Previous      Contents      Index      Next
Sun Java System Web Proxy Server 4.0.1 Administration Guide

Chapter 14
Using a Reverse Proxy

This chapter describes how to use Proxy Server as a reverse proxy. Reverse proxy is the name for certain alternate uses of a proxy server. It can be used outside the firewall to represent a secure content server to outside clients, preventing direct, unmonitored access to your server’s data from outside your company. It can also be used for replication; that is, multiple proxies can be attached in front of a heavily used server for load balancing. This chapter describes the alternate ways that Proxy Server can be used inside or outside a firewall.

This chapter has the following sections:

How Reverse Proxying Works
Setting up a Reverse Proxy

---

How Reverse Proxying Works

There are two models for reverse proxying. One model takes advantage of Proxy Server’s security features to handle transactions, and the other makes use of its caching features to provide load balancing on a heavily used server. Both of these models differ from the conventional proxy usage in that they do not operate strictly on a firewall.

Proxy as a Stand-in for a Server

If you have a content server that has sensitive information that must remain secure, such as a database of credit card numbers, you can set up a proxy outside the firewall as a stand–in for your content server. When outside clients try to access the content server, they are sent to the proxy server instead. The real content resides on your content server, safely inside the firewall. The proxy server resides outside the firewall, and appears to the client to be the content server.

When a client makes a request to your site, the request goes to the proxy server. The proxy server then sends the client’s request through a specific passage in the firewall to the content server. The content server passes the result through the passage back to the proxy. The proxy sends the retrieved information to the client, as if the proxy were the actual content server (see Figure 14-1). If the content server returns an error message, the proxy server can intercept the message and change any URLs listed in the headers before sending the message to the client. This prevents external clients from getting redirection URLs to the internal content server.

In this way, the proxy provides an additional barrier between the secure database and the possibility of malicious attack. In the unlikely event of a successful attack, the perpetrator is more likely to be restricted to only the information involved in a single transaction, as opposed to having access to the entire database. The unauthorized user can not get to the real content server because the firewall passage allows only the proxy server to have access.

Figure 14-1  A reverse proxy appears to be the real content server

You can configure the firewall router to allow a specific server on a specific port (in this case, the proxy on its assigned port) to have access through the firewall without allowing any other machines in or out.

Secure Reverse Proxying

Secure reverse proxying occurs when one or more of the connections between the proxy server and another machine uses the Secure Sockets Layer (SSL) protocol to encrypt data.

Secure reverse proxying has many uses:

It can provide an encrypted connection from a proxy server outside a firewall to a secure content server inside the firewall.
It can allow clients to connect securely to the proxy server, facilitating the secure transmission of information (such as credit card numbers).

Secure reverse proxying causes each secure connection to be slower due to the overhead involved in encrypting your data. However, because SSL provides a caching mechanism, two connecting parties can reuse previously negotiated security parameters, dramatically reducing the overhead on subsequent connections.

There are three ways to configure a secure reverse proxy:

Secure client to proxy. This scenario is effective if there is little or no chance that the information being exchanged between your proxy and content server can be accessed by unauthorized users (see Figure 14-2).

Figure 14-2  Secure client connection to proxy

Secure proxy to content server. This scenario is effective if you have clients inside the firewall and a content server that is outside the firewall. In this scenario, your proxy server can act as a secure channel between sites (see Figure 14-3

Figure 14-3  Secure proxy connection to content server

Secure client to proxy and secure proxy to content server. This scenario is effective if the information exchanged between the server, proxy and client needs to be secure. In this scenario, your proxy server can act like a secure channel between sites with the additional security of client authentication (see Figure 14-4).

Figure 14-4  Secure client connection to proxy and secure proxy connection to content server

For information on how to set up each of these configurations, see Setting up a Reverse Proxy.

In addition to SSL, the proxy can use client authentication, which requires that a computer making a request to the proxy provides a certificate (or form of identification) to verify its identity.

Proxying for Load Balancing

You can use multiple proxy servers within an organization to balance the network load among web servers. This model lets you take advantage of the caching features of the proxy server to create a server pool for load balancing. In this case, the proxy servers can be on either side of the firewall. If you have a web server that receives a high number of requests per day, you could use proxy servers to take the load off the web server and make the network access more efficient.

The proxy servers act as go-betweens for client requests to the real server. The proxy servers cache the requested documents. If there is more than one proxy server, DNS can route the requests randomly using a “round-robin” selection of their IP addresses. The client uses the same URL each time, but the route the request takes might go through a different proxy each time.

The advantage of using multiple proxies to handle requests to one heavily used content server is that the server can handle a heavier load, and more efficiently than it could alone. After an initial start-up period in which the proxies retrieve documents from the content server for the first time, the number of requests to the content server can drop dramatically.

Only CGI requests and occasional new requests must go all the way to the content server. The rest can be handled by a proxy. Here is an example. Suppose that 90% of the requests to your server are not CGI requests (which means they can be cached), and that your content server receives 2 million hits per day. In this situation, if you connect three reverse proxies, and each of them handles 2 million hits per day, about 6 million hits per day would then be possible. The 10% of requests that reach the content server could add up to about 200,000 hits from each proxy per day, or only 600,000 total, which is far more efficient. The number of hits could increase from around 2 million to 6 million, and the load on the content server could decrease correspondingly from 2 million to 600,000. Your actual results would depend upon your situation.

Figure 14-5  Proxy used for load balancing

---

Setting up a Reverse Proxy

To set up a reverse proxy, you need two mappings: a regular and a reverse mapping.

The regular mapping redirects requests to the content server. When a client requests a document from the proxy server, the proxy server needs a regular mapping to tell it where to get the actual document.

Caution	You should not use a reverse proxy with a proxy that serves autoconfiguration files. This is because the proxy could return the wrong result.

The reverse mapping makes the proxy server trap for redirects from the content server. The proxy intercepts the redirect and then changes the redirected URL to map to the proxy server. For example, if the client requests a document that was moved or not found, the content server will return a message to the client explaining that it cannot find the document at the requested URL. In that returned message, the content server adds an HTTP header that lists a URL to use to get the moved file. In order to maintain the privacy of the internal content server, the proxy can redirect the URL using a reverse mapping.

Suppose you have a web server called http://http.site.com/ and you want to set up a reverse proxy server for it. You could call the reverse proxy http://proxy.site.com/.

You would create a regular mapping and a reverse mapping as follows:

Access the Server Manager, and click the URLs tab.
Click the Create Mapping link. The Create Mapping page displays.
In the page that appears, enter information for a single mapping. For example:

Regular mapping:

Source prefix: http://proxy.site.com

Source destination: http://http.site.com/

Click OK. Return to the page and create the second mapping:

Reverse mapping:

Source prefix: http://http.site.com/

Source destination: http://proxy.site.com/

To make the change, click OK.

Once you click the OK button, the proxy server adds one or more additional mappings. To see the mappings, click the link called View/Edit Mappings. Additional mappings would be in the following format:

from: /

to: http://http.site.com/

These additional automatic mappings are for users who connect to the reverse proxy as a normal server. The first mapping is to catch users connecting to the reverse proxy as a regular proxy. Depending on the setup, usually the second is the only one required, but it does not cause problems in the proxy to have them both.

Note	If the web server has several DNS aliases, each alias should have a corresponding regular mapping. If the web server generates redirects with several DNS aliases to itself, each of those aliases should have a corresponding reverse mapping.

CGI applications still run on the origin server; the proxy server never runs CGI applications on its own. However, if the CGI script indicates that the result can be cached (by implying a non-zero time-to-live by issuing a Last-modified or Expires header), the proxy will cache the result.

Caution	When authoring content for the web server, keep in mind that the content will be served by the reverse proxy, too, so all links to files on the web server should be relative links. There must be no reference to the host name in the HTML files; that is, all links must be of the page: /abc/def as opposed to a fully qualified host name, such as: http://http.site.com/abc/def

Setting up a Secure Reverse Proxy

Before setting up secure reverse proxying, you should be familiar with digital certificates, Certificate Authorities, and authentication.

Setting up a secure reverse proxy is almost the same as setting up an insecure reverse proxy. The only difference is that you need to specify HTTPS as the protocol for the files to be encrypted.

The following instructions explain how to set up your secure reverse proxy according to the configuration scenario you choose. To demonstrate how to set up mappings, the instructions suppose that you have a web server called http.site.com and that you want to set up a secure reverse proxy server called proxy.site.com. When following the steps, substitute the name of your web server and proxy for the example names used in the directions.

Secure Client to Proxy

Access the Server Manager, and click the URLs tab.
Click the Create Mapping link. The Create Mapping page displays.
In the page that appears, set up regular and reverse mappings in the following manner:

  Regular mapping:

Source prefix: https://proxy.mysite.com

Source destination: http://http.mysite.com/

Reverse mapping:

Source prefix: http://http.mysite.com/

Source destination: https://proxy.mysite.com/

Save and apply your changes.

To see the mappings you just created, click the link called View/Edit Mappings.

Note	This configuration will only work if your proxy server is running in secure mode. In other words, encryption must be enabled and the proxy must be restarted from the command line. To restart the proxy from the command line, go to the proxy directory and type ./start.

Secure Proxy to Content Server

Access the Server Manager, and click the URLs tab.
Click the Create Mapping link. The Create Mapping page displays.
In the page that appears, set up regular and reverse mappings in the following manner:

Regular mapping:

Source prefix: http://proxy.mysite.com

Source destination: https://http.mysite.com/

Reverse mapping:

Source prefix: https://http.mysite.com/

Source destination: http://proxy.mysite.com/

Save and Apply your changes. To see the mappings you just created, click the link called View/Edit Mappings.

Note	This configuration will only work if your content server is running in secure mode.

Secure Client to Proxy and Secure Proxy to Content Server

Access the Server Manager, and click the URLs tab.
Click the Create Mapping link. The Create Mapping page displays.
In the page that appears, set up regular and reverse mappings in the following manner:

Regular mapping:

Source prefix: https://proxy.mysite.com

Source destination: https://http.mysite.com/

Reverse mapping:

Source prefix: https://http.mysite.com/

Source destination: https://proxy.mysite.com/

Save and Apply your changes. To see the mappings you just created, click the link called View/Edit Mappings.

Note	This configuration will only work if your proxy server and content server are running in secure mode. In other words, for the proxy, encryption must be enabled and the proxy must be restarted from the command line. To restart the proxy from the command line, go to the proxy directory and type ./restart.

Virtual Multihosting in Reverse Proxy

Virtual multihosting is a feature which allows an origin server, or in our case, a reverse proxy server, to respond to multiple DNS aliases as if there was a different server installed in each of those addresses. As an example, you could have the DNS host names:

www
specs
phones

Each of them could be mapped to the same IP address (the IP address of the reverse proxy). You could then have the reverse proxy act differently based on which DNS name was used to access it.

Virtual Multihosting allows you to host multiple different *domains* in a single reverse proxy server as well. For example:

www.domain-1.com
www.domain-2.com
www.domain-3.com

Note that you can have a combination of multiple local host names as well as multiple domains, all in a single proxy server:

www
specs
phones
www.domain-1.com
www.domain-2.com
www.domain-3.com

This section contains the following topics:

Functional Details of Virtual Multihosting
Important Notes on Virtual Multihosting

Functional Details of Virtual Multihosting

The virtual multihosting feature works by specifying the DNS host and domain names (or aliases), and then giving a target URL prefix where requests sent to that host name should be directed. As an example, you can have two mappings:

engr.domain.com -> http://int-engr.domain.com
mktg.domain.com -> http://int-mktg.domain.com

Mappings do not have to go root-to-root; you may specify an additional URL path prefix in the target URL:

engr.domain.com -> http://internal.domain.com/engr
mktg.domain.com -> http://internal.domain.com/mktg

Same applies to virtual domain mappings. For example, you could use:

www.domain-1.com -> http://int-engr.domain.com
www.domain-2.com -> http://int-mktg.domain.com

The system will look at the HTTP "Host:" header, and based on that header, it will choose the matching Virtual Multihosting mapping. If none of the multihosting mappings match, the server will continue looking at other mappings in the order that they appear in the configuration file, or perform no mappings if no matches are found. If there are no matches, the proxy will typically respond with the "Proxy denies fulfilling the request" response.

To configure virtual multihosting

Access the Server Manager and click the URLs tab.
Click the Configure Virtual Multihosting link. The Configure Virtual Multihosting page displays.
In the Source Hostname (alias) field, specify the local host name (or DNS alias) that this mapping should apply to.
In the Source Domain Name field, enter the local domain name that this mapping should apply to. Typically, this is your own network’s domain name, unless you want to multi-host multiple different DNS domains.
In the Destination URL Prefix field, enter the target URL prefix where the request will be directed if the host and domain names match the above specifications.
If you are using templates, choose the template name from the Use This Template drop-down list, or leave the value at NONE" if you do not want to apply a template.
Click OK.
Click Restart Required. The Apply Changes page displays.
Click the Restart Proxy Server button to apply the changes.

Repeat the above steps for each virtual multihosting mapping you want to establish.

All virtual multihosting mappings appear on the bottom of the Configure Virtual Multihosting page. Note that the Source Hostname (alias) and Source Domain Name fields are merged, together with the proxy’s port number, into a single regular expression that is used to match the "Host:" header.

For example, if you have host name "www", domain "example.com", and port number "8080", it will display the regular expression:

www(|.example.com)(|:8080)

This will guarantee a match with all of the following possible combinations that the user may have typed, or the client may have sent (the port number may be omitted by some client software even when it’s non-80, as it is obvious to the server which port number it was listening on):

www
www:8080
www.example.com
www.example.com:8080

Important Notes on Virtual Multihosting

You will need to disable the Client autoconfiguration feature before you can configure reverse proxy mappings. Doing so will not cause any problems because the Client autoconfiguration feature is for the forward proxy operation, not reverse proxy.

The Virtual Multihosting feature establishes automatic reverse mappings. In other words, do not create reverse mappings for mappings that you enter using the Virtual Multihosting page.

Virtual mappings are specified with virt-map function in obj.conf.

Virtual mappings are matched in the order specified in the obj.conf configuration file. If there are regular, reverse, regular expression, or client autoconfiguration mappings before the virtual mappings, they will be applied first. Similarly, if no matches are found in virtual mappings, translation will continue to the next mapping after the virtual mapping section in obj.conf.

If the port number of the proxy server is changed, you will need to recreate the Virtual Multihosting mappings, as they now have the wrong port number.

Previous      Contents      Index      Next

---

Part No: 819-3650-10.   Copyright 2005 Sun Microsystems, Inc. All rights reserved.