Reverse proxy retrieve failed
Hi,
We are using Iplanet 4.1 as a basic web server and Netscape 3.5 proxy server to reverse proxy content from a CERN web server. Both Platforms are SPARC running Solaris 2.7. The reverse proxy works well except when reverse proxying dynamic content i.e. the CERN server provides graphs on demand and therefore can take up to 60 seconds to create, however the reverse proxy server seems to timeout after about 12 seconds.
Error in proxy logs:
retrieve-exit-routine reports:proxy retrieve failed:Document contains no data
Any ideas or experiences ? Cheers
Hi All,
Just found the answer to this - my Apache configuration was missing a very simple command (everything is simple once you find the answer )
On my reverse proxy configuration I forgot the following:
ProxyPreserveHost On
Hope that helps somebody out,
Brenton.
Similar Messages
-
Lync mobility and HTTP authentication test failed. Is reverse proxy required?
I currently have the following setup.
1 x 2013 edge server lync1.local.com
has 3 dmz ips for external names
has 1 internal ip
2 x 2013 std front end servers lync2 & lync3.local.com
I've read that in 2013 the mobility service is installed automatically on the front end servers and I do see it running on both.
All my clients can connect from the windows and mac clients(internally and externally) but not from phone or windows app store client (internally or externally)
running the exchangeconnectivity test on the website i get the following error
Testing HTTP authentication methods for URL https://lyncdiscover.external.com/Autodiscover/AutodiscoverService.svc/root/user.
HTTP authentication test failed.
Additional Details
A Web exception occurred because an HTTP 404 - NotFound response was received from Unknown.
HTTP Response Headers:
X-MS-Server-Fqdn: lync1.local.com
Connection: close
Content-Length: 64
Content-Type: text/plain
Server: RTC/5.0
Elapsed Time: 427 ms.
After some reading I notice that many people refer to a reverse proxy when dealing with mobility.
I do not have a reverse proxy server installed. Is this required for the mobility to work correctly? I can't just use the edge server?
Thanks in advance for any help.
Take a look at Georg Thomas' blog: http://www.lynced.com.au/2014/04/configure-citrix-netscaler-vpx-as.html also the Citrix official documentation: http://www.citrix.com/global-partners/microsoft/netscaler.html
Please mark posts as answers/helpful if it answers your question.
Blog
Lync Validator - Used to assist in the validation and documentation of Lync Server 2013. -
ACE 4710 - 'reverse proxy' infront of serverfarm - fail-over/sorry server design issue
Hi All,
I'm working on a specific config and have an issue in the backup farm/fail-over/sorry server area.
The customer wants the following:
They have an existing serverfarm with X web servers, they want a single server to act as a reverse-proxy in front of the farm.
So that all traffic goes through that server, that server then forwards the request to the original serverfarm.
The problem in my design is in the fail-over, if i configure the reverse-proxy server in a new serverfarm and use the original (web servers) farm as backup it has fail-over, but if the reverse-proxy AND the original serverfarm fail, there is no nice way to get the users on a sorry server.
I could give the original serverfarms rservers a 'backup standby' server but that won't give the desired effect either.
For maintenance they first take 50% of the servers offline and switch to the other 50% after that, so then users would see a sorry page even if there were operational servers in the farm left.
The 4710's are running routed mode, and the farms use Sticky Cookie, and also some http URL & Cookie matching is done.
Anyone have an idea how to build this?
Hi,
It needs additional testing but as per my understanding if you put the back up in this order then the last backup server will be chosen first.
In your case it will be like "RSERVER1 >> backup sorry server >> backup web content".
As per the below example:
I put test 2 as first backup server and test1 as second backup server but if you look at the first part it took rserver test1 as first backup.
serverfarm host 1313-GIN-GWAP-SDC-80
  rserver RSERVER1
    backup-rserver test1
    inservice
  rserver test1
    inservice standby
  rserver test2
    inservice standby
regards,
Ajay Kumar -
Apache as reverse proxy - 400 Bad request
Hi all,
I configured Apache as reverse proxy according to this blog:
The Reverse Proxy Series -- Part 3: Apache as a reverse-proxy
When I try to navigate http://testcomp/irj I get "400 - Bad request"
See exception;
Message : User Guest, IP address
Cannot parse the http request. Http error response [400 Bad Request] will be returned. Request is [Host: sapportal:50000
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, /
Accept-Language: en,he;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; FDM; .NET CLR 2.0.50727)
Max-Forwards: 10
Via: 1.1 localhost
X-Forwarded-For: 10.0.0.4
X-Forwarded-Host: 10.0.0.6
X-Forwarded-Server: localhost
Connection: Keep-Alive
GET /irj HTTP/1.1
Host: sapportal:50000
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, /
Accept-Language: en,he;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; FDM; .NET CLR 2.0.50727)
Max-Forwards: 10
Via: 1.1 localhost
X-Forwarded-For: 10.0.0.4
X-Forwarded-Host: 10.0.0.6
X-Forwarded-Server: localhost
Connection: Keep-Alive
com.sap.engine.services.httpserver.exceptions.HttpIllegalArgumentException: Incompatible field content in the MIME header.
    at com.sap.engine.services.httpserver.lib.headers.MimeHeaderField.parse(MimeHeaderField.java:364)
    at com.sap.engine.services.httpserver.lib.headers.MimeHeaders.init(MimeHeaders.java:504)
    at com.sap.engine.services.httpserver.server.RequestAnalizer.initialize(RequestAnalizer.java:196)
    at com.sap.engine.services.httpserver.server.Client.initialize(Client.java:84)
    at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:143)
    at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
    at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
    at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
    at java.security.AccessController.doPrivileged(Native Method)
    at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
    at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
Severity : Error
Category :
Location : com.sap.engine.services.httpserver
Application :
Thread : SAPEngine_Application_Thread[impl:3]_32
Datasource : 9332850:C:usrsapPD9JC00j2eeclusterserver0logdefaultTrace.trc
Message ID : 000C29EFE9A300570000002D00000B9000043A81D3311894
Source Name : com.sap.engine.services.httpserver
Argument Objs :
Arguments :
Dsr Component :
Dsr Transaction : 5359e85066e411dcbf6b000c29efe9a3
Dsr User :
Indent : 0
Level : 0
Message Code :
Message Type : 0
Relatives :
Resource Bundlename :
Session : 2
Source : com.sap.engine.services.httpserver
ThreadObject : SAPEngine_Application_Thread[impl:3]_32
Transaction :
User : Guest
The lines I added to http.conf
#Enable reverse-proxying
ProxyVia on
ProxyTimeout 600
#disable forward-proxying
ProxyRequests Off
#proxy /irj both ways
ProxyPass /irj http://sapportal:50000/irj
ProxyPassReverse /irj http://testcomp/irj
#proxy /logon both ways
ProxyPass /logon http://sapportal:50000/logon
ProxyPassReverse /logon http://testcomp/logon
I tried with apache version 2.2.3 & 2.0.59 with no success.
My J2EE/Portal version is 6.17.
Since this is a testing environment the two computers are under the same workgroup (no domain).
If I navigate directly to the portal (without the reverse proxy) everything is working.
How can I solve it?
Regards,
Omri
Hi Jakub,
Thanks for the answer.
It's not working for me...
I'm attaching my httpd.conf file.
Also, what apache version do you use?
Can you send me or post your httpd.conf file?
Thanks,
Omri
httpd.conf
# This is the main Apache HTTP server configuration file. It contains the
# configuration directives that give the server its instructions.
# See <URL:http://httpd.apache.org/docs/2.2/> for detailed information.
# In particular, see
# <URL:http://httpd.apache.org/docs/2.2/mod/directives.html>
# for a discussion of each configuration directive.
# Do NOT simply read the instructions in here without understanding
# what they do. They're here only as hints or reminders. If you are unsure
# consult the online docs. You have been warned.
# Configuration and logfile names: If the filenames you specify for many
# of the server's control files begin with "/" (or "drive:/" for Win32), the
# server will use that explicit path. If the filenames do not begin
# with "/", the value of ServerRoot is prepended -- so "logs/foo.log"
# with ServerRoot set to "c:/apache" will be interpreted by the
# server as "c:/apache/logs/foo.log".
# NOTE: Where filenames are specified, you must use forward slashes
# instead of backslashes (e.g., "c:/apache" instead of "c:\apache").
# If a drive letter is omitted, the drive on which Apache.exe is located
# will be used by default. It is recommended that you always supply
# an explicit drive letter in absolute paths, however, to avoid
# confusion.
# ThreadsPerChild: constant number of worker threads in the server process
# MaxRequestsPerChild: maximum number of requests a server process serves
ThreadsPerChild 250
MaxRequestsPerChild 0
# ServerRoot: The top of the directory tree under which the server's
# configuration, error, and log files are kept.
# Do not add a slash at the end of the directory path. If you point
# ServerRoot at a non-local disk, be sure to point the LockFile directive
# at a local disk. If you wish to share the same ServerRoot for multiple
# httpd daemons, you will need to change at least LockFile and PidFile.
ServerRoot "c:/apache"
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, instead of the default. See also the <VirtualHost>
# directive.
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#Listen 12.34.56.78:80
Listen 80
# Dynamic Shared Object (DSO) Support
# To be able to use the functionality of a module which was built as a DSO you
# have to place corresponding `LoadModule' lines at this location so the
# directives contained in it are actually available before they are used.
# Statically compiled modules (those listed by `httpd -l') do not need
# to be loaded here.
# Example:
# LoadModule foo_module modules/mod_foo.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_basic_module modules/mod_auth_basic.so
#LoadModule auth_digest_module modules/mod_auth_digest.so
#LoadModule authn_anon_module modules/mod_authn_anon.so
#LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authn_file_module modules/mod_authn_file.so
#LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule cern_meta_module modules/mod_cern_meta.so
LoadModule cgi_module modules/mod_cgi.so
#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule deflate_module modules/mod_deflate.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
#LoadModule expires_module modules/mod_expires.so
#LoadModule file_cache_module modules/mod_file_cache.so
#LoadModule headers_module modules/mod_headers.so
LoadModule imagemap_module modules/mod_imagemap.so
LoadModule include_module modules/mod_include.so
#LoadModule info_module modules/mod_info.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
#LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule negotiation_module modules/mod_negotiation.so
#LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
#LoadModule speling_module modules/mod_speling.so
#LoadModule status_module modules/mod_status.so
#LoadModule unique_id_module modules/mod_unique_id.so
LoadModule userdir_module modules/mod_userdir.so
#LoadModule usertrack_module modules/mod_usertrack.so
#LoadModule vhost_alias_module modules/mod_vhost_alias.so
#LoadModule ssl_module modules/mod_ssl.so
# 'Main' server configuration
# The directives in this section set up the values used by the 'main'
# server, which responds to any requests that aren't handled by a
# <VirtualHost> definition. These values also provide defaults for
# any <VirtualHost> containers you may define later in the file.
# All of these directives may appear inside <VirtualHost> containers,
# in which case these default settings will be overridden for the
# virtual host being defined.
# ServerAdmin: Your address, where problems with the server should be
# e-mailed. This address appears on some server-generated pages, such
# as error documents. e.g. [email protected]
ServerAdmin @@ServerAdmin@@
# ServerName gives the name and port that the server uses to identify itself.
# This can often be determined automatically, but we recommend you specify
# it explicitly to prevent problems during startup.
# If your host doesn't have a registered DNS name, enter its IP address here.
ServerName localhost:80
# DocumentRoot: The directory out of which you will serve your
# documents. By default, all requests are taken from this directory, but
# symbolic links and aliases may be used to point to other locations.
DocumentRoot "c:/apache/htdocs"
# Each directory to which Apache has access can be configured with respect
# to which services and features are allowed and/or disabled in that
# directory (and its subdirectories).
# First, we configure the "default" to be a very restrictive set of
# features.
<Directory />
    Options FollowSymLinks
    AllowOverride None
    Order deny,allow
    Deny from all
    Satisfy all
</Directory>
# Note that from this point forward you must specifically allow
# particular features to be enabled - so if something's not working as
# you might expect, make sure that you have specifically enabled it
# below.
# This should be changed to whatever you set DocumentRoot to.
<Directory "c:/apache/htdocs">
    # Possible values for the Options directive are "None", "All",
    # or any combination of:
    #   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
    # Note that "MultiViews" must be named explicitly --- "Options All"
    # doesn't give it to you.
    # The Options directive is both complicated and important. Please see
    # http://httpd.apache.org/docs/2.2/mod/core.html#options
    # for more information.
    Options Indexes FollowSymLinks
    # AllowOverride controls what directives may be placed in .htaccess files.
    # It can be "All", "None", or any combination of the keywords:
    #   Options FileInfo AuthConfig Limit
    AllowOverride None
    # Controls who can get stuff from this server.
    Order allow,deny
    Allow from all
</Directory>
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
<IfModule dir_module>
    DirectoryIndex index.html
</IfModule>
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
<FilesMatch "^\.ht">
    Order allow,deny
    Deny from all
</FilesMatch>
# ErrorLog: The location of the error log file.
# If you do not specify an ErrorLog directive within a <VirtualHost>
# container, error messages relating to that virtual host will be
# logged here. If you do define an error logfile for a <VirtualHost>
# container, that host's errors will be logged there and not here.
ErrorLog logs/error.log
# LogLevel: Control the number of messages logged to the error_log.
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
<IfModule log_config_module>
    # The following directives define some format nicknames for use with
    # a CustomLog directive (see below).
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
    LogFormat "%h %l %u %t \"%r\" %>s %b" common
    <IfModule logio_module>
        # You need to enable mod_logio.c to use %I and %O
        LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio
    </IfModule>
    # The location and format of the access logfile (Common Logfile Format).
    # If you do not define any access logfiles within a <VirtualHost>
    # container, they will be logged here. Contrariwise, if you do
    # define per-<VirtualHost> access logfiles, transactions will be
    # logged therein and not in this file.
    CustomLog logs/access.log common
    # If you prefer a logfile with access, agent, and referer information
    # (Combined Logfile Format) you can use the following directive.
    #CustomLog logs/access.log combined
</IfModule>
<IfModule alias_module>
    # Redirect: Allows you to tell clients about documents that used to
    # exist in your server's namespace, but do not anymore. The client
    # will make a new request for the document at its new location.
    # Example:
    # Redirect permanent /foo http://www.example.com/bar
    # Alias: Maps web paths into filesystem paths and is used to
    # access content that does not live under the DocumentRoot.
    # Example:
    # Alias /webpath /full/filesystem/path
    # If you include a trailing / on /webpath then the server will
    # require it to be present in the URL. You will also likely
    # need to provide a <Directory> section to allow access to
    # the filesystem path.
    # ScriptAlias: This controls which directories contain server scripts.
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the target directory are treated as applications and
    # run by the server when requested rather than as documents sent to the
    # client. The same rules about trailing "/" apply to ScriptAlias
    # directives as to Alias.
    ScriptAlias /cgi-bin/ "c:/apache/cgi-bin/"
</IfModule>
# "c:/apache/cgi-bin" should be changed to whatever your ScriptAliased
# CGI directory exists, if you have that configured.
<Directory "c:/apache/cgi-bin">
    AllowOverride None
    Options None
    Order allow,deny
    Allow from all
</Directory>
# Apache parses all CGI scripts for the shebang line by default.
# This comment line, the first line of the script, consists of the symbols
# pound (#) and exclamation followed by the path of the program that
# can execute this specific script. For a perl script, with perl.exe in
# the C:\Program Files\Perl directory, the shebang line should be:
#   #!c:/program files/perl/perl
# Note you _must_not_ indent the actual shebang line, and it must be the
# first line of the file. Of course, CGI processing must be enabled by
# the appropriate ScriptAlias or Options ExecCGI directives for the files
# or directory in question.
# However, Apache on Windows allows either the Unix behavior above, or can
# use the Registry to match files by extension. The command to execute
# a file of this type is retrieved from the registry by the same method as
# the Windows Explorer would use to handle double-clicking on a file.
# These script actions can be configured from the Windows Explorer View menu,
# 'Folder Options', and reviewing the 'File Types' tab. Clicking the Edit
# button allows you to modify the Actions, of which Apache 1.3 attempts to
# perform the 'Open' Action, and failing that it will try the shebang line.
# This behavior is subject to change in Apache release 2.0.
# Each mechanism has its own specific security weaknesses, from the means
# to run a program you didn't intend the website owner to invoke, and the
# best method is a matter of great debate.
# To enable this Windows specific behavior (and therefore -disable- the
# equivalent Unix behavior), uncomment the following directive:
#ScriptInterpreterSource registry
# The directive above can be placed in individual <Directory> blocks or the
# .htaccess file, with either the 'registry' (Windows behavior) or 'script'
# (Unix behavior) option, and will override this server default option.
# DefaultType: the default MIME type the server will use for a document
# if it cannot otherwise determine one, such as from filename extensions.
# If your server contains mostly text or HTML documents, "text/plain" is
# a good value. If most of your content is binary, such as applications
# or images, you may want to use "application/octet-stream" instead to
# keep browsers from trying to display binary files as though they are
# text.
DefaultType text/plain
<IfModule mime_module>
    # TypesConfig points to the file containing the list of mappings from
    # filename extension to MIME-type.
    TypesConfig conf/mime.types
    # AddType allows you to add to or override the MIME configuration
    # file specified in TypesConfig for specific file types.
    #AddType application/x-gzip .tgz
    # AddEncoding allows you to have certain browsers uncompress
    # information on the fly. Note: Not all browsers support this.
    #AddEncoding x-compress .Z
    #AddEncoding x-gzip .gz .tgz
    # If the AddEncoding directives above are commented-out, then you
    # probably should define those extensions to indicate media types:
    AddType application/x-compress .Z
    AddType application/x-gzip .gz .tgz
    # AddHandler allows you to map certain file extensions to "handlers":
    # actions unrelated to filetype. These can be either built into the server
    # or added with the Action directive (see below)
    # To use CGI scripts outside of ScriptAliased directories:
    # (You will also need to add "ExecCGI" to the "Options" directive.)
    #AddHandler cgi-script .cgi
    # For type maps (negotiated resources):
    #AddHandler type-map var
    # Filters allow you to process content before it is sent to the client.
    # To parse .shtml files for server-side includes (SSI):
    # (You will also need to add "Includes" to the "Options" directive.)
    #AddType text/html .shtml
    #AddOutputFilter INCLUDES .shtml
</IfModule>
# The mod_mime_magic module allows the server to use various hints from the
# contents of the file itself to determine its type. The MIMEMagicFile
# directive tells the module where the hint definitions are located.
#MIMEMagicFile conf/magic
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
# Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
# EnableMMAP and EnableSendfile: On systems that support it,
# memory-mapping or the sendfile syscall is used to deliver
# files. This usually improves server performance, but must
# be turned off when serving from networked-mounted
# filesystems or if support for these functions is otherwise
# broken on your system.
#EnableMMAP off
#EnableSendfile off
# Supplemental configuration
# The configuration files in the conf/extra/ directory can be
# included to add extra features or to modify the default configuration of
# the server, or you may simply copy their contents here and change as
# necessary.
# Server-pool management (MPM specific)
#Include conf/extra/httpd-mpm.conf
# Multi-language error messages
#Include conf/extra/httpd-multilang-errordoc.conf
# Fancy directory listings
#Include conf/extra/httpd-autoindex.conf
# Language settings
#Include conf/extra/httpd-languages.conf
# User home directories
#Include conf/extra/httpd-userdir.conf
# Real-time info on requests and configuration
#Include conf/extra/httpd-info.conf
# Virtual hosts
#Include conf/extra/httpd-vhosts.conf
# Local access to the Apache HTTP Server Manual
#Include conf/extra/httpd-manual.conf
# Distributed authoring and versioning (WebDAV)
#Include conf/extra/httpd-dav.conf
# Various default settings
#Include conf/extra/httpd-default.conf
# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf
# Note: The following must be present to support
# starting without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
ProxyPreserveHost On
ProxyVia on
ProxyTimeout 600
#disable forward-proxying
ProxyRequests Off
#proxy /irj both ways
ProxyPass /irj http://sapportal:50000/irj
ProxyPassReverse /irj http://sapportal:50000/irj
#ProxyPassReverse /irj http://testcomp/irj
#proxy /logon both ways
ProxyPass /logon http://sapportal:50000/logon
ProxyPassReverse /logon http://sapportal:50000/logon
#ProxyPassReverse /logon http://testcomp/logon
-
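An added example (not code from the thread or from Apache httpd) for the Apache/SAP portal thread above: a simplified model of how `ProxyPassReverse` treats a backend `Location` header, run against the rule set from the first post and the one from the attached httpd.conf. The sample redirects are constructed, the function names are hypothetical, and the case-insensitive prefix matching is an assumption of this model.

```python
"""Simplified model of ProxyPassReverse rewriting a backend redirect.

Added illustration only: it mimics the documented effect of the directive
(swap a matching backend URL prefix for the proxy's own address) and is not
taken from the Apache source or from the thread.
"""
from urllib.parse import urlsplit

# Public address of the proxy, as used in the thread (http://testcomp/irj).
PUBLIC_ORIGIN = "http://testcomp"

# (local path, URL prefix) pairs, i.e. "ProxyPassReverse <path> <url>".
FIRST_POST = [
    ("/irj", "http://testcomp/irj"),
    ("/logon", "http://testcomp/logon"),
]
ATTACHED_CONF = [
    ("/irj", "http://sapportal:50000/irj"),
    ("/logon", "http://sapportal:50000/logon"),
]

# Constructed sample values for a Location header sent by the backend.
SAMPLE_REDIRECTS = [
    "http://sapportal:50000/irj/portal",
    "http://SAPPORTAL:50000/logon/logonServlet?redirectURL=%2Firj",
    "http://sapportal:50000/other/page",   # path with no matching rule
    "/irj/portal",                          # relative redirect
]


def reverse_map(location, rules, public_origin=PUBLIC_ORIGIN):
    """Return the Location value the client would receive.

    The first rule whose URL is a prefix of the header wins (compared
    case-insensitively in this model); that prefix is replaced by the proxy's
    origin plus the local path. A header matching no rule passes through
    unchanged.
    """
    lowered = location.lower()
    for local_path, backend_url in rules:
        if lowered.startswith(backend_url.lower()):
            return public_origin + local_path + location[len(backend_url):]
    return location


def leaks_backend(location, public_origin=PUBLIC_ORIGIN):
    """True if an absolute redirect points at a host other than the proxy."""
    target = urlsplit(location)
    if not target.netloc:
        return False  # relative redirects stay on the proxy
    public = urlsplit(public_origin)
    return (target.scheme, target.netloc.lower()) != (
        public.scheme,
        public.netloc.lower(),
    )


def audit(redirects, rules):
    """Map each backend redirect to (client-visible value, leaks backend?)."""
    report = {}
    for location in redirects:
        seen = reverse_map(location, rules)
        report[location] = (seen, leaks_backend(seen))
    return report


if __name__ == "__main__":
    for name, rules in (("first post", FIRST_POST), ("attached conf", ATTACHED_CONF)):
        print(name)
        for original, (seen, leak) in audit(SAMPLE_REDIRECTS, rules).items():
            print(f"  {original} -> {seen}  leak={leak}")
```

Redirects that still carry the backend address after rewriting send the browser to a host it may not be able to reach and disclose the internal name and port, so they are worth checking for whenever only some backend paths are proxied.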
SJSWS 7.0 Reverse Proxy Issue
Hi,
I am new here as well as to SJSWS.
We are migrating an Apache reverse proxy to SJSWS 7.0 due to some organisational decisions.
My current RP configuration in Apache on computer1 is as follows and this works great:
<IfModule mod_proxy.c>
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyRequests Off
    <Location /abc>
        Order deny,allow
        Allow from all
        ProxyPass http://computer2/portal
        ProxyPassReverse http://computer2/portal
        ProxyPassReverseCookiePath /abc /portal
    </Location>
</IfModule>
I am trying to configure the same on SJSWS as follows in <vs>-obj.conf :
<Object name="default">
NameTrans fn="map" from="/abc" name="reverse-proxy-/abc" to="http:/portal"
<Object ppath="http:">
Service fn="proxy-retrieve" method="*"
</Object>
<Object name="reverse-proxy-/abc">
Route fn="set-origin-server" server=http://computer2
</Object>
This above config is not working and from the server logs on computer1 I can see that the subsequent GET requests are failing with example outputs as below:
[02/Jun/2010:12:09:05] warning (28415): for host xx.xx.xx.xx trying to GET /*xyz*/images/yyy.gif;jsessionid=A2E
D385AC9971ED4C4B8D8852F8AE392, send-file reports: HTTP4142: can't find /opt/app/sun/webserver7/https-computer1/docs/*xyz*/images/yyy.gif (File not found)
Seems like the origin server is redirecting to different directories within itself which my reverse proxy config in SJSWS is not able to handle.
Any inputs on what would be the equivalent configuration on SJSWS 7.0 for the config which is working flawlessly on Apache?
Hi,
The following seems to be working for me (configured on computer1):
NameTrans fn="map" from="/abc" name="reverse-proxy-/abc" to="http:/portal"
<Object ppath="http:*">
Service fn="proxy-retrieve" method="*"
</Object>
<Object name="reverse-proxy-/abc">
Route fn="set-origin-server" server="http://computer2"
</Object>
It seems that you have <Object ppath="http:"> instead of <Object ppath="http:*">. Other than that, I can't see anything wrong with your setup.
If the above setup does not work:
Where did you get xyz from in GET /*xyz*/images/yyy.gif;jsessionid=A2E? Could you provide the access logs on both computer1 and computer2? -
How do I use Sun Web Server 7.0u1 reverse proxy to change public URLs?
Some of our installations use the Sun Web Server 7.0 (update 1, usually)
for hosting some of the public resource and reverse-proxying other parts
of the URI namespace from other backend servers (content, application
and other types of servers).
So far every type of backend server served a unique part of the namespace
and there was no collision of names, and the backend resources were
published in a one-to-one manner. That is, a backend resource like, say,
http://appserver:8080/content/page.html would be published in the internet
as http://www.publicsite.com/content/page.html
I was recently asked to research whether we can rename some parts of
the public URI namespace, to publish some or all resources as, say,
http://www.publicsite.com/data/page.html while using the same backend
resources.
Another quest, possibly related in solution, was to make a tidy url for the
first page the user opens of the site. That is, in the current solution when
a visitor types the url "www.publicsite.com" in his or her browser, our web
server returns an HTTP-302 redirect to the actual first page URL, so the
browser sends a second request (and changes the URL in its location bar).
One customer said that it is not "tidy". They don't want the URL to change
right upon first rendering the page. They want the root page to be rendered
instantly in the first HTTP request.
So far I found that I can't solve these problems. I believe these problems
share a solution because it relies on ability to control the actual URI strings
requested by Sun Web Server from backend servers.
Some details follow, now:
It seems that the reverse proxy (Service fn="service-passthrough") takes
only the $uri value which was originally requested by the browser. I didn't
yet manage to override this value while processing a request, not even if
I "restart" a request. Turning the error log up to "finest" I see that even
when making the "service-passthrough" operation, the Sun Web Server
still remembers that the request was for "/test" (in my test case below);
it does indeed ask the backend server for an URI "/test" and that fails.
[04/Mar/2009:21:45:34] finest (25095) www.publicsite.com: for host xx.xx.xx.83
trying to GET /content/MainPage.html while trying to GET /test, func_exec reports:
fn="service-passthrough" rewrite-host="true" rewrite-location="true"
servers="http://10.16.2.127:8080" Directive="Service" DaemonPool="2b1348"
returned 0 (REQ_PROCEED)
My obj.conf file currently has simple clauses like this:
# this causes /content/* to be taken from another (backend) server
NameTrans fn="assign-name" from="/content" name="content-test" nostat="/content"
# this causes requests to site root to be HTTP-redirected to a certain page URI
<If $uri =~ '^/$'>
NameTrans fn="redirect"
url="http://www.publicsite.com/content/MainPage.html"
</If>
<Object name="content-test">
### This maps http://public/content/* to http://10.16.2.127:8080/content/*
### Somehow the desired solution should instead map http://public/data/* to http://10.16.2.127:8080/content/*
Service fn="service-passthrough" rewrite-host="true" rewrite-location="true" servers="http://10.16.2.127:8080"
Service fn="set-variable" set-srvhdrs="host=www.publicsite.com:80"
</Object>
I have also tried "restart"ing the request like this:
NameTrans fn="restart" uri="/data"
or desperately trying to set the new request uri like this:
Service fn="set-variable" uri="/magnoliaPublic/Main.html"
Thanks for any ideas (including a statement whether this can be done at all
in some version of Sun Web Server 7.0 or its opensourced siblings) ;)
//Jim
> Some of our installations use the Sun Web Server 7.0 (update 1, usually)
please plan on installing the latest service pack - 7.0 Update 4. these updates address potentially critical bug fixes.
> I was recently asked to research whether we can rename some parts of
> the public URI namespace, to publish some or all resources as, say,
> http://www.publicsite.com/data/page.html while using the same backend
> resources.
now, if all the resources are under say /data, then how will you know which pages need to be sent to which back end resources. i guess, you probably meant to check for /data/page.html should go to <back-end>/content/page.html
yes, you could do something like
- edit your corresponding obj.conf (<hostname>-obj.conf or obj.conf depending on your configuration)
<Object name=¨default¨>
<If $uri = ¨/page/¨>
#move this nametrans SAF (for map directive - which is for reverse proxy within <if> clause)
NameTrans.. fn=map
</If
</Object>
and you could do https-<hostname>/bin/reconfig (dynamic reconfiguration) to check out if this is what you wanted. also, you might want to move config/server.xml <log-level> to finest and do your configuration . this way, you would get enough information on what is going on within your server logs.
finally,when you are satisfied, you might have to run the following command to make your manual change into admin config repository.
<install-root>/bin/wadm pull-config --user=admin --config=<hostname> <hostname>
<install-root>/bin/wadm deploy-config --user=admin <hostname>
you might want to check out this for more info on how you could use <if> else condition to handle your requirement.
http://docs.sun.com/app/docs/doc/820-6599/gdaer?a=view
finally, you might want to refer to this doc - which explains on ws7 request processing overview. this should provide you with some pointers as to what these different directives mean
http://docs.sun.com/app/docs/doc/820-6599/gbysz?a=view
>
One customer said that it is not "tidy". They don't want the URL to change
right upon first rendering the page. They want the root page to be rendered
instantly in the first HTTP request.
please check out the rewrite / restart SAF. this should help you.
http://docs.sun.com/app/docs/doc/820-6599/gdada?a=view
pl. understand that - like with more web servers - ordering of directives is very important within obj.conf. so, you might want to make sure that you verify the obj.conf directive ordering is what you want it to do..
It seems that the reverse proxy (Service fn="service-passthrough") takes
only the $uri value which was originally requested by the browser. I didn't
yet manage to override this value while processing a request, not even if
I "restart" a request. Turning the error log up to "finest" I see that even
when making the "service-passthrough" operation, the Sun Web Server
still remembers that the request was for "/test" (in my test case below);
it does indeed ask the backend server for an URI "/test" and that fails.
now, you are in the totally wrong direction. web server 7 includes a highly integrated reverse proxy solution compared to 6.1. unlike 6.1, you don't have to download a separate plugin. however, you will need to manually migrate your 6.1 based reverse proxy settings into 7.0. please check out this blog link on how to set up a reverse proxy
http://blogs.sun.com/amit/entry/setting_up_a_reverse_proxy
feel free to post to us if you need any further help
you are probably better off - starting fresh
- install ws7u4
- use gui or CLI to create a reverse proxy and map one on one - say content
http://docs.sun.com/app/docs/doc/820-6601/create-reverse-proxy-1?a=view
if you don't plan on using ws7 integrated web container (ability to process jsp/servlet), then you could disable java support as well. this should reduce your server memory footprint
<install-root>/bin/wadm disable-java --user=admin --config=<hostname>
<install-root>/bin/wadm create-reverse-proxy --user=admin --uri-prefix=/content --server=<http://your back end server/> --config=<hostname> --vs=<hostname>
<install-root>/bin/wadm deploy-config --user=admin <hostname>
now, you can check out the regular express processing and <if> syntax from our docs and try it out within <https-<hostname>/config/<hostname>-obj.conf> file and restart the server. pl. note that once you disable java, ws7 admin server creates <vs>-obj.conf and you need to edit this file and not default obj.conf for your changes to be read by server.
>
I have also tried "restart"ing the request like this:
NameTrans fn="restart" uri="/data"
ordering is very important here... you need to do this some thing like
<Object name=default>
<If not $restarted>
NameTrans fn=restart uri from=/¨ uri=/foo.
</If>
-
IIS Reverse Proxy with URL rewrite.
Hi all, hoping to leverage the wealth of knowledge contained here.
Any assistance would be very welcome.
I'm having an issue getting a reverse proxy and URL rewrite working in IIS 7.0.
I need to redirect all requests with a specific virtual directory suffix only.
ie; https://domain.test.com/outbound/Content/query_etc
With /Outbound/ being the trigger.
This should be redirected to http://10.10.10.10/inbound/Content/query_etc
While at the same time, requests without the /outbound/ suffix should be handled locally.
I have configured the reverse proxy as described in a few articles, and have had no luck.
Here's a snippet from my (sanitized) web.config at the site level.
<rewrite>
<outboundRules>
<rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
<match filterByTags="A" pattern="^http(s)?://10.10.10.10/inbound/(.*)" />
<action type="Rewrite" value="https://domain.test.com/outbound/{R:2}" />
</rule>
<preConditions>
<preCondition name="ResponseIsHtml1">
<add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
</preCondition>
</preConditions>
</outboundRules>
<rules>
<rule name="ReverseProxyInboundRule1" stopProcessing="true">
<match url="^outbound/(.*)" />
<action type="Rewrite" url="http://10.10.10.10/inbound/{R:1}" appendQueryString="true" logRewrittenUrl="false" />
</rule>
</rules>
</rewrite>
To me, this looks correct, yet it doesn't work.
With this, I get the normal 404 - Error Code 0x80070002, with the text indicating the local directory doesn't exist, so.... not being picked up by the filter for redirection.
Hi Andrew,
Looking at your requirements it appears you need Reverse Proxy To Another Site/Server.
By using URL Rewrite Module together with
Application Request Routing module you can have IIS 7 act as a
reverse proxy.
It seems like URL Rewrite can't re-route the request somewhere else out of the server.
Even when you rewrite the url the actual connection remains with the server. Hence if your original server doesn't have /inbound/Content/query_etc it will fail with 404.
Hosting multiple domain names under a single account using URL Rewrite.
It’s a common desire to have a single IIS website that handles multiple sites with different domain names.
References:
How to create a url alias using IIS URL Rewrite:
http://blogs.technet.com/b/mspfe/archive/2013/11/27/how-to-create-a-url-alias-using-iis-url-rewrite.aspx
Reverse Proxy with URL Rewrite v2 and Application Request Routing:
http://www.iis.net/learn/extensions/url-rewrite-module/reverse-proxy-with-url-rewrite-v2-and-application-request-routing
Regards,
Satyajit
Please “Vote As Helpful” if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.
-
I have set up SharePoint 2013 Foundation, SharePoint Reporting Services and SQL Server 2012 in a single server. I then created a Data Connection to Oracle 11g. Upon testing the connection, it throws the error “ORA-12638: Credential retrieval failed”.
Given below are the steps of installation and configuration.
Installation till basic authentication:
The installation has been done in a single server.
1. Installed SQL Server 2012 (Developer version).
Selected only the following features:
- Database Engine Services
- Analysis Services
- Reporting Services – SharePoint
- Reporting Services Add-in for SharePoint Products
- Management Tools – Basic
- Management Tools - Complete
2. Installed SQL Server 2012 SP1.
3. Installed SQL Server 2012 SP2.
4. Installed SharePoint Foundation 2013.
5. Created web application (without Kerberos; we did not even create the SPNs).
The application pool has been configured to use Reporting Services account since it is a single server installation. This account has been registered as a managed account.
6. Created Site Collection.
7. Verified that Reporting Services is not installed.
8. Installed SharePoint Reporting Services from SharePoint 2013 Management Shell.
9. Verified that Reporting Services is installed.
10. Created a new SQL Server Reporting Services Service Application and associated the Web Application to the new SQL server Reporting Services Service Application.
11. Verified that SQL Server Reporting Services Service Application and its proxy have started. Reset IIS.
12. Created a Site.
13. Created a Data Connection library with “Report Data Source” content type.
14. Created a Report Model library with “Report Builder Model” content type.
15. Created a Report library with “Report Builder Report” content type.
16. Uploaded an SMDL to the Report Model library.
17. Added the top level site to Local Intranet instead of as a Trusted Site in the browser settings.
18. Able to create and save a report using Report Builder.
Hence, basic authentication is working and SSRS is able to connect to Oracle database.
Next we have to configure Kerberos settings between SharePoint and SQL Server.
Implementation of Kerberos authentication
1. In the Report Server machine, opened the file C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\15\WebServices\Reporting\rsreportserver.config and added the Authentication Types of RSWindowsNegotiate and RSWindowsKerberos.
2. Set up the following SPNs.
a) SQL Server Database Engine service (sqlDbSrv2):
setspn -S MSSQLSvc/CER1110:1433 CERDEMO\sqlDbSrv2
setspn -S MSSQLSvc/CER1110.cer.demo.com:1433 CERDEMO\sqlDbSrv2
In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
b) Account: SharePoint Setup Admin account (spAdmin2)
setspn -S HTTP/CER1110:9999 CERDEMO\spAdmin2
setspn -S HTTP/CER1110.cer.demo.com:9999 CERDEMO\spAdmin2
In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
c) Account: SQL Server Reporting Service account (sqlRepSrv2)
setspn -S HTTP/CER1110 CERDEMO\sqlRepSrv2
setspn -S HTTP/CER1110.cer.demo.com CERDEMO\sqlRepSrv2
In the Delegation tab of the account, selected "Trust this user for delegation to any service (Kerberos only)".
3. Configure the Web Application to use “Negotiate (Kerberos)”.
4. Logged in as SharePoint Administrator to the SharePoint server and opened the top level site in the IE browser.
The Event Viewer logged the login process for the SharePoint Administration account as Negotiate and not Kerberos.
5. Implemented Kerberos for Oracle database and client.
Able to connect to the Oracle database via Kerberos authentication using SQL Plus.
6. Turn on Windows Firewall.
7. While testing the site's data connection using Kerberos settings, got the error
“Can not convert claims identity to windows token. This may be due to user not logging in using windows credentials.”
Note: The Data Connection for basic authentication still worked.
8. Created a Claims to Windows Token Service account (spC2WTS2).
9. Started the Claims to Windows Token Service.
10. Registered the Claims to Windows Token Service account as a Managed Account.
11. Changed the Claims To Windows Token Service to use the above managed account.
12. Verified that the Claims to Windows Token Service account (spC2WTS2) is automatically added to the WSS_WPG local group on the SharePoint box.
Note: The Reporting Services service account is also a part of the WSS_WPG local group.
13. Added the Claims to Windows Token Service account (spC2WTS2) to the Local Admin Group on the machine having the SharePoint App Server.
14. In the SharePoint box, added the Claims to Windows Token Service account (spC2WTS2) in the Act as part of the operating system policy right.
15. The Claims to Windows Token Service account (spC2WTS2) has the WSS_WPG group configured.
When the C2WTS service was configured to use the managed account Claims to Windows Token Service account (spC2WTS2) earlier, the spC2WTS2 account was automatically added to the WSS_WPG local group on the SharePoint box. The WSS_WPG group in turn is configured in c2wtshost.exe.config file.
16. Verified that the Reporting Services account is a managed account and part of the WSS_WPG group.
17. Earlier Service Application Pool - SQL Server Reporting Services App Pool service was associated with the SharePoint Admin account.
Changed this to associate the Reporting Service account with the Service Application Pool - SQL Server Reporting Services App Pool service.
18. Changed the delegation of the Reporting Service account to constrained delegation with Protocol Transitioning. This is because we are transitioning from one authentication scheme (Claims) to another (Windows Token).
For this, the delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use any authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
Note: The Reporting Service account already had an HTTP SPN.
19. Next, the goal was to make the Claims To Windows Token Service account match the Reporting Service account.
For this, we created a fake SPN for the Claims To Windows Token Service account since the delegation tab was missing.
The delegation has been changed to "Trust this user for delegation to specified services only". Also, selected the sub radio button "Use any authentication protocol". Selected the Oracle Kerberos service as the service to which this account can present delegated credentials.
20. Restarted the SharePoint server.
21. Tested the data connection with the Kerberos settings again.
Got the error
“ORA-12638: Credential retrieval failed”.
Can anyone tell me what is wrong with this setup?
http://www.freeoraclehelp.com/2011/10/kerberos-authentication-for-oracle.html
Problem4: ORA-12638: Credential retrieval failed
Solution: Make sure that SQLNET.KERBEROS5_CC_NAME is set in sqlnet.ora and okinit has been run before attempting to connect to the database.
Do check
http://webcache.googleusercontent.com/search?q=cache:5a2Pf3FH7vkJ:externaltable.blogspot.com/2012/06/kerberos-authentication-and-proxy-users.html+&cd=5&hl=en&ct=clnk&gl=in
If this helped you resolve your issue, please mark it Answered. You can reach me through http://itfreesupport.com/ -
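A way to check the delegation state that the SharePoint/Oracle steps above leave behind, as an added example that is not part of the original thread: it reads an LDIF-style export of the four service accounts and classifies each one from its `userAccountControl` flags and `msDS-AllowedToDelegateTo` list. The DNs, the attribute values and the two placeholder SPNs (the Oracle service and the C2WTS "fake" SPN, neither of which the post names) are constructed for illustration, and plain-text (non-base64) attribute values are assumed.

```python
"""Classify Kerberos delegation from exported Active Directory attributes."""

# userAccountControl bits as documented for Active Directory.
TRUSTED_FOR_DELEGATION = 0x80000            # "any service (Kerberos only)"
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol"

# Constructed sample, not real directory data. It models the end state the
# post describes: steps 18 and 19 moved sqlRepSrv2 and spC2WTS2 to constrained
# delegation; no later step changes sqlDbSrv2 or spAdmin2.
SAMPLE_LDIF = """\
dn: CN=sqlDbSrv2,CN=Users,DC=cer,DC=demo,DC=com
sAMAccountName: sqlDbSrv2
userAccountControl: 524800
servicePrincipalName: MSSQLSvc/CER1110:1433
servicePrincipalName: MSSQLSvc/CER1110.cer.demo.com:1433

dn: CN=spAdmin2,CN=Users,DC=cer,DC=demo,DC=com
sAMAccountName: spAdmin2
userAccountControl: 524800
servicePrincipalName: HTTP/CER1110:9999
servicePrincipalName: HTTP/CER1110.cer.demo.com:9999

dn: CN=sqlRepSrv2,CN=Users,DC=cer,DC=demo,DC=com
sAMAccountName: sqlRepSrv2
userAccountControl: 16777728
servicePrincipalName: HTTP/CER1110
servicePrincipalName: HTTP/CER1110.cer.demo.com
msDS-AllowedToDelegateTo: oracle/ORACLE-HOST.placeholder

dn: CN=spC2WTS2,CN=Users,DC=cer,DC=demo,DC=com
sAMAccountName: spC2WTS2
userAccountControl: 16777728
servicePrincipalName: HTTP/C2WTS-PLACEHOLDER
msDS-AllowedToDelegateTo: oracle/ORACLE-HOST.placeholder
"""


def parse_ldif(text):
    """Return a list of entries, each a dict of lower-cased attribute -> values."""
    entries, current, last = [], {}, None
    for raw in text.splitlines():
        if not raw.strip():                  # a blank line ends an entry
            if current:
                entries.append(current)
            current, last = {}, None
            continue
        if raw.startswith("#"):              # LDIF comment
            continue
        if raw.startswith(" ") and last:     # folded continuation of a value
            current[last][-1] += raw[1:]
            continue
        # Split on the first colon only: SPN values carry their own colons.
        name, _, value = raw.partition(":")
        last = name.strip().lower()
        current.setdefault(last, []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def classify(entry):
    """Map one entry's flags and target list to a delegation category."""
    uac = int(entry.get("useraccountcontrol", ["0"])[0])
    targets = entry.get("msds-allowedtodelegateto", [])
    if uac & TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "constrained-any-protocol"    # protocol transition
    if targets:
        return "constrained-kerberos-only"
    if uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        return "protocol-transition-flag-without-targets"
    return "none"


def audit(text):
    """Return {account: {delegation, targets, spns}} for every entry."""
    report = {}
    for entry in parse_ldif(text):
        name = entry.get("samaccountname", entry.get("dn", ["?"]))[0]
        report[name] = {
            "delegation": classify(entry),
            "targets": entry.get("msds-allowedtodelegateto", []),
            "spns": entry.get("serviceprincipalname", []),
        }
    return report


def needs_review(report):
    """Accounts whose delegation is not limited to named target services."""
    return sorted(n for n, r in report.items()
                  if r["delegation"] == "unconstrained")


if __name__ == "__main__":
    result = audit(SAMPLE_LDIF)
    for account, info in result.items():
        print(f"{account:12} {info['delegation']:26} {info['targets']}")
    print("still unconstrained:", needs_review(result))
```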
Unable to set session in Oracle Portal using reverse proxy
I have deployed a reverse proxy (using Oracle HTTP Server) in front of an Oracle Portal Install (version 10.1.2.0.2). The steps followed to set this up came from the following documents:
Steps mentioned in Section 9.2 Configuring a Reverse Proxy for OracleAS Portal and OracleAS Single Sign-On for a reverse proxy on an Oracle HTTP Server.
http://download-west.oracle.com/docs/cd/B14099_15/core.1012/b13998/variants.htm#ASTED005
Also performed steps mentioned in -> Section 5.3.7 - Step 7: Enable Session Binding on OracleAS Web Cache of the Oracle® Application Server Portal Configuration Guide 10g Release 2 (10.1.2) -- B14037-03.
My current (example names shown only) setup details are as follows:
Reverse Proxy for SSO server (running on internal.oracle.com:7777): proxy.oracle.com:7777
Reverse Proxy for Portal server (running on internal.oracle.com:7778): proxy.oracle.com:7778
With the above steps completed, I can successfully use the http://proxy.oracle.com:7777/pls/orasso for login into SSO without any issues.
Users get authenticated successfully.
I can also use http://proxy.oracle.com:7778/pls/portal for viewing pages on the portal fine. All self referencing links have also been successfully modified to point to proxy.oracle.com:7778.
However, an attempt to login in the portal is not successful. Clicking on the 'Login' link successfully redirects to the SSO login page (http://proxy.oracle.com:7777/<login-page>). However, after successful authentication, the success page fails to show up and the user gets shown the initial login portal home page again.
There are no error messages shown on the screen. But it seems that user session is failing to be initiated/set correctly, as shown by the log file (in $PORTAL_ORACLE_HOME/j2ee/OC4J_Portal/application-deployments/portal/OC4J_Portal_default_island_1/application.log ):
06/11/21 16:49:31 portal: [module=RepositoryServlet, ecid=83928411196,1] Repository Gateway: LWUser: PUBLIC, Cookie: oracle.uix=0^^GMT+10:00;
portal=9.0.3+en-au+us+AUSTRALIA+22BC75924EEAD8A2E040007F010019F7+8DAC5E3559C95F5E0090A6F56FFA58192CB0F437CA57A9102A6394F1EB7FAB5DEE3BFA12C65
91C0C009B6......
06/11/21 16:49:31 portal: [module=RepositoryServlet, ecid=83928411196,1] ERROR: Repository Gateway error: Database Error: ORA=20001 ORA-20001:
Unable to obtain session information from the cookie. Please close your browser and reconnect.
ORA-06512: at "PORTAL.WPG_SESSION", line 149
ORA-06512: at line 22
Any help with this will be appreciated.
Thanks.
Hi Chris,
The beginning of the exception stack gives you the reason:
06/11/03 09:13:59 java.sql.SQLException: The method 'setSavepoint' cant be called when a global transaction is active
The reason is, that either the whole global transaction must be committed or rolled back.
I don't know your actual configuration, but between the methods begin() and commit()/rollback() of the UserTransaction instance, OC4J/OracleAS uses a global transaction (= XA transaction) in your configuration. The state of a global transaction is completely under the control of the application server and several restrictions must be considered. One of them is, that you can't use the method setSavePoint/. E.g. you also can't call the method setAutoCommit(true) in this state, or change the transaction isolation level via setTransactionIsolation(newLevel).
This is NOT a limitation of the OC4J/OracleAS but is true for ALL application servers.
P.S. I can successfully set savepoints and rollback to savepoints in weblogic 9.0
This means, that WebLogic 9.0 doesn't use a global transaction in this case.
Because I don't know your configurations (Oracle and WebLogic) I can't say, why they behave differently in this situation.
Best,
Manfred -
B2B-51075 Missing signer certificate receiving AS2 through reverse proxy
We are setting up AS2 communication through B2B on 11.1.1.6.7, Our reverse proxy configuration in the DMZ looks as shown:
<Location /b2b/httpReceiver>
WebLogicHost internalsoa.domain
WebLogicPort 8001
WLLogFile /dmz/logs/wl-proxy.log
SetHandler weblogic-handler
</Location>
https://externaledi.domain/b2b/httpReceiver
-Dhttp.proxySet=true -Dhttp.proxyHost=externaledi.domain -Dhttp.proxyPort=443
When I go to the externally available URL, I receive the B2B Server is ready to accept HTTP messages from the Trading Partner message.
In the TRACE:32 logging, I see:
[2014-01-10T09:20:30.551-08:00] [soa_server1] [TRACE] [] [oracle.soa.b2b.engine] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: c8ec097869f74d35:75fef00f:14379dde17a:-8000-0000000000080c34,0] [SRC_CLASS: oracle.tip.b2b.system.DiagnosticService] [APP: soa-infra] [SRC_METHOD: synchedLog_J] Utility:getAllCertsFromWallet:Loaded Certs 5
[2014-01-10T09:20:30.553-08:00] [soa_server1] [ERROR] [] [oracle.soa.b2b.engine] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: c8ec097869f74d35:75fef00f:14379dde17a:-8000-0000000000080c34,0] [APP: soa-infra] java.lang.NullPointerException[[
at oracle.tip.b2b.packaging.SmimeSecureMessaging.verify(SmimeSecureMessaging.java:834)
at oracle.tip.b2b.packaging.mime.MimePackaging.processSignedMultipartMessage(MimePackaging.java:1080)
at oracle.tip.b2b.packaging.mime.MimePackaging.processMultipartMessage(MimePackaging.java:908)
at oracle.tip.b2b.packaging.mime.MimePackaging.processMessageContent(MimePackaging.java:865)
at oracle.tip.b2b.packaging.mime.MimePackaging.doUnpack(MimePackaging.java:780)
at oracle.tip.b2b.packaging.mime.MimePackaging.unpack(MimePackaging.java:670)
at oracle.tip.b2b.engine.Engine.processIncomingMessageImpl(Engine.java:1888)
at oracle.tip.b2b.engine.Engine.processIncomingMessage(Engine.java:1654)
at oracle.tip.b2b.transport.InterfaceListener.onMessageLocal(InterfaceListener.java:412)
at oracle.tip.b2b.transport.InterfaceListener.onMessage(InterfaceListener.java:220)
at oracle.tip.b2b.transport.basic.TransportServlet.doPost(TransportServlet.java:754)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
at weblogic.servlet.internal.StubSecurityHelper$ServletServiceAction.run(StubSecurityHelper.java:227)
at weblogic.servlet.internal.StubSecurityHelper.invokeServlet(StubSecurityHelper.java:125)
at weblogic.servlet.internal.ServletStubImpl.execute(ServletStubImpl.java:301)
at weblogic.servlet.internal.TailFilter.doFilter(TailFilter.java:26)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.security.jps.ee.http.JpsAbsFilter$1.run(JpsAbsFilter.java:119)
at oracle.security.jps.util.JpsSubject.doAsPrivileged(JpsSubject.java:315)
at oracle.security.jps.ee.util.JpsPlatformUtil.runJaasMode(JpsPlatformUtil.java:442)
at oracle.security.jps.ee.http.JpsAbsFilter.runJaasMode(JpsAbsFilter.java:103)
at oracle.security.jps.ee.http.JpsAbsFilter.doFilter(JpsAbsFilter.java:171)
at oracle.security.jps.ee.http.JpsFilter.doFilter(JpsFilter.java:71)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at oracle.dms.servlet.DMSServletFilter.doFilter(DMSServletFilter.java:139)
at weblogic.servlet.internal.FilterChainImpl.doFilter(FilterChainImpl.java:56)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.wrapRun(WebAppServletContext.java:3730)
at weblogic.servlet.internal.WebAppServletContext$ServletInvocationAction.run(WebAppServletContext.java:3696)
at weblogic.security.acl.internal.AuthenticatedSubject.doAs(AuthenticatedSubject.java:321)
at weblogic.security.service.SecurityManager.runAs(SecurityManager.java:120)
at weblogic.servlet.internal.WebAppServletContext.securedExecute(WebAppServletContext.java:2273)
at weblogic.servlet.internal.WebAppServletContext.execute(WebAppServletContext.java:2179)
at weblogic.servlet.internal.ServletRequestImpl.run(ServletRequestImpl.java:1490)
at weblogic.work.ExecuteThread.execute(ExecuteThread.java:256)
at weblogic.work.ExecuteThread.run(ExecuteThread.java:221)
[2014-01-10T09:20:30.553-08:00] [soa_server1] [TRACE] [] [oracle.soa.b2b.engine] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: c8ec097869f74d35:75fef00f:14379dde17a:-8000-0000000000080c34,0] [SRC_CLASS: oracle.tip.b2b.system.DiagnosticService] [APP: soa-infra] [SRC_METHOD: synchedLog_J] MimePackaging:processSignedMultipartMessage:Signature Verification failed
[2014-01-10T09:20:30.585-08:00] [soa_server1] [TRACE] [] [oracle.soa.b2b.engine] [tid: [ACTIVE].ExecuteThread: '2' for queue: 'weblogic.kernel.Default (self-tuning)'] [userId: <anonymous>] [ecid: c8ec097869f74d35:75fef00f:14379dde17a:-8000-0000000000080c34,0] [SRC_CLASS: oracle.tip.b2b.system.DiagnosticService] [APP: soa-infra] [SRC_METHOD: synchedLog_J] Notification: notifyApp: payload = <Exception xmlns="http://integration.oracle.com/B2B/Exception" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">[[
<correlationId>null</correlationId>
<b2bMessageId>0A0A117A1437D2B5D520000017198417</b2bMessageId>
<errorCode>B2B-51075</errorCode>
<errorText>
<![CDATA[Missing signer certificate.
]]>
We used the following notes to guide the configuration:
http://blog.darwin-it.nl/2012/11/b2b11g-with-apache-20-as-forward-proxy.html
http://anuj-dwivedi.blogspot.sg/2010/10/enabling-ssl-on-oracle-b2b-11g.html
Has anyone gotten AS2 communication to work through a reverse proxy? We are not picking up any agreements or senders in the B2BConsole reports.
Thanks,
-Michael
It turns out the trading partner provided the incorrect certificate. Once they sent a new certificate (must be the one they use for signing), everything worked.
-
Hi!
I am configuring Oracle iPlanet is 7.0.15 to have one instance reverse proxy to another instance. They are different only in port numbers. The destination port is 2321.
I have set up the reverse proxy in Content Handling -> Reverse Proxy setting.
Problem is: When I display the URL of the proxy in the web browser, I see the index.html of the original instance, not the destination instance. I am expecting the web page to be redirected to the destination instance. Please help. Thanks.
Here is the config:
# Copyright (c) 2014, Oracle and/or its affiliates. All rights reserved.
# You can edit this file, but comments and formatting changes
# might be lost when you use the administration GUI or CLI.
<Object name="default">
AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
NameTrans fn="ntrans-j2ee" name="j2ee"
NameTrans fn="pfx2dir" from="/mc-icons" dir="/package/oracle/webserver7/lib/icons" name="es-internal"
NameTrans fn="map" from="/hk" name="reverse-proxy-/hk" to="http:/hk"
PathCheck fn="uri-clean"
PathCheck fn="check-acl" acl="default"
PathCheck fn="find-pathinfo"
PathCheck fn="find-index-j2ee"
PathCheck fn="find-index" index-names="index.html,home.html,index.jsp"
ObjectType fn="type-j2ee"
ObjectType fn="type-by-extension"
ObjectType fn="force-type" type="text/plain"
Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
Service method="(GET|HEAD|POST)" type="*~magnus-internal/*" fn="send-file"
Service method="TRACE" fn="service-trace"
Error fn="error-j2ee"
AddLog fn="flex-log"
</Object>
<Object name="j2ee">
Service fn="service-j2ee" method="*"
</Object>
<Object name="es-internal">
PathCheck fn="check-acl" acl="es-internal"
</Object>
<Object name="cgi">
ObjectType fn="force-type" type="magnus-internal/cgi"
Service fn="send-cgi"
</Object>
<Object name="send-precompressed">
PathCheck fn="find-compressed"
</Object>
<Object name="compress-on-demand">
Output fn="insert-filter" filter="http-compression"
</Object>
<Object ppath="http:*">
Service fn="proxy-retrieve" method="*"
</Object>
<Object name="reverse-proxy-/hk">
Route fn="set-origin-server" server="http://localhost:2321"
</Object>
Please help. Thanks.
Hi,
You have set up your reverse proxy on the URL '/hk'
NameTrans fn="map" from="/hk" name="reverse-proxy-/hk" to="http:/hk"
If you want this to work for the URL '/index.html', you need to set up the reverse proxy on the URL '/'.
regards
Tracey -
Hi folks,
I have a huge problem here. I have an apache 2.0.50 on a Linux system that is to act as a reverse proxy for an enterprise portal. I have set up the apache to do reverse proxying and so far I have made first success. I can get to the login page of the portal and I even managed to make it show the images. The problem is, when I try to log on to the portal I am always sent back to the logon page in the very instance. If I enter the wrong logon information I see the authorization failed text, but when I enter correct information I only see the logon page again.
I will put the relevant part of my httpd.conf to this message and hope someone can point me to the right location or maybe even tell me what I'm doing wrong.
And by the way, the portal itself works perfectly when connected directly.
Kind regards,
Christian Guenther
# Reverse proxy configuration ############################################
NameVirtualHost 172.30.210.96
<VirtualHost 172.30.210.96>
ServerAdmin [email protected]
ServerName host.external.de
# SSL is turned off at the moment
SSLEngine Off
SSLCertificateFile /etc/apache2/ssl.crt/proxy.cert.cert
SSLCertificateKeyFile /etc/apache2/ssl.key/proxy.cert.key
# Set up as a proxy for internal SAP systems
ProxyRequests Off
ProxyPreserveHost Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
# IRJ
<Location /irj/>
ProxyPass http://host.internal.lan:8001/irj/
ProxyPassReverse http://host.internal.lan:8001/irj/
# rewriting rules for proxy
RewriteEngine On
RewriteCond % \.jsp
RewriteRule ^(.+) % [P]
RewriteCond % \.servlet
RewriteRule ^(.+) % [P]
</Location>
# Portal
<Location />
ProxyPass http://host.internal.lan:8001/
ProxyPassReverse http://host.internal.lan:8001/
# rewriting rules for proxy
RewriteEngine On
RewriteCond % \.jsp
RewriteRule ^(.+) % [P]
RewriteCond % \.servlet
RewriteRule ^(.+) % [P]
</Location>
</VirtualHost>
This is a valid configuration for an Apache Reverse Proxy:
ThreadsPerChild 250
MaxRequestsPerChild 0
ServerRoot /usr/local/apache2
Listen 443
#LoadModule dir_module modules/mod_dir.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule include_module modules/mod_include.so
#LoadModule autoindex_module modules/mod_autoindex.so
LoadModule access_module modules/mod_access.so
#LoadModule auth_module modules/mod_auth.so
LoadModule log_config_module modules/mod_log_config.so
#LoadModule mime_module modules/mod_mime.so
#LoadModule env_module modules/mod_env.so
#LoadModule headers_module modules/mod_headers.so
#LoadModule setenvif_module modules/mod_setenvif.so
LoadModule alias_module modules/mod_alias.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule ssl_module modules/mod_ssl.so
ServerAdmin [email protected]
ServerName your.servername.com
UseCanonicalName Off
# make sure you include these with valid entries...
Include conf/log.conf
Include conf/mime.conf
Include conf/default.conf
Include conf/ssl.conf
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
# this is for the MS IE SSL bug
BrowserMatch ".MSIE." nokeepalive ssl-unclean-shutdown downgrade-1.0 force-response-1.0
Header add P3P CP="NOI"
# Proxy with caching
LoadModule cache_module modules/mod_cache.so
LoadModule disk_cache_module modules/mod_disk_cache.so
CacheRoot /usr/local/apache2/Cache
CacheEnable disk /
CacheDirLevels 5
CacheDirLength 3
<VirtualHost *:443>
ServerName your.servername.com
ServerAdmin [email protected]
# Set the level of log entries - debug produces A LOT of messages
LogLevel debug
ErrorLog logs/error.log
LogFormat "%h %l %u %t \"%r\" %>s %b" common
CustomLog logs/access.log common
# NEVER turn this On, it would create a forward proxy
ProxyRequests Off
ProxyPreserveHost On
# it is important that the proxy uses active protocol used in the
# internet section of the request
RequestHeader set ClientProtocol https
Header add P3P CP="NOI"
# we need to answer HTTPS requests, so we need an ssl engine
SSLEngine On
# and a cipher suite plus certificate
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4RSA:HIGH:MEDIUM:LOW:SSLv2:EXP:+eNULL
SSLProtocol all -SSLv2
# of course these entries have to be adapted
SSLCertificateFile conf/certs/server.crt
SSLCertificateKeyFile conf/certs/server.key
SSLOptions +StdEnvVars
# this is for the bloody MS IE - I don't know why, but they seem to
# have trouble learning in redmond
BrowserMatch ".MSIE." \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog logs/ssl_request.log \
"%t %h %x %x \"%r\" %b"
# below are the proxied hosts - you always need ProxyPass
# AND ProxyPassReverse otherwise it will not work correctly
# ITS
#ProxyPass /iac/ http://itsserver:8081/iac/
#ProxyPassReverse /iac/ http://itsserver:8081/iac/
# direct portal connection this ought to be the IP
ProxyPass /irj/ http://10.8.1.14:50000/irj/
ProxyPassReverse /irj/ http://10.8.1.14:50000/irj/
ProxyPass /logon/ http://10.8.1.14:50000/logon/
ProxyPassReverse /logon/ http://10.8.1.14:50000/logon/
# Rewrite Rule in case ICM puts session information in URL
# NEVER REALLY HARMS
RewriteEngine On
RewriteRule ^/(sap\(.*) http://10.8.1.14:50000/$1 [P,L]
#ProxyPass /chooselogin/ http://10.8.9.0:50000/chooselogin/
#ProxyPassReverse /chooselogin/ http://10.8.9.0:50000/chooselogin/
</VirtualHost>
-
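An added example, not part of the original post: a small Python check that reads the TLS and proxy directives from the configuration above and reports the weak cipher classes and legacy protocol versions they leave enabled. The function names and the expansion of `all` to SSLv2/SSLv3/TLSv1 are assumptions of this example.

```python
# Constructed sample: directives copied from the configuration posted above.
SAMPLE = """\
ProxyRequests Off
SSLCipherSuite ALL:!ADH:!EXPORT56:RC4RSA:HIGH:MEDIUM:LOW:SSLv2:EXP:+eNULL
SSLProtocol all -SSLv2
"""

WEAK_CLASSES = ("EXP", "LOW", "SSLv2", "eNULL")
# Assumption: "all" expands to the protocols of builds from this config's era.
ALL_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1"}

def directives(text):
    """Yield (name, args) per directive, joining backslash continuations."""
    for line in text.replace("\\\n", " ").splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "<")):
            name, _, args = line.partition(" ")
            yield name.lower(), args.strip()

def weak_cipher_classes(spec):
    """Weak classes selected and never '!'-excluded ('+X' only reorders; ALL lacks eNULL)."""
    tokens = [t for t in spec.split(":") if t]
    killed = {t[1:] for t in tokens if t[0] == "!"}
    added = {t for t in tokens if t[0] not in "!+-"}
    return [c for c in WEAK_CLASSES if c not in killed
            and (c in added or ("ALL" in added and c != "eNULL"))]

def legacy_protocols(spec):
    """SSLv2/SSLv3 left enabled after applying +/- tokens left to right."""
    enabled = set()
    for tok in spec.split():
        name = tok.lstrip("+-")
        names = ALL_PROTOCOLS if name.lower() == "all" else {name}
        enabled = enabled - names if tok.startswith("-") else enabled | names
    return sorted(enabled & {"SSLv2", "SSLv3"})

def audit(text):
    findings = []
    for name, args in directives(text):
        if name == "proxyrequests" and args.lower() == "on":
            findings.append("ProxyRequests On: server acts as a forward proxy")
        elif name == "sslciphersuite":
            findings += [f"SSLCipherSuite allows {c}" for c in weak_cipher_classes(args)]
        elif name == "sslprotocol":
            findings += [f"SSLProtocol allows {p}" for p in legacy_protocols(args)]
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

With `SSLCipherSuite HIGH:!aNULL:!eNULL` and `SSLProtocol all -SSLv2 -SSLv3` in place of the two sample lines, the check reports no findings.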
We are using the Sun Proxy Server v4.0.5 as a reverse proxy with the browser side listening in http. Caching is enabled in the default object block. Most of the proxy mappings are going to http destinations, but some are to https content. I have noticed that even though the proxy is able to make the ssl connection and retrieve the content it does not cache any of it which hurts performance. Since the content gets decrypted by the proxy to be sent out to the browser it would look like any other http content so shouldn't it be considered for caching? Is there any way to get the content to be cached by the reverse proxy to improve performance?
Thanks for the suggestion, it looks like that works. Please note that it doesn't look like this option is listed in the Configuration file reference for 4.0.5. However after your suggestion I found that it is the value that is inserted by the admin console under the Caching -> Set Caching Configuration screen (the admin console is not used often as manual edits to the config files are preferred). Can we expect an effort to get the "undocumented" config values documented?
-
Issue in configuring TMG as Forward/Reverse Proxy
I am trying to setup reverse and forward proxy using TMG 2010. I have following networks:
Internal Networks:
10.2.1.0/24
10.3.1.0/24
DMZ (Perimeter) Network:
10.7.1.0/24 NAT relationship with external network e.g. Public IPs
I've setup one TMG node and selected "Back Firewall" as topology.
NIC 1 Config: (Internal)
IP: 10.2.1.20
Subnet: 255.255.255.0
DW: Not defined
DNS: 10.2.1.5
NIC 2 Config: (Perimeter)
IP: 10.7.1.20
Subnet: 255.255.255.0
DW: 10.7.1.5
DNS: Not Defined
During setup when wizard asked me to define internal IP ranges, I defined 10.2.1.1 - 10.2.1.255 instead of selecting Adaptor.
Setup Completed successfully.
I created Allow rule from internal to local host.
From Client-end:
From client machines I cannot access the TMG internal interface IP (because gateway is not defined on TMG internal interface, I guess)
while I can access the DMZ interface IP, i.e. 10.7.1.20, and can telnet port 8080.
When I define the DMZ interface IP, i.e. 10.7.1.20:8080, as proxy address in the client-side browser, that throws an error "10061 no connection could be made because the target machine actively refused it"
Failed Connection Attempt
Log Type: Web Proxy (Forward)
Status:10061 No connection could be made because the target machine actively refused it.
Rule: Allow
Source: Internal (10.2.1.39)
Destination:LocalHost (10.7.1.20:8080)
Request:Get http://www.google.com
Protocol:http
On TMG server:
When I define the DMZ interface IP, i.e. 10.7.1.20:8080, as proxy address in the browser, that still throws an error "10061 no connection could be made because the target machine actively refused it"
But when I define the internal interface IP as proxy in the browser, i.e. 10.2.1.20:8080, it works.
Allowed Connection
Log Type: Web Proxy (Forward)
Status:303 Not Modified
Rule: [System] Allow all HTTP traffic from forefront TMG to all networks (for CRL downloads)
Source: LocalHost (10.7.1.20:10082)
Destination: External (94.245.34.74:80)
Request:Get http://someurl
Protocol:http
What am I missing? Please advise, and what could be the workaround to get this to work from the internal network?
Regards,
Hello Quan,
Thanks for your reply.
No it didn't work. I'm still using that as reverse proxy and unable to configure that as forward. :-)
Regards,
Farrukh -
Cannot connect to Reverse Proxy
Hi- I have what I think is a basic Lync setup, but it's basica-ally driving me crazy! What I have is:
1 Standard Edition Server
1 Edge Server
1 Reverse Proxy (IIS with ARR)
1 Office Web Apps Server
I've followed some of the numerous how-tos to set up these boxes. My internal setup works great with no issues.
I've worked with my security admin to get the firewall rules set up. We have SSL certs (with SANs) installed and assigned on RP and Edge. I've set up persistent routes on RP and Edge to FE server. I can telnet from Reverse Proxy to Edge and back. I've run netstat to ensure both are listening on 443. But when I run the Microsoft Connectivity Analyzer (online) results show that connection to port 443 on the server failed and says that the port is either blocked or not listening.
Using the Lync Connectivity Analyzer (in house) shows that a connection to "Lyncdiscover.domain.com" failed.
Any insight is greatly appreciated.
Thanx
Public DNS records verified. (Although I do see some posts that say to create CNAME records instead of A records (we created A records) and other posts that say it doesn't matter.)
Rewrite rules in IIS ARR verified.
I've triple-checked the certificate (issued by Digicert) and the simple URLs are all listed in the SAN:
sip.domain.com, meet.domain.com, dialin.domain.com, lyncdiscover.domain.com, and officewebapps.domain.com
Here's the error generated by the LCA:
An error occurred while sending the request.
Unable to connect to the remote server
A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond [xx.xxx.xxx.xxx]:443
If I try to open the Default Web Site from the server, I'm first presented with "There is a problem with this website's security certificate. The security certificate presented by this website was issued for a different website's address" message.
Clicking on "continue to this website" I get a "403-Forbidden" error. I read in another post that this message was as expected.
Trying to connect to lyncdiscover.domain.com from a browser on the RP returns a "Server not found". [This leads me to believe that the request is not getting through the firewall]. Attempts to access the simple URLs returns a "This page cannot be displayed"
All services work internally...
More telnet testing: As previously posted, I CAN telnet between RP and Edge (external IPs) but CANNOT telnet to public IP of RP on 443
A similar issue with the Edge Server: netstat shows 0.0.0.0:443 listening but cannot connect via telnet to public IP on 443
RELATED QUESTION: Do I need the SANs included on my internal cert, too?
Thanx
SteveSmo
"Never, ever doubt what nobody is sure about." -Willy Wonka