Reverse Proxy with Firewall on Portal R2

Similar Messages

• Reverse proxy with apache2

  Hi folks,
  I have a huge problem here. I have a apache 2.0.50 on a Linux system that is to act as a reverse proxy for an enterprise portal. I have set up the apache to do reverse proxying and so far I have made first success. I can get to the login page of the portal and I even managed to make it show the images. The problem is, when I try to log on to the  portal I am always send back to the logon page in the very instance. If I enter the wrong logon information I see the authorization failed text, but when I enter correct information I only see the logon page again.
  I will put tyhe relevant part of my httpd.conf to this message and hope someone can point me to the right location or maybe even tell me what I'm doing wrong.
  And ny the way, the portal itself works perfectky when connected directly.
  Kind regards,
     Christian Guenther
  Reverse proxy configuration ############################################
  NameVirtualHost 172.30.210.96
  <VirtualHost 172.30.210.96>
     ServerAdmin [email protected]
     ServerName host.external.de
  SSL is turned off at the moment
     SSLEngine Off
     SSLCertificateFile /etc/apache2/ssl.crt/proxy.cert.cert
     SSLCertificateKeyFile /etc/apache2/ssl.key/proxy.cert.key
  Set up as a proxy for internal SAP systems
     ProxyRequests Off
     ProxyPreserveHost Off
     <Proxy *>
        Order deny,allow
        Allow from all
     </Proxy>
  IRJ
    <Location /irj/>
      ProxyPass http://host.internal.lan:8001/irj/
      ProxyPassReverse http://host.internal.lan:8001/irj/
  rewriting rules for proxy
      RewriteEngine On
      RewriteCond %  \.jsp
      RewriteRule ^(.+) % [P]
      RewriteCond % \.servlet
      RewriteRule ^(.+) %
  Portal
  rewriting rules for proxy
  [P]
    </Location>
    <Location />
      ProxyPass http://host.internal.lan:8001/
      ProxyPassReverse http://host.internal.lan:8001/
      RewriteEngine On
      RewriteCond %  \.jsp
      RewriteRule ^(.+) % [P]
      RewriteCond % \.servlet
      RewriteRule ^(.+) % [P]
    </Location>
  </VirtualHost>

  This is a valid configuration for an Apache Reverse Proxy:
  ThreadsPerChild 250
  MaxRequestsPerChild  0
  ServerRoot /usr/local/apache2
  Listen 443
  #LoadModule dir_module modules/mod_dir.so
  LoadModule rewrite_module modules/mod_rewrite.so
  LoadModule include_module modules/mod_include.so
  #LoadModule autoindex_module modules/mod_autoindex.so
  LoadModule access_module modules/mod_access.so
  #LoadModule auth_module modules/mod_auth.so
  LoadModule log_config_module modules/mod_log_config.so
  #LoadModule mime_module modules/mod_mime.so
  #LoadModule env_module modules/mod_env.so
  #LoadModule headers_module modules/mod_headers.so
  #LoadModule setenvif_module modules/mod_setenvif.so
  LoadModule alias_module modules/mod_alias.so
  LoadModule proxy_module modules/mod_proxy.so
  LoadModule proxy_http_module modules/mod_proxy_http.so
  LoadModule negotiation_module modules/mod_negotiation.so
  LoadModule ssl_module modules/mod_ssl.so
  ServerAdmin [email protected]
  ServerName your.servername.com
  UseCanonicalName Off
  make sure zou include these with valid entries...
  Include conf/log.conf
  Include conf/mime.conf
  Include conf/default.conf
  Include conf/ssl.conf
  BrowserMatch "Mozilla/2" nokeepalive
  BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
  BrowserMatch "RealPlayer 4\.0" force-response-1.0
  BrowserMatch "Java/1\.0" force-response-1.0
  BrowserMatch "JDK/1\.0" force-response-1.0
  BrowserMatch "Microsoft Data Access Internet Publishing Provider" redirect-carefully
  BrowserMatch "MS FrontPage" redirect-carefully
  BrowserMatch "^WebDrive" redirect-carefully
  BrowserMatch "^WebDAVFS/1.[0123]" redirect-carefully
  BrowserMatch "^gnome-vfs" redirect-carefully
  BrowserMatch "^XML Spy" redirect-carefully
  BrowserMatch "^Dreamweaver-WebDAV-SCM1" redirect-carefully
  this is for the MS IE SSL bug
  BrowserMatch ".MSIE." nokeepalive ssl-unclean-shutdown downgrade-1.0#
  force-response-1.0
  Header add P3P CP="NOI"
  Proxy with caching
  LoadModule cache_module modules/mod_cache.so
  LoadModule disk_cache_module modules/mod_disk_cache.so
  CacheRoot /usr/local/apache2/Cache
  CacheEnable disk /
  CacheDirLevels 5
  CacheDirLength 3
  <VirtualHost *:443>
      ServerName your.servername.com
      ServerAdmin [email protected]
  Set the level of log entries - debug produces A LOT of messages
      LogLevel debug
      ErrorLog logs\error.log
      LogFormat "%h %l %u %t \"%r\" %>s %b" common
      CustomLog logs\access.log common
  NEVER turn this On, it would create a forward proxy   
      ProxyRequests Off
      ProxyPreserveHost On
  it is important that the proxy uses active protocol used in the
  internet section of the request
      RequestHeader set ClientProtocol https
      Header add P3P CP="NOI"
  we need to answer HTTPS requests, so we need an ssl engine   
      SSLEngine On
  and a cipher suite plus certificate
      SSLCipherSuite ALL:!ADH:!EXPORT56:RC4RSA:HIGH:MEDIUM:LOW:SSLv2:EXP:+eNULL
      SSLProtocol all -SSLv2
  of course these entries have to be adopted
      SSLCertificateFile conf/certs/server.crt
      SSLCertificateKeyFile conf/certs/server.key
      SSLOptions +StdEnvVars
  this is for the bloody MS IE - I don't know why, but they seem to
  have trouble learning in redmond
      BrowserMatch ".MSIE." \
           nokeepalive ssl-unclean-shutdown \
           downgrade-1.0 force-response-1.0
      CustomLog logs/ssl_request.log \
            "%t %h %x %x \"%r\" %b"
  below are the proxied hosts - you always need ProxyPass
  AND ProxyPassReverse otherwise it will not work correctly
  ITS
      #ProxyPass /iac/               http://itsserver:8081/iac/
      #ProxyPassReverse /iac/          http://itsserver:8081/iac/
  direct portal connection              this ought to be the IP
      ProxyPass /irj/               http://10.8.1.14:50000/irj/
      ProxyPassReverse /irj/          http://10.8.1.14:50000/irj/
      ProxyPass /logon/               http://10.8.1.14:50000/logon/
      ProxyPassReverse /logon/          http://10.8.1.14:50000/logon/
  Rewrite Rule in case ICM puts session information in URL
  NEVER REALLY HARMS
      RewriteEngine On
      RewriteRule  ^/(sap\(.*) http://10.8.1.14:50000/$1 [P,L]
      #ProxyPass /chooselogin/          http://10.8.9.0:50000/chooselogin/
      #ProxyPassReverse /chooselogin/     http://10.8.9.0:50000/chooselogin/
  </VirtualHost>

• IIS Reverse Proxy with URL rewrite.

  Hi all, hoping to leverage the wealth of knowledge contained here.
  Any assistance would be very welcome.
  I'm having an issue getting a reverse proxy and URL rewrite working in IIS 7.0.
  I need to redirect all requests with a specific virtual directory suffix only.
  ie; https://domain.test.com/outbound/Content/query_etc
  With /Outbound/ being the trigger.
  This should be redirected to http://10.10.10.10/inbound/Content/query_etc
  While at the same time, requests without the /outbound/ suffix should be handled locally.
  I have configured the reverse proxy as described in a few articles, and have had no luck.
  Here's a snippet from my (sanitized) web.config at the site level.
  <rewrite>
  <outboundRules>
  <rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
  <match filterByTags="A" pattern="^http(s)?://10.10.10.10/inbound/(.*)" />
  <action type="Rewrite" value="https://domain.test.com/outbound/{R:2}" />
  </rule>
  <preConditions>
  <preCondition name="ResponseIsHtml1">
  <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
  </preCondition>
  </preConditions>
  </outboundRules>
  <rules>
  <rule name="ReverseProxyInboundRule1" stopProcessing="true">
  <match url="^outbound/(.*)" />
  <action type="Rewrite" url="http://10.10.10.10/inbound/{R:1}" appendQueryString="true" logRewrittenUrl="false" />
  </rule>
  </rules>
  </rewrite>
  To me, this looks correct, yet it doesn't work.
  With this, I get the normal 404 - Error Code 0x80070002, with the text indicating the local directory doesn't exist, so.... not being picked up by the filter for redirection.

  Hi Andrew,
  Looking at your requirements it appears you need Reverse Proxy To Another Site/Server.
  By using URL Rewrite Module together with
  Application Request Routing module you can have IIS 7 act as a
  reverse proxy.
  It seems like URL Rewrite can't re-route the request somewhere else out of the server.
  Even when you rewrite the url the actual connection remains with the server. Hence if your original server doesn't have /inbound/Content/query_etc  it will fail with 404.
  Hosting multiple domain names under a single account using URL Rewrite.
  It’s a common desire to have a single IIS website that handles multiple sites with different domain names.
  References:
  How to create a url alias using IIS URL Rewrite:
  http://blogs.technet.com/b/mspfe/archive/2013/11/27/how-to-create-a-url-alias-using-iis-url-rewrite.aspx
  Reverse Proxy with URL Rewrite v2 and Application Request Routing:
  http://www.iis.net/learn/extensions/url-rewrite-module/reverse-proxy-with-url-rewrite-v2-and-application-request-routing
  Regards,
  Satyajit
  Please“Vote As Helpful”
  if you find my contribution useful or “MarkAs Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

• Apache Reverse Proxy with Abap Web query

  Hi to all
    We are trying to configure apache 2 to work as a reverse proxy with web abap Netweaver installation.
  From inside the network the web query is fine.
  Running the query with the reverse proxy we have only the html code in the browser. All the scripts and css are not present.
  We checked some messages inside the forum and we have tried a lot of stuff without success.
  We use always linux (Fedora, Ubuntu with xampp or apache only) plus the html module or the publisher from http://apache.webthing.com.
  Our installation is like this the reverse proxy in the dmz and the netweaver to the inside off coarse, and we don't have the same domain name, i don't know if this is important.
  Any help/idea  is valuable.
  Thank you
  Yiannis

  Hi Olivier
  I have seen your solution in other messages but i didn't try it because i was trying to work with the html_proxy module.
  I read the documents you gave me plus some apache tutorials on the rewrite rule.
  In any case i have my installation working now.
  I did some extra changes in my config so now the rules are like that
  ProxyVia On
  ProxyBadHeader IsError
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass /sap http://192.168.1.59:8001/sap
  ProxyPassReverse /sap http://192.168.1.59:8001/sap
  RewriteEngine On
  RewriteRule ^/(sap\(.*) http://192.168.1.59:8001/$1 [P,L]
  Thanks again for your help
  Yiannis

• CSM-S to Servers... Reverse proxy with authentication?

  Using a CSM-S with a number of web servers behind it, can the CSM-S be configured to act as a reverse proxy for the servers with no other equipment or licenses to buy?

  Reverse proxy with authentication.

• Sophos Firewall\Reverse Proxy With Lync 2013

  We currently have Lync 2013 deployed internally and working like a champ for about 5 months now. We are in the process of trying to get this rolled out externally and running into issues.
  It seems we have the ports opened up properly but the MS remote connectivity analyzer comes back with certificate error "The certificate couldn't be validated because SSL negotiation wasn't successful.
  I'm pretty certain our certificates are correct for the external edge server and the external firewall\Reverse proxy. From the Lync planning tool we have been following it and so far successful until the certificates. The certificates tool shows we should
  have the following certs assigned: (keep in mind we have 2 separate certificates assigned)
  Edge Server External
  Subject name: lyncaccess.domain.com
  SAN:webcon.domain.com and sip.domain.com
  Reverse Proxy:
  rp0100.domain.com (reverse proxy FQDN does resolve)
  SAN: dialin.domain.com, meet.domain.com, and temwac.domain.com (office web apps server)
  We requested the certificates from Go daddy and have them installed and the SANs are in there correct. The connectivity analyzer is able to get to our server using autodiscover over port 443, we see the traffic come in through the firewall and nothing is
  blocked just the certificate could not be validated.
  Has anyone deployed Lync using the Sophos UTM as a reverse Proxy any other ideas as to what we are missing with these certificates?
  The certificate couldn't be validated because SSL negotiation wasn't successful.
  The certificate couldn't be validated because SSL negotiation wasn't successful.

  lyncdiscover.domain.com does not resolve. Discovery is working fine through the connectivity analyzer. We actually figured that part out about the SSL. It seems we had the firewall and Reverse proxy rules in place on the Sophos appliance but the firewall
  rules leaving the edge server were being blocked. It took us about 1.5 days to figure that part out.
  The connectivity analyzer now is able to authenticate the certificates successfully. Of course it wouldn't be a Lync roll out without the next issue coming up.
  The next issue we have is the connectivity analyzer reaching the AV service. Which we are going to assume is a routing issue as well and are currently troubleshooting it:
  Couldn't sign in. Error: Error Message: The endpoint was unable to register. See the ErrorCode for specific reason..
  Error Type: RegisterException.
  Deregister Reason: None.
  Response Code: 504.
  Response Text: Server time-out.
  http://social.technet.microsoft.com/Forums/lync/en-US/f95c47cc-f8eb-4646-bdac-6c7244b26ff1/couldnt-sign-in-error-error-message-the-endpoint-was-unable-to-register-new-deployment?forum=ocsplanningdeployment
  Wish me luck.

• Reverse Proxy from Apache to portal to 2 different ITS Systems

  We're using Apache 2 webserver and we've enabled reverse proxy from our proxy server to our Enterprise Portal 7.0.  We have transaction iviews for different systems, an ECC 6.0 and CRM 5.0.  We are using the integrated ITS for these systems provided with basis version 7.0.  We have all the necessary ports open in the firewall.  I know how to configure the proxy when there's only one ITS server, but how would I do it for two (the ECC and CRM system)?

  We have integrated ITS.  I am not sure I understand where you are going with globalr.srvc file.  We have two systems that we want to hit from the portal via reverse proxy.  One is the ECC system and the other CRM 5.0.  In our portal we use the integrated ITS for each system:
  ECC sytem:
  http://ecc.system.com:8001/sap/bc/gui/its/sap/webgui
  CRM sytem:
  http://crm.system.com:8001/sap/bc/gui/its/sap/webgui
  The issue is how would I map to both ITS from the Apache reverse proxy

• O-Portal behind reverse proxy, aliasing of o-portal url to generic url.

  I'd like to setup o-Portal behind a reverse proxy. This is a proxy service which accepts connections on http://a.b.com/ and gets the content from internal webservers based on the url. For example http://a.b.com/pls/DAD1 comes from an o-Portal server but http://a.b.com/depts/ comes from a webserver. The problem with o-Portal is now, that it creates pages with its servername and port in the URL of the pages it serves out. For example, if it runs on server x.b.com on the port 7777 the links on all pages are http://x.b.com:7777/pls/DAD1. To get it to work correctly with my proxy, all these links should be http://a.b.com/pls/DAD1 and then the proxy gets the pages from http://x.b.com:77777/pls/DAD1.
  How do I tell o-Portal to create this different URL in its pages? You could also say, I'd like to alias http://a.b.com/pls/DAD1 to http://x.b.com:77777/pls/DAD1
  I'm sure there is a configuration setting to change this. We had the same problem with Oracle HR11i and there we got it solved.
  Web Single Sign On applications like IBM WebSeal or Netegrity Siteminder use these kind of proxies to protect the intranet and to create a Single Sign On domain for all web servers.
  Thanks,
  Rainer

  I also would like overcome this issue. I could not find an answer anywhere on Metalink or OTN.
  Can a reverse-proxy (i.e. using ProxyPass & Reverse) be used with and internal Portal?
  John Z
  Butler Mfg. Co.
  [email protected]

• Reverse Proxy with Sun Web Server 7 update 4

  Hi All,
  I've just migrating to Sun Java System Web Server 7.0U4 B12/02/2008 from Sun Java System Web Server 7.0-Technology-Preview-3 B09/13/2006. I've have the two web servers running side by side on separate machines. Both have a VS configured as a reverse proxy pointing to the same apache tomcat web server.
  The Tech Preview 3 server works fine and has been doing since it was installed. However the Update 4 server doesn't. I can access the tomcat app via the U4 server in a browser, but not with the app on my mobile (sync ML). Snooping the traffic show me that the U4 server is sending a different response that the Tech Preview server. I'm thinking it may have to do with Transfer Encoding: chunked. I've looked around the web to see if I can turn this off in the U4 server, as I seem to recall having to do so at some point in my life, though I can't remember when and with what.
  Does anybody have any clues they can throw at me?? Or anybody know what has change in the reverse proxy part of the web server from Tech Preview 3 to U4??
  Both VS reverse proxies are congfigured exactly the same.
  Thanks,
  Stuart.

  well, technology preview is what the name says .. i am surprised that u decided to stick with a technology preview release all these days.. in any case, there should not have any feature change between technology preview build and U4. but , there has been lot of bug fixes - so, unless we know the exact problem - we can't easily narrow down the change between tp3 build with U4 and find out how it is affecting u.
  here is a related article on how to use chunked encoding within web server 7
  http://developers.sun.com/webtier/reference/techart/chunked_req.html
  now, to help you more appropriately, you need to provide us with errors (probably with log level set to finest within server.xml) and let us know with the error reported by web server when it is unable to send those requests to back end tomcat
  you can set log level to finest by running the following command
  /sun/webserver7/bin/wadm set-config-prop -user=admin --config=<hostname> log-level=finest
  /sun/webserver7/bin/wadm deploy-config --user=admin <hostname>
  http://docs.sun.com/app/docs/doc/820-4842/set-config-prop-1?a=view
  (once you have identified the problem, you might want to set log level to info as setting to finest will cause your logs to grow humongous and also hurt performance
  thanks
  sriram

• Apache Reverse proxy with SSL

  Hi,
  I'm trying to install Apache Reverse proxy which will support both HTTP and HTTPS request.
  <b>What do I need to activate to support the HTTPS requests?</b>
  I installed Apache 2.0.53 Released and trying to activate the mod_ssl.
  From Where can I get the mod_ssl.so?
  I saw that there are 2 projects:
  Apache Interface to OpenSSL (mod_ssl)
  Apache-SSL
  Do I need to use them in case I want to use HTTPs?
  Regards,
  Yael

  Get the latest oppenssl compile it. before you compile apache, execute ./configure --help in the apache directory. It will give you the commands that you need to use to activate and deactivate various things in apache.
  mine is as follows:
  ./configure --with-layout=GNU --enable-proxy --enable-ssl --with-ssl=/usr/lo
  cal/src/apachessl/openssl-0.9.7f/ --enable-vhost-alias --enable-rewrite --enable
  -so --enable-proxy-http --enable-proxy-connect --enable- headers
  then make and make install.
  hope it helps.
  Jai

• Reverse Proxy with Coldfusion 8

  Has anyone set up Sun Java Web Server 7 to reverse proxy Coldfusion 8 (also running under SJWS7)? I can reverse proxy static HTML and SHTML content with SJWS7, but not Coldfusion content.
  Thanks in advance for any help, tips, etc.
  --Frank                                                                                                                                                                                                                                                                                                                                                                                                                                                                                               

  Thanks for replying, MV -- I've been out for a while -- sorry for the delay. Below are obj.conf and <vs> obj.conf:
  obj.conf
  # Copyright 2006 Sun Microsystems, Inc. All rights reserved.
  # Use is subject to license terms.
  # You can edit this file, but comments and formatting changes # might be lost when you use the administration GUI or CLI.
  <Object name="default">
  AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
  NameTrans fn="ntrans-j2ee" name="j2ee"
  NameTrans fn="pfx2dir" from="/mc-icons" dir="/opt/webserver7/lib/icons" name="es-internal"
  PathCheck fn="uri-clean"
  PathCheck fn="check-acl" acl="default"
  PathCheck fn="find-pathinfo"
  PathCheck fn="find-index-j2ee"
  PathCheck fn="find-index" index-names="index.html,home.html,index.jsp"
  ObjectType fn="type-j2ee"
  ObjectType fn="type-by-extension"
  ObjectType fn="force-type" type="text/plain"
  Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
  Service method="(GET|HEAD|POST)" type="*~magnus-internal/*" fn="send-file"
  Service method="TRACE" fn="service-trace"
  Error fn="error-j2ee"
  AddLog fn="flex-log"
  </Object>
  <Object name="j2ee">
  Service fn="service-j2ee" method="*"
  </Object>
  <Object name="es-internal">
  PathCheck fn="check-acl" acl="es-internal"
  </Object>
  <Object name="cgi">
  ObjectType fn="force-type" type="magnus-internal/cgi"
  Service fn="send-cgi"
  </Object>
  <Object name="send-precompressed">
  PathCheck fn="find-compressed"
  </Object>
  <Object name="compress-on-demand">
  Output fn="insert-filter" filter="http-compression"
  </Object>
  wwwproxy-obj.conf
  # Copyright 2007 Sun Microsystems, Inc. All rights reserved.
  # Use is subject to license terms.
  # You can edit this file, but comments and formatting changes # might be lost when you use the administration GUI or CLI.
  <Object name="default">
  AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
  NameTrans fn="ntrans-j2ee" name="j2ee"
  NameTrans fn="pfx2dir" from="/mc-icons" dir="/opt/webserver7/lib/icons" name="es-internal"
  NameTrans fn="map" from="/" name="reverse-proxy-/" to="http:/"
  PathCheck fn="uri-clean"
  PathCheck fn="check-acl" acl="default"
  PathCheck fn="find-pathinfo"
  PathCheck fn="find-index-j2ee"
  PathCheck fn="find-index" index-names="index.html,home.html,index.jsp"
  ObjectType fn="type-j2ee"
  ObjectType fn="type-by-extension"
  ObjectType fn="force-type" type="text/plain"
  Service method="(GET|HEAD)" type="magnus-internal/directory" fn="index-common"
  Service method="(GET|HEAD|POST)" type="*~magnus-internal/*" fn="send-file"
  Service method="TRACE" fn="service-trace"
  Error fn="error-j2ee"
  AddLog fn="flex-log"
  </Object>
  <Object name="j2ee">
  Service fn="service-j2ee" method="*"
  </Object>
  <Object name="es-internal">
  PathCheck fn="check-acl" acl="es-internal"
  </Object>
  <Object name="cgi">
  ObjectType fn="force-type" type="magnus-internal/cgi"
  Service fn="send-cgi"
  </Object>
  <Object name="send-precompressed">
  PathCheck fn="find-compressed"
  </Object>
  <Object name="compress-on-demand">
  Output fn="insert-filter" filter="http-compression"
  </Object>
  <Object name="reverse-proxy-/">
  Route fn="set-origin-server" server="www.water.ca.gov"
  </Object>
  <Object ppath="http:*">
  Service fn="proxy-retrieve" method="*"
  </Object>

• RDS 2012 - Using a reverse proxy with the Gateway server on the internal LAN

  Hi there,
  I'm looking to introduce an RDS 2012 farm and would like to put the RDS Gateway server on the internal LAN (due to it's AD requirements etc).
  What are the best practise options for using a reverse proxy to forward traffic to the gateway server and is it better to do this than just forward 443 traffic from the DMZ through to the Gateway directly?
  Thanks,
  Paul.

  Hi Paul,
  It is generally considered more secure to have a reverse proxy in front of RDG.  I don't know of a proxy that will handle the RDG UDP traffic, so you will need to consider using direct server return for that or not having the benefit of UDP.  Whether
  or not it is acceptable to simply forward TCP 443/UDP 3391 directly to your internal RDG is up to your security policies.  Many companies are fine with it while many other companies think it is unacceptable and require a reverse proxy or other method
  to provide an extra layer of protection.
  -TP

• Sun One 6.1 reverse proxy with multiple certs

  We are using Sun One Web Server 6.1sp6 as a reverse proxy without the passthrough plugin. We also have multiple certs and not a global cert and what we are seeing is the data getting "staged" on the web server before moving on to the destination (which obviously halves throughput). Some research tells us that this staging is happening because it needs to re-encrypt the packets for the next cert.
  Is there any way besides having a global cert that we can get around this? Would using the passthrough plugin help?
  Thanks,
  Don

  The thing is that it apparently doesn't do it on the fly, which is why I was wondering if the passthrough plug in would help. In other words, if I am sending a 10mb file through to the destination server (there's a weblogic server on the back end with a different cert that I want to do the real processing), the web server waits until it gets all 10mb then resends it. Seems it should do the encrypt/decrypt on a packet level to me.
  As far as the config, I didn't set it up, I'm just trying to get it to work :)
  Here are the configs, if it would help. If there's something set up wrong here, please feel free to point it out!
  Thanks,
  Don
  magnus.conf
  # The NetsiteRoot, ServerName, and ServerID directives are DEPRECATED.
  # They will not be supported in future releases of the Web Server.
  NetsiteRoot /iplanet/servers
  ServerName rpserver.testdomain.com
  ServerID https-rpserver.testdomain.com
  RqThrottle 256
  DNS off
  Security on
  PidLog /iplanet/servers/https-rpserver.testdomain.com/logs/pid
  User iplanet1
  StackSize 131072
  TempDir /tmp/https-rpserver.testdomain.com-a9dd9515
  PostThreadsEarly off
  KernelThreads off
  ChunkedRequestBufferSize 0
  LogVerbose on
  LogVsId off
  AsyncDNS off
  KeepAliveTimeout 10
  UseNativePoll on
  Init fn="load-modules" funcs="wl_proxy,wl_init" shlib=/iplanet/servers/plugins/nsapi/wls923/libproxy128_61.so
  Init fn="wl_init"
  Init fn="load-modules" shlib="/iplanet/servers/bin/https/lib/libj2eeplugin.so" shlib_flags="(global|now)"
  Init fn="stats-init" profiling="on"
  obj.conf
  # The NetsiteRoot, ServerName, and ServerID directives are DEPRECATED.
  # They will not be supported in future releases of the Web Server.
  NetsiteRoot /iplanet/servers
  ServerName rpserver.testdomain.com
  ServerID https-rpserver.testdomain.com
  RqThrottle 256
  DNS off
  Security on
  PidLog /iplanet/servers/https-rpserver.testdomain.com/logs/pid
  User iplanet1
  StackSize 131072
  TempDir /tmp/https-rpserver.testdomain.com-a9dd9515
  PostThreadsEarly off
  KernelThreads off
  ChunkedRequestBufferSize 0
  LogVerbose on
  LogVsId off
  AsyncDNS off
  KeepAliveTimeout 10
  UseNativePoll on
  Init fn="load-modules" funcs="wl_proxy,wl_init" shlib=/iplanet/servers/plugins/nsapi/wls923/libproxy128_61.so
  Init fn="wl_init"
  Init fn="load-modules" shlib="/iplanet/servers/bin/https/lib/libj2eeplugin.so" shlib_flags="(global|now)"
  Init fn="stats-init" profiling="on"
  server.xml
  <?xml version="1.0" encoding="UTF-8"?>
  <!--
  Copyright (c) 2003 Sun Microsystems, Inc. All rights reserved.
  Use is subject to license terms.
  -->
  <!DOCTYPE SERVER PUBLIC "-//Sun Microsystems Inc.//DTD Sun ONE Web Server 6.1//EN" "file:///iplanet/servers/bin/https/dtds/sun-web-server_6_1.dtd">
  <SERVER qosactive="false">
  <PROPERTY name="docroot" value="/iplanet/servers/docs"/>
  <PROPERTY name="accesslog" value="/iplanet/servers/https-rpserver.testdomain.com/logs/access"/>
  <PROPERTY name="user" value=""/>
  <PROPERTY name="group" value=""/>
  <PROPERTY name="chroot" value=""/>
  <PROPERTY name="dir" value=""/>
  <PROPERTY name="nice" value=""/>
  <LS id="ls1" port="443" servername="rpserver.testdomain.com" defaultvs="https-rpserver.testdomain.com" security="on" ip="any" blocking="false" acceptorthreads="2">
  <SSLPARAMS servercertnickname="Server-Cert" ssl2="off" ssl2ciphers="-rc4,-rc4export,-rc2,-rc2export,-desede3,-des" ssl3="on" tls="on" ssl3tlsciphers="-rsa_rc4_128_sha,+rsa_rc4_128_md5,-rsa_rc4_56_sha,-rsa_rc4_40_md5,+rsa_3des_sha,+rsa_des_sha,-rsa_des_56_sha,-rsa_rc2_40_md5,-rsa_null_md5,-fortezza,-fortezza_rc4_128_sha,-fortezza_null,+fips_3des_sha,-fips_des_sha" tlsrollback="on" clientauth="off"/>
  </LS>
  <MIME id="mime1" file="mime.types"/>
  <ACLFILE id="acl1" file="/iplanet/servers/httpacl/generated.https-rpserver.testdomain.com.acl"/>
  <VSCLASS id="vsclass1" objectfile="obj.conf" rootobject="default" acceptlanguage="false">
  <VS id="https-rpserver.testdomain.com" connections="ls1" mime="mime1" aclids="acl1" urlhosts="rpserver.testdomain.com" state="on">
  <PROPERTY name="docroot" value="/iplanet/servers/docs"/>
  <USERDB id="default"/>
  <SEARCH>
  <WEBAPP uri="/search" path="/iplanet/servers/bin/https/webapps/search" enabled="true"/>
  </SEARCH>
  </VS>
  </VSCLASS>
  <JAVA javahome="/iplanet/servers/bin/https/jdk" serverclasspath="/iplanet/servers/bin/https/jar/webserv-rt.jar:${java.home}/lib/tools.jar:/iplanet/servers/bin/https/jar/webserv-ext.jar:/iplanet/servers/bin/https/jar/webserv-jstl.jar:/iplanet/servers/bin/https/jar/ktsearch.jar" classpathsuffix="" envclasspathignored="true" nativelibrarypathprefix="" debug="false" debugoptions="-Xdebug -Xrunjdwp:transport=dt_socket,server=y,suspend=n" dynamicreloadinterval="-1">
  <JVMOPTIONS>-Djava.security.auth.login.config=/iplanet/servers/https-rpserver.testdomain.com/config/login.conf</JVMOPTIONS>
  <JVMOPTIONS>-Djava.util.logging.manager=com.iplanet.ias.server.logging.ServerLogManager</JVMOPTIONS>
  <JVMOPTIONS>-Xmx256m</JVMOPTIONS>
  <SECURITY defaultrealm="native" anonymousrole="ANYONE" audit="false">
  <AUTHREALM name="file" classname="com.iplanet.ias.security.auth.realm.file.FileRealm">
  <PROPERTY name="file" value="/iplanet/servers/https-rpserver.testdomain.com/config/keyfile"/>
  <PROPERTY name="jaas-context" value="fileRealm"/>
  </AUTHREALM>
  <AUTHREALM name="native" classname="com.iplanet.ias.security.auth.realm.webcore.NativeRealm">
  <PROPERTY name="jaas-context" value="nativeRealm"/>
  </AUTHREALM>
  <AUTHREALM name="ldap" classname="com.iplanet.ias.security.auth.realm.ldap.LDAPRealm">
  <PROPERTY name="directory" value="ldap://localhost:389"/>
  <PROPERTY name="base-dn" value="o=isp"/>
  <PROPERTY name="jaas-context" value="ldapRealm"/>
  </AUTHREALM>
  </SECURITY>
  <RESOURCES/>
  </JAVA>
  <LOG file="/iplanet/servers/https-rpserver.testdomain.com/logs/errors" loglevel="info" logtoconsole="true" usesyslog="false" createconsole="false" logstderr="true" logstdout="true" logvsid="false"/>
  </SERVER>

• Border manager as reverse proxy with Sharepoint 2007

  hello
  need to implement an extranet based solution of Windows Sharepoint 2007, clients may need to traverse a BM reverse proxy server in order to hit the sharepoint environment. have a few questions
  1. does it work well? or at all?
  2. is the SSL session from the client terminated at the BM level
  3. will be using SSL, can i install certs at the BM level for the site?
  any other tips??

  Originally Posted by phxazcraig
  In article <[email protected]>, Gwelsh123 wrote:
  > 1. does it work well? or at all?
  Should work.
  > 2. is the SSL session from the client terminated at the BM level
  Yes, if you use proxy, sessions are always between client and proxy,
  and another session between proxy and origin server.
  > 3. will be using SSL, can i install certs at the BM level for the
  > site?
  I'm not quite sure what you mean. If you want to encrypt the data, I
  think you would be best off doing a generic tcp proxy for port 443, and
  have the cert on the endpoint (sharepoint) server, but perhaps that
  would give cert errors due to the addressing.
  Craig Johnson
  Novell Support Connection SysOp
  *** For a current patch list, tips, handy files and books on
  BorderManager, go to Craig Johnson Consulting - BorderManager, NetWare, and More ***
  Im sure when using ISA as the reverse proxy, you install the SSL certs on the ISA box, and then you can use an internally generated cert on the web servers.
  I also read somewhere that BM dosent support webdav?
  do novell provide any documentation on this sort of configuration
  we have a BM server already, there is an external firewall which forwards traffic to various websites to a specific port on the BM server, which then proxies the requests internall. it dosent seem particularly smart, more like a glorified port forwarder?

• Apache installation for reverse proxy in linux for portal

  dear all,
  can u please guide me where to download the openssl apache foe linux for the reverse proxy
  regards
  revanth

  Google is your friend...
  It will take 15 seconds !
  Regards,
  Olivier