Configure the Reverse Proxy
The following sections provide configuration examples for using different reverse proxy servers.
Apache 2
Apache 2 is a free open source Web server that you can configure as a reverse proxy by using the mod_proxy module.
The following configuration example exposes the IDOL Site Admin running on siteadmin.example.com at https://localhost:443/siteadmin, using AJP to enable remote authentication. The application AJP port is 8009, and the HTTPS port is 8443.
For this configuration, you must enable the mod_proxy, mod_proxy_ajp, mod_proxy_wstunnel, and mod_ssl modules.
    SSLEngine on
    SSLProxyEngine on
    SSLCertificateFile /path/to/my-certificate.crt
    SSLCertificateKeyFile /path/to/my-key.key
    <Location /siteadmin/>
        AuthType YOUR_AUTH_MODULE
        require valid-user
        ProxyPass "ajp://siteadmin.example.com:8009/"
        ProxyPassReverse /
    </Location>
The following configuration example exposes the IDOL Site Admin running on siteadmin.example.com at https://localhost:8443/siteadmin, using HTTPS to communicate with the application.
For this configuration, you must enable the mod_proxy, mod_proxy_http, mod_proxy_wstunnel, and mod_ssl modules.
    SSLEngine on
    SSLProxyEngine on
    SSLCertificateFile /path/to/my-certificate.crt
    SSLCertificateKeyFile /path/to/my-key.key
    <Location /siteadmin/>
        AuthType YOUR_AUTH_MODULE
        require valid-user
        ProxyPass "https://siteadmin.example.com:8443/"
        ProxyPassReverse /
    </Location>
SAML
You can configure Apache 2 to act as a SAML service provider, which ensures that users are authenticated before passing them through to the application, and sends them to an identity provider if they are not.
For this configuration, you must install and enable the mod_auth_mellon module.
    SSLEngine on
    SSLProxyEngine on
    SSLCertificateFile /path/to/my-certificate.crt
    SSLCertificateKeyFile /path/to/my-key.key
    <Location /siteadmin/>
        AuthType "Mellon"
        AuthName YOUR_AUTH_NAME
        Require valid-user
        MellonEnable "auth"
        MellonSecureCookie On
        MellonVariable "session_cookie"
        MellonUser "NAME_ID"
        MellonEndpointPath "/mellon"
        MellonDefaultLoginPath "/"
        # Session TTL seconds
        MellonSessionLength 86400
        MellonSPMetadataFile /path/to/service/provider/metadata
        MellonSPPrivateKeyFile /path/to/service/provider/key/file
        MellonSPCertFile /path/to/service/provider/cert/file
        MellonIdPMetadataFile /path/to/idp/metadata/file
        ProxyPass "https://siteadmin.example.com:8443/"
        ProxyPassReverse /
    </Location>
NGINX
Nginx is a free open source Web server and reverse proxy. It does not support the AJP protocol, so remote authentication is not possible.
The following example configuration exposes the IDOL Site Admin instance running on https://siteadmin.example.com:8443/siteadmin at https://localhost:443/siteadmin.
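    server {
        listen 443 ssl default_server;
        ssl_certificate /path/to/my-certificate.crt;
        ssl_certificate_key /path/to/my-key.key;

        location /siteadmin/ {
            # Trailing slash so that /siteadmin/x maps to /siteadmin/x on the application
            proxy_pass https://siteadmin.example.com:8443/siteadmin/;
            # proxy_cookie_path takes a path and its replacement; both are /siteadmin here
            proxy_cookie_path /siteadmin /siteadmin;
        }
    }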
Internet Information Services (IIS)
IIS is a Web server created by Microsoft that is built into many versions of Windows. You can configure it as a reverse proxy in HTTP mode, by using the URL Rewrite and Application Request Routing (ARR) modules. In later versions of IIS, the Web server can automatically proxy WebSockets connections.
You can enable the AJP protocol by using the Apache Tomcat ISAPI redirector module.
To reverse proxy in HTTP mode, you must configure a URL Rewrite rule that redirects incoming requests to the application, and another rule that rewrites Location headers in the response.
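The two rules described above could look like the following web.config. This is an added example, not configuration taken from the product documentation: the rule and precondition names are hypothetical, and it assumes that proxying is enabled in ARR at the server level and that the application runs at https://siteadmin.example.com:8443/siteadmin, as in the NGINX example.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <!-- Inbound rule: forward /siteadmin/* to the application.
             The match pattern is tested against the path without its leading slash. -->
        <rule name="SiteAdminInbound" stopProcessing="true">
          <match url="^siteadmin/(.*)" />
          <action type="Rewrite"
                  url="https://siteadmin.example.com:8443/siteadmin/{R:1}" />
        </rule>
      </rules>
      <outboundRules>
        <!-- Outbound rule: when the application answers with a redirect, replace
             its own host and port in the Location header with the host name the
             client used, so the browser stays on the proxy. -->
        <rule name="SiteAdminLocation" preCondition="IsRedirect">
          <match serverVariable="RESPONSE_Location"
                 pattern="^https://siteadmin\.example\.com:8443/(.*)" />
          <action type="Rewrite" value="https://{HTTP_HOST}/{R:1}" />
        </rule>
        <preConditions>
          <!-- Only touch responses with a 3xx status code. -->
          <preCondition name="IsRedirect">
            <add input="{RESPONSE_STATUS}" pattern="^3\d\d$" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
  </system.webServer>
</configuration>
```

The inbound pattern is anchored to the siteadmin/ prefix so that the proxy forwards only that application path and nothing else on the site.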