Configure IDOL Data Admin to Use the Reverse Proxy

You configure IDOL Data Admin to use a reverse proxy by setting the server.reverseProxy system property.

When you set server.reverseProxy to true, the IDOL Data Admin application listens for AJP connections on a port that you can define by using the server.ajp.port system property.

In AJP mode, the reverse proxy must translate incoming HTTP(S) connections from your clients into AJP connections to IDOL Data Admin. The application reads the user name from incoming requests, so you must set up remote authentication. You cannot encrypt the connection from the reverse proxy to the application.

You can also use a HTTP reverse proxy. You cannot use remote authentication in this mode. Users authenticate by using the proxied login page. However, you can encrypt the connection with SSL.

In both these methods, the reverse proxy must rewrite the request path, response Location headers, and cookie paths.

By default, server.reverseProxy is false. In this case, the IDOL Data Admin application is available only over HTTP or HTTPS, without a reverse proxy.

WebSocket Protocol

IDOL Data Admin uses the WebSocket protocol to communicate between the user Web browsers and the Java process. Your reverse proxy must tunnel this communication from the client to the application, in addition to forwarding HTTP/AJP requests.

Set the Reverse Proxy System Property

You can use the following procedure to set the server.reverseProxy system property.

To configure IDOL Data Admin to use a reverse proxy

  • At the command line, send the java run command with the server.reverseProxy argument set to true. For example:

    java -Dserver.reverseProxy=true -Didol.dataadmin.home=[home directory] -Dserver.port=[port] -jar dataadmin.jar

    By default, this option opens an AJP port on port 8009. To use a different port, set the server.ajp.port argument to the correct port number.

    You can also specify the roles to assign to your users by setting the ida.reverse-proxy.pre-authenticated-roles system property:

    • Set ida.reverse-proxy.pre-authenticated-roles to a comma-separated list of IDOL Data Admin Community role names (see User Roles) to use hard-coded role names.

    • Set ida.reverse-proxy.pre-authenticated-roles and leave the value blank to use roles from the Community component. For example:

      java -Dserver.reverseProxy=true -Didol.dataadmin.home=[home directory] -Dserver.port=[port] -jar dataadmin.jar -Dida.reverse-proxy.pre-authenticated-roles=

      To use this option, you must ensure that your Community component configuration file has CheckEntitlement set to False (the default value).

    The default value for this property is IDAUser.

    NOTE: This setting does not assign any roles in the Community component. It gives all users that use the reverse proxy the same permissions to access IDOL Data Admin.

If you run IDOL Data Admin as a service on Windows, you can also add the server.reverseProxy property to the dataadmin.xml file.

If you run IDOL Data Admin as a service on Linux, you can add the arguments to the existing arguments variable in the start scripts (dataadmin.sh for SystemV, dataadmin.conf for Upstart, or dataadmin.service for systemd).

When you modify the IDOL Data Admin configuration by modifying the XML file or start scripts, you must restart IDOL Data Admin to apply your configuration changes.

On Upstart, you must also run initctl reload-configuration before you restart, to apply the init file changes. You can then run service dataadmin restart to restart the service.