Reverse proxy rule

Hi,
I have confiugure apache 2.2 as reverse proxy which will be interacting with my portal as well as ECC ITS. Everything is working fine but the problem is when user gives the path:
http://<hotst>/sap/bc/its/gui/sap/webgui he able to access logon page of ECC which i want to block.
I want one redirect rule which should block the request which come with request http://<host>/sap/bc/its/gui/sap/webgui through reverse proxy. It should allow only when request comes in this format :
http://<host>/sap([some cache])/bc/its/gui/sap/webgui. where [some_cache] is automatically generated by SAP.
What could be the syntax of rewrite rule.

User 2 layers of Reverse proxies to resolve the issue

Similar Messages

CSS Reverse Proxy Rule problem if caches suspended breaks web site

Hi
Another perplexing problem we've had tonight:
2 x CSS11000 with 2 x CE560's providing Reverse Proxy Cache to a front end web server. During testing we had both CE services "suspended" but not the RCP content rule. So in my theory this rule couldn't work because it's services were not available. However, the CSS continued to hit this content rule and hence broke the web side. We then suspended the RPC rule, all traffic was forced to use the directtoserver rule and things worked again.
The question this poses, and we will be testing this on Monday is....if the caches are "down" rather than "suspended" does the same thing happen....and is this a bug (because I cant help thinking thats not what ithe CSS should be doing) or something else.
Anyone come across this ?
Thanks
Simon

Simon,
I think the answer to your question comes down to whether the content rule is considered "down" or not. When the caches are down, what does a "show rule" show as a status of the content rule. If the rule is down, the CSS should not even respond to the clients request via the vip unless there is another content rule containing the same vip (L3, L4 etc..)
Maybe the keepalive types need to be changed. For example, using icmp for a keepalive type and shutting down port 80 on a webserver will NOT signify to the CSS that the services is down.
If the rule is down and still increasing hit counts, then this would be some type of bug.
Regards
Pete Knoops
Cisco Systems

Forward parameters in reverse proxy configuration

Hi,
Looking at the detailed configuration in a reverse proxy rule in SJSWS, I have derived the following conclusions:
1) Where the SJSWS listener has SSL-enabled, reverse proxy works on a HTTPS in, HTTP out basis.
2) Details in the incoming request's SSL header, such as User DN, will be stripped out and remapped into the outgoing request as a custom header, e.g. "Proxy-user-dn".
Can anybody tell me if I have gotten anything wrong above?
We are currently switching over from an Apache/mod_proxy/mod_ssl --> Apache/mod_jk --> Apache Tomcat server setup to a hybrid model where SJSWS is the web server reverse proxying to Tomcat (old apps) and SJSAS (new apps).
My question:
All our apps use the User DN string as the user ID. Previously, we developed a custom module in Apache to read the DN at the Apache level and then rewrite it into the Basic Auth user name header in the outgoing request. The Tomcat webapp will then authenticate the user based on the Basic Auth user name property. Is it possible for me to remap it into something similar here in the SJSWS reverse proxy configuration?
Thanks!
Wong

I am not a reverse proxy expert, but this Object-type SAF should forward userdn
http://docs.sun.com/app/docs/doc/820-1062/6ncoqnq3b?l=en&a=view&q=forward-user-dn
You can look for more such SAFs in this document.

Sophos Firewall\Reverse Proxy With Lync 2013

We currently have Lync 2013 deployed internally and working like a champ for about 5 months now. We are in the process of trying to get this rolled out externally and running into issues.
It seems we have the ports opened up properly but the MS remote connectivity analyzer comes back with certificate error "The certificate couldn't be validated because SSL negotiation wasn't successful.
I'm pretty certain our certificates are correct for the external edge server and the external firewall\Reverse proxy. From the Lync planning tool we have been following it and so far successful until the certificates. The certificates tool shows we should
have the following certs assigned: (keep in mind we have 2 separate certificates assigned)
Edge Server External
Subject name: lyncaccess.domain.com
SAN:webcon.domain.com and sip.domain.com
Reverse Proxy:
rp0100.domain.com (reverse proxy FQDN does resolve)
SAN: dialin.domain.com, meet.domain.com, and temwac.domain.com (office web apps server)
We requested the certificates from Go daddy and have them installed and the SANs are in there correct. The connectivity analyzer is able to get to our server using autodiscover over port 443, we see the traffic come in through the firewall and nothing is
blocked just the certificate could not be validated.
Has anyone deployed Lync using the Sophos UTM as a reverse Proxy any other ideas as to what we are missing with these certificates?
The certificate couldn't be validated because SSL negotiation wasn't successful.
The certificate couldn't be validated because SSL negotiation wasn't successful.

lyncdiscover.domain.com does not resolve. Discovery is working fine through the connectivity analyzer. We actually figured that part out about the SSL. It seems we had the firewall and Reverse proxy rules in place on the Sophos appliance but the firewall
rules leaving the edge server were being blocked. It took us about 1.5 days to figure that part out.
The connectivity analyzer now is able to authenticate the certificates successfully. Of course it wouldn't be a Lync roll out without the next issue coming up.
The next issue we have is the connectivity analyzer reaching the AV service. Which we are going to assume is a routing issue as well and are currently troubleshooting it:
Couldn't sign in. Error: Error Message: The endpoint was unable to register. See the ErrorCode for specific reason..
Error Type: RegisterException.
Deregister Reason: None.
Response Code: 504.
Response Text: Server time-out.
http://social.technet.microsoft.com/Forums/lync/en-US/f95c47cc-f8eb-4646-bdac-6c7244b26ff1/couldnt-sign-in-error-error-message-the-endpoint-was-unable-to-register-new-deployment?forum=ocsplanningdeployment
Wish me luck.

Save session between two virtual directories in Reverse Proxy

All,
I'm having an issue and I'm hoping someone here can help me. I currently have an reverse proxy rule for say
/abc pointing to 10.10.10.10
We had to add to another virtual directory
/xyz pointing to 10.10.10.20
This is because of the limitation of the application where different parts are to be installed on different servers. What we are trying to achieve is to see if there is a way we can keep a session alive while the user is switching from /abc to /xyz.
We are using SJWS 7.0. Any help will be greatly appreciated.

I have one Web Server 7.0 instance with the following obj.conf :
<Object name="default">
<If $uri =~ "/xyz">
NameTrans fn="map" from="/" name="reverse-proxy-/xyz" to="/"
</If>
<ElseIf $uri =~ "/abc">
NameTrans fn="map" from="/" name="reverse-proxy-/abc" to="/"
</ElseIf>
</Object>
<Object ppath="*">
Service fn="proxy-retrieve" method="*"
</Object>
<Object name="reverse-proxy-/abc">
Route fn="set-origin-server" server="http://server1.sun.com:80"
</Object>
<Object name="reverse-proxy-/xyz">
Route fn="set-origin-server" server="http://server2.sun.com:80"
</Object> ...When I send a request to URI :
/abc/test1.html : the request gets served from server1 from docs/abc/test1.html.
/xyz/test2.html : the request gets served from server2 from docs/xyz/test2.html
Where as when you change obj.conf to (note the change in from parameter in map SAF)
<Object name="default">
<If $uri =~ "/xyz">
NameTrans fn="map" from="/xyz" name="reverse-proxy-/xyz" to="/"
</If>
<ElseIf $uri =~ "/abc">
NameTrans fn="map" from="/abc" name="reverse-proxy-/abc" to="/"
</ElseIf>
</Object>
<Object ppath="*">
Service fn="proxy-retrieve" method="*"
</Object>
<Object name="reverse-proxy-/abc">
Route fn="set-origin-server" server="http://server1:80"
</Object>
<Object name="reverse-proxy-/xyz">
Route fn="set-origin-server" server="http://server2:80"
</Object> ...When I send a request to URI :
/abc/test1.html : the request gets served from server1 from docs/test1.html.
/xyz/test2.html : the request gets served from server2 from docs/test2.html.
first test with a simple html file to see if the request is going to appropriate servers.
What do u mean by : "What we are trying to achieve is to see if there is a way we can keep a session alive while the user is switching from /abc to /xyz."

Can the 4710 reverse proxy like the Apache rerwite rule

We currently have web servers configured with Apache that act as reverse proxies using an Apache rewrite rule. The end user connects to the Apache web server and it proxies that connection to the backend app server. Is the 4710 capable of acting as a reverse proxy like Apache which would eliminate the need for a web server?
Thanks

Hi,
Although this is not the most common scenario it is doable. What you will need is to NAT the client source IP to the ACE VIP and send the request to the web server. If there is a web farm then you can use another context of ACE to loadbalance the request to the web farm.Actually i have setup ACE as a reverse proxy in replacement of an ISA server by using the one-arm mode for the implementation. Beware though that you will need to use Policy Based Routing or NAT so as for the return traffic to go though ACE. Also you will need to insert the client IP in the x-forwarded-for HTTP header for proper analysis (as you would do with Apache).
See below link for routed mode (it is for the c6500 / ACE module but same applies for the ACE 4710 appliance
http://supportwiki.cisco.com/ViewWiki/index.php/Configure_ACE_with_Source_NAT_and_Client_IP_Header_Insert
Hope it helps,
./G

Lync Reverse Proxy Alternatives

When migrating from OCS 2007 to Lync 2010, we balked Microsoft’s recommendation to deploy Forefront Threat Management Gateway (or ISA) just to get the reverse proxy services.
TMG is way too expensive and complex for such a limited, simple use case.
I didn't find much information on what people are using as free alternatives to ISA/TMG, so I decided to post this discussion in case there are others out there who are interested.
We decided to use Apache 2.2 on Windows Server 2008 R2.
Here's how we configured it:
Read here to understand what features require a reverse proxy, and follow the steps to configure your FQDNs, Network Adapters and (maybe) obtain an SSL Certificate for the reverse proxy.
http://technet.microsoft.com/en-us/library/gg398069.aspx
Download and install the latest stable release of Apache with OpenSSL on your reverse proxy server.
http://httpd.apache.org/download.cgi
We're using the same certificate on the reverse proxy that we use on our front end server (it has the appropriate SANs), so we need to convert it to PEM format for use with Apache:
Use the Certificates MMC on your front end server to export the certificate and include the private key.
Transfer the resultant .pfx file to your reverse proxy server.
Use OpenSSL to convert your .pfx file to PEM:
openssl pkcs12 -in c:\pathto\yourcert.pfx -out c:\pathto\yourcert.pem –nodes
Separate the private key from the certificate using notepad:
Open the new .pem file and cut the text from the beginning of the file through the end of the “----END RSA PRIVATE KEY----“ tag.
Save that text to a new file named
yourcert.key.
Save
yourcert.pem, which should now only include the certificate.
Copy (or move) the certificate and private key to the Apache configuration directory. We like to use: C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\ssl
for storing the certificates.
Edit httpd.conf (typically in
C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf) to enable and configure the proxy and SSL features:
(See http://httpd.apache.org/docs/2.2/mod/mod_proxy.html
for more information on each directive)
Uncomment the following lines, which will enable proxy and SSL:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-ssl.conf
Add the following lines to configure reverse proxy behavior:
#Be a reverse proxy, not a forward proxy
ProxyRequests Off
#Accept requests from any client to any URL
<Proxy *>
Order Deny,Allow
Allow from all
</Proxy>
#Set the network buffer to improve throughput
ProxyReceiveBufferSize 4096
#Configure the Reverse Proxy to forward all requests to your front end server on 4443
ProxyPass / https://yourfrontend.domain.com:4443/
ProxyPassReverse / https://yourfrontend.domain.com:4443/
#Preserve Host Headers for Lync
ProxyPreserveHost On
Optionally, configure logging directives, bindings and server name.
Save and close httpd.conf
Edit httpd-ssl.conf (typically in conf\extra):
Configure the session cache:
Uncomment:
SSLSessionCache “dbm:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache”
Comment out:
SSLSessionCache “shmcb:C:/Program Files (x86)/Apache Software Foundation/Apache2.2/logs/ssl_scache(512000)”
Locate the <VirtualHost _default_:443> tag and configure the following:
Add the following directive:
SSLProxyEngine On
Configure the path to your SSL Certificate saved in step 3-5 above:
SSLCertificateFile “C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\ssl\yourcert.pem”
Configure the path to your private key saved in step 3-5 above:
SSLCertificateKeyFile “C:\Program Files (x86)\Apache Software Foundation\Apache2.2\conf\extra\ssl\yourcert.key”
Optionally, configure the SSLCACertificateFile (you can download the appropriate bundle from your CA).
Optionally, configure logging directives.
Save and close httpd-ssl.conf
Restart the Apache2.2 service
Configure public DNS records and appropriate firewall rules to allow public http/https traffic to the external interface of your reverse proxy, and to allow the internal interface of
the reverse proxy to talk to the front end Lync server on 8080 and 4443.
From an external connection, test connectivity through the reverse proxy:
Test
https://dialin.company.com (friendly URL for getting dial-in information, if you’re using voice conferencing)
Test the Lync Web App by setting up an online meeting and following the URL to join the meeting.
You can force the use of the web app by appending ?sl= to the end of the meet.company.com link.
See this for more information http://blogs.technet.com/b/jenstr/archive/2010/11/30/launching-lync-web-app.aspx
Hope this information is helpful and saves some of you some money and trouble.
Please contact me if you need further clarification or see any mistakes in my notes.
Best regards,
Kenneth Walden
Enterprise Systems Supervisor
GSD&M
Austin, TX

I'd like to thank you for this article. We were setting up Apache RP for Lync .... needless to say they weren't too excited to learn this new (and highly complex with lots of specific undocumented requirements) Microsoft product. Anyways, your
blog saved me a LOT of headache. I owe you big time.
AWESOME JOB.
-Greg
*****EDIT***
Decided to come back in there and post good information. We had issues with EXTERNAL and ANONYMOUS users being able to attend a meeting. The "DIALUP" url was working fine but the "MEETING" url was broken. On our WFE servers we were getting
the event error as below. Turns out that our reverse proxy was not set to "PROXYPRESERVEHOST ON". Once we put that in there ALL was good.
Notice that the MEET portion was the only thing that was really broken. So, if you can get DIALUP to work, but MEET doesn't ... your RP is working to FW the 443 to the 4443 correctly but you're RP is sending the wrong HEADER. Look for
http://10.x.x.x/meet/ or soemthing in the event logs.
Log Name: Application
Source: ASP.NET 2.0.50727.0
Date: 11/16/2011 1:26:35 PM
Event ID: 1309
Task Category: Web Event
Level: Warning
Keywords: Classic
User: N/A
Computer: OneofMyInternalWFEservers.local
Description:
Event code: 3005
Event message: An unhandled exception has occurred.
Event time: 11/16/2011 1:26:35 PM
Event time (UTC): 11/16/2011 6:26:35 PM
Event ID: b2039ecd0a62482284030f62e1e639d8
Event sequence: 129
Event occurrence: 28
Event detail code: 0
Application information:
 Application domain: /LM/W3SVC/34578/ROOT/meet-1-129658725547585993
 Trust level: Full
 Application Virtual Path: /meet
 Application Path: C:\Program Files\Microsoft Lync Server 2010\Web Components\Join Launcher\Ext\
 Machine name: MYWFE.local
Process information:
 Process ID: 14204
 Process name: w3wp.exe
 Account name: NT AUTHORITY\NETWORK SERVICE
Exception information:
 Exception type: HttpException
 Exception message: Server cannot append header after HTTP headers have been sent.
Request information:
 Request URL:
https://FQDN:4443/meet/MyName/456456
 User host address: gatewayIP
 User:
 Is authenticated: False
 Authentication Type:
 Thread account name: NT AUTHORITY\NETWORK SERVICE
Thread information:
 Thread ID: 7
 Thread account name: NT AUTHORITY\NETWORK SERVICE
 Is impersonating: False
 Stack trace: at System.Web.HttpHeaderCollection.SetHeader(String name, String value, Boolean replace)
 at Microsoft.Rtc.Internal.WebServicesAuthFramework.OCSAuthModule.EndRequest(Object source, EventArgs e)
 at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
 at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
Custom event details:
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
 <Provider Name="ASP.NET 2.0.50727.0" />
 <EventID Qualifiers="32768">1309</EventID>
 <Level>3</Level>
 <Task>3</Task>
 <Keywords>0x80000000000000</Keywords>
 <TimeCreated SystemTime="2011-11-16T18:26:35.000000000Z" />
 <EventRecordID>4483</EventRecordID>
 <Channel>Application</Channel>
 <Computer>XXXXXXXXXXXXXXXXXX</Computer>
 <Security />
</System>
<EventData>
 <Data>3005</Data>
 <Data>An unhandled exception has occurred.</Data>
 <Data>11/16/2011 1:26:35 PM</Data>
 <Data>11/16/2011 6:26:35 PM</Data>
 <Data>b2039ecd0a62482284030f62e1e639d8</Data>
 <Data>129</Data>
 <Data>28</Data>
 <Data>0</Data>
 <Data>/LM/W3SVC/34578/ROOT/meet-1-129658725547585993</Data>
 <Data>Full</Data>
 <Data>/meet</Data>
 <Data>C:\Program Files\Microsoft Lync Server 2010\Web Components\Join Launcher\Ext\</Data>
 <Data>SNKXS300</Data>
 <Data>
 </Data>
 <Data>14204</Data>
 <Data>w3wp.exe</Data>
 <Data>NT AUTHORITY\NETWORK SERVICE</Data>
 <Data>HttpException</Data>
 <Data>Server cannot append header after HTTP headers have been sent.</Data>
 <Data>XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</Data>
 <Data>/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX</Data>
 <Data>10.71.1.1</Data>
 <Data>
 </Data>
 <Data>False</Data>
 <Data>
 </Data>
 <Data>NT AUTHORITY\NETWORK SERVICE</Data>
 <Data>7</Data>
 <Data>NT AUTHORITY\NETWORK SERVICE</Data>
 <Data>False</Data>
 <Data> at System.Web.HttpHeaderCollection.SetHeader(String name, String value, Boolean replace)
 at Microsoft.Rtc.Internal.WebServicesAuthFramework.OCSAuthModule.EndRequest(Object source, EventArgs e)
 at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
 at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
</Data>
</EventData>
</Event>

IIS Reverse Proxy with URL rewrite.

Hi all, hoping to leverage the wealth of knowledge contained here.
Any assistance would be very welcome.
I'm having an issue getting a reverse proxy and URL rewrite working in IIS 7.0.
I need to redirect all requests with a specific virtual directory suffix only.
ie; https://domain.test.com/outbound/Content/query_etc
With /Outbound/ being the trigger.
This should be redirected to http://10.10.10.10/inbound/Content/query_etc
While at the same time, requests without the /outbound/ suffix should be handled locally.
I have configured the reverse proxy as described in a few articles, and have had no luck.
Here's a snippet from my (sanitized) web.config at the site level.
<rewrite>
<outboundRules>
<rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
<match filterByTags="A" pattern="^http(s)?://10.10.10.10/inbound/(.*)" />
<action type="Rewrite" value="https://domain.test.com/outbound/{R:2}" />
</rule>
<preConditions>
<preCondition name="ResponseIsHtml1">
<add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
</preCondition>
</preConditions>
</outboundRules>
<rules>
<rule name="ReverseProxyInboundRule1" stopProcessing="true">
<match url="^outbound/(.*)" />
<action type="Rewrite" url="http://10.10.10.10/inbound/{R:1}" appendQueryString="true" logRewrittenUrl="false" />
</rule>
</rules>
</rewrite>
To me, this looks correct, yet it doesn't work.
With this, I get the normal 404 - Error Code 0x80070002, with the text indicating the local directory doesn't exist, so.... not being picked up by the filter for redirection.

Hi Andrew,
Looking at your requirements it appears you need Reverse Proxy To Another Site/Server.
By using URL Rewrite Module together with
Application Request Routing module you can have IIS 7 act as a
reverse proxy.
It seems like URL Rewrite can't re-route the request somewhere else out of the server.
Even when you rewrite the url the actual connection remains with the server. Hence if your original server doesn't have /inbound/Content/query_etc it will fail with 404.
Hosting multiple domain names under a single account using URL Rewrite.
It’s a common desire to have a single IIS website that handles multiple sites with different domain names.
References:
How to create a url alias using IIS URL Rewrite:
http://blogs.technet.com/b/mspfe/archive/2013/11/27/how-to-create-a-url-alias-using-iis-url-rewrite.aspx
Reverse Proxy with URL Rewrite v2 and Application Request Routing:
http://www.iis.net/learn/extensions/url-rewrite-module/reverse-proxy-with-url-rewrite-v2-and-application-request-routing
Regards,
Satyajit
Please“Vote As Helpful”
if you find my contribution useful or “MarkAs Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

BizTalk published WCF service throwing HTTP 404 error using ISA reverse proxy settings

I have published my schemas as a WCF service from BizTalk 2010 "Publish WCF Service" wizard. I used Wcf-basicHTTP adapter in receive port. I am able to run the service successfully on localhost IIS and I tested my biztalk solution by sending request using SOAP UI and got response successfully.... Now: Actually, I need to give this service endpoint to my vendor who will send request from outside my company's network i.e. internet. In my infrastrucrue BizTalk is behind the firewall so, we setup a REVERSE proxy server at DMZ layer and it is configured properly. I have tested a simple WCF service by replacing the localhost with Proxy server configured address <DNSName> and it worked absolutely fine. But when I change localhost in my BizTalk schema based published WCF service it is not working and I am getting following error. Really strugling to get it resolved. I wasted a whole 3 days....very upset. Please help me out by giving the detailed step solution. Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly. Requested URL: /BizTalkServiceInstance/MyService.svc I am surprized why other c# code based WCF services are working fine with reverse proxy settings. Server Error in '/' Application. The resource cannot be found.Is there any special things to consider Biztalk exposed wcf servcie over ssl in IIS cluster with ISA

Hi Singam :)
First I would start by browsing any other files (files other than the one from WCF) just to ensure that the reverse-proxy’s redirection rules are set correctly. If you get the same 404 error when you try to access other service/files “through reverse-proxy”,
then it’s an issue in the redirection rule(s) in reverse-proxy.
If others are fine i.e. no issue in reverse-proxy setup as such, then try the following for WCF service's web.config file. I have seen this issue in WCF service (not just BizTalk’s artifacts exposed as service in reverse-proxy). Add serviceHostingEnvironment
config as show with in serviceModel section.
<system.serviceModel>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>
Regards,
M.R.Ashwin Prabhu
If this answers your question please mark it accordingly. If this post is helpful, please vote as helpful by clicking the upward arrow mark next to my reply.

Reverse Proxy - Apache vs SAP Web Dispatcher

Hi,
my config consists in a portal (EP7.0 - DB/CI + AS) and an ECC system (ECC 6.0 - DB/CI + AS).
Web developments are based on Abap Web Dynpro and are also located on ECC.
To ensure load balancing there are 2 web dispatchers : one on EP DB/CI, one on ECC DB/CI.
Those 2 systems are located in intranet. Intranet access are realized via http.
Moreover I need to open this solution to internet. I need a component to filter access in DMZ and ensure reverse proxy + https functions.
Technical target chain links are depicted below.
internet access : browser (https) -
> (https) reverse proxy in DMZ (http) -
> IS (Portal/ECC)
intranet access : browser (http) -
> IS (portal/ECC)
At the moment two application gateway solutions have been identified :
Apache (MOD_PROXY + MOD_HTTPS) - My configuration is based on Linux
SAP Web Dispatcher ("cascading" implementation as described in OSS note 740234)
I'm looking for PROs and CONs of those 2 solutions and I'm also seeking for the impact of ensuring https encryption/decryption at the application gateway level ("a priori" this usage is not transparent in term of server sizing - CPU/memory, do I require to implement an SSL accelerator ?).
Regards.
Frederic.

Hi,
PRO Webdispatcher:
- Supports SAP Java + ABAP
- Loadbalancing of SAP applications (stateful)
- Supports load balancing (saplb_* cookie)
- Free of costs
- easy to set up (up & running in 2 minutes)
- Supports HA solutions out-of-the-box (process HA)
- Filter + Rules to modify the requests
CONS Webdispatcher
- not a full reverse proxy
- Limited functionality
- one more server/solution (normaly, a company already does have a reverse proxy solution in place)
- limited user base (only SAP customers)
PRO Apache
- free
- widly in use
- full reverse proxy
- allows more complex filtering / rewriting
- can be used for more web solutions, reuse of existing apache reverse proxy
CONS Apache
- does not support SAP load balancing (connection to the message server port for load distribution)
- can be more complex to set up
- SAP specific technology / problems are more harder to fix (ABAP, Stateful connections, sap_lb*)
Short: both will server well as a reverse proxy.
Rule of thumb: If you go for Apache or Web Dispatcher should mainly depend on you current IT landscape. If you already do have an apache in use, use Apache. You already have the people / knowledge, try to foster it .
If you start from scratch and have SAP Logon Groups or many WebDynpro ABAP applications, go for the Web Dispatcher.
br,
Tobias

How to use logon group of backend systems via reverse proxy

Hi
we have setup EP 6.0 in DMZ2 and connected backend servers in INTERNAL network. We have another firewall for DMZ1. In order to provide access to EP and respective backend systems, we have installed two reverse proxy servers on Apache, one in DMZ1 and another in DMZ2. We could able to reach to the backend system successfully in this setup by using proper rewrite rule for virtual systems in order to connect to multiple systems.
However we have observed that connection for backend systems is established only to respective CI and not to any of the application server, even though we have created "Load Balancing" systems in EP and used the same logon group of backend systems.
Kindly suggest us if there is any option using which we can establish connection via Load balancing option in this current setup of ours.
Thanks
Pradeep

Hi Mechael/Dutt
We r using Integrated ITS in WAS 6.40. and we r maintaing seperate entries for each systems in rewrite rule.
Thanks
PRadeep

Reverse proxy with apache2

Hi folks,
I have a huge problem here. I have a apache 2.0.50 on a Linux system that is to act as a reverse proxy for an enterprise portal. I have set up the apache to do reverse proxying and so far I have made first success. I can get to the login page of the portal and I even managed to make it show the images. The problem is, when I try to log on to the portal I am always send back to the logon page in the very instance. If I enter the wrong logon information I see the authorization failed text, but when I enter correct information I only see the logon page again.
I will put tyhe relevant part of my httpd.conf to this message and hope someone can point me to the right location or maybe even tell me what I'm doing wrong.
And ny the way, the portal itself works perfectky when connected directly.
Kind regards,
 Christian Guenther
Reverse proxy configuration ############################################
NameVirtualHost 172.30.210.96
<VirtualHost 172.30.210.96>
 ServerAdmin [email protected]
 ServerName host.external.de
SSL is turned off at the moment
 SSLEngine Off
 SSLCertificateFile /etc/apache2/ssl.crt/proxy.cert.cert
 SSLCertificateKeyFile /etc/apache2/ssl.key/proxy.cert.key
Set up as a proxy for internal SAP systems
 ProxyRequests Off
 ProxyPreserveHost Off
 <Proxy *>
 Order deny,allow
 Allow from all
 </Proxy>
IRJ
<Location /irj/>
 ProxyPass http://host.internal.lan:8001/irj/
 ProxyPassReverse http://host.internal.lan:8001/irj/
rewriting rules for proxy
 RewriteEngine On
 RewriteCond % \.jsp
 RewriteRule ^(.+) % [P]
 RewriteCond % \.servlet
 RewriteRule ^(.+) %
Portal
rewriting rules for proxy
[P]
</Location>
<Location />
 ProxyPass http://host.internal.lan:8001/
 ProxyPassReverse http://host.internal.lan:8001/
 RewriteEngine On
 RewriteCond % \.jsp
 RewriteRule ^(.+) % [P]
 RewriteCond % \.servlet
 RewriteRule ^(.+) % [P]
</Location>
</VirtualHost>

This is a valid configuration for an Apache Reverse Proxy:
ThreadsPerChild 250
MaxRequestsPerChild 0
ServerRoot /usr/local/apache2
Listen 443
#LoadModule dir_module modules/mod_dir.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule include_module modules/mod_include.so
#LoadModule autoindex_module modules/mod_autoindex.so
LoadModule access_module modules/mod_access.so
#LoadModule auth_module modules/mod_auth.so
LoadModule log_config_module modules/mod_log_config.so
#LoadModule mime_module modules/mod_mime.so
#LoadModule env_module modules/mod_env.so
#LoadModule headers_module modules/mod_headers.so
#LoadModule setenvif_module modules/mod_setenvif.so
LoadModule alias_module modules/mod_alias.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule ssl_module modules/mod_ssl.so
ServerAdmin [email protected]
ServerName your.servername.com
UseCanonicalName Off
make sure zou include these with valid entries...
Include conf/log.conf
Include conf/mime.conf
Include conf/default.conf
Include conf/ssl.conf
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0
BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
BrowserMatch "MS FrontPage" redirect-carefully
BrowserMatch "^WebDrive" redirect-carefully
BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
BrowserMatch "^gnome-vfs" redirect-carefully
BrowserMatch "^XML Spy" redirect-carefully
BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
this is for the MS IE SSL bug
BrowserMatch ".MSIE." nokeepalive ssl-unclean-shutdown downgrade-1.0#
force-response-1.0
Header add P3P CP="NOI"
Proxy with caching
LoadModule cache_module modules/mod_cache.so
LoadModule disk_cache_module modules/mod_disk_cache.so
CacheRoot /usr/local/apache2/Cache
CacheEnable disk /
CacheDirLevels 5
CacheDirLength 3
<VirtualHost *:443>
 ServerName your.servername.com
 ServerAdmin [email protected]
Set the level of log entries - debug produces A LOT of messages
 LogLevel debug
 ErrorLog logs\error.log
 LogFormat "%h %l %u %t \"%r\" %>s %b" common
 CustomLog logs\access.log common
NEVER turn this On, it would create a forward proxy
 ProxyRequests Off
 ProxyPreserveHost On
it is important that the proxy uses active protocol used in the
internet section of the request
 RequestHeader set ClientProtocol https
 Header add P3P CP="NOI"
we need to answer HTTPS requests, so we need an ssl engine
 SSLEngine On
and a cipher suite plus certificate
 SSLCipherSuite ALL:!ADH:!EXPORT56:RC4RSA:HIGH:MEDIUM:LOW:SSLv2:EXP:+eNULL
 SSLProtocol all -SSLv2
of course these entries have to be adopted
 SSLCertificateFile conf/certs/server.crt
 SSLCertificateKeyFile conf/certs/server.key
 SSLOptions +StdEnvVars
this is for the bloody MS IE - I don't know why, but they seem to
have trouble learning in redmond
 BrowserMatch ".MSIE." \
 nokeepalive ssl-unclean-shutdown \
 downgrade-1.0 force-response-1.0
 CustomLog logs/ssl_request.log \
 "%t %h %x %x \"%r\" %b"
below are the proxied hosts - you always need ProxyPass
AND ProxyPassReverse otherwise it will not work correctly
ITS
 #ProxyPass /iac/ http://itsserver:8081/iac/
 #ProxyPassReverse /iac/ http://itsserver:8081/iac/
direct portal connection this ought to be the IP
 ProxyPass /irj/ http://10.8.1.14:50000/irj/
 ProxyPassReverse /irj/ http://10.8.1.14:50000/irj/
 ProxyPass /logon/ http://10.8.1.14:50000/logon/
 ProxyPassReverse /logon/ http://10.8.1.14:50000/logon/
Rewrite Rule in case ICM puts session information in URL
NEVER REALLY HARMS
 RewriteEngine On
 RewriteRule ^/(sap\(.*) http://10.8.1.14:50000/$1 [P,L]
 #ProxyPass /chooselogin/ http://10.8.9.0:50000/chooselogin/
 #ProxyPassReverse /chooselogin/ http://10.8.9.0:50000/chooselogin/
</VirtualHost>

Apache as reverse proxy - 400 Bad request

Hi all,
I'm configured apache as reverse proxy according to this blog:
The Reverse Proxy Series -- Part 3: Apache as a reverse-proxy
When I try to navigate http://testcomp/irj I get "400 - Bad request"
See exception;
Message : User Guest, IP address
Cannot parse the http request. Http error response [400 Bad Request] will be returned. Request is [Host: sapportal:50000
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, /
Accept-Language: en,he;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; FDM; .NET CLR 2.0.50727)
Max-Forwards: 10
Via: 1.1 localhost
X-Forwarded-For: 10.0.0.4
X-Forwarded-Host: 10.0.0.6
X-Forwarded-Server: localhost
Connection: Keep-Alive
GET /irj HTTP/1.1
Host: sapportal:50000
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, /
Accept-Language: en,he;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; FDM; .NET CLR 2.0.50727)
Max-Forwards: 10
Via: 1.1 localhost
X-Forwarded-For: 10.0.0.4
X-Forwarded-Host: 10.0.0.6
X-Forwarded-Server: localhost
Connection: Keep-Alive
com.sap.engine.services.httpserver.exceptions.HttpIllegalArgumentException: Incompatible field content in the MIME header.
 at com.sap.engine.services.httpserver.lib.headers.MimeHeaderField.parse(MimeHeaderField.java:364)
 at com.sap.engine.services.httpserver.lib.headers.MimeHeaders.init(MimeHeaders.java:504)
 at com.sap.engine.services.httpserver.server.RequestAnalizer.initialize(RequestAnalizer.java:196)
 at com.sap.engine.services.httpserver.server.Client.initialize(Client.java:84)
 at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:143)
 at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
 at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
 at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
 at java.security.AccessController.doPrivileged(Native Method)
 at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
 at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
Severity : Error
Category :
Location : com.sap.engine.services.httpserver
Application :
Thread : SAPEngine_Application_Thread[impl:3]_32
Datasource : 9332850:C:usrsapPD9JC00j2eeclusterserver0logdefaultTrace.trc
Message ID : 000C29EFE9A300570000002D00000B9000043A81D3311894
Source Name : com.sap.engine.services.httpserver
Argument Objs :
Arguments :
Dsr Component :
Dsr Transaction : 5359e85066e411dcbf6b000c29efe9a3
Dsr User :
Indent : 0
Level : 0
Message Code :
Message Type : 0
Relatives :
Resource Bundlename :
Session : 2
Source : com.sap.engine.services.httpserver
ThreadObject : SAPEngine_Application_Thread[impl:3]_32
Transaction :
User : Guest
The lines I added to http.conf
#Enable reverse-proxying
ProxyVia on
ProxyTimeout 600
#disable forward-proxying
ProxyRequests Off
#proxy /irj both ways
ProxyPass /irj http://sapportal:50000/irj
ProxyPassReverse /irj http://testcomp/irj
#proxy /logon both ways
ProxyPass /logon http://sapportal:50000/logon
ProxyPassReverse /logon http://testcomp/logon
I tried with apache version 2.2.3 & 2.0.59 with no success.
My J2EE/Portal version is 6.17.
Since this is a testing environment the two computers are under the same workgroup (no domain).
If I naviagte directly to the portal (without the reverse proxy) everything is working.
How can I solve it?
Regards,
Omri

Hi Jakub,
Thanks for the answer.
It's not working for me...
I'm attaching my httpd.conf file.
Also, what apache version do you use?
Can you send me your post your httpd.conf file?
Thanks,
Omri
httpd.conf
This is the main Apache HTTP server configuration file. It contains the
configuration directives that give the server its instructions.
See <URL:http://httpd.apache.org/docs/2.2/> for detailed information.
In particular, see
<URL:http://httpd.apache.org/docs/2.2/mod/directives.html>
for a discussion of each configuration directive.
Do NOT simply read the instructions in here without understanding
what they do. They're here only as hints or reminders. If you are unsure
consult the online docs. You have been warned.
Configuration and logfile names: If the filenames you specify for many
of the server's control files begin with "/" (or "drive:/" for Win32), the
server will use that explicit path. If the filenames do not begin
with "/", the value of ServerRoot is prepended -- so "logs/foo.log"
with ServerRoot set to "c:/apache" will be interpreted by the
server as "c:/apache/logs/foo.log".
NOTE: Where filenames are specified, you must use forward slashes
instead of backslashes (e.g., "c:/apache" instead of "c:\apache").
If a drive letter is omitted, the drive on which Apache.exe is located
will be used by default. It is recommended that you always supply
an explicit drive letter in absolute paths, however, to avoid
confusion.
ThreadsPerChild: constant number of worker threads in the server process
MaxRequestsPerChild: maximum number of requests a server process serves
ThreadsPerChild 250
MaxRequestsPerChild 0
ServerRoot: The top of the directory tree under which the server's
configuration, error, and log files are kept.
Do not add a slash at the end of the directory path. If you point
ServerRoot at a non-local disk, be sure to point the LockFile directive
at a local disk. If you wish to share the same ServerRoot for multiple
httpd daemons, you will need to change at least LockFile and PidFile.
ServerRoot "c:/apache"
Listen: Allows you to bind Apache to specific IP addresses and/or
ports, instead of the default. See also the <VirtualHost>
directive.
Change this to Listen on specific IP addresses as shown below to
prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#Listen 12.34.56.78:80
Listen 80
Dynamic Shared Object (DSO) Support
To be able to use the functionality of a module which was built as a DSO you
have to place corresponding `LoadModule' lines at this location so the
directives contained in it are actually available before they are used.
Statically compiled modules (those listed by `httpd -l') do not need
to be loaded here.
Example:
LoadModule foo_module modules/mod_foo.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_basic_module modules/mod_auth_basic.so
#LoadModule auth_digest_module modules/mod_auth_digest.so
#LoadModule authn_anon_module modules/mod_authn_anon.so
#LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authn_file_module modules/mod_authn_file.so
#LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule cern_meta_module modules/mod_cern_meta.so
LoadModule cgi_module modules/mod_cgi.so
#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule deflate_module modules/mod_deflate.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
#LoadModule expires_module modules/mod_expires.so
#LoadModule file_cache_module modules/mod_file_cache.so
#LoadModule headers_module modules/mod_headers.so
LoadModule imagemap_module modules/mod_imagemap.so
LoadModule include_module modules/mod_include.so
#LoadModule info_module modules/mod_info.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
#LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule negotiation_module modules/mod_negotiation.so
#LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
#LoadModule speling_module modules/mod_speling.so
#LoadModule status_module modules/mod_status.so
#LoadModule unique_id_module modules/mod_unique_id.so
LoadModule userdir_module modules/mod_userdir.so
#LoadModule usertrack_module modules/mod_usertrack.so
#LoadModule vhost_alias_module modules/mod_vhost_alias.so
#LoadModule ssl_module modules/mod_ssl.so
'Main' server configuration
The directives in this section set up the values used by the 'main'
server, which responds to any requests that aren't handled by a
<VirtualHost> definition. These values also provide defaults for
any <VirtualHost> containers you may define later in the file.
All of these directives may appear inside <VirtualHost> containers,
in which case these default settings will be overridden for the
virtual host being defined.
ServerAdmin: Your address, where problems with the server should be
e-mailed. This address appears on some server-generated pages, such
as error documents. e.g. [email protected]
ServerAdmin @@ServerAdmin@@
ServerName gives the name and port that the server uses to identify itself.
This can often be determined automatically, but we recommend you specify
it explicitly to prevent problems during startup.
If your host doesn't have a registered DNS name, enter its IP address here.
ServerName localhost:80
DocumentRoot: The directory out of which you will serve your
documents. By default, all requests are taken from this directory, but
symbolic links and aliases may be used to point to other locations.
DocumentRoot "c:/apache/htdocs"
Each directory to which Apache has access can be configured with respect
to which services and features are allowed and/or disabled in that
directory (and its subdirectories).
First, we configure the "default" to be a very restrictive set of
features.
<Directory />
 Options FollowSymLinks
 AllowOverride None
 Order deny,allow
 Deny from all
 Satisfy all
</Directory>
Note that from this point forward you must specifically allow
particular features to be enabled - so if something's not working as
you might expect, make sure that you have specifically enabled it
below.
This should be changed to whatever you set DocumentRoot to.
<Directory "c:/apache/htdocs">
Possible values for the Options directive are "None", "All",
or any combination of:
Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
Note that "MultiViews" must be named explicitly --- "Options All"
doesn't give it to you.
The Options directive is both complicated and important. Please see
http://httpd.apache.org/docs/2.2/mod/core.html#options
for more information.
 Options Indexes FollowSymLinks
AllowOverride controls what directives may be placed in .htaccess files.
It can be "All", "None", or any combination of the keywords:
Options FileInfo AuthConfig Limit
 AllowOverride None
Controls who can get stuff from this server.
 Order allow,deny
 Allow from all
</Directory>
DirectoryIndex: sets the file that Apache will serve if a directory
is requested.
<IfModule dir_module>
 DirectoryIndex index.html
</IfModule>
The following lines prevent .htaccess and .htpasswd files from being
viewed by Web clients.
<FilesMatch "^\.ht">
 Order allow,deny
 Deny from all
</FilesMatch>
ErrorLog: The location of the error log file.
If you do not specify an ErrorLog directive within a <VirtualHost>
container, error messages relating to that virtual host will be
logged here. If you do define an error logfile for a <VirtualHost>
container, that host's errors will be logged there and not here.
ErrorLog logs/error.log
LogLevel: Control the number of messages logged to the error_log.
Possible values include: debug, info, notice, warn, error, crit,
alert, emerg.
LogLevel warn
<IfModule log_config_module>
The following directives define some format nicknames for use with
a CustomLog directive (see below).
 LogFormat "%h %l %u %t \"%r\" %>s %b \"%You need to enable mod_logio.c to use %I and %Oi\" \"%{User-Agent}i\"" combined
 LogFormat "%h %l %u %t \"%r\" %>s %b" common
 <IfModule logio_module>
 LogFormat "%h %l %u %t \"%r\" %>s %b \"%i\" \"%{User-Agent}i\" %I %O" combinedio
 </IfModule>
The location and format of the access logfile (Common Logfile Format).
If you do not define any access logfiles within a <VirtualHost>
container, they will be logged here. Contrariwise, if you do
define per-<VirtualHost> access logfiles, transactions will be
logged therein and not in this file.
 CustomLog logs/access.log common
If you prefer a logfile with access, agent, and referer information
(Combined Logfile Format) you can use the following directive.
 #CustomLog logs/access.log combined
</IfModule>
<IfModule alias_module>
Redirect: Allows you to tell clients about documents that used to
exist in your server's namespace, but do not anymore. The client
will make a new request for the document at its new location.
Example:
Redirect permanent /foo http://www.example.com/bar
Alias: Maps web paths into filesystem paths and is used to
access content that does not live under the DocumentRoot.
Example:
Alias /webpath /full/filesystem/path
If you include a trailing / on /webpath then the server will
require it to be present in the URL. You will also likely
need to provide a <Directory> section to allow access to
the filesystem path.
ScriptAlias: This controls which directories contain server scripts.
ScriptAliases are essentially the same as Aliases, except that
documents in the target directory are treated as applications and
run by the server when requested rather than as documents sent to the
client. The same rules about trailing "/" apply to ScriptAlias
directives as to Alias.
 ScriptAlias /cgi-bin/ "c:/apache/cgi-bin/"
</IfModule>
"c:/apache/cgi-bin" should be changed to whatever your ScriptAliased
CGI directory exists, if you have that configured.
<Directory "c:/apache/cgi-bin">
 AllowOverride None
 Options None
 Order allow,deny
 Allow from all
</Directory>
Apache parses all CGI scripts for the shebang line by default.
This comment line, the first line of the script, consists of the symbols
pound (#) and exclamation followed by the path of the program that
can execute this specific script. For a perl script, with perl.exe in
the C:\Program Files\Perl directory, the shebang line should be:
 #!c:/program files/perl/perl
Note you mustnot_ indent the actual shebang line, and it must be the
first line of the file. Of course, CGI processing must be enabled by
the appropriate ScriptAlias or Options ExecCGI directives for the files
or directory in question.
However, Apache on Windows allows either the Unix behavior above, or can
use the Registry to match files by extention. The command to execute
a file of this type is retrieved from the registry by the same method as
the Windows Explorer would use to handle double-clicking on a file.
These script actions can be configured from the Windows Explorer View menu,
'Folder Options', and reviewing the 'File Types' tab. Clicking the Edit
button allows you to modify the Actions, of which Apache 1.3 attempts to
perform the 'Open' Action, and failing that it will try the shebang line.
This behavior is subject to change in Apache release 2.0.
Each mechanism has it's own specific security weaknesses, from the means
to run a program you didn't intend the website owner to invoke, and the
best method is a matter of great debate.
To enable the this Windows specific behavior (and therefore -disable- the
equivilant Unix behavior), uncomment the following directive:
#ScriptInterpreterSource registry
The directive above can be placed in individual <Directory> blocks or the
.htaccess file, with either the 'registry' (Windows behavior) or 'script'
(Unix behavior) option, and will override this server default option.
DefaultType: the default MIME type the server will use for a document
if it cannot otherwise determine one, such as from filename extensions.
If your server contains mostly text or HTML documents, "text/plain" is
a good value. If most of your content is binary, such as applications
or images, you may want to use "application/octet-stream" instead to
keep browsers from trying to display binary files as though they are
text.
DefaultType text/plain
<IfModule mime_module>
TypesConfig points to the file containing the list of mappings from
filename extension to MIME-type.
 TypesConfig conf/mime.types
AddType allows you to add to or override the MIME configuration
file specified in TypesConfig for specific file types.
 #AddType application/x-gzip .tgz
AddEncoding allows you to have certain browsers uncompress
information on the fly. Note: Not all browsers support this.
 #AddEncoding x-compress .Z
 #AddEncoding x-gzip .gz .tgz
If the AddEncoding directives above are commented-out, then you
probably should define those extensions to indicate media types:
 AddType application/x-compress .Z
 AddType application/x-gzip .gz .tgz
AddHandler allows you to map certain file extensions to "handlers":
actions unrelated to filetype. These can be either built into the server
or added with the Action directive (see below)
To use CGI scripts outside of ScriptAliased directories:
(You will also need to add "ExecCGI" to the "Options" directive.)
 #AddHandler cgi-script .cgi
For type maps (negotiated resources):
 #AddHandler type-map var
Filters allow you to process content before it is sent to the client.
To parse .shtml files for server-side includes (SSI):
(You will also need to add "Includes" to the "Options" directive.)
 #AddType text/html .shtml
 #AddOutputFilter INCLUDES .shtml
</IfModule>
The mod_mime_magic module allows the server to use various hints from the
contents of the file itself to determine its type. The MIMEMagicFile
directive tells the module where the hint definitions are located.
#MIMEMagicFile conf/magic
Customizable error responses come in three flavors:
1) plain text 2) local redirects 3) external redirects
Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
EnableMMAP and EnableSendfile: On systems that support it,
memory-mapping or the sendfile syscall is used to deliver
files. This usually improves server performance, but must
be turned off when serving from networked-mounted
filesystems or if support for these functions is otherwise
broken on your system.
#EnableMMAP off
#EnableSendfile off
Supplemental configuration
The configuration files in the conf/extra/ directory can be
included to add extra features or to modify the default configuration of
the server, or you may simply copy their contents here and change as
necessary.
Server-pool management (MPM specific)
#Include conf/extra/httpd-mpm.conf
Multi-language error messages
#Include conf/extra/httpd-multilang-errordoc.conf
Fancy directory listings
#Include conf/extra/httpd-autoindex.conf
Language settings
#Include conf/extra/httpd-languages.conf
User home directories
#Include conf/extra/httpd-userdir.conf
Real-time info on requests and configuration
#Include conf/extra/httpd-info.conf
Virtual hosts
#Include conf/extra/httpd-vhosts.conf
Local access to the Apache HTTP Server Manual
#Include conf/extra/httpd-manual.conf
Distributed authoring and versioning (WebDAV)
#Include conf/extra/httpd-dav.conf
Various default settings
#Include conf/extra/httpd-default.conf
Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf
Note: The following must must be present to support
 starting without SSL on platforms with no /dev/random equivalent
 but a statically compiled-in mod_ssl.
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
ProxyPreserveHost On
ProxyVia on
ProxyTimeout 600
#disable forward-proxying
ProxyRequests Off
#proxy /irj both ways
ProxyPass /irj http://sapportal:50000/irj
ProxyPassReverse /irj http://sapportal:50000/irj
#ProxyPassReverse /irj http://testcomp/irj
#proxy /logon both ways
ProxyPass /logon http://sapportal:50000/logon
ProxyPassReverse /logon http://sapportal:50000/logon
#ProxyPassReverse /logon http://testcomp/logon

Apache Reverse Proxy with Abap Web query

Hi to all
We are trying to configure apache 2 to work as a reverse proxy with web abap Netweaver installation.
From inside the network the web query is fine.
Running the query with the reverse proxy we have only the html code in the browser. All the scripts and css are not present.
We checked some messages inside the forum and we have tried a lot of stuff without success.
We use always linux (Fedora, Ubuntu with xampp or apache only) plus the html module or the publisher from http://apache.webthing.com.
Our installation is like this the reverse proxy in the dmz and the netweaver to the inside off coarse, and we don't have the same domain name, i don't know if this is important.
Any help/idea is valuable.
Thank you
Yiannis

Hi Olivier
I have seen your solution in other messages but i didn't try it because i was trying to work with the html_proxy module.
I read the documents you gave me plus some apache tutorials on the rewrite rule.
In any case i have my installation working now.
I did some extra changes in my config so now the rules are like that
ProxyVia On
ProxyBadHeader IsError
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /sap http://192.168.1.59:8001/sap
ProxyPassReverse /sap http://192.168.1.59:8001/sap
RewriteEngine On
RewriteRule ^/(sap\(.*) http://192.168.1.59:8001/$1 [P,L]
Thanks again for your help
Yiannis

Apache Reverse Proxy: Domain problem

Hi,
I have a problem with Apache Reverse Proxy (Apache 2.2) and SAP Enterprise Portal 6.0.
I configured Apache as a Reverse Proxy Server (with SSL)so that the portal is accessible through the internet. Everything is working fine but the OWA integration doesn't work over the Reverse Proxy.
If I log on to http://portalsrv.mydomain.xx:12345/irj the OWA integration works fine with SSO and there is no problem with session management.
If I log on to https://revproxy.mydomain.zz:1234/irj and want to open Outlook I get the message that Session management doesn't work. However the other components like ESS work fine. Deactivating the DSM Logger is not a solution to this problem.
The Log tells me:
1.
Application domain 'mydomain.xx' differs from Portal domain 'mydomain.zz'.
Session Management will not work for Application 'abc.mydomain.xx'
2.
Application schema 'http' differs from Portal schema 'https'.
Session Management will not work for Application 'abc.mydomain.xx'
Is there a possibility to write a Rewrite-Rule in the Apache-Conf?
For instance:
https://abc.mydomain.xx --> http://abc.mydomain.zz
Does anybody made such a rule?
I hope anybody can help me with the problem.
Thank you

Hi Daniel,
ok I`ll try to find a solution in parallel and keep you up to date.
In the following my settings in case I missed something:
<VirtualHost test.firma.de:443>
SSLEngine on
SSLProxyEngine on
SSLCertificateFile /apache/keys/pac_ssl_qep_dmz_server.crt
SSLCertificateKeyFile /apache/keys/pac_ssl_qep_dmz_server.key
ServerName test.firma.de:443
ServerAdmin [email protected]
LogLevel debug
ErrorLog logs/ssl_443_error
CustomLog logs/ssl_443_access_log common
ProxyVia Off
ProxyPreserveHost On
ReWriteEngine on
ReWriteLogLevel 0
ReWriteLog logs//ssl_443_rewrite_http.log
ProxyPass / https://backend.firma.de:50001/
ProxyPassReverse / https://backend.firma.de:50001/
</VirtualHost>
Regards, Jens

Reverse proxy rule

Similar Messages

Maybe you are looking for