Configure IDOL Site Admin to Use the Reverse Proxy

You configure IDOL Site Admin to use a reverse proxy by setting the server.reverseProxy system property.

When you set server.reverseProxy to true, the IDOL Site Admin application listens for AJP connections on a port that you can define by using the server.ajp.port system property.

In AJP mode, the reverse proxy must translate incoming HTTP(S) connections from your clients into AJP connections to IDOL Site Admin. The application reads the user name from incoming requests, so you must set up remote authentication. You cannot encrypt the connection from the reverse proxy to the application.

You can also use an HTTP reverse proxy. You cannot use remote authentication in this mode. Users authenticate by using the proxied login page. However, you can encrypt the connection with SSL.

In both these methods, the reverse proxy must rewrite the request path, response Location headers, and cookie paths.

By default, server.reverseProxy is false. In this case, the IDOL Site Admin application is available only over HTTP or HTTPS, without a reverse proxy.

Set the Reverse Proxy System Property

You can use the following procedure to set the server.reverseProxy system property.

To configure IDOL Site Admin to use a reverse proxy

  1. At the command line, run the java command with the server.reverseProxy argument set to true. For example:

    java -Dserver.reverseProxy=true -Didol.siteadmin.home=[home directory] -Dserver.port=[port] -jar siteadmin.jar

    By default, this option opens an AJP port on port 8009. To use a different port, set the server.ajp.port argument to the correct port number.

  2. Specify the roles to assign to your users by setting the isa.reverse-proxy.pre-authenticated-roles system property:

    • Set isa.reverse-proxy.pre-authenticated-roles to a comma-separated list of IDOL Site Admin Community role names (see User Roles) to use hard-coded role names.

    • Set isa.reverse-proxy.pre-authenticated-roles and leave the value blank to use roles from the Community component. For example:

      java -Dserver.reverseProxy=true -Didol.siteadmin.home=[home directory] -Dserver.port=[port] -Disa.reverse-proxy.pre-authenticated-roles= -jar siteadmin.jar

      To use this option, you must ensure that your Community component configuration file has CheckEntitlement set to False (the default value).

    The default value for this property is admin.

    NOTE: This setting does not assign any roles in the Community component. It gives all users that use the reverse proxy the same permissions to access IDOL Site Admin.

  3. Use one of the following options to run the reverse proxy in AJP or HTTP mode:

    • AJP mode. Configure your reverse proxy to handle authentication by setting the remote_user attribute in the AJP request.

    • HTTP mode. Set the isa.reverse-proxy.pre-authenticated-username system property to a specific user name. This option bypasses authentication so that any user that accesses IDOL Site Admin is logged in automatically as that user name. See Configure IDOL Site Admin to Use a Single Pre-Authenticated User.

  4. Restart IDOL Site Admin to apply your configuration changes.
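
The following Python script is an added example, not part of IDOL Site Admin or its documentation. It audits a java launch line against the defaults and behaviours described in this procedure, and also flags any -D option placed after -jar, which the JVM passes to the application as an argument instead of setting it as a system property. The launch line in it is constructed, and the function names are hypothetical.

```python
import shlex

# Defaults as stated on this page.
DEFAULTS = {
    "server.reverseProxy": "false",
    "server.ajp.port": "8009",
    "isa.reverse-proxy.pre-authenticated-roles": "admin",
}
USERNAME = "isa.reverse-proxy.pre-authenticated-username"
ROLES = "isa.reverse-proxy.pre-authenticated-roles"


def parse_launch(command):
    """Return (system properties, -D names that follow -jar <file>)."""
    tokens = shlex.split(command)
    jar_at = tokens.index("-jar") if "-jar" in tokens else len(tokens)
    props, ignored = {}, []
    for pos, tok in enumerate(tokens):
        if not tok.startswith("-D"):
            continue
        name, _, value = tok[2:].partition("=")
        if pos > jar_at:
            ignored.append(name)   # passed to the application as an argument
        else:
            props[name] = value    # real JVM system property
    return props, ignored


def audit(command):
    """List the security-relevant consequences of one launch line."""
    props, ignored = parse_launch(command)
    eff = {**DEFAULTS, **props}
    notes = [f"{n}: after -jar, not set as a system property" for n in ignored]
    if eff["server.reverseProxy"] != "true":   # "true" is the value the page documents
        return notes + ["reverse proxy off: direct HTTP/HTTPS only"]
    notes.append(f"AJP port {eff['server.ajp.port']} open: unencrypted, "
                 "user name is read from the request")
    roles = eff[ROLES]
    notes.append("roles come from Community (CheckEntitlement must be False)"
                 if roles == "" else f"every proxied user gets role(s): {roles}")
    if props.get(USERNAME):
        notes.append(f"login bypassed: everyone is logged in as {props[USERNAME]}")
    return notes


if __name__ == "__main__":
    # Constructed launch line: the roles property is placed after -jar.
    line = ("java -Dserver.reverseProxy=true -Dserver.port=8080 "
            "-jar siteadmin.jar -Disa.reverse-proxy.pre-authenticated-roles=")
    print("\n".join(audit(line)))
```

For the constructed line, the audit reports that the roles property is not applied, so every proxied user keeps the default admin role.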

If you run IDOL Site Admin as a service on Windows, you can also add the server.reverseProxy property to the siteadmin.xml file.

If you run IDOL Site Admin as a service on Linux, you can add the arguments to the existing arguments variable in the start scripts (siteadmin.sh for SystemV, siteadmin.conf for Upstart, or siteadmin.service for systemd).

When you modify the IDOL Site Admin configuration by modifying the XML file or start scripts, you must restart IDOL Site Admin to apply your configuration changes.

On Upstart, you must also run initctl reload-configuration before you restart, to apply the init file changes. You can then run service siteadmin restart to restart the service.