Reverse Proxy Settings.

Hi Friends,
We have setup our DMZ using 238276.1 this note for iRecruitment.
We are now thinking to use Reverse Proxy.
Below was the step which we skipped in note related to configuration of reverse proxy.
5.5.1: Update Oracle E-Business Suite Applications Context File
On the external Oracle E-Business Suite web node, run the AutoConfig Context Editor as documented in the Oracle MetaLink Note 165195.1
"Using AutoConfig to Manage System Configurations with Oracle Applications 11i". In the Context Detail screen, set the following
configuration values:
l set the webentry point, s_webentryhost, to the reverse proxy server.
l set the webentry domain, s_webentrydomain, to the domain name of the reverse proxy server.
l set the active webport, s_active_webport, to the port where the reverse proxy server listen for client requests. For example port 80 for
HTTP or 443 for HTTPS.
l set the webentry protocol, s_webentryurlprotocol, to the protocol value the clients use to access the reverse proxy server.
l set the login page, s_login_page, to <webentry protocol>://<webentry point>.<webentry domain>:<active webport>. Replace
<webentry protocol>, <webentry point>, <webentry domain>, and <active webport> with their respective values.
My doubt is, Our unix admin directly can configure one external web site like
https://irecrutment.xcompnay.com which can directly re-route to our external web server in DMZ for iRecruit Page.
Then what is the significant of these settings ? Can we not achieve this thing without
setting these things ?
Regards,
Jagjeet Singh

Yes it sounds like a reverse proxy would help you out, however Apple no longer provide a (built-in) means to set one up in Server.app, you might be able to manually set one up in Apache but a better option would be to install a copy of Nginx and use that instead for your reverse-proxy server.

Similar Messages

BizTalk published WCF service throwing HTTP 404 error using ISA reverse proxy settings

I have published my schemas as a WCF service from BizTalk 2010 "Publish WCF Service" wizard. I used Wcf-basicHTTP adapter in receive port. I am able to run the service successfully on localhost IIS and I tested my biztalk solution by sending request using SOAP UI and got response successfully.... Now: Actually, I need to give this service endpoint to my vendor who will send request from outside my company's network i.e. internet. In my infrastrucrue BizTalk is behind the firewall so, we setup a REVERSE proxy server at DMZ layer and it is configured properly. I have tested a simple WCF service by replacing the localhost with Proxy server configured address <DNSName> and it worked absolutely fine. But when I change localhost in my BizTalk schema based published WCF service it is not working and I am getting following error. Really strugling to get it resolved. I wasted a whole 3 days....very upset. Please help me out by giving the detailed step solution. Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly. Requested URL: /BizTalkServiceInstance/MyService.svc I am surprized why other c# code based WCF services are working fine with reverse proxy settings. Server Error in '/' Application. The resource cannot be found.Is there any special things to consider Biztalk exposed wcf servcie over ssl in IIS cluster with ISA

Hi Singam :)
First I would start by browsing any other files (files other than the one from WCF) just to ensure that the reverse-proxy’s redirection rules are set correctly. If you get the same 404 error when you try to access other service/files “through reverse-proxy”,
then it’s an issue in the redirection rule(s) in reverse-proxy.
If others are fine i.e. no issue in reverse-proxy setup as such, then try the following for WCF service's web.config file. I have seen this issue in WCF service (not just BizTalk’s artifacts exposed as service in reverse-proxy). Add serviceHostingEnvironment
config as show with in serviceModel section.
<system.serviceModel>
<serviceHostingEnvironment aspNetCompatibilityEnabled="true" multipleSiteBindingsEnabled="true" />
</system.serviceModel>
Regards,
M.R.Ashwin Prabhu
If this answers your question please mark it accordingly. If this post is helpful, please vote as helpful by clicking the upward arrow mark next to my reply.

Reverse proxy settings crashing ML Server

I have a few IP cameras I'm attempting to expose externally via reverse proxy. I've created a site on my Mini ML Server and password protected it under a subdomain. This allows me to drop my own custom UI on the camera controls so they work better with my iPhone etc. It's working great on my laptops local virtual host. However, the reverse proxy settings seem to kill apache on the ML server. If I remove the lines in blue below, it seems to work, but i get double authentication requests. Anyone have any experience with this? My Apache knowledge is minimal at best
ProxyRequests off
ProxyPass /camera1/ http://192.168.0.1/
ProxyPass /camera2/ http://192.168.0.2/
ProxyPass /camera3/ http://192.168.0.3/
ProxyHTMLURLMap http://192.168.0.1 /camera1
ProxyHTMLURLMap http://192.168.0.2 /camera2
ProxyHTMLURLMap http://192.168.0.3 /camera3
<Location /camera1/>
ProxyPassReverse /
ProxyHTMLEnable On
ProxyHTMLURLMap / /camera1/
RequestHeader unset Accept-Encoding
</Location>
<Location /camera2/>
ProxyPassReverse /
ProxyHTMLEnable On
ProxyHTMLURLMap / /camera2/
RequestHeader unset Accept-Encoding
</Location>
<Location /camera3/>
ProxyPassReverse /
ProxyHTMLEnable On
ProxyHTMLURLMap / /camera3/
RequestHeader unset Accept-Encoding
</Location>

The following setup took care of my issue...
ProxyRequests off
ProxyPass /camera1/ http://192.168.0.30/
ProxyPass /camera2/ http://192.168.0.32/
ProxyPass /camera3/ http://192.168.0.34/
ProxyPass /camera4/ http://192.168.0.36/
ProxyPassReverse /camera1 http://192.168.0.30
ProxyPassReverse /camera2 http://192.168.0.32
ProxyPassReverse /camera3 http://192.168.0.34
ProxyPassReverse /camera4 http://192.168.0.36

Reverse proxy settings needed for exposing webservice to external world?

Hi guys,
Internal PI system have exposed a WebService endpoint URL. There is firewall point lets say it <EXT_POINT:EXT_PORT>, which is accessible from outside the company premises, with http://<EXT_POINT:EXT_PORT>/<SomeService>, then request is forwarded to the PI. However, I believe on PI system, the reverse proxy should be configured. What I shall do is to setup the HTTP mapping:
<EXT_POINT:EXT_PORT> TO <PI_SYSTEM:PI_HTTP_PORT>
and
<SomeService> TO XISOAPAdapter/MessageServlet?channel=<PARTY>:<SENDER_COMP>:<CHANNEL>
Or am I missing something in the whole picture ..?
Thanks,
Lalo

Hi,
You don't need to setup rules for each partner or each interface. which requires lot of rule set up at reverse proxy server table. To avoid this, I would suggest to have a common rule for SOAP adapter and HTTP adapter which should be maintained in proxy server.
Let say, your webservice URL in SAP PI is something like this,
http://< PI host>:< PI port>/XISOAPAdapter/MessageServlet?channel=:<Service>:<channel name>
and reverser proxy server URL ( exposed to external world....URL should have Business servie, communication details as well)
http://< Reverse proxy server host>:< Reverse proxy server port>/XISOAPAdapter/MessageServlet?channel=:<Service>:<channel name>
then the rule should be set like,
whatever request coming from any application with http://< Reverse proxy server host>:< Reverse proxy server port>/XISOAPAdapter/ ** then route the request to http://< PI host>:< PI port>/XISOAPAdapter/**.
So the webservice request will be routed to respective interface.
The same way can be applied for HTTP.
Hope this helps.
Thanks
Rajesh
Edited by: Rajesh on Jun 23, 2010 9:52 PM

How do I use Sun Web Server 7.0u1 reverse proxy to change public URLs?

Some of our installations use the Sun Web Server 7.0 (update 1, usually)
for hosting some of the public resource and reverse-proxying other parts
of the URI namespace from other backend servers (content, application
and other types of servers).
So far every type of backend server served a unique part of the namespace
and there was no collision of names, and the backend resources were
published in a one-to-one manner. That is, a backend resource like, say,
http://appserver:8080/content/page.html would be published in the internet
as http://www.publicsite.com/content/page.html
I was recently asked to research whether we can rename some parts of
the public URI namespace, to publish some or all resources as, say,
http://www.publicsite.com/data/page.html while using the same backend
resources.
Another quest, possibly related in solution, was to make a tidy url for the
first page the user opens of the site. That is, in the current solution when
a visitor types the url "www.publicsite.com" in his or her browser, our web
server returns an HTTP-302 redirect to the actual first page URL, so the
browser sends a second request (and changes the URL in its location bar).
One customer said that it is not "tidy". They don't want the URL to change
right upon first rendering the page. They want the root page to be rendered
instantly i the first HTTP request.
So far I found that I can't solve these problems. I believe these problems
share a solution because it relies on ability to control the actual URI strings
requested by Sun Web Server from backend servers.
Some details follow, now:
It seems that the reverse proxy (Service fn="service-passthrough") takes
only the $uri value which was originally requested by the browser. I didn't
yet manage to override this value while processing a request, not even if
I "restart" a request. Turning the error log up to "finest" I see that even
when making the "service-passthrough" operation, the Sun Web Server
still remembers that the request was for "/test" (in my test case below);
it does indeed ask the backend server for an URI "/test" and that fails.
[04/Mar/2009:21:45:34] finest (25095) www.publicsite.com: for host xx.xx.xx.83
trying to GET /content/MainPage.html while trying to GET /test, func_exec reports:
fn="service-passthrough" rewrite-host="true" rewrite-location="true"
servers="http://10.16.2.127:8080" Directive="Service" DaemonPool="2b1348"
returned 0 (REQ_PROCEED)My obj.conf file currently has simple clauses like this:
# this causes /content/* to be taken from another (backend) server
NameTrans fn="assign-name" from="/content" name="content-test" nostat="/content"
# this causes requests to site root to be HTTP-redirected to a certain page URI
<If $uri =~ '^/$'>
 NameTrans fn="redirect"
 url="http://www.publicsite.com/content/MainPage.html"
</If>
<Object name="content-test">
### This maps http://public/content/* to http://10.16.2.127:8080/content/*
### Somehow the desired solution should instead map http://public/data/* to http://10.16.2.127:8080/content/*
 Service fn="service-passthrough" rewrite-host="true" rewrite-location="true" servers="http://10.16.2.127:8080"
 Service fn="set-variable" set-srvhdrs="host=www.publicsite.com:80"
</Object>
I have also tried "restart"ing the request like this:
 NameTrans fn="restart" uri="/data"or desperately trying to set the new request uri like this:
 Service fn="set-variable" uri="/magnoliaPublic/Main.html"Thanks for any ideas (including a statement whether this can be done at all
in some version of Sun Web Server 7.0 or its opensourced siblings) ;)
//Jim

Some of our installations use the Sun Web Server 7.0 (update 1, usually)please plan on installing the latest service pack - 7.0 Update 4. these updates addresses potentially critical bug fixes.
I was recently asked to research whether we can rename some parts of
the public URI namespace, to publish some or all resources as, say,
http://www.publicsite.com/data/page.html while using the same backend
resources.> now, if all the resources are under say /data, then how will you know which pages need to be sent to which back end resources. i guess, you probably meant to check for /data/page.html should go to <back-end>/content/page.html
yes, you could do something like
- edit your corresponding obj.conf (<hostname>-obj.conf or obj.conf depending on your configuration)
<Object name=¨default¨>
<If $uri = ¨/page/¨>
#move this nametrans SAF (for map directive - which is for reverse proxy within <if> clause)
NameTrans.. fn=map
</If
</Object>
and you could do https-<hostname>/bin/reconfig (dynamic reconfiguration) to check out if this is what you wanted. also, you might want to move config/server.xml <log-level> to finest and do your configuration . this way, you would get enough information on what is going on within your server logs.
finally,when you are satisfied, you might have to run the following command to make your manual change into admin config repository.
<install-root>/bin/wadm pull-config user=admin config=<hostname> <hostname>
<install-root>/bin/wadm deploy-config --user=admin <hostname>
you might want to check out this for more info on how you could use <if> else condition to handle your requirement.
http://docs.sun.com/app/docs/doc/820-6599/gdaer?a=view
finally, you might want to refer to this doc - which explains on ws7 request processing overview. this should provide you with some pointers as to what these different directives mean
http://docs.sun.com/app/docs/doc/820-6599/gbysz?a=view
>
One customer said that it is not "tidy". They don't want the URL to change
right upon first rendering the page. They want the root page to be rendered
instantly i the first HTTP request.
please check out the rewrite / restart SAF. this should help you.
http://docs.sun.com/app/docs/doc/820-6599/gdada?a=view
pl. understand that - like with more web servers - ordering of directives is very important within obj.conf. so, you might want to make sure that you verify the obj.conf directive ordering is what you want it to do..
It seems that the reverse proxy (Service fn="service-passthrough") takes
only the $uri value which was originally requested by the browser. I didn't
yet manage to override this value while processing a request, not even if
I "restart" a request. Turning the error log up to "finest" I see that even
when making the "service-passthrough" operation, the Sun Web Server
still remembers that the request was for "/test" (in my test case below);
it does indeed ask the backend server for an URI "/test" and that fails.
now, you are in the totally wrong direction. web server 7 includes a highly integrated reverse proxy solution compared to 6.1. unlike 6.1, you don´t have to download a separate plugin . however, you will need to manually migrate your 6.1 based reverse proxy settings into 7.0. please check out this blog link on how to set up a reverse proxy
http://blogs.sun.com/amit/entry/setting_up_a_reverse_proxy
feel free to post to us if you need any futher help
you are probably better off - starting fresh
- install ws7u4
- use gui or CLI to create a reverse proxy and map one on one - say content
http://docs.sun.com/app/docs/doc/820-6601/create-reverse-proxy-1?a=view
if you don´t plan on using ws7 integrated web container (ability to process jsp/servlet), then you could disable java support as well. this should reduce your server memory footprint
<install-root>/bin/wadm disable-java user=admin config=<hostname>
<install-root>/bin/wadm create-reverse-proxy user=admin uri-prefix=/content server=<http://your back end server/ config=<hostname> --vs=<hostname>
<install-root>/bin/wadm deploy-config --user=admin <hostname>
now, you can check out the regular express processing and <if> syntax from our docs and try it out within <https-<hostname>/config/<hostname>-obj.conf> file and restart the server. pl. note that once you disable java, ws7 admin server creates <vs>-obj.conf and you need to edit this file and not default obj.conf for your changes to be read by server.
>
I have also tried "restart"ing the request like this:
NameTrans fn="restart" uri="/data"
ordering is very important here... you need to do this some thing like
<Object name=default>
<If not $restarted>
NameTrans fn=restart uri from=/¨ uri=/foo.
</If>

Printing Issue from ITS with a Reverse Proxy Configured

Hi experts,
We have an enterprise portal landscape which can be accessed from the internet. The URLs are mapped using apache server as a reverse proxy. Also, we have configured the reverse proxy settings for accessing R/3 systems.
When the users try to take the print out from the ITS Web GUI accessed through the enterprise portal, the page redirects itself to an only internally resolvable host name of the R/3 ITS.
Due to this issue, users are not able to take prints from internet.
I would like to know if there is any way by which i can change this to my externally resolvable reverse proxy host address, which in turn can be mapped internally to the original host name at the reverse proxy level.
Can any one help me out in this?
Thanks a lot
Shobin

Hi Shobin,
SAP note 1145306 might provide some help about directives to be used.
Regards,
Dieter

How to set 3rd Party Reverse Proxy for smp 3.0 ?

Hi am new to SMP 3.0 . Please help me out .

hi am fallowing the steps in SyBooks Online for reverse proxy settings.
I added the below proxy settings in Apache2.2\conf\httpd.conf .
Listen 8080
<VirtualHost *:8080>
 ServerName proxy-server
 ErrorLog "C:/Apache2.2/logs/error.log"
 TransferLog "C:/Apache2.2/logs/access.log"
 <Location />
 ProxyPass http://172.22.26.199:8080/
 ProxyPassReverse http://172.22.26.199:8080/
</Location>
 </VirtualHost>
After adding this proxy setting am unable to run apche server am getting error like "The requested operation has failed " . How to resolve this error ?

Using reverse proxy for load balancing

Hello,
i have succesfully configured a reverse proxy ( Sun Web Server 7 ) to balance load between two application servers ( Sun Application Server 9.1), however i do not want randon assignment of requests using a round robin algorithm ( default option in Sun Web Server 7) but rather i want to apply a 80/20 rule so that one application server will receive 80% of the requests and the other will receive 20%.
Is there a way of performarming such a task.
your help is really appreciated.
thank you

thank you for the reply,
actually i tried it yesterday and it seems to work.
in my reverse proxy settings i added one server two times and the other once and 66% of the requests were forwarded to the first server.
now i have enabled the scenario that you are mentioning above and i so far requests seem to be proceced using the 80% 20% scenario.

Sharepoint 2013 + Windows Server 2012 as reverse proxy

Hello All -
I'd like to ask if anyone has any experience with the new Windows Server 2012 (reverse) proxy, in providing a single sign-on service to Sharepoint 2013.
Scenario:
My client has a Sharepoint 2013 with 3 web applications (portal, teamsites, mysites). All three URLs are available externally via HTTPS only. All clients have AD credentials (no requirement for claims based authentication), although this includes 3 domains
in two different forests (trusts exist). Everything is already configured to allow clients access from domain-joined devices.
My client would like mobile devices (not domain-joined) to be able to access the three web applications without repeated logon prompts. Browser default settings must be used, they do not want to instruct people to perform any configuration on their mobile
device - it all has to work "out of the box" from the client side. Clients will be using iPads and iPhones with Safari, Windows Phones, Androids etc.
I'm considering proposing the use of a reverse-proxy, and rather than using the now depracated Forefront TMG or probably soon-to-be depracated UAG, I would like to jump straight in to the new and very cool looking Windows 2012 proxy server.
It's my understanding that this will provide a single sign-on service in this scenario. I'm unsure whether an ADFS server is also required even for pass-through, the information available is unclear, and also whether any special configuration is required
to a domain controller (DCs in the environment are all 2008R2, with 2008R2 functional level).
I would appreciate it if anyone could give an overview or point me in the direction of some accurate documentation regarding all of the above. Most importantly, if any of my assumptions above seem incorrect, please let me know.
Thank you!
sysadmin

I've heard no supportability statement with SharePoint and the Web Application Proxy (likely because it isn't GA yet). However, it does use ADFS for SSO, so you'll have to SAML-enable your Web Applications. The only downside to this is if you
use anything that is SAML-unfriendly, like PowerPivot [Data Refresh] and at least in 2010, Visio Services and InfoPath Forms Services.
Trevor Seward, MCC
Follow or contact me at...
&nbsp&nbsp
This post is my own opinion and does not necessarily reflect the opinion or view of Microsoft, its employees, or other MVPs.

Problem with Apache reverse proxy after applying SP13 NW

Hello,
we have a NW04 EP Portal and a Apache reverse proxy in the DMZ. After applying SP 13 for the portal we get the following error from the reverse proxy:
Proxy Error
The proxy server received an invalid response from an upstream server.
The proxy server could not handle the request GET /irj/.
Reason: Error reading from remote server
Apache/2.0.52 (Win32) mod_ssl/2.0.52 OpenSSL/0.9.7e Server at servername.company.de Port 443
Is is it possible, that there is a problem with sp13?
Best regards
Daniel Holstein

Hi Daniel,
ok I`ll try to find a solution in parallel and keep you up to date.
In the following my settings in case I missed something:
<VirtualHost test.firma.de:443>
SSLEngine on
SSLProxyEngine on
SSLCertificateFile /apache/keys/pac_ssl_qep_dmz_server.crt
SSLCertificateKeyFile /apache/keys/pac_ssl_qep_dmz_server.key
ServerName test.firma.de:443
ServerAdmin [email protected]
LogLevel debug
ErrorLog logs/ssl_443_error
CustomLog logs/ssl_443_access_log common
ProxyVia Off
ProxyPreserveHost On
ReWriteEngine on
ReWriteLogLevel 0
ReWriteLog logs//ssl_443_rewrite_http.log
ProxyPass / https://backend.firma.de:50001/
ProxyPassReverse / https://backend.firma.de:50001/
</VirtualHost>
Regards, Jens

Webdynpro application not functioning from Apache Reverse Proxy

Hi Experts,
We are currently working on custom webdynpro application, which needs to be exposed to Internet. We are using Apache HTTP Server as a reverse proxy.
We canable to access URL, but no images are getting displayed and also the application not functioning when we click any button/links.
Below is the HTTPD file configuration.
ProxyPass /esampleApp http://hostname:port/webdynpro/dispatcher/local/esampUI/ESamplingApp
ProxyPassReverse /esampleApp http://hostname:port/webdynpro/dispatcher/local/esampUI/ESamplingApp
When we look into image URL, which is being called from Apache, we found out "webdynpro" is missing in the URL.
Actual URL in Portal Server: (working)
http://portalhostname:port/webdynpro/resources/local/esampUI/Components/esampling.ui.ESamplingComp/logo.gif
Apache URL:
http://Apachehostname:port/resources/local/esampUI/Components/esampling.ui.ESamplingComp/logo.gif
Please suggest.
Thanks
Aravind

We also had the same issue, but the problem was that instead of http https was getting called.
This has to do with 2 settings:
1. Check the reverse proxy re-write URL's again. Note that there will be 2-3 entries one for webdynpro as well.
2. Open your system definintion in system admin-sys configuration adn check the WAS settings. this should point to the FQDN of the proxy server and not to the R3 server.
ankur

Apache as reverse proxy - 400 Bad request

Hi all,
I'm configured apache as reverse proxy according to this blog:
The Reverse Proxy Series -- Part 3: Apache as a reverse-proxy
When I try to navigate http://testcomp/irj I get "400 - Bad request"
See exception;
Message : User Guest, IP address
Cannot parse the http request. Http error response [400 Bad Request] will be returned. Request is [Host: sapportal:50000
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, /
Accept-Language: en,he;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; FDM; .NET CLR 2.0.50727)
Max-Forwards: 10
Via: 1.1 localhost
X-Forwarded-For: 10.0.0.4
X-Forwarded-Host: 10.0.0.6
X-Forwarded-Server: localhost
Connection: Keep-Alive
GET /irj HTTP/1.1
Host: sapportal:50000
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, /
Accept-Language: en,he;q=0.5
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.1.4322; FDM; .NET CLR 2.0.50727)
Max-Forwards: 10
Via: 1.1 localhost
X-Forwarded-For: 10.0.0.4
X-Forwarded-Host: 10.0.0.6
X-Forwarded-Server: localhost
Connection: Keep-Alive
com.sap.engine.services.httpserver.exceptions.HttpIllegalArgumentException: Incompatible field content in the MIME header.
 at com.sap.engine.services.httpserver.lib.headers.MimeHeaderField.parse(MimeHeaderField.java:364)
 at com.sap.engine.services.httpserver.lib.headers.MimeHeaders.init(MimeHeaders.java:504)
 at com.sap.engine.services.httpserver.server.RequestAnalizer.initialize(RequestAnalizer.java:196)
 at com.sap.engine.services.httpserver.server.Client.initialize(Client.java:84)
 at com.sap.engine.services.httpserver.server.Processor.request(Processor.java:143)
 at com.sap.engine.core.service630.context.cluster.session.ApplicationSessionMessageListener.process(ApplicationSessionMessageListener.java:33)
 at com.sap.engine.core.cluster.impl6.session.MessageRunner.run(MessageRunner.java:41)
 at com.sap.engine.core.thread.impl3.ActionObject.run(ActionObject.java:37)
 at java.security.AccessController.doPrivileged(Native Method)
 at com.sap.engine.core.thread.impl3.SingleThread.execute(SingleThread.java:100)
 at com.sap.engine.core.thread.impl3.SingleThread.run(SingleThread.java:170)
Severity : Error
Category :
Location : com.sap.engine.services.httpserver
Application :
Thread : SAPEngine_Application_Thread[impl:3]_32
Datasource : 9332850:C:usrsapPD9JC00j2eeclusterserver0logdefaultTrace.trc
Message ID : 000C29EFE9A300570000002D00000B9000043A81D3311894
Source Name : com.sap.engine.services.httpserver
Argument Objs :
Arguments :
Dsr Component :
Dsr Transaction : 5359e85066e411dcbf6b000c29efe9a3
Dsr User :
Indent : 0
Level : 0
Message Code :
Message Type : 0
Relatives :
Resource Bundlename :
Session : 2
Source : com.sap.engine.services.httpserver
ThreadObject : SAPEngine_Application_Thread[impl:3]_32
Transaction :
User : Guest
The lines I added to http.conf
#Enable reverse-proxying
ProxyVia on
ProxyTimeout 600
#disable forward-proxying
ProxyRequests Off
#proxy /irj both ways
ProxyPass /irj http://sapportal:50000/irj
ProxyPassReverse /irj http://testcomp/irj
#proxy /logon both ways
ProxyPass /logon http://sapportal:50000/logon
ProxyPassReverse /logon http://testcomp/logon
I tried with apache version 2.2.3 & 2.0.59 with no success.
My J2EE/Portal version is 6.17.
Since this is a testing environment the two computers are under the same workgroup (no domain).
If I naviagte directly to the portal (without the reverse proxy) everything is working.
How can I solve it?
Regards,
Omri

Hi Jakub,
Thanks for the answer.
It's not working for me...
I'm attaching my httpd.conf file.
Also, what apache version do you use?
Can you send me your post your httpd.conf file?
Thanks,
Omri
httpd.conf
This is the main Apache HTTP server configuration file. It contains the
configuration directives that give the server its instructions.
See <URL:http://httpd.apache.org/docs/2.2/> for detailed information.
In particular, see
<URL:http://httpd.apache.org/docs/2.2/mod/directives.html>
for a discussion of each configuration directive.
Do NOT simply read the instructions in here without understanding
what they do. They're here only as hints or reminders. If you are unsure
consult the online docs. You have been warned.
Configuration and logfile names: If the filenames you specify for many
of the server's control files begin with "/" (or "drive:/" for Win32), the
server will use that explicit path. If the filenames do not begin
with "/", the value of ServerRoot is prepended -- so "logs/foo.log"
with ServerRoot set to "c:/apache" will be interpreted by the
server as "c:/apache/logs/foo.log".
NOTE: Where filenames are specified, you must use forward slashes
instead of backslashes (e.g., "c:/apache" instead of "c:\apache").
If a drive letter is omitted, the drive on which Apache.exe is located
will be used by default. It is recommended that you always supply
an explicit drive letter in absolute paths, however, to avoid
confusion.
ThreadsPerChild: constant number of worker threads in the server process
MaxRequestsPerChild: maximum number of requests a server process serves
ThreadsPerChild 250
MaxRequestsPerChild 0
ServerRoot: The top of the directory tree under which the server's
configuration, error, and log files are kept.
Do not add a slash at the end of the directory path. If you point
ServerRoot at a non-local disk, be sure to point the LockFile directive
at a local disk. If you wish to share the same ServerRoot for multiple
httpd daemons, you will need to change at least LockFile and PidFile.
ServerRoot "c:/apache"
Listen: Allows you to bind Apache to specific IP addresses and/or
ports, instead of the default. See also the <VirtualHost>
directive.
Change this to Listen on specific IP addresses as shown below to
prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#Listen 12.34.56.78:80
Listen 80
Dynamic Shared Object (DSO) Support
To be able to use the functionality of a module which was built as a DSO you
have to place corresponding `LoadModule' lines at this location so the
directives contained in it are actually available before they are used.
Statically compiled modules (those listed by `httpd -l') do not need
to be loaded here.
Example:
LoadModule foo_module modules/mod_foo.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_basic_module modules/mod_auth_basic.so
#LoadModule auth_digest_module modules/mod_auth_digest.so
#LoadModule authn_anon_module modules/mod_authn_anon.so
#LoadModule authn_dbm_module modules/mod_authn_dbm.so
LoadModule authn_default_module modules/mod_authn_default.so
LoadModule authn_file_module modules/mod_authn_file.so
#LoadModule authz_dbm_module modules/mod_authz_dbm.so
LoadModule authz_default_module modules/mod_authz_default.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
#LoadModule cern_meta_module modules/mod_cern_meta.so
LoadModule cgi_module modules/mod_cgi.so
#LoadModule dav_module modules/mod_dav.so
#LoadModule dav_fs_module modules/mod_dav_fs.so
#LoadModule deflate_module modules/mod_deflate.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
#LoadModule expires_module modules/mod_expires.so
#LoadModule file_cache_module modules/mod_file_cache.so
#LoadModule headers_module modules/mod_headers.so
LoadModule imagemap_module modules/mod_imagemap.so
LoadModule include_module modules/mod_include.so
#LoadModule info_module modules/mod_info.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
#LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
#LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
#LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule negotiation_module modules/mod_negotiation.so
#LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
#LoadModule speling_module modules/mod_speling.so
#LoadModule status_module modules/mod_status.so
#LoadModule unique_id_module modules/mod_unique_id.so
LoadModule userdir_module modules/mod_userdir.so
#LoadModule usertrack_module modules/mod_usertrack.so
#LoadModule vhost_alias_module modules/mod_vhost_alias.so
#LoadModule ssl_module modules/mod_ssl.so
'Main' server configuration
The directives in this section set up the values used by the 'main'
server, which responds to any requests that aren't handled by a
<VirtualHost> definition. These values also provide defaults for
any <VirtualHost> containers you may define later in the file.
All of these directives may appear inside <VirtualHost> containers,
in which case these default settings will be overridden for the
virtual host being defined.
ServerAdmin: Your address, where problems with the server should be
e-mailed. This address appears on some server-generated pages, such
as error documents. e.g. [email protected]
ServerAdmin @@ServerAdmin@@
ServerName gives the name and port that the server uses to identify itself.
This can often be determined automatically, but we recommend you specify
it explicitly to prevent problems during startup.
If your host doesn't have a registered DNS name, enter its IP address here.
ServerName localhost:80
DocumentRoot: The directory out of which you will serve your
documents. By default, all requests are taken from this directory, but
symbolic links and aliases may be used to point to other locations.
DocumentRoot "c:/apache/htdocs"
Each directory to which Apache has access can be configured with respect
to which services and features are allowed and/or disabled in that
directory (and its subdirectories).
First, we configure the "default" to be a very restrictive set of
features.
<Directory />
 Options FollowSymLinks
 AllowOverride None
 Order deny,allow
 Deny from all
 Satisfy all
</Directory>
Note that from this point forward you must specifically allow
particular features to be enabled - so if something's not working as
you might expect, make sure that you have specifically enabled it
below.
This should be changed to whatever you set DocumentRoot to.
<Directory "c:/apache/htdocs">
Possible values for the Options directive are "None", "All",
or any combination of:
Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
Note that "MultiViews" must be named explicitly --- "Options All"
doesn't give it to you.
The Options directive is both complicated and important. Please see
http://httpd.apache.org/docs/2.2/mod/core.html#options
for more information.
 Options Indexes FollowSymLinks
AllowOverride controls what directives may be placed in .htaccess files.
It can be "All", "None", or any combination of the keywords:
Options FileInfo AuthConfig Limit
 AllowOverride None
Controls who can get stuff from this server.
 Order allow,deny
 Allow from all
</Directory>
DirectoryIndex: sets the file that Apache will serve if a directory
is requested.
<IfModule dir_module>
 DirectoryIndex index.html
</IfModule>
The following lines prevent .htaccess and .htpasswd files from being
viewed by Web clients.
<FilesMatch "^\.ht">
 Order allow,deny
 Deny from all
</FilesMatch>
ErrorLog: The location of the error log file.
If you do not specify an ErrorLog directive within a <VirtualHost>
container, error messages relating to that virtual host will be
logged here. If you do define an error logfile for a <VirtualHost>
container, that host's errors will be logged there and not here.
ErrorLog logs/error.log
LogLevel: Control the number of messages logged to the error_log.
Possible values include: debug, info, notice, warn, error, crit,
alert, emerg.
LogLevel warn
<IfModule log_config_module>
The following directives define some format nicknames for use with
a CustomLog directive (see below).
 LogFormat "%h %l %u %t \"%r\" %>s %b \"%You need to enable mod_logio.c to use %I and %Oi\" \"%{User-Agent}i\"" combined
 LogFormat "%h %l %u %t \"%r\" %>s %b" common
 <IfModule logio_module>
 LogFormat "%h %l %u %t \"%r\" %>s %b \"%i\" \"%{User-Agent}i\" %I %O" combinedio
 </IfModule>
The location and format of the access logfile (Common Logfile Format).
If you do not define any access logfiles within a <VirtualHost>
container, they will be logged here. Contrariwise, if you do
define per-<VirtualHost> access logfiles, transactions will be
logged therein and not in this file.
 CustomLog logs/access.log common
If you prefer a logfile with access, agent, and referer information
(Combined Logfile Format) you can use the following directive.
 #CustomLog logs/access.log combined
</IfModule>
<IfModule alias_module>
Redirect: Allows you to tell clients about documents that used to
exist in your server's namespace, but do not anymore. The client
will make a new request for the document at its new location.
Example:
Redirect permanent /foo http://www.example.com/bar
Alias: Maps web paths into filesystem paths and is used to
access content that does not live under the DocumentRoot.
Example:
Alias /webpath /full/filesystem/path
If you include a trailing / on /webpath then the server will
require it to be present in the URL. You will also likely
need to provide a <Directory> section to allow access to
the filesystem path.
ScriptAlias: This controls which directories contain server scripts.
ScriptAliases are essentially the same as Aliases, except that
documents in the target directory are treated as applications and
run by the server when requested rather than as documents sent to the
client. The same rules about trailing "/" apply to ScriptAlias
directives as to Alias.
 ScriptAlias /cgi-bin/ "c:/apache/cgi-bin/"
</IfModule>
"c:/apache/cgi-bin" should be changed to whatever your ScriptAliased
CGI directory exists, if you have that configured.
<Directory "c:/apache/cgi-bin">
 AllowOverride None
 Options None
 Order allow,deny
 Allow from all
</Directory>
Apache parses all CGI scripts for the shebang line by default.
This comment line, the first line of the script, consists of the symbols
pound (#) and exclamation followed by the path of the program that
can execute this specific script. For a perl script, with perl.exe in
the C:\Program Files\Perl directory, the shebang line should be:
 #!c:/program files/perl/perl
Note you mustnot_ indent the actual shebang line, and it must be the
first line of the file. Of course, CGI processing must be enabled by
the appropriate ScriptAlias or Options ExecCGI directives for the files
or directory in question.
However, Apache on Windows allows either the Unix behavior above, or can
use the Registry to match files by extention. The command to execute
a file of this type is retrieved from the registry by the same method as
the Windows Explorer would use to handle double-clicking on a file.
These script actions can be configured from the Windows Explorer View menu,
'Folder Options', and reviewing the 'File Types' tab. Clicking the Edit
button allows you to modify the Actions, of which Apache 1.3 attempts to
perform the 'Open' Action, and failing that it will try the shebang line.
This behavior is subject to change in Apache release 2.0.
Each mechanism has it's own specific security weaknesses, from the means
to run a program you didn't intend the website owner to invoke, and the
best method is a matter of great debate.
To enable the this Windows specific behavior (and therefore -disable- the
equivilant Unix behavior), uncomment the following directive:
#ScriptInterpreterSource registry
The directive above can be placed in individual <Directory> blocks or the
.htaccess file, with either the 'registry' (Windows behavior) or 'script'
(Unix behavior) option, and will override this server default option.
DefaultType: the default MIME type the server will use for a document
if it cannot otherwise determine one, such as from filename extensions.
If your server contains mostly text or HTML documents, "text/plain" is
a good value. If most of your content is binary, such as applications
or images, you may want to use "application/octet-stream" instead to
keep browsers from trying to display binary files as though they are
text.
DefaultType text/plain
<IfModule mime_module>
TypesConfig points to the file containing the list of mappings from
filename extension to MIME-type.
 TypesConfig conf/mime.types
AddType allows you to add to or override the MIME configuration
file specified in TypesConfig for specific file types.
 #AddType application/x-gzip .tgz
AddEncoding allows you to have certain browsers uncompress
information on the fly. Note: Not all browsers support this.
 #AddEncoding x-compress .Z
 #AddEncoding x-gzip .gz .tgz
If the AddEncoding directives above are commented-out, then you
probably should define those extensions to indicate media types:
 AddType application/x-compress .Z
 AddType application/x-gzip .gz .tgz
AddHandler allows you to map certain file extensions to "handlers":
actions unrelated to filetype. These can be either built into the server
or added with the Action directive (see below)
To use CGI scripts outside of ScriptAliased directories:
(You will also need to add "ExecCGI" to the "Options" directive.)
 #AddHandler cgi-script .cgi
For type maps (negotiated resources):
 #AddHandler type-map var
Filters allow you to process content before it is sent to the client.
To parse .shtml files for server-side includes (SSI):
(You will also need to add "Includes" to the "Options" directive.)
 #AddType text/html .shtml
 #AddOutputFilter INCLUDES .shtml
</IfModule>
The mod_mime_magic module allows the server to use various hints from the
contents of the file itself to determine its type. The MIMEMagicFile
directive tells the module where the hint definitions are located.
#MIMEMagicFile conf/magic
Customizable error responses come in three flavors:
1) plain text 2) local redirects 3) external redirects
Some examples:
#ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
EnableMMAP and EnableSendfile: On systems that support it,
memory-mapping or the sendfile syscall is used to deliver
files. This usually improves server performance, but must
be turned off when serving from networked-mounted
filesystems or if support for these functions is otherwise
broken on your system.
#EnableMMAP off
#EnableSendfile off
Supplemental configuration
The configuration files in the conf/extra/ directory can be
included to add extra features or to modify the default configuration of
the server, or you may simply copy their contents here and change as
necessary.
Server-pool management (MPM specific)
#Include conf/extra/httpd-mpm.conf
Multi-language error messages
#Include conf/extra/httpd-multilang-errordoc.conf
Fancy directory listings
#Include conf/extra/httpd-autoindex.conf
Language settings
#Include conf/extra/httpd-languages.conf
User home directories
#Include conf/extra/httpd-userdir.conf
Real-time info on requests and configuration
#Include conf/extra/httpd-info.conf
Virtual hosts
#Include conf/extra/httpd-vhosts.conf
Local access to the Apache HTTP Server Manual
#Include conf/extra/httpd-manual.conf
Distributed authoring and versioning (WebDAV)
#Include conf/extra/httpd-dav.conf
Various default settings
#Include conf/extra/httpd-default.conf
Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf
Note: The following must must be present to support
 starting without SSL on platforms with no /dev/random equivalent
 but a statically compiled-in mod_ssl.
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
ProxyPreserveHost On
ProxyVia on
ProxyTimeout 600
#disable forward-proxying
ProxyRequests Off
#proxy /irj both ways
ProxyPass /irj http://sapportal:50000/irj
ProxyPassReverse /irj http://sapportal:50000/irj
#ProxyPassReverse /irj http://testcomp/irj
#proxy /logon both ways
ProxyPass /logon http://sapportal:50000/logon
ProxyPassReverse /logon http://sapportal:50000/logon
#ProxyPassReverse /logon http://testcomp/logon

Apache Reverse Proxy

Hi
I have installed Apache Reverse Proxy to access my Portal and ECC6.
In the httpd config file , i have done the following settings.
<VirtualHost ipaddress:port>
ProxyPreserveHost On
ProxyPass /irj/ http://portalserver:50000/irj/
ProxyPassReverse /irj/ http://portalserver:50000/irj/
ProxyPass /eccdev/ http://eccserver:8000/eccdev/
ProxyPassReverse /eccdev/ http://eccserver:8000/eccdev/
</VirtualHost>
eccdev is external alias for the path
/sap/bc/gui/sap/its/webgui/
With this setting when i when a request is made for eccdev/
it takes me to the ecc6 login page.
when i enter the required information , it just clears the username password fields.
i checked that the username password are correctly entered.
what is the problem ?
Regards
Rajendra

Hi Darren ,
Thanks for the reply.
Our SSO between Portal and ECC6 works fine without Reverse Proxy.
If we access the Portal Through Reverse Proxy , when we navigate to any iViews say BSP iView , it asks for Username password. Once provided it works fine.
Second Scenario is Using Reverse Proxy to Directly access
SAP GUI . i.e without using Portal.
If i do not use Reverse Proxy , i can access my ECC6 webgui
through browser after providing the Login Details, but if i use Reverse Proxy then Even after providing the Login Details ,
the LogOn Box does not go and keeps asking for login details.
To summarize , i just want to acess the SAP GUI from Browser
using Reverse Proxy . I am able to do it without reverse Proxy .
Can you help ?

Apache Reverse Proxy: Domain problem

Hi,
I have a problem with Apache Reverse Proxy (Apache 2.2) and SAP Enterprise Portal 6.0.
I configured Apache as a Reverse Proxy Server (with SSL)so that the portal is accessible through the internet. Everything is working fine but the OWA integration doesn't work over the Reverse Proxy.
If I log on to http://portalsrv.mydomain.xx:12345/irj the OWA integration works fine with SSO and there is no problem with session management.
If I log on to https://revproxy.mydomain.zz:1234/irj and want to open Outlook I get the message that Session management doesn't work. However the other components like ESS work fine. Deactivating the DSM Logger is not a solution to this problem.
The Log tells me:
1.
Application domain 'mydomain.xx' differs from Portal domain 'mydomain.zz'.
Session Management will not work for Application 'abc.mydomain.xx'
2.
Application schema 'http' differs from Portal schema 'https'.
Session Management will not work for Application 'abc.mydomain.xx'
Is there a possibility to write a Rewrite-Rule in the Apache-Conf?
For instance:
https://abc.mydomain.xx --> http://abc.mydomain.zz
Does anybody made such a rule?
I hope anybody can help me with the problem.
Thank you

Hi Daniel,
ok I`ll try to find a solution in parallel and keep you up to date.
In the following my settings in case I missed something:
<VirtualHost test.firma.de:443>
SSLEngine on
SSLProxyEngine on
SSLCertificateFile /apache/keys/pac_ssl_qep_dmz_server.crt
SSLCertificateKeyFile /apache/keys/pac_ssl_qep_dmz_server.key
ServerName test.firma.de:443
ServerAdmin [email protected]
LogLevel debug
ErrorLog logs/ssl_443_error
CustomLog logs/ssl_443_access_log common
ProxyVia Off
ProxyPreserveHost On
ReWriteEngine on
ReWriteLogLevel 0
ReWriteLog logs//ssl_443_rewrite_http.log
ProxyPass / https://backend.firma.de:50001/
ProxyPassReverse / https://backend.firma.de:50001/
</VirtualHost>
Regards, Jens

Apache reverse proxy setting for access to Backend

Hi experts,
we have set up apache reverse proxy to make available our NW portal (and SRM functions)over the internet.
Our settings look something like this:
ProxyRequests Off
<VirtualHost *:80>
 ServerName myportal.portalhosto.com
 ProxyPreserveHost On
 ProxyPass /irj/ http://myportal.portalhost.com:53200/irj/
 ProxyPass /webdynpro/ http://myportal.postalhost.com:53200/webdynpro/
 ProxyPassReverse /irj/ http://myportal.portalhost.com:53200/irj/
 ProxyPassReverse /webdynpro/ http://myportal.portalhost.com:53200/webdynpro/
 ErrorLog logs/myportal.portalhost.com-error.log
 CustomLog logs/myportal.portalhost.com-custom.log combined
RewriteEngine On
 RewriteRule ^/sap/(.*)$ http://mybackend.backendhost.com:8020/sap/$1 [P,NC]
</VirtualHost>
Problem:
when we access the portal from the internal network(either by using the internal URL or external URL) things work fine.
But we access the portal from internet, we are able to login to the portal and acess all webdynpro Java related applications.But when we try to acess the BSP/WD abap application running on a backend SRM system, we get 'host not found' message with the INTERNAL url of the SRM backend application displayed.
Do we need to expose the SRM backend to the outside world via reverse proxy as well?If yes,how?Do we need to change the system definitions in portal for that?
Any help in resolving this would be greatly appreciated.
regards,
Kiran

Hi,
Do we need to expose the SRM backend to the outside world via reverse proxy as well?If yes,how?Do we need to change the system definitions in portal for that?
Yes , you have to expose your backend system using reverse proxy ...
When user access the portal and when he clicks on BSP/WD , the URL get re-directed to backend system.
But , as your backend system is not expose on internet , you get an error as host not found.
So, to solve your problem you have to expose your backend system on internet. It is in general pratice to expose on internet.
Thanks
Anil

Reverse Proxy Settings.

Similar Messages

Maybe you are looking for