Sun Java System Web Server 6.1 SP10 Reverse Proxy Plug-in Release Notes

Server Application Functions (SAFs)

The Reverse Proxy plug-in provides the following Server Application Functions (SAFs):


The auth-passthrough AuthTrans SAF inspects an incoming HTTP request for client information encoded by a service-passthrough function running on an intermediate server. The client information includes the following:

When auth-passthrough detects encoded client information, it instructs the server to treat the request as if it had arrived directly from the originating client instead of through an intermediate server running service-passthrough.

The auth-passthrough SAF is optional. When used, auth-passthrough is used on the server instance that receives the request forwarded by service-passthrough.

Because auth-passthrough makes it possible to override information that may be used for authentication (for example, the IP address of the original request), it is important that only trusted clients and servers be allowed to connect to a server running auth-passthrough. As a minimal precaution, only servers behind a corporate firewall should run auth-passthrough; no internet-accessible server should run auth-passthrough. Further, if information about the originating client is not required, auth-passthrough should not be used.

The following obj.conf code demonstrates the use of auth-passthrough (note that these lines are not indented in a real obj.conf):

<Object name="default"> 
AuthTrans fn="auth-passthrough"


The check-passthrough ObjectType SAF checks to see if the requested resource (for example, the HTML document or GIF image) is available on the local server. If the requested resource does not exist locally, check-passthrough sets the type to indicate that the request should be passed to another server for processing by service-passthrough.

The check-passthrough SAF accepts the following parameters:


The service-passthrough Service SAF forwards a request to another server for processing.

You can configure the number of times the service-passthrough directive tries to get a content from the web server before sending an error to the client by modifying the retries attribute in obj.conf:

<Object name="passthrough">
ObjectType fn="force-type" type="magnus-internal/passthrough"
Service type="magnus-internal/passthrough" fn="service-passthrough"
servers="http://xxx:8084/" poll-timeout="18000" retries="0"
Error reason="Bad Gateway" fn="send-error"

The service-passthrough SAF accepts the following parameters:

When multiple remote servers are configured, service-passthrough chooses a single remote server from the list on a request-by-request basis. If a remote server cannot be contacted or returns an invalid response, service-passthrough sets the status code to 502 Bad Gateway and returns REQ_ABORTED. This will return an error to the browser. This error can be customized in the Web Server by configuring a customized response for the 502 error code.

When user and password are specified, service-passthrough will use these credentials to authenticate to the remote server using HTTP basic authentication. When one or more of the servers in the servers parameter are configured with a https:// prefix, client-cert-nickname specifies the nickname of the client certificate service-passthrough will use to authenticate to the remote server.

Note –

service-passthrough generally uses HTTP/1.1 and persistent connections for outbound requests with the following exceptions:

In addition, service-passthrough encodes information about the originating client in the headers named by the ip-header, cipher-header, keysize-header, secret-keysize-header, ssl-id-header, issuer-dn-header, user-dn-header, and auth-cert-headerparameters (removing any client-supplied headers with the same name) before forwarding the request. Applications running on the remote server may examine these headers to extract information about the originating client.