Oracle iPlanet Web Proxy Server 4.0.14 Administration Guide

Setting up a Reverse Proxy

To set up a reverse proxy, you need two mappings: a regular and a reverse mapping.

The regular mapping redirects requests to the content server. When a client requests a document from the proxy server, the proxy server needs a regular mapping to tell it where to get the actual document.

Caution –

Do not use a reverse proxy with a proxy that serves autoconfiguration files, because the proxy could return the wrong result.

The reverse mapping instructs the proxy server to trap for redirects from the content server. The proxy intercepts the redirect and then changes the redirected URL to map to the proxy server. For example, if the client requests a document that was moved or not found, the content server will return a message to the client explaining that it cannot find the document at the requested URL. In that returned message, the content server adds an HTTP header that lists a URL to use to get the moved file. In order to maintain the privacy of the internal content server, the proxy can redirect the URL using a reverse mapping.

Suppose you have a web server called http://http.site.com/ and you want to set up a reverse proxy server for it. You could call the reverse proxy http://proxy.site.com/.

To Create Regular or Reverse Mapping

Access the Server Manager, and click the URLs tab.

Click the Create Mapping link.

The Create Mapping page is displayed.

In the page that appears, provide the source prefix and source destination for the regular mapping,

for example,

Source prefix: http://proxy.site.com

Source destination: http://http.site.com/

Click OK.

Return to the page and create the reverse mapping, for example,

Reverse mapping:

Source prefix: http://http.site.com/

Source destination: http://proxy.site.com/

To make the change, click OK.

Once you click the OK button, the proxy server adds one or more additional mappings. To see the mappings, click the lView/Edit Mappings link. Additional mappings would be in the following format:

from: /

to: http://http.site.com/

These additional automatic mappings are for users who connect to the reverse proxy as a normal server. The first mapping is to catch users connecting to the reverse proxy as a regular proxy. The “/” mapping is added only if the user doesn't change the contents of the Map Source Prefix text box provided automatically by the Administration GUI. Depending on the setup, usually the second mapping is the only one required, but the extra mapping does not cause problems in the proxy.

Note –
If the web server has several DNS aliases, each alias should have a corresponding regular mapping. If the web server generates redirects with several DNS aliases to itself, each of those aliases should have a corresponding reverse mapping.

CGI applications still run on the origin server. The proxy server never runs CGI applications on its own. However, if the CGI script indicates that the result can be cached by implying a non-zero time-to-live by issuing a Last-modified or Expires header, the proxy will cache the result.

When authoring content for the web server, keep in mind that the content will be served by the reverse proxy, too, so all links to files on the web server should be relative links. Do not refer to the host name in the HTML files. All links must consist only of the page:

/abc/def

as opposed to a fully qualified host name, such as:

http://http.site.com/abc/def

Note –
You can provide custom error pages for the errors that occur in reverse proxy mode. These error pages override the errors generated by the proxy. This enables you to prevent the client from knowing that a proxy server is configured.

Setting Up a Secure Reverse Proxy

Before setting up secure reverse proxying, you should be familiar with digital certificates, Certificate Authorities, and authentication.

Setting up a secure reverse proxy is almost the same as setting up an insecure reverse proxy. The only difference is that you need to specify HTTPS as the protocol for the files to be encrypted.

Secure Client-to-Proxy

This procedure explains how to set up your secure reverse proxy according to the configuration scenario you choose. To demonstrate how to set up mappings, the instructions suppose that you have a web server called http.site.com and that you want to set up a secure reverse proxy server called proxy.site.com. When following the steps, substitute the name of your web server and proxy for the example names used in the directions.

To Set Up a Secure Client-to-Proxy Mapping

Access the Server Manager, and click the URLs tab.

Click the Create Mapping link.

The Create Mapping page is displayed.

In the page that appears, set up regular and reverse mappings in the following manner:

Regular mapping:

Source prefix: https://proxy.mysite.com

Source destination: http://http.mysite.com/

Reverse mapping:

Source prefix: http://http.mysite.com/

Source destination: https://proxy.mysite.com/

Save and apply your changes.

To see the mappings you just created, click the View/Edit Mappings link.

Note –
This configuration will only work if your proxy server is running in secure mode. In other words, encryption must be enabled and the proxy must be restarted from the command line. To restart the proxy from the command line, go to the proxy directory and type ./start.

To Set Up a Secure Proxy-to-Content Server Mapping

Access the Server Manager, and click the URLs tab.

Click the Create Mapping link.

The Create Mapping page is displayed.

In the page that appears, set up regular and reverse mappings in the following manner:

Regular mapping:

Source prefix: http://proxy.mysite.com

Source destination: https://http.mysite.com/

Reverse mapping:

Source prefix: https://http.mysite.com/

Source destination: http://proxy.mysite.com/

Save and Apply your changes.

To see the mappings you just created, click the link called View/Edit Mappings.

Note –
This configuration will only work if your content server is running in secure mode.

To Set up Secure Client-to-Proxy and Secure Proxy-to-Content Server

Access the Server Manager, and click the URLs tab.

Click the Create Mapping link.

The Create Mapping page is displayed.

In the page that appears, set up regular and reverse mappings in the following manner:

Regular mapping:

Source prefix: https://proxy.mysite.com

Source destination: https://http.mysite.com/

Reverse mapping:

Source prefix: https://http.mysite.com/

Source destination: https://proxy.mysite.com/

Save and Apply your changes.

To see the mappings you just created, click the link called View/Edit Mappings.

Note –
This configuration will only work if your proxy server and content server are running in secure mode. In other words, for the proxy, encryption must be enabled and the proxy must be restarted from the command line. To restart the proxy from the command line, go to the proxy directory and type ./restart.

Disabling the Forward Proxying Feature in a Reverse Proxy Setup

A proxy server instance, when configured as a reverse proxy server, by default does not stop functioning as a forward proxy server. Such a server instance accepts and serves reverse proxy requests as well as forward proxy requests. Further configuration is required to disable the forward proxying feature. You can set up an ACL configuration that denies requests whose URI matches forward proxy format. You can use a Client directive for this purpose:

<Client uri="http://.*">
PathCheck fn="check-acl" acl="http://.*"
<Client>
.
.
.
The "http://.*" ACL can be a deny all ACL as follows:
.
.
acl "http://.*";
deny (all) user="anyone";

Virtual Multihosting in Reverse Proxy

Virtual multihosting is a feature which enables an origin server, such as a reverse proxy server, to respond to multiple DNS aliases as if a different server was installed in each of those addresses. As an example, suppose you have the DNS host names:

www
specs
phones

Each of these host names could be mapped to the same IP address, the IP address of the reverse proxy. the reverse proxy could then act differently based on which DNS name was used to access it.

Virtual Multihosting enables you to host multiple different *domains* in a single reverse proxy server as well. For example:

www.domain-1.com
www.domain-2.com
www.domain-3.com

You can have a combination of multiple local host names as well as multiple domains, all in a single proxy server:

www
specs
phones
www.domain-1.com
www.domain-2.com
www.domain-3.com

Functional Details of Virtual Multihosting

The virtual multihosting feature works by specifying the DNS host and domain names or aliases, and then a target URL prefix where requests sent to that host name should be directed. As an example, suppose you have two mappings:

engr.domain.com -> http://int-engr.domain.com
mktg.domain.com -> http://int-mktg.domain.com

Mappings do not have to go root-to-root. You may specify an additional URL path prefix in the target URL:

engr.domain.com -> http://internal.domain.com/engr
mktg.domain.com -> http://internal.domain.com/mktg

The same technique applies to virtual domain mappings. For example, you could use:

www.domain-1.com -> http://int-engr.domain.com
www.domain-2.com -> http://int-mktg.domain.com

The system will look at the HTTP “Host:” header. Based on that header, the system will choose the matching Virtual Multihosting mapping. If none of the multihosting mappings match, the server will continue looking at other mappings in the order that they appear in the configuration file, or perform no mappings if no matches are found. If no matches are found, the proxy will typically issue the “Proxy denies fulfilling the request” response.

To Configure Virtual Multihosting

Access the Server Manager and click the URLs tab.

Click the Configure Virtual Multihosting link.

The Configure Virtual Multihosting page is displayed.

In the Source Hostname (alias) field, specify the local host name (or DNS alias) that this mapping should apply to.

In the Source Domain Name field, type the local domain name that this mapping should apply to.

Typically, this name is your own network’s domain name, unless you want to multi host multiple different DNS domains.

In the Destination URL Prefix field, type the target URL prefix where the request will be directed if the host and domain names match the above specifications.

If you are using templates, choose the template name from the Use This Template drop-down list, or leave the value at NONE if you do not want to apply a template.

Click OK.

Click Restart Required.

The Apply Changes page is displayed.

Click the Restart Proxy Server button to apply the changes.

Repeat the above steps for each virtual multihosting mapping you want to establish.

All virtual multihosting mappings appear on the bottom of the Configure Virtual Multihosting page. The Source Hostname (alias) and Source Domain Name fields are merged, together with the proxy’s port number, into a single regular expression that is used to match the “Host:” header.

For example, if you have host name www, domain example.com, and port number 8080, the following regular expression will appear:

www(|.example.com)(|:8080)

This regular expression guarantees a match with all of the following possible combinations that the user might have typed, or the client might have sent. The port number might be omitted by some client software even when it is non-80, as the server was listening on that port.
- www
- www:8080
- www.example.com
- www.example.com:8080

Notes about Virtual Multihosting

You will need to disable the Client autoconfiguration feature before you can configure reverse proxy mappings. The Client autoconfiguration feature is for the forward proxy operation, not reverse proxy.
The Virtual Multihosting feature establishes automatic reverse mappings. Do not create reverse mappings for mappings that you provide using the Virtual Multihosting page.
Virtual mappings are specified with virt-map function in the obj.conf file.
Virtual mappings are matched in the order specified in the obj.conf configuration file. If regular, reverse, regular expression, or client autoconfiguration mappings appear before the virtual mappings, they will be applied first. Similarly, if no matches are found in virtual mappings, translation will continue to the next mapping after the virtual mapping section in obj.conf.

Note –
In the order of specification, reverse mapping should appear before other mappings.
If the port number of the proxy server is changed, you will need to recreate the Virtual Multihosting mappings, to reflect the new port number.