31.7 Activating Reverse Proxy for Apache v2 and IHS v2

The Webgates for Apache v2 and IHS v2 powered by Apache support reverse proxy capability, which you can choose to activate.

The procedures to implement reverse proxy capability differ, depending on your environment:

31.7.1 Activating Reverse Proxy For Apache v2 Web Servers

For reverse proxy functions with Access Manager, you need to include the Apache proxy module in the configure command for the Web server. You also need to load the mod_proxy and mod_proxy_http modules into the server dynamically.

Reverse proxy capability is activated using the ProxyPass directive or the [P] flag to the RewriteRule directive. It is not necessary to turn ProxyRequests on to configure a reverse proxy. Access control is less critical when using a reverse proxy (ProxyPass directive with ProxyRequests Off), because clients can contact only the hosts that you have specifically configured. You can control access to your proxy using the <Proxy> control block.

To activate reverse proxy capability for Apache v2 Web servers

  1. Review the following topics:
  2. Include the Apache proxy module in the configure command for the Web server, if needed.

    For example:

    --enable-proxy      
    --enable-proxy-connect      
    --enable-proxy-ftp      
    --enable-proxy-http
    

    See the Apache documentation for more information.

  3. Use the ProxyPass directive or the [P] flag to the RewriteRule directive to activate a reverse proxy, as follows:

            # Reverse Proxy
            ProxyRequests Off
            <Proxy *>
             Order deny,allow
             Allow from all
            </Proxy>
            ProxyPass /foo http://foo.example.com/bar
            ProxyPassReverse /foo http://foo.example.com/bar
    
  4. Control access to your proxy using the <Proxy> control block as follows:
          <Proxy *>
           Order Deny,Allow
           Deny from all
           Allow from 192.168.0
          </Proxy> 
    
  5. Perform the steps in "Registering and Managing 10g WebGates with Access Manager 11g", if you have not yet done so.
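
The points this procedure relies on can be checked mechanically. The following Python audit is an added example, not part of the original documentation: it flags ProxyRequests On, an unrestricted <Proxy> block combined with it, an Order line with a space after the comma, and any ProxyPass without a matching ProxyPassReverse. The function name, finding labels and sample configuration are constructed for illustration.

```python
# Constructed sample httpd.conf fragment (not taken from a real server).
SAMPLE_CONF = """\
ProxyRequests On
<Proxy *>
    Order deny, allow
    # Deny from all
    Allow from all
</Proxy>
ProxyPass /foo http://foo.example.com/bar
ProxyPassReverse /foo http://foo.example.com/bar
ProxyPass /test2 http://foo.example.com/testrev/
"""

def audit_proxy_conf(text):
    """Return a list of finding strings for the reverse-proxy directives in text."""
    findings = []
    forward_on = False              # an active "ProxyRequests On" was seen
    in_proxy = open_block = False   # inside <Proxy ...>; block has "Allow from all"
    passes, reverses = {}, {}       # local path -> backend URL
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue                # blank line or commented-out directive
        key = words[0].lower()
        args = [w.lower() for w in words[1:]]
        if key == "proxyrequests":
            forward_on = args[:1] == ["on"]
        elif key.startswith(("<proxy", "</proxy")):
            in_proxy = not key.startswith("</")
        elif in_proxy and key == "order" and len(args) != 1:
            findings.append("bad-order: Order takes one argument, e.g. deny,allow")
        elif in_proxy and key == "allow" and args == ["from", "all"]:
            open_block = True
        elif key == "proxypass" and len(words) >= 3:
            passes[words[1]] = words[2]
        elif key == "proxypassreverse" and len(words) >= 3:
            reverses[words[1]] = words[2]
    if forward_on:
        findings.append("forward-proxy: ProxyRequests On is not needed for a reverse proxy")
        if open_block:
            findings.append("open-proxy: ProxyRequests On with Allow from all in <Proxy>")
    for path, url in passes.items():
        if reverses.get(path) != url:
            findings.append(f"unpaired: ProxyPass {path} has no matching ProxyPassReverse")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_proxy_conf(SAMPLE_CONF)))
```

The configuration shown in step 3 (ProxyRequests Off with Allow from all) produces no findings, because an unrestricted <Proxy> block is only reported when forward proxying is also enabled.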

31.7.2 Activating Reverse Proxy For IHS v2 Web Servers

Use the following procedure after installing the Web server.

To activate reverse proxy capability for IHS v2 Web servers

  1. Review "About the Apache and IBM HTTP Reverse Proxy Server"
  2. Install the IHS v2 Web server, as described in "Preparing the IHS v2 Web Server".
  3. Load the modules by including these lines (uncommented) in the Dynamic Shared Object section of the httpd.conf file in:

    IHS_install_dir/conf/httpd.conf

          LoadModule access_module modules/mod_access.so
          LoadModule auth_module modules/mod_auth.so
          LoadModule auth_dbm_module modules/mod_auth_dbm.so
          LoadModule include_module modules/mod_include.so
          LoadModule log_config_module modules/mod_log_config.so
          LoadModule env_module modules/mod_env.so
          LoadModule unique_id_module modules/mod_unique_id.so
          LoadModule setenvif_module modules/mod_setenvif.so
          LoadModule proxy_module modules/mod_proxy.so
          LoadModule proxy_connect_module modules/mod_proxy_connect.so
          LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
          LoadModule proxy_http_module modules/mod_proxy_http.so
          LoadModule mime_module modules/mod_mime.so
          LoadModule dav_module modules/mod_dav.so
          LoadModule autoindex_module modules/mod_autoindex.so
          LoadModule asis_module modules/mod_asis.so
          LoadModule info_module modules/mod_info.so
          LoadModule cgid_module modules/mod_cgid.so
          LoadModule dav_fs_module modules/mod_dav_fs.so
          LoadModule vhost_alias_module modules/mod_vhost_alias.so
          LoadModule dir_module modules/mod_dir.so
          LoadModule imap_module modules/mod_imap.so
          LoadModule actions_module modules/mod_actions.so
          LoadModule userdir_module modules/mod_userdir.so
          LoadModule alias_module modules/mod_alias.so
          LoadModule rewrite_module modules/mod_rewrite.so
    
  4. Directives Under the IfModule mod_proxy.c Tag--Use the information and the following examples to ensure that:
    • Allow or Deny conditions are appropriately commented.

      For example:

      <Proxy *>
          Order deny,allow
      #   Deny from all
          Allow from all
      #   Allow from .domain.com
      </Proxy>
      
    • URLs to be protected are mentioned in both the ProxyPass and the ProxyPassReverse directives.

      For example:

      <IfModule mod_proxy.c>
      ProxyRequests Off
      ProxyPass /testproxy http://bedford:8809/testrev/
      ProxyPassReverse /testproxy http://bedford:8809/testrev/
      ProxyPass /test2 http://bedford:8809/testrev/
      ProxyPassReverse /test2 http://bedford:8809/testrev/
      </IfModule>
      
  5. Restart the Web server after any modifications to the httpd.conf file.
  6. Testing: To access the proxy URL, access http://<proxy_host>:80/testproxy/

    Note:

    While testing, make sure the URLs have a trailing forward slash. Sometimes resources cannot be accessed without the forward slash at the end.

  7. Enabling SSL on Reverse Proxy Server: Use the documentation on the IHS default page.

    For example, sample SSL settings in the DSO section of the httpd.conf file load the ibm_ssl_module as:

       LoadModule ibm_ssl_module modules/mod_ibm_ssl.so
    
  8. Include the following directives in your httpd.conf file:
       SSLEnable
          Keyfile /opt/IBMIHS/bin/key.kdb
          SSLClientAuth none
          SSLProxyEngine on
    
  9. Restart server.
  10. Access the Web server URL and confirm that the browser is presented with a certificate.

    Note:

    You can switch back to open mode for the Web server simply by commenting out the preceding directives and restarting the server.

  11. key.kdb: To generate the key.kdb, use the ikeyman utility (preferably in GUI mode) provided in the IHS_install_dir/bin directory.

    Note:

    The ikeyman utility uses the gsk7bas utility. However, you need to apply fix pack PQ83048 on gsk7bas.

  12. Perform the following steps: