Reverse Proxy Configuration - Apache as an SSL reverse-proxy

Similar Messages

• Automatic Proxy Configuration keeps getting disabled for Manual Proxy Configuration

  When ever I launch Firefox 3.6.13, the connection settings get reset to Manual Proxy Configuration. I switch the connection settings to automatic proxy configuration and all works fine. Upon closing and re-launching Firefox the Connection Setting is set back to manual proxy configuration.

  See http://kb.mozillazine.org/Preferences_not_saved

• Configuring Apache HTTP as an RPS

  Longback i configured Apache HTTP as an Reverse proxy to weblogic for singlesignon with OAM.
  that time i downloaded the Apache HTTP server Plugin from the below link
  http://e-docs.bea.com/wls/docs92/plugins/apache.html
  but after oracle aquiring the oracle i can not able to find the link for Apache plugin .
  can any one please upadte the new url to download APACHE HTTP server plugin

  Hi,
  You can download the latest apache plugins from the below link.
  http://www.oracle.com/technology/software/products/ias/htdocs/wls_main.html
  Click on the "see all files" options of the Oracle WebLogic Server 10.3, and you can download the same under the
  Mandatory for 10.3 installers.
  Cheers,
  Raj

• Configuring Apache HTTP as an RPS to weblogic for SSO on PSFT

  Longback i configured Apache HTTP as an Reverse proxy to weblogic for singlesignon with OAM.
  that time i downloaded the Apache HTTP server Plugin from the below link
  http://e-docs.bea.com/wls/docs92/plugins/apache.html
  but after oracle aquiring the oracle i can not able to find the link for Apache plugin .
  can any one please upadte the new url to download APACHE HTTP server plugin

  It seems the WebLogic Server plug-ins for Apache web server are available for download only through My Oracle Support (MetaLink)
  Check below:
  http://www.oracle.com/technology/deploy/security/wls-security/2793.html
  The page mentions that the web server plug-in is available for download via Doc ID # 7825156.
  You can also have a look at http://www.oracle.com/technology/deploy/security/alerts/alert_cve2008-3257.html
  Hope this helps.

• Help with Apache Reverse Proxy configuration with SAP Portal and SAP Webgui

  Dear Experts,
  I have an issue configuring Apache to work with SAP Portal and ERP webgui. Accessing Portal through Reverse Proxy is working fine. But the problem arises when we try to open an iView ERP webgui transaction page from Portal with the Reverse Proxy. Have anyone implemented similar requirements and could advice on the configuration required on the Apache side? Thank you

  hi,
  pls check the below links for reference:
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/24396589-0a01-0010-3c8c-ab2e3acf6fe2
  searchsap.techtarget.com/searchSAP/downloads/chapter-december.pdf
  1)Learn to implement the reverse proxy filter and portal gateway in SAP Enterprise Portal 6.0 on Web Application Server 6.40.
  https:/.../irj/sdn/nw-portalandcollaboration?rid=/webcontent/uuid/006efe7b-1b73-2910-c4ae-f45aa408da5b
  .2 )Configuring the Portal for Your Reverse Proxy Filter Solution . ... This document describes the reverse proxy filter mechanism in SAP Enterprise ...
  https://www.sdn.sap.com/irj/sdn/go/portal/prtroot/docs/library/uuid/32ad9b90-0201-0010-3c8a-c900cd685f8f
  3)have full reverse proxy functionality. Possibly. filter. requests. Internet ... Reverse proxy (optionally with authentication etc.) ...
  https://www.sdn.sap.com/irj/servlet/prt/portal/prtroot/docs/library/uuid/c066c390-0201-0010-3cba-cd42dfbcc8be
  Note:please reward points if solution found helpfull
  Regards
  Chandrakanth.k

• How To configure Apache As Reverse Proxy for SharePoint Application

  Hi,
  I recently integrated Apache as ReverseProxy for SharePoint 2010. When accessing the SharePoint application via the reverse proxy url  e.g. http://<reverse-proxy-url>/SitePages/Home.aspx the images/css and JavaScript files does not comeup
  fine.
  I had defined the following mapping in the httpd.conf file.
  ProxyPass /SitePages  http://<actual-url>/SitePages
  <Location /SitePages>
  ProxyPassReverse http://<actual-url>/SitePages
  SetEnv force-nokeepalive 1
  </Location>
  Regards,
  Bunty Ray

  Hi Trevor,
  I did not understand your point. Currently i tried the following in the httpd.conf as well, but still did not help
  ######Mapping SharePoint Server#######
   ProxyPass /SitePages http://<actual-url>/SitePages
   ProxyPass /WebResource.axd http://<actual-url>/WebResource.axd
   ProxyPass /ScriptResource.axd http://<actual-url>/ScriptResource.axd
   <Location /SitePages>
    SetOutputFilter INFLATE;proxy-html;DEFLATE
    ProxyHTMLMeta On
    ProxyHTMLEnable On
    ProxyHTMLExtended On
    ProxyHTMLLogVerbose On
    ProxyPassReverse http://<actual-url>/SitePages
    ProxyHTMLURLMap /SitePages http://<actual-url>/SitePages ec
    ProxyHTMLURLMap http://<actual-url>/SitePages /SitePages ec
   SetEnv force-nokeepalive 1
   SetEnv force-proxy-request-1.01
   SetEnv proxy-initial-not-pooled 1
   </Location>
   <Location /ScriptResource.axd>
    SetOutputFilter INFLATE;proxy-html;DEFLATE
    ProxyHTMLMeta On
    ProxyHTMLEnable On
    ProxyHTMLExtended On
    ProxyHTMLLogVerbose On
    ProxyPassReverse  http://<actual-url>/ScriptResource.axd
    ProxyHTMLURLMap /ScriptResource.axd http://<actual-url>/ScriptResource.axd ec
    ProxyHTMLURLMap http://<actual-url>/ScriptResource.axd /ScriptResource.axd ec
    SetEnv force-proxy-request-1.01
    SetEnv force-nokeepalive 1
    SetEnv proxy-initial-not-pooled 1
    </Location>
   <Location /WebResource.axd>
    SetOutputFilter INFLATE;proxy-html;DEFLATE
    ProxyHTMLMeta On
    ProxyHTMLEnable On
    ProxyHTMLExtended On
    ProxyHTMLLogVerbose On
    ProxyPassReverse  http://<actual-url>/WebResource.axd
    ProxyHTMLURLMap /WebResource.axd http://<actual-url>/WebResource.axd ec
    ProxyHTMLURLMap http://<actual-url>/WebResource.axd /WebResource.axd ec
    SetEnv force-proxy-request-1.01
    SetEnv force-nokeepalive 1
    SetEnv proxy-initial-not-pooled 1
    </Location>
   <Location /_layouts>
    SetOutputFilter INFLATE;proxy-html;DEFLATE
    ProxyHTMLMeta On
    ProxyHTMLEnable On
    ProxyHTMLExtended On
    ProxyHTMLLogVerbose On
    ProxyPassReverse  http://<actual-url>/_layouts
    ProxyHTMLURLMap /_layouts/1033/styles/Themable http://<actual-url>/_layouts/1033/styles/Themable ec
    ProxyHTMLURLMap http://<actual-url>/_layouts/1033/styles/Themable /_layouts/1033/styles/Themable ec
    SetEnv force-proxy-request-1.01
    SetEnv force-nokeepalive 1
    SetEnv proxy-initial-not-pooled 1
    </Location>
  Regards,
  Bunty Ray

• Forward parameters in reverse proxy configuration

  Hi,
  Looking at the detailed configuration in a reverse proxy rule in SJSWS, I have derived the following conclusions:
  1) Where the SJSWS listener has SSL-enabled, reverse proxy works on a HTTPS in, HTTP out basis.
  2) Details in the incoming request's SSL header, such as User DN, will be stripped out and remapped into the outgoing request as a custom header, e.g. "Proxy-user-dn".
  Can anybody tell me if I have gotten anything wrong above?
  We are currently switching over from an Apache/mod_proxy/mod_ssl --> Apache/mod_jk --> Apache Tomcat server setup to a hybrid model where SJSWS is the web server reverse proxying to Tomcat (old apps) and SJSAS (new apps).
  My question:
  All our apps use the User DN string as the user ID. Previously, we developed a custom module in Apache to read the DN at the Apache level and then rewrite it into the Basic Auth user name header in the outgoing request. The Tomcat webapp will then authenticate the user based on the Basic Auth user name property. Is it possible for me to remap it into something similar here in the SJSWS reverse proxy configuration?
  Thanks!
  Wong

  I am not a reverse proxy expert, but this Object-type SAF should forward userdn
  http://docs.sun.com/app/docs/doc/820-1062/6ncoqnq3b?l=en&a=view&q=forward-user-dn
  You can look for more such SAFs in this document.

• WebServer 6.1 SP3 SSL reverse proxy to Sun One Application Server 7

  I have an application in the appserver7 that requires SSL authentication. I have already installed a self cert in the appserver7, and the authentication works fine when I browse directly to the appserver.
  The appserver7 has both listener for port 80 and 443 enabled.
  I'm currently setting up a webserver (WebServer 6.1 SP3) to act as a reverse proxy to the appserver7. The reverse proxy for the basic jsp pages found in the appserver worked fine.
  When I try to access the login page, in the appserver, in ssl mode, I am unable to do so. I then try changing the obj.conf to the following, from http to https:
  <Object name="passthrough">
  ObjectType fn="force-type" type="magnus-internal/passthrough"
  Service fn="service-passthrough" method="(GET|HEAD|POST)" servers="https://172.2
  8.48.53"
  However, it still doesn't work.
  Do I need to install a self cert in the webserver and enable the ssl listener as well?
  Do I need to install any reverse proxy addon for the appserver? Any
  setup for the obj.conf in the appserver?
  Any ideas how to get this done?
  Thanks.
  Mac.

  The Web Server 6.1 SP3 Reverse Proxy Plugin is supported, but it sounds like you're trying to do something that simply isn't possible.
  If you want the Reverse Proxy Plugin to perform SSL mutual authentication with the Application Server using the client's certificate, that's impossible due to the nature of SSL mutual authentication. If the plugin could impersonate the client, then SSL would be vulnerable to MITM (Man In The Middle Attacks). Fortunately, SSL isn't vulnerable to such attacks because the plugin doesn't know the client's private key.
  If you simply want the Reverse Proxy Plugin to pass information about the client's certificate along to the Application Server, that hapens automatically. There's nothing special to configure. Note that the plugin will not authenticate to the Application Server in this case. Rather, it will simply copy the X.509 certificate into the proprietary Proxy-auth-cert: HTTP request header.
  The application running on the Application Server can inspect the Proxy-auth-cert: header using standard Servlet APIs. Alternatively, you can use Application Server 7's auth-passthrough AuthTrans SAF to cause the contents of the Proxy-auth-cert: header to be copied to the javax.servlet.request.X509Certificate Servlet attribute.

• Non-Oracle Apache as Front-end/reverse proxy?

  Hi,
  The question I have is kind of OID-related, but I think is more relevant to OAS, so I hope that I'm posting this in the right forum.
  We have an existing OID instance, using the Apache 1.3-based OHS, and up till now, users have been accessing the OID/OIDDAS web-interface directly, e.g., by going to http:<hostname>:7777/oiddas, then signing in.
  We also have a (non-Oracle OHS) enterprise-wide Apache 2.x-based reverse-proxy, and they want to be able to reverse-proxy through this Apache 2.x to the OID web interface.
  We tried adding the <Location> sections to the Apache 2.x reverse proxy, e.g.:
  <Location /oiddas>
  ProxyPass http://<hostname>:7777/oiddas
  ProxyPassReverse http://<hostname>:7777/oiddas
  </Location>
  <Location /pls>
  ProxyPass http://<hostname>:7777/pls
  ProxyPassReverse http://<hostname>:7777/pls
  </Location>
  Then, when we go to http://<apache-2.0-reverse-proxy-hostname>/oiddas, we get the initial page with the "Login" link. But, when we click on the "Login" link, we are getting a "Forbidden" error (HTTP 403 error).
  Has anyone configured something like this before? What else do we need to configure in the Apache 2.x reverse-proxy?
  Thanks,
  Jim

  Hi,
  I just stood up a new test instance of 10gAS (only one I had the install files for), and I can access the oiddas via port 7777, i.e., http://<hostname>:7777/oiddas.
  I setup a reverse-proxy to it on a separate Apache 2.x instance, and it looks like at least part of the problem is that when I access via the proxy, the 10gAS sends back redirects (HTTP 302) responses with Location headers with the original <10gAS_hostname>:7777.
  In other words, I do the original access using http:<proxy_hostname>/oiddas, but then when I click the "Login" link, the 10gAS redirects my browser to http://<10gAS_hostname>:7777/pls/orasso (to go to the SSO server).
  This doesn't explain why were were seeing the 403 errors at work, but I think that, as suggested in that webpage that I linked earlier, there are re-directs that may not be totally visible going on, i.e., you can't "just" setup the Apache reverse-proxy with the <Location> directives.
  Thus far, I haven't been able to replicate the 403 error problem that we had...
  Jim

• Printing Issue from ITS with a Reverse Proxy Configured

  Hi experts,
  We have an enterprise portal landscape which  can be accessed from the internet. The URLs are mapped using apache server as a reverse proxy. Also, we have configured the reverse proxy settings for accessing R/3 systems.
  When the users try to take the print out from the ITS Web GUI accessed through the enterprise portal, the page redirects itself to an only internally resolvable host name of the R/3 ITS.
  Due to this issue, users are not able to take prints from internet.
  I would like to know if there is any way by which i can change this to my externally resolvable reverse proxy host address, which in turn can be mapped internally to the original host name at the reverse proxy level.
  Can any one help me out in this?
  Thanks a lot
  Shobin

  Hi Shobin,
  SAP note 1145306 might provide some help about directives to be used.
  Regards,
  Dieter

• SAP Webdispatcher - Reverse Proxy Configuration

  Hi All,
  Need your help in configuration SAP Webdispatcher as reverse proxy. Currently we are using Apache as reverse proxy, but we are facing 400 Bad Request error and not able to solve the issue.
  So We are planning to install Webdispatcher and configure reverse proxy and test.
  Below is the Apache Reverse proxy configuration. Need help in configuring the same parameters in SAP Webdispatcher
  ProxyPass /sap http://srmerver:8000/sap
  ProxyPass /SRM-MDM  http://mdmserver:50100/SRM-MDM
  ProxyPass /mdmimages http://portalserver:8090/mdmimages
  ProxyPass /irj http://portalserver:50100/irj
  ProxyPass /saml2 http://portalserver:50100/saml2
  ProxyPass / http://portalserver:50100/　
  ProxyPassReverse /sap http://srmserver:8000/sap
  ProxyPassReverse /SRM-MDM  http://mdmserver:50100/SRM-MDM
  ProxyPassReverse /mdmimages http://portalserver:8090/mdmimages
  ProxyPassReverse /irj  http://portalserver:50100/irj
  ProxyPassReverse /saml2 http://portalserver:50100/saml2
  ProxyPassReverse /  http://portalserver:50100/
  Regards
  Ponnusamy

  Hi
  Kindly refer the SCN link
  How to...Configure SAP Webdispatcher as a reverse proxy
  http://basisondemand.com/Documents/Whitepaper_on_SAP_Web_Dispatcher.pdf
  http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/a015cea3-9627-2e10-a792-8f39e3d0b59d?QuickLink=index&…
  Regards
  Sriram

• SAPUI5 app and Reverse proxy configuration

  Hi
  Im trying to configure proxyserver for Cross origin resource sharing issue.
  The below steps i have configured in my machine.
  1. I have developed an application which consumes data through odata.
  2. Download and configured Apache server and enabled proxy module as per this url
  http://scn.sap.com/community/developer-center/front-end/blog/2013/06/29/solving-same-origin-policy-issue-in-different-ways
  3. In httpd.config file added the below reverse proxy setup
  ProxyPass /poodata http://HOSTNAME:8000/sap/opu/odata/sap/Z_PORDER_SRV/
  ProxyPassReverse /poodata http://HOSTNAME:8000/sap/opu/odata/sap/Z_PORDER_SRV/
  4. Changed my service url as
  var serviceUrl = "proxy/http/localhost/poodata";
  5. Also i have added java-property-utils-1.9.jar and cors-filter-1.8.jar then
  in web.xml i have added Eventhough its seems not neccessary.
    <filter>
    <display-name>CacheControlFilter</display-name>
    <filter-name>CacheControlFilter</filter-name>
    <filter-class>com.sap.ui5.resource.CacheControlFilter</filter-class>
    </filter>
    <filter>
    <filter-name>CORS</filter-name>
    <filter-class>com.thetransactioncompany.cors.CORSFilter</filter-class>
    </filter>
  6. Finally when i am executing the application throgh http://localhost:9080/SamplePO/ Its working. But Instead of localhost when im using IP address it shows NO DATA and throws the "500 internal server error - only allowed for local testing"
  also the application is trying to fetch data from 'http://10.130.41.158:9080/SamplePO/proxy/http/localhost/poodata/$metadata' where the location should be 'http/localhost/poodata/$metadata'.
  I want to access this application in my iPAD through WIFI by passing IP address followed by application name (http://10.130.41.158:9080/SamplePO).
  Please help me to fix this issue.
  Regards
  Yokesvaran Kumarasamy

  Hi Michael Herzog /  DJ Adams / Frank Welz,
  It seems you have v.good knowledge on this, can you please help with this issue.
  Thanks in Advance
  Regards
  Yokesvaran Kumarasamy

• Reverse Proxy Configuration - HPVM (Guest)

  Hello Unix Champs,
  On 11iV3 - Vm Guest -  we want to configure this server as reverse proxy
  Please share step by step procedure/documents to do same.
  Thanks in advance
  Regards,
  Prashant Behal

  Assuming your webserver is apache, you have to make the apache proxy-aware. This can be done statically (while building apache from source with --with-proxy option) or dynamically with a LoadModule directive.
  Once the above is done, you will need to write these directives in the apache httpd.conf:
  ProxyEnable Off
  ProxyPass /localurl remote-url
  ProxyPassReverse....
  In the OAM config, protect /localurl.
  For other webservers, read the documentation of that webserver.
  Hope this helps.

• How to configure SharePoint HNSC with a reverse proxy server so that HNSC Share Point URLs are not exposed to end users.

  Could you please let me know how SharePoint HNSC can be configured with a reverse proxy server so that HNSC Share Point URLs are not exposed to end users.
  In normal path based site collections/web applications, reverse proxy configuration can be done using alternate access mappings with  Public URL = "proxy URL", internal = "HNSC Share Point URL" so that share point sends response back
  to Public URL = "proxy URL".
  In Host Named Site Collections,  alternate access mappings  are not supported. Each HNSC is designed to have only one URL in each zone. Zone is one of the five zones(Default,Intranet,Internet,Custom,Extranet) with each of which only one alternate
  URL is associated.  This is what we are able to get using power shell command "Set-SPSiteUrl", but this will not help us to get the response back to proxy URL after a request sent to share point because we could not find any mechanism in share
  point HNSC to respond  to a different URL(proxy URL). Consequently, Share Point URLs are exposed to  external users.
  Below share point article in MSDN blog is symmetrical to what we are observing with Share Point 2013 and Proxy Server. It mentions that internal HNSC URLs can’t be hidden using any proxy server. If  hiding the internal Share Point URLS is a requirement,
  it suggests to use a web application instead of host named site collections.
  Though I’m also observing the same behavior with Share Point 2013 HNSC, Could you please confirm my understanding is correct.
  http://blogs.msdn.com/b/kaevans/archive/2012/03/27/what-every-sharepoint-admin-needs-to-know-about-host-named-site-collections.aspx
  Excerpt from above article-
  "Host Named Site Collections Only Use One Host Name
  Continuing on the discussion on AAMs and host named site collections, you cannot use multiple host names to address a site collection in SharePoint 2010. Because host-named site collections have a single URL, they do not support alternate access mappings and
  are always considered to be in the Default zone.  This is important if you are using a reverse proxy to provide access to external users. Products like Unified Access Gateway 2010 allow external users to authenticate to your gateway and access a site
  as http://uag.sharepoint.com and forward the call to http://portal.sharepoint.com. Remember that URL rewriting is not permitted. Further, a site collection can only respond to one host name. This means if you are using a reverse proxy, it must forward the
  calls to the same URL.  If your networking team has a policy against exposing internal URLs externally, you must instead use web applications and extend the web application using an alternate access mapping."<u5:p></u5:p>

  Hi Satish,
  You are right that only one URL is allowed for each zone of the host-name site collections in both SharePoint 2010 and SharePoint 2013.
  It is by design that each host-name site collection only support one URL for each zone.
  The article below is about RTM version of SharePoint, and it is the same for SharePoint 2013 with the latest CU.
  https://support.microsoft.com/en-us/kb/2826457
  So to make the URL of HNSC not exposed to external users is not supported, you need to use path-based sites instead.
  Best regards.
  Thanks
  TechNet Community Support
  Please remember to mark the replies as answers if they help, and unmark the answers if they provide no help. If you have feedback for TechNet Support, contact
  [email protected]

• Something wrong with my SSL reverse proxy config.  HELP!

  Using Sun ONE Web Proxy Server 3.6-SP6
  1. Got Wildcard SSL Certificate from Verisign
  2. Ran sec-key
  made alias
  used password from Verisign
  3. Installed certificate
  Used "Trusted Certificate Authority (CA)"
  Pasted Cert in "Message Text (with headers)"
  4. Verified Certificate install in "Manage Certificates."
  5. Created regular and reverse mappings.
  When I try to turn on encryption, it says:
  Unable to read key file (9)
  What did I do wrong? I appreciate help from anyone.
  -ba

  What is the OS ?
  If it's Solaris, a truss will give you more details on the error.
  Verify the rights on your folder alias and all its contents.
  Can we have a more detailled error log file when you try to start the Proxy instance.
  Another remark :
  In the Admin Guide the scenario is called "Setting up a secure reverse proxy ".
  The problem is, that if the Webserver request for Client-Authentication
  within the SSL-Handshake the Proxy-Server has to present a cert signed as Client-Cert.
  Solution:
  - Proxy Server owner has own CA.
  Create CSR within Proxy Server and let the CSR be signed as Client Cert.
  - Proxy Server owner has not own CA.
  Choose a CA which allows to get client certs using CSR (e.g. tctrustcenter)
  Create CSR withing Proxy Server, at the common name use your name/Email=your.name@yourdomain
  Get the client cert at the CA using this CSR
  Import the cert into the Proxy Server.
  Create regular and reverse mappings
  e.g regular: http://test.content.org https://test.content.org
  reverse: https://test.content.org http://test.content.org
  Choose "initialize certificates only" at security settings for proxy instance.