This is the 3rd post in the reverse-proxy series (The Reverse Proxy Series — Part 1: Introduction; The Reverse Proxy Series — Part 2: IIS as a reverse-proxy). Initially this blog was much longer — it talked about Apache, where to find it, how to install it, and so on in addition to the actual steps needed to configure the reverse-proxy. As the post grew bigger in length I decided to change course and zoom-in only on the matter at hand — configuring a reverse-proxy. If there’s a need for an Apache overview or installation-howto, write it down as a comment and I’ll get to that in a different post.

Pre-reqs
  1. A running Apache server. A basic installation would do.
  2. Access to the Apache httpd.conf file (found in the /conf directory under Apache’s installed directory)
  3. Ability to restart the Apache server
  4. A portal, or any other application running on the J2EE WAS
  5. Administrator access to the J2EE WAS (specifically — access to the Visual Administrator tool)
  6. A smile on your face and a song in your heart (optional, Apache does not require those; nonetheless these are highly recommended for happy living)
Overview — How it’s going to happen

We will use mod_proxy, Apache’s Proxy module. mod_proxy lets you create forward (A.K.A “regular”) and reverse proxies. We will make sure the module (and its sub-modules) are loaded, and configure it to allow only reverse-proxying from specific URL patterns to the internal server we’re proxying.

On the portal/J2EE side we will use the PortMapping feature (you can read a short description of this property in The Reverse Proxy Series — Part 2: IIS as a reverse-proxy, near the end of the post) to make sure redirect URLs sent to the client don’t point to the internal server.

Step 1 — Load the modules

Open httpd.conf in your favourite text editor (I use jEdit because it highlights the file’s syntax; notepad would also do; VI if you’re 1337 ;-)). You can find it under the /conf directory where Apache is installed (in a default Windows installation that would be Program Files\Apache Group\Apache2\conf).

Rule of thumb in most UNIX or UNIX-originated configuration files — a hash (“#”) denotes a remark. You can see all kinds of lines starting with “#” — those are disabled lines. What we’re looking for are the lines which load mod_proxy and mod_proxy_http (the sub-module which handles the HTTP protocol for proxying). Do a search for “mod_proxy.so” and you’re most likely to find the following line:
#LoadModule proxy_module modules/mod_proxy.so
Simply remove the “#” from the start of the line to enable loading mod_proxy. Do the same for the LoadModule line for mod_proxy_http (if there’s no “#” at the beginning of the line it means the module is already loaded).

You should now have the following two lines in your httpd.conf file:

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

Step 2 — Activate mod_proxy, and configure basic reverse-proxy functionality

That takes care of loading the modules. Now, to configure them to do something useful, add the following lines at the end of the configuration file (replace “internal.company.com:50000” with the host-name and port of your internal portal, and “external.company.com” with the host-name of the reverse-proxy server):

#Enable reverse-proxying
ProxyVia on
ProxyTimeout 600
#disable forward-proxying
ProxyRequests Off
#proxy /irj both ways
ProxyPass /irj http://internal.company.com:50000/irj
ProxyPassReverse /irj http://external.company.com/irj
#proxy /logon both ways
ProxyPass /logon http://internal.company.com:50000/logon
ProxyPassReverse /logon http://external.company.com/logon

What are all those directives?

  • ProxyVia on — turns on reverse-proxying
  • ProxyTimeout 600 — sets mod_proxy’s time-out for requests
  • ProxyRequests off — disables forward-proxying — this is extremely important to do! If you don’t set ProxyRequests to “off”, users will be able to use your Apache server as a proxy — I can’t stress enough how bad that would be.
  • ProxyPass /irj http://internal.company.com:50000/irj — tells mod_proxy to reverse-proxy all requests beginning with /irj to the internal server
  • ProxyPassReverse /irj http://external.company.com/irj — tells mod_proxy to make sure redirects sent via HTTP headers from the internal server are sent as redirects to the reverse-proxy host-name and not the internal server's name

(the ProxyPass and ProxyPassReverse for /logon are similar to the lines handling /irj; to see why this is needed refer to The Reverse Proxy Series — Part 2: IIS as a reverse-proxy of this series)
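
An added example, not part of the original post: a small Python check that reads httpd.conf text and reports when the settings from Steps 1 and 2 are missing or unsafe, most importantly ProxyRequests left On. The function names and the sample configuration are constructed for illustration; the parser is simplified and ignores <VirtualHost>/<Location> containers and included files.

```python
# Added example: audit httpd.conf text for the proxy settings this post relies on.
# Constructed sample input: the Step 2 block with forward-proxying left on,
# mod_proxy_http still commented out and the /logon reverse mapping forgotten.
SAMPLE_CONF = """\
LoadModule proxy_module modules/mod_proxy.so
#LoadModule proxy_http_module modules/mod_proxy_http.so
ProxyRequests On
ProxyPass /irj http://internal.company.com:50000/irj
ProxyPassReverse /irj http://external.company.com/irj
ProxyPass /logon http://internal.company.com:50000/logon
"""

def active_directives(conf_text):
    """Yield (lowercased directive name, argument list) for uncommented lines."""
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            name, *args = line.split()
            yield name.lower(), args

def audit_proxy_config(conf_text):
    """Return a list of findings; an empty list means every check passed."""
    modules, passes, reverses = set(), set(), set()
    proxy_requests = None
    for name, args in active_directives(conf_text):
        if name == "loadmodule" and args:
            modules.add(args[0])
        elif name == "proxyrequests" and args:
            proxy_requests = args[0].lower()  # a later line overrides an earlier one
        elif name == "proxypass" and args:
            passes.add(args[0])
        elif name == "proxypassreverse" and args:
            reverses.add(args[0])
    findings = []
    for mod in ("proxy_module", "proxy_http_module"):
        if mod not in modules:
            findings.append(f"{mod} is not loaded")
    if proxy_requests == "on":
        findings.append("ProxyRequests is On: server acts as a forward proxy")
    elif proxy_requests is None:
        findings.append("ProxyRequests is not set explicitly")
    if "/" in passes:
        findings.append("ProxyPass / exposes the whole back end, not specific paths")
    for path in sorted(passes - reverses):
        findings.append(f"ProxyPass {path} has no matching ProxyPassReverse")
    return findings

if __name__ == "__main__":
    for finding in audit_proxy_config(SAMPLE_CONF):
        print("FINDING:", finding)
```

Run it against your own file by passing the contents of httpd.conf to audit_proxy_config; an empty result means the checks above all passed.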

Step 3 — Configuring PortMappings in the WAS

If you were to try using the reverse-proxy at this stage, you’ll see you get redirected to the internal portal at a very early stage (probably after you try to submit your user-name or password). To stop this from happening we have to use the WAS J2EE’s PortMapping property to make sure redirects are not made to the internal server, but to the reverse-proxy instead. You can read more about this in The Reverse Proxy Series — Part 2: IIS as a reverse-proxy — follow the instructions given there (it’s the same process). UPDATE: In most cases it should be enough to make Apache preserve the “Host:” header when proxying the requests. This is done by setting the ProxyPreserveHost directive of mod_proxy to “On”. If you set this you can probably get by without touching the PortMapping feature of the WAS.

Step 4 — Rejoice, for thou are done!

Test it! Restart Apache (if you haven’t done that already), and navigate to /irj on the reverse-proxy’s host-name — you should be seeing the portal from the internal server. Yeah baby, yeah.

What’s next?

This takes care of simple scenarios. But what happens if you have all kinds of back-end systems to reverse-proxy as well? What about SSL? We’ll have a look at the infamous mod_rewrite (here’s a quote about it: “Despite the tons of examples and docs, mod_rewrite is voodoo. Damned cool voodoo, but still voodoo.” — I see you can tell it’s gonna be f-u-n), and we’ll see what needs to be done to add SSL support to the reverse-proxy scenario.


8 Comments


  1. Praveen Mayalur
    Alon,

    Your weblogs are really good. It made us to configure IISPROXY and Apache Reverse Proxies. We most have issues on configuring SSL on Apache and SSL termination at proxy level in Apache. Eagerly waiting for your next weblog on this which would answer lot of issues on Apache reverse Proxy.
    Keep blogging.

    Thanks,
    Praveen

    (0) 
    1. Great info Nicholas, thank you!

      I’ll be covering mod_rewrite in the next post, including the regular-expression needed to handle those “sap(xxxxxxxxxx)”.
      Using a header is a great technique — is HTTP_REFERRER a header used by SAP’s WebAS by default?

      Alon

      (0) 
      1. Heren Zhou
        Hi Alon,

        I have a problem with my proxy:

        ssl.conf.in like

              ProxyPass          /irj            http://debmsu06.server.###.de:50300/irj
              ProxyPassReverse   /irj            http://debmsu06.server.###.de:50300/irj

        RewriteRule    ^/$           /irj/portal [R]

        If I use URL:

        https://bebuyer.###.de/ goto https://bebuyer.###.de/irj/portal

        but if I use

        https://bebuyer.###.de/irj/

        I get the info:

        https://bebuyer.###.de/irj/HTTPS:/bebuyer.###.de:443/irj/index.html

        What is happened? How I can redirect to /irj/portal?

        Of course I can use
        http://debmsu06.server.###.de:50300/irj/

        Could you please give me some tips?

        Best Thanks!

        Heren Zhou

        (0) 
      2. Vaibhav Dua
        Hey Alon,

        i have done the reverse proxy configuration as follows:-

        ProxyVia on

        ProxyTimeout 600
        #disable forward-proxying
        ProxyRequests Off

        ProxyPass /irj http://sapepqap01.sap.com/irj
        ProxyPassReverse /irj http://epq.sap.com/irj

        ProxyPass /logon http://sapepqap01.sap.com/logon
        ProxyPassReverse /logon http://epq.sap.com/irj

        and set the Proxy mappings property as:-
        80=(Host:epq.sap.com,Port:80,Scheme:http,Override:true)

        Now when i launch the Portal through reverse proxy, i’m not able to display any webdynpro application (e.g. Identity Management). Every other application is working fine.

        Please help

        Vaib

        (0) 
  2. B. Spil

    There is a quirk (actually a bug) with the use of ProxyPassReverse in this way. WebAS does not comply with the HTTP/1.1 spec (RFC2616 14.30) that states that the Location in the http-header returned for status 302 should be an Absolute URI, not a relative one like WebAS returns. “For 3xx responses, the location SHOULD indicate the server’s preferred URI for automatic redirection to the resource. The field value consists of a single absolute URI.”(Found at http://www.apacheweek.com/features/reverseproxies)

    (0) 
  3. Gerard Schlundt
    For AS2 Data my proxy is working flawlessly. 

    However, when using the SOAP adapter I’m trying to pass the certificate from the trading partner to the backend server so that authentication can be used. How is this done?

    (0) 
