark As Answer".
SWC Unified Communications
This forum post is based upon my personal experience and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs. -
Example of a successful reverse proxy to APEX using Apache and Oracle HTTP
If this helps anyone, I was able to set up a reverse proxy to APEX with Apache running on the reverse proxy server and Oracle HTTP server and APEX 3.2 on the APEX hosting server. I want to post this due to there is no
documentation on this that I can find. Oracle Metalink could not produce any "How To" document either.
On the reverse proxy server in the httpd.conf file:
ProxyRequests Off
SetEnv force-proxy-request-1.0.1
SetEnv proxy-nokeepalive 1
ProxyPassReverse /pls/apex/ http://apex_server:8080/pls/apex/
ProxyPass /pls/apex/ http://apex_server:8080/pls/apex/
ProxyPassReverse /i/ http://apex_server:8080/i/
ProxyPass /i/ http://apex_server:8080/i/
AddType text/xml .xbl
AddType text/x-component .htc
OR
ProxyRequests off
RewriteEngine On
RewriteRule ^/pls/apex/(.*)$ http://apex_server:8080/pls/apex/$1 [P,NE]
ProxyRequests off
ProxyPassReverse /i/ http://apex_server:8080/i/
RewriteEngine On
RewriteRule ^/i/(.*)$ http://apex_server:8080/i/$1 [P,NE]
And in the Oracle HTTP server httpd.conf file of the APEX hosting server:
NameVirtualHost 999.99.99.9:8080
<VirtualHost 999.99.99.9:8080>
ServerAdmin [email protected]
DocumentRoot "/u01/app/ora11g/product/11.1.0/http_1/ohs/htdocs"
ServerName reverse_proxy_server.com
</VirtualHost>Here is what I saw :
I have one Web Server 7.0 instance with the following obj.conf :
<Object name="default">
<If $uri =~ "/xyz">
NameTrans fn="map" from="/" name="reverse-proxy-/xyz" to="/"
</If>
<ElseIf $uri =~ "/abc">
NameTrans fn="map" from="/" name="reverse-proxy-/abc" to="/"
</ElseIf>
</Object>
<Object ppath="*">
Service fn="proxy-retrieve" method="*"
</Object>
<Object name="reverse-proxy-/abc">
Route fn="set-origin-server" server="http://server1.sun.com:80"
</Object>
<Object name="reverse-proxy-/xyz">
Route fn="set-origin-server" server="http://server2.sun.com:80"
</Object> ...When I send a request to URI :
/abc/test1.html : the request gets served from server1 from docs/abc/test1.html.
/xyz/test2.html : the request gets served from server2 from docs/xyz/test2.html
Where as when you change obj.conf to (note the change in "from" parameter in "map" SAF)
<Object name="default">
<If $uri =~ "/xyz">
NameTrans fn="map" from="/xyz" name="reverse-proxy-/xyz" to="/"
</If>
<ElseIf $uri =~ "/abc">
NameTrans fn="map" from="/abc" name="reverse-proxy-/abc" to="/"
</ElseIf>
</Object>
<Object ppath="*">
Service fn="proxy-retrieve" method="*"
</Object>
<Object name="reverse-proxy-/abc">
Route fn="set-origin-server" server="http://server1:80"
</Object>
<Object name="reverse-proxy-/xyz">
Route fn="set-origin-server" server="http://server2:80"
</Object> ...In this case when I send a request to URI :
/abc/test1.html : the request gets served from server1 from docs/test1.html.
/xyz/test2.html : the request gets served from server2 from docs/test2.html. -
Apache as a reverse proxy for E-recruiting
We are trying to use apache as a reverse procy for e-recruting. The call to the web proxy is being forwareded correctly but whereas if the page is opened directly on the e-recruiting box it opens a page with a bsp generated logon screen, when using the portal it generates a window dialog for logon and i the get the following message :
BSP Exception: Das Objekt sap/bc/bsp/sap/hrrcf_start_int/sap/bc/bsp/sap/hrrcf_start_int/application.do in der URL /sap/bc/bsp/sap/hrrcf_start_int/sap/bc/bsp/sap/hrrcf_start_int/sap/bc/bsp/sap/hrrcf_start_int/application.do?sap-client=100&sap-language=EN&BspClient=100&BspLanguage=EN&rcfSpId=0003&rcfContext=LMUGEN ist nicht gültig.
Has anyone done apache as a proxy for e-recruting who can share an example or offer any advice?
ThanksHi Richard,
you can take this link as a starting point: /people/sap.user72/blog/2006/04/18/the-reverse-proxy-series--part-32-apache-as-a-complex-reverse-proxy
In your case it seems to me that "/sap/bc/bsp/sap/hrrcf_start_int" gets concatenated 2 more times in your URL than it should.
That looks like a loop resp. an apache directive which gets executed too often.
regards, Norbert -
Issues in ssl configuration with apache server (using reverse proxy)
Hi,
I am able to use apache server as a reverse proxy to connect to Portal. When I enter the web server url as https://mywebserver.com, I am able to connect to the http url of the Portal. But the moment I try to connect to the https url of Portal with this https url, I am not able to connect to the Portal. Thus I am not able to use apache as a proxy server for https connections it makes. What must I do. I read that mod_proxy_connect needs to be used, but how do I use this?
The second problem is that I need to use more than one kind of mapping.
For example I must be redirected to the Portal even if I use http://webserver.com , or even if I use https://webserver.com or even if I use http://webserver.com/irj or https://webserver.com/irj or http://ipaddress-websserver/irj etcI have SSLCertificateFile and
and SSLCertificateKeyFile .
My problem is with regard to ssl/CertificateChainFile?
what is this? Also how do I upload my J2EE Certificate into apache.
The problem is with Apache handshake is not happening.
I am forwarding the entire log during . I have put what I consider important in bold.Please have a look.
<b>----
</b>
Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1769): OpenSSL: Handshake: start
[Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: before/connect initialization
[Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv2/v3 write client hello A
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1512): OpenSSL: read 7/7 bytes from BIO#629160 [mem: 47855a8] (BIO dump follows)
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1459): ----
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0000: 16 03 01 04 1a 02 ...... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1488): | 0007 - <SPACES/NULS>
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1490): ----
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1512): OpenSSL: read 1048/1048 bytes from BIO#629160 [mem: 47855af] (BIO dump follows)
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1459): ----
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0000: 00 36 03 01 44 74 67 cb-38 b5 8e 42 3b 59 c3 6c .6..Dtg.8..B;Y.l |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0010: 23 5c 07 d0 8b 24 89 89-11 2e 0d 80 ed 1a 06 ea #
...$.......... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0020: 1d 10 b0 59 10 28 7c b4-02 cb d6 08 a8 e4 ea 5a ...Y.(|........Z |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0030: e5 88 5c 5d 90 00 39 00-0b 00 01 cc 00 01 c9 00 ..
]..9......... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0040: 01 c6 30 82 01 c2 30 82-01 2b a0 03 02 01 02 02 ..0...0..+...... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0050: 04 36 0b 23 72 30 0d 06-09 2a 86 48 86 f7 0d 01 .6.#r0...*.H.... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0060: 01 04 05 00 30 14 31 12-30 10 06 03 55 04 03 13 ....0.1.0...U... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0070: 09 6c 6f 63 61 6c 68 6f-73 74 30 1e 17 0d 30 33 .localhost0...03 |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0080: 31 30 30 32 30 37 32 35-30 30 5a 17 0d 30 35 31 1002072500Z..051 |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0090: 30 30 32 30 37 32 35 30-30 5a 30 14 31 12 30 10 002072500Z0.1.0. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 00a0: 06 03 55 04 03 13 09 6c-6f 63 61 6c 68 6f 73 74 ..U....localhost |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 00b0: 30 81 9f 30 0d 06 09 2a-86 48 86 f7 0d 01 01 01 0..0...*.H...... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 00c0: 05 00 03 81 8d 00 30 81-89 02 81 81 00 ef d6 ff ......0......... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 00d0: a6 39 e1 64 a5 d3 fb 16-de 4e ee 1d 81 84 31 bc .9.d.....N....1. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 00e0: e6 b7 96 07 3e 81 b9 94-d1 c1 e0 f9 00 3a 84 e8 ....>........:.. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 00f0: 7a 30 11 cd 41 26 d6 6c-95 90 93 95 17 e0 1a b7 z0..A&.l........ |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0100: 00 0f 59 33 7d 1d f3 a0-83 17 c5 f3 7e b3 ad ed ..Y3}.......~... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0110: c9 60 ac af 9e 31 d2 ec-42 71 f9 c3 98 2e 93 f9 .`...1..Bq...... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0120: 9d c3 c4 3d b3 7d 9b 97-83 1c 6b bd c0 75 cc 96 ...=.}....k..u.. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0130: dc b9 a0 1b 00 79 85 e4-19 1f 61 42 54 db 91 94 .....y....aBT... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0140: d8 1d 72 13 08 36 22 49-3b fb 05 dc 33 02 03 01 ..r..6"I;...3... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0150: 00 01 a3 21 30 1f 30 1d-06 03 55 1d 0e 04 16 04 ...!0.0...U..... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0160: 14 ed ed 02 af 94 13 59-1c 42 e6 69 40 e5 80 dd .......Y.B.i@... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0170: a4 e9 33 91 02 30 0d 06-09 2a 86 48 86 f7 0d 01 ..3..0...*.H.... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0180: 01 04 05 00 03 81 81 00-2c 22 08 bd 71 b6 80 43 ........,"..q..C |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0190: 5a 2a 8b e8 62 34 b4 b4-84 8a 47 4b 97 5e bf dd Z*..b4....GK.^.. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 01a0: 17 4c 0a 1c b7 0e cd c5-d1 cc d8 77 cd 38 10 ef .L.........w.8.. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 01b0: 22 02 f0 02 7f a2 39 2b-53 eb 31 b6 18 49 37 a0 ".....9+S.1..I7. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 01c0: 50 47 f2 34 ab 33 eb 5f-ec 5a f9 f7 53 5f 27 eb PG.4.3._.Z..S_'. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 01d0: 02 7f b4 28 3e e8 b1 c7-59 df 2c 93 25 c5 34 14 ...(>...Y.,.%.4. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 01e0: 7a 34 7c 45 b4 eb 6b 34-93 26 98 51 37 d3 e6 b0 z4|E..k4.&.Q7... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 01f0: 7f 83 e3 a9 04 d3 47 b3-3d de 43 57 27 45 82 c0 ......G.=.CW'E.. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0200: 4d 48 bf c0 a7 2f 66 0c-0c 00 02 08 00 80 af 76 MH.../f........v |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0210: 1f f5 f6 48 a0 01 0f ed-55 4c 53 9a 7c 07 7a ba ...H....ULS.|.z. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0220: c7 9d 77 e8 8b c7 66 8f-80 03 18 c5 1f 4f 2a a0 ..w...f......O*. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0230: 08 6f 9f e3 13 94 30 56-e7 2f 96 7c 26 97 ba 12 .o....0V./.|&... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0240: aa fd 3e 43 e1 46 c2 d1-32 94 56 45 52 c0 24 6f ..>C.F..2.VER.$o |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0250: 38 e0 93 0f 3a f8 0a 7c-41 0e 4c 54 4f 5a 7e d4 8...:..|A.LTOZ~. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0260: 62 e6 71 cd a0 dc 1e 9b-17 e5 10 71 3c 9d c6 39 b.q........q<..9 |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0270: 05 50 b6 15 37 0b 68 4f-24 50 74 47 13 1c 74 d8 .P..7.hO$PtG..t. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0280: 81 27 81 71 3a 4a c5 26-7d b8 e6 21 b3 d9 00 80 .'.q:J.&}..!.... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0290: 4f 6f 5d e6 2d dc 77 46-e6 77 b1 94 3d 65 5b b0 Oo].-.wF.w..=e[. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 02a0: 3d 39 7a 6c a2 c7 0b e3-27 08 fa 48 8d 75 1a fe =9zl....'..H.u.. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 02b0: 32 e6 13 d1 31 65 7d d5-11 34 21 78 38 d1 11 fb 2...1e}..4!x8... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 02c0: ea 59 8e 24 79 5a 4b c2-f7 98 22 51 9f a7 4d 2b .Y.$yZK..."Q..M+ |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 02d0: 15 98 fe d4 43 4b 34 25-b3 9b b3 ae 57 d1 ea 69 ....CK4%....W..i |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 02e0: 6e 02 7e 61 d7 80 b6 73-6a 3e ac eb 69 38 67 8f n.~a...sj>..i8g. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 02f0: a9 2a dc 93 3d 22 f3 6e-6a 5d 51 1f b1 b1 10 5e .*..=".nj]Q....^ |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0300: 82 28 48 0d 5a 78 f8 17-61 e0 c5 43 61 7a 42 6a .(H.Zx..a..CazBj |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0310: 00 80 42 fa 7e 11 b2 77-3a 8c de f1 52 5a e1 18 ..B.~..w:...RZ.. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0320: d4 e7 8f ee 2c e0 06 ef-d5 37 87 62 07 14 d1 5a ....,....7.b...Z |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0330: ca 30 be fd dd 76 47 8f-ed f4 5f f3 64 6c 32 a9 .0...vG..._.dl2. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0340: d5 07 e2 9b f1 29 a3 bf-33 4a ed 72 6b 2e c3 0f .....)..3J.rk... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0350: 30 bd 13 a1 42 d8 f7 1d-58 8a 1c 53 d6 c3 c8 6e 0...B...X..S...n |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0360: 0e 51 e3 f5 a0 37 68 0d-04 c6 0e c4 4d cc ed 7c .Q...7h.....M..| |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0370: ef 8f 81 b3 52 34 0c 60-eb f8 01 19 cc 95 31 55 ....R4.`......1U |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0380: 7d 16 bf 0c df b8 e0 3d-8f 7c 7a 4a 64 98 93 59 }......=.|zJd..Y |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0390: eb ae 00 80 ef cb bc 38-ab 16 0e a2 b2 2d fa 0f .......8.....-.. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 03a0: da 55 2d 67 a8 b8 34 1b-bf 39 d9 d6 da 65 f2 8f .U-g..4..9...e.. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 03b0: 6f a2 b1 1d db bb d5 dd-ab cf 9e 63 00 e4 57 a5 o..........c..W. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 03c0: 18 4a dc 60 b0 97 5d 67-34 96 bf a2 43 2b 7d 70 .J.`..]g4...C+}p |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 03d0: d6 99 d2 31 d2 11 f4 f2-19 b8 0c 41 7d bf b1 7c ...1.......A}..| |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 03e0: fb 31 cb 3e c2 0a e2 26-1a 7e 63 50 9b 62 c3 82 .1.>...&.~cP.b.. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 03f0: ca cd 36 82 0c 56 5f 26-f6 cc c6 6f 03 92 cc f5 ..6..V_&...o.... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0400: 6b 55 1a d6 92 f9 5b 59-18 c2 62 21 eb d8 a4 ea kU....[Y..b!.... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0410: fd b6 3e f7 0e ..>.. |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1488): | 1048 - <SPACES/NULS>
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1490): ----
[Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv3 read server hello A
[Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1207): Certificate Verification: depth: 0, subject: /CN=localhost, issuer: /CN=localhost
[Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1207): Certificate Verification: depth: 0, subject: /CN=localhost, issuer: /CN=localhost
[Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1207): Certificate Verification: depth: 0, subject: /CN=localhost, issuer: /CN=localhost
[Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv3 read server certificate A
[Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv3 read server key exchange A
[Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv3 read server done A
[Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv3 write client key exchange A
[Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv3 write change cipher spec A
[Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv3 write finished A
[Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1777): OpenSSL: Loop: SSLv3 flush data
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1512): OpenSSL: read 5/5 bytes from BIO#629160 [mem: 47855a8] (BIO dump follows)
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1459): ----
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0000: 15 03 01 00 02 ..... |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1490): ----
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1512): OpenSSL: read 2/2 bytes from BIO#629160 [mem: 47855ad] (BIO dump follows)
Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1459): ----
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1484): | 0000: 02 28 .( |
[Wed May 24 07:03:54 2006] [debug] ssl_engine_io.c(1490): ----
[Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1782): OpenSSL: Read: SSLv3 read finished A
[Wed May 24 07:03:54 2006] [debug] ssl_engine_kernel.c(1801): OpenSSL: Exit: failed in SSLv3 read finished A
[Wed May 24 07:03:54 2006] [info] SSL Proxy connect failed
[Wed May 24 07:03:54 2006] [info] SSL Library Error: 336151568 error:14094410:SSL routines:SSL3_READ_BYTES:sslv3 alert handshake failure
[Wed May 24 07:03:54 2006] [info] Connection to child 249 closed with abortive shutdown(server apacheserver:443, client j2eeserver)
[Wed May 24 07:03:54 2006] [error] (20014)Error string not specified yet: proxy: pass request body failed to j2eeserver:50001 (j2eeserver)
[<b>Wed May 24 07:03:54 2006] [error] (20014)Error string not specified yet: proxy: pass request body failed to j2eeserver:50001 (j2eeserve) from apacheserver ()
[Wed May 24 07:04:10 2006] [debug] ssl_engine_io.c(1523): OpenSSL: I/O error, 5 bytes expected to read on BIO#612610 [mem: 62ac80]
[Wed May 24 07:04:10 2006] [info] (OS 10060)A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. : SSL input filter read failed.
[Wed May 24 07:04:10 2006] [debug] ssl_engine_kernel.c(1787): OpenSSL: Write: SSL negotiation finished successfully
[Wed May 24 07:04:10 2006] [info] Connection to child 249 closed with standard shutdown(server apacheserver:443, client apacheserver)
</b> -
Reverse Proxy Configuration Help
I am running OFM 11.1.1.6.
Web Cache is running on port 8888.
Portal's OHS (the WebCache origin server) is running on 7777.
Reports' OHS (for /reports/rwservlet) is running on 8890.
Non-Oracle Apache 2.2 is running as a reverse SSL proxy for Portal on port 443.
I want to configure this reverse proxy so that it appears to the end user that the reports server is also running in HTTPS on port 443, instead of on port 8890. Can anyone please give me a tip on how to set this up?
In my httpd.conf for my Apache reverse proxy server, I have this within my main SSL virtual host:
ProxyPassReverse / http://hostname:8888/
ProxyPreserveHost On
RewriteEngine On
RewriteRule ^/(.*) http://hostname:8888/$1 [P]Do I need to add an additional virtual host for the proxy to the reports server? Or can I include it in this same virtual host? I've tried the following, but couldn't get it to work:
ProxyPassReverse /reports/rwservlet/ http://hostname:8890/reports/rwservlet/
ProxyPassReverse / http://hostname:8888/
ProxyPreserveHost On
RewriteEngine On
RewriteRule ^/reports/rwservlet/(.*) http://hostname:8890/reports/rwservlet/$1 [P]
RewriteRule ^/(.*) http://hostname:8888/$1 [P]Any guidance is appreciated.In case anyone finds this, this is how I got it all working:
In httpd.conf for the Apache reverse proxy:
ProxyPreserveHost On
RewriteEngine On
RewriteRule ^/reports/(.*) http://hostname:8890/reports/$1 [P]
ProxyPassReverse /reports http://hostname:8890/reports
RewriteRule ^/(.*) http://hostname:8888/$1 [P]
ProxyPassReverse / http://hostname:8888/In the Portal OHS's httpd.conf:
NameVirtualHost *:7777
<VirtualHost *:7777>
ServerName https://hostname
RewriteEngine On
RewriteOptions inherit
UseCanonicalName On
OssoConfigFile E:/ora11/product/portal_instance/config/OHS/ohs1/osso/osso_ssl.conf
OssoIpCheck off
OssoSecureCookies off
OssoIdleTimeout off
</VirtualHost>In the reports server's httpd.conf:
NameVirtualHost *:8890
<VirtualHost *:8890>
ServerName https://hostname
RewriteEngine On
RewriteOptions inherit
UseCanonicalName On
OssoConfigFile E:/ora11/product/reports_instance/config/OHS/ohs1/osso.conf
OssoIpCheck off
OssoSecureCookies off
OssoIdleTimeout off
</VirtualHost>You can use the same osso.conf for both reports and portal. Make sure to register with SSO specifying https://hostname as the registered URL. -
Front-end/back-end cluster question
[att1.html]
Patrick Power wrote:
> Thanx for your reply Prasad. I was surprised none of the Bea engineers
> wished to touch this one. What do you suppose is up with that? Either
> they are too busy, or possibly my question is too dumb.
>
I am from BEA so its not that we are not responding ;).
>
> Back to the issue: Yes, we will NES bridge/proxy into servlet front-end
> cluster, potentially with Directors on the very front of the topology for
> balancing. Your diagram as such:
>
> <Netscape/IIS/Apache/WLS FRONT END> ----- <CLUSTER OF WEBLOGIC SERVER
> > SERVING SERVLETS> --- <CLUSTER OF WEBLOGIC SERVERS SERVING EJB>
>
> 1) Does <Netscape/IIS/Apache/WLS FRONT END> mean NES with proxy shared lib,
> with a WLS service definition into cluster in obj.conf? I assume yes.
Yes.
>
> 2) I would assume that <CLUSTER OF WEBLOGIC SERVERS SERVING SERVLETS> would
> need the WLS HttpClusterServlet to the <CLUSTER OF WEBLOGIC SERVERS SERVING
> EJB> all the way in the back.
No. I was splitting presentation logic (namely servlets and jsp) and business
logic (ejb) into two layers. Again you don't have to split it into two. You can
colocate them both together. You could use NES or IIS or Apache or WLS. You
don't need HttpClusterServlet.
Lets get this straight.
1. You need our proxy plugin for failover and to load balance the request that
are going to presentation logic.
2. From presentation logic layer, when you talk to backend business logic
providers (like ejb cluster), if you use stateless session beans we provide
failover and load balancing. In future we will support clustered stateful
session beans as well. Therefore you don't need load balancer here.
3. HttpClusterServlet should run only in front of presentation logic cluster and
also it supports http only.
Hope this helps.
- Prasad
> The NES proxy would only proxy into the f/e
> cluster, right? You're not suggesting an external proxy of some type, are
> you? The HttpClusterServlet is for WLS cluster-to-cluster proxies.
> 3) A load balancer between the wls f/e and wls b/e clusters? That doesn't
> seem applicable here. Once again, it should be HttpClusterServlet for WLS
> cluster-to-cluster proxies.
> 4) "use two or three proxy servers to avoid single point of failure."
> Hmmm, once again - are we talking the WLS HttpClusterServlet proxy? Well,
> that's the inital question: Can I have more than one HttpClusterServlet
> proxy in the front-end cluster, proxying to the back-end cluster?
> Otherwise, internally from this WLS architecture perspective, it is a single
> point of failure.
>
> An example: 10 instances in f/e cluster. can more than one of these
> instances have the WLS HttpClusterServlet proxy to the b/e cluster? Or, are
> there instances of WLS HttpClusterServlet proxy in all 10 f/e cluster
> instances?
>
> Cheers, Pat
>
> Prasad Peddada <[email protected]> wrote in message
> news:[email protected]...
> >
> >
> > Patrick Power wrote:
> >
> > > I know that this topic was addressed to some degree here in an earlier
> > > posting, but I still have a question regarding the architecture
> > > design:
> > >
> > > If configuring a front-end cluster for servlets/sessions and a
> > > back-end cluster for remote services -- you route requests to the
> > > back-end using the WLS proxy servlet. ok, got that part.
> >
> > Not quite. The typical scenario is
> >
> > <Netscape/IIS/Apache/WLS FRONT END> ----- <CLUSTER OF WEBLOGIC SERVER
> > SERVING SERVLETS> --- <CLUSTER OF WEBLOGIC SERVERS SERVING EJB>
> >
> > You don't proxy and serve servlets from the same server.
> >
> > >
> > > The question: Is there a single instance of the wls proxy servlet in
> > > the front-end cluster? Or, is it on every instance in the front-end
> > > cluster? What is the failover mechanism, in the case of a single
> > > instance of proxy servlet in the f-e cluster failing?
> >
> > To prevent that you need to use some kind of h/w or software load
> > balancer and then use two or three proxy servers to avoid single point
> > of failure.
> >
> > > Is it a single point of failure between the 2 clusters?
> > >
> > > Thanx in advance for your help.
> > >
> > > BTW, I think Wei, Kumar and the other Bea folks cruising this group
> > > have been doing a bang-up job of providing badly-needed detail on this
> > > subject area - material this largely absent from the documentation.
> > > Good job.
> > >
> > >
> >
> > --
> > Cheers
> >
> > - Prasad
> >
> >
-
Reverse Proxy with Firewall on Portal R2
We are trying to configure Oracle Portal R2 in the reverse proxy mode. We have a Sun Enterprise 250 used in a single machine configuration. (Infr. and Mid tier on same machine)
The webcache server is listening on server.company.com:7781
The portal server is listening on server.company.com:7782
The login server is listening on server.company.com:7780
The proxy server is listening on www.company.com:81
According to the Oracle Portal Config Guide we have followed the steps to configure Apache (inclusion of the virtual hosts, etc) and run the ptlasst script to reconfigure portal. While portal responds correctly on www.company.com:81 when i try to log on using the login link I get redirected to server.company.com:7780/...
Obviously everything seems to be ok from within the LAN since i can see server.company.com, but via internet it doesnt work.
Here is how we run the script:
./ptlasst.csh -mode MIDTIER -host www.company.com -port 81 -chost server.company.com -cport_i 4007 -i custom -c server.company.com:1521:iasdb -pwd xxxxxx
How can we correct this problem? Do we need to run any other script?Hi Suraj,
The following is the problem.
We have Sun Enterprise 450 on which Oracle 9iAS Release 2 installed and we are trying to use reverse proxy plugin with iplanet, being installed on windows machine. In the hosts file i have mentioned the following required parameters ie.,
oproxy.serverlist=ias1
oproxy.ias1.hostname=http://192.168.1.12 - where Oracle 9iAS is installed
oproxy.ias1.port=7779
oproxy.ias1.urlrule=/*
oproxy.ias1.alias=http://myoracleportal.peesh.com
oproxy.ias1.stripcontext=false
and whenever i restart iplanet server after this, here is the following log information.
06/26/2002 11:57:52 AM: [op_nsapi_plugin.c (296)]: op_init: log_file=e:/iPlanet/https-pncl-hcl028-053.pinnacle.com/logs/oproxy.log server_file=e:/iPlanet/https-pncl-hcl028-053.pinnacle.com/config/servers/oracleProxyPluginInfo.conf
06/26/2002 11:57:52 AM: [op_uri_map.c (128)]: Into op_uri_map_t::uri_map_alloc
06/26/2002 11:57:52 AM: [op_uri_map.c (162)]: Into op_uri_map_t::uri_map_open
06/26/2002 11:57:52 AM: [op_worker_list.c (37)]: op_worker_list_init: propfile=e:/iPlanet/https-pncl-hcl028-053.pinnacle.com/config/servers/oracleProxyPluginInfo.conf p=0x00DC8828 l=0x00DBDA70
06/26/2002 11:57:52 AM: [op_worker_list.c (45)]: op_worker_list_init: numservers=1
06/26/2002 11:57:52 AM: [op_worker_list.c (57)]: op_worker_list_init: inside loop, serverlist[0]=ias1
06/26/2002 11:57:52 AM: [op_worker_list.c (73)]: op_worker_list_init: hostname=http://192.168.1.12
06/26/2002 11:57:52 AM: [op_worker_list.c (82)]: op_worker_list_init: port=7779
06/26/2002 11:57:53 AM: [op_uri_map.c (192)]: op_uri_map_t::uri_map_open, rule map size is 0
06/26/2002 11:57:53 AM: [op_uri_map.c (325)]: op_uri_map_t::uri_map_open, done
06/26/2002 11:57:53 AM: [op_nsapi_plugin.c (304)]: op_init: exiting
I have a feeling that "oracle_proxy_nes.dll" maintains all the .conf file information in a stack, whose size is 0.
pls see interpret this log the way you see.
thanks in advance,
gupta -
Reverse Proxy only in DMZ Node
Hi Everyone,
We are implementing reverse only proxy in DMZ in R12.1.1 option 2.4 in DMZ note. I have few doubts regarding the setup. I would appreciate if anyone could clarify those.
I have a reverse proxy server in DMZ with a public IP and internal IP( We have built apache from souce as reverse proxy)
I have a MT(Linux box) with Two IP's one for Internal Webentry (port 8001)and second IP for external webentry(port 8002). These two have been registered in DNS the first ip would resolve to appsmt and second one would resolve to appsrp
We have Created packet filter rule allowing reverse proxy to communicate explicitly with MT(appsrp) on second IP (for external webentry) over TCP port 8002
As per DMZ note 726953.1 or 380490.1
1)what should I give when it prompts for host name when I run adclonectx.pl Step 5.9.1
Target System Hostname (virtual or normal) [dcoll12xc] :
should I give reverse proxy hostname or second host name on the MT for the external webentry
2) What should I give values for below
s_webentryhost
s_webentrydomain
s_active_webport
s_server_ip_address
should they be reverse proxy hostname/Ip or second host name/Ip on the MT for the external webentry?
ThanksHi user;
Please follow Oracle E-Business Suite R12 Configuration in a DMZ [ID 380490.1]
For your question 1 please check upper note part *5.9.1: Create a new context file for the external Web Entry Point* , it is explain there what you have to enter
For your question 2 please check upper note part *5.4.1: Update Oracle E-Business Suite Applications Context File*, it is explain there what you have to enter
Hope it helps
Regard
Helios -
How to set up reverse proxy to allow user access portal site from internet
Hi all,
I have installed 10g(10.1.2.0.2) AS on same machine(single IP for both mid and infra with different users respectively). there is a DMZ on which windows IIS is working through which we need to redirect the request to application server such that users access portal page from internet (within intranet all URLs are working fine). I have went through technet documentation where i found 3 ways : through this link
http://download.oracle.com/docs/cd/B14099_19/core.1012/b13998/variants.htm
Section 9.2.1.1, "Configuring OracleAS Web Cache as a Reverse Proxy"
Section 9.2.1.2, "Configuring the Oracle HTTP Server as a Reverse Proxy"
Section 9.2.1.3, "Configuring Internet Information Services as a Reverse Proxy"
I am confused to which option to use. Also i went through the metalink document 270160.1
Please help me which option to choose to do this.
Thanks.Hi Hozy,
May be it's too late, I am thinking to go in the same route for our sap portal access to external customers. Please can you share your experience , like what are the challenges have you faced? what is the complexity? what are all the resources we need to configure this?
I appreciate your feedback.
Thanks
Krish -
Hi,
I have confiugure apache 2.2 as reverse proxy which will be interacting with my portal as well as ECC ITS. Everything is working fine but the problem is when user gives the path:
http://<hotst>/sap/bc/its/gui/sap/webgui he able to access logon page of ECC which i want to block.
I want one redirect rule which should block the request which come with request http://<host>/sap/bc/its/gui/sap/webgui through reverse proxy. It should allow only when request comes in this format :
http://<host>/sap([some cache])/bc/its/gui/sap/webgui. where [some_cache] is automatically generated by SAP.
What could be the syntax of rewrite rule.User 2 layers of Reverse proxies to resolve the issue
Maybe you are looking for
-
Orange Firefox Button Is No Longer Aligned With Tabs In Firefox 28
A few days ago I was extremely happy with the browser that I was using, although after I was forced into upgrading to what was probably one of the ugliest and most unusable interfaces ever conceived (really, what is it with the internet and thinking
-
Is there any way to edit and save an existing spreadsheet file that was not created from my iPad? I get excel spreadsheets emailed to me and would love to edit them on my iPad and not ever use my PC.
-
I've just bought Final Cut Express 4 so am very new to this program. I have imported (old) footage originally from an AVCHD camera but now in .mov format. In the browser window the frame size shows as 1920x1080. However the sequence frame size shows
-
Hi,<BR><BR>A colleague of mine is going abroad on business and she needs to be able to have access to EAS 7.1.3 to load and re-pull data, but our IT dept have said that this is not possible. We know we have the possibility to dial in but we need to b
-
I am getting this error, while doing import of MDL file. Anybody has had this error. Query : insert into pctree values(?, ?, ?, ?) isUpdatable : false isBatch : trueSQL Error : ORA-00001: unique constraint (REPOWNR2.IDX_PCTREE_CHILDID) violated Query