I'm new to the Java Web Proxy 4.0.11 and am trying to configure it as a reverse proxy in front of another web server. I followed the example in the admin guide to configure it, but the proxy returns a "403 Forbidden" for all requests. Below is my obj.conf. I suspect that it is falling through the NameTrans in the default object and hitting the Service fn=deny-service. I tried commenting this out, and when I do this, I receive a "405 Method Not Allowed".
When the browser makes a request to the reverse proxy it thinks it is talking to a web server and the item requested is not fully qualified as in:
GET /abc/def.html HTTP/1.0
You'll need to create a mapping like:
NameTrans fn="map" from="/" to="http://deve-bcclearning.tanagerinc.com/" rewrite-host="true"
The deny-service is for all the items that the proxy is not configured to retrieve.
Note that some of the objects that are at the bottom of the obj.conf are used in the forward proxy mode and are not needed for reverse proxy mode (if you are looking to tighten up the security).
But now I need to redirect http to https via the reverse proxy. I created a port 80 listener and tried to do this via a redirect URL, but couldn't get it to work. It seems like the redirect that you posted earlier takes precedence over any other that I add. If I do nothing, then someone can easily change the https to http in a url and the proxy will happily pass it on to the web server.
Since my intention is to host the certificate on the reverse proxy, I need to be able to perform this redirect. Is the solution to create a second proxy server (on the same physical hardware) with a port 80 listener and perform the redirect there via a redirect NameTrans?
I did give that a try, but unfortunately it didn't work. I think what I would need it to do is process multiple NameTrans statements, because first I need it to redirect a request for "/" on port 80 to "/" on 443, then I need that same request reverse proxied through to the real web server, which is only listening on port 80.
I've updated my config from the one above, below is the relevant portion.
I have one proxy server that handles the secure connections, and reverse proxies to the real web server:
This seems rather inelegant, but I can't seem to figure out how to get a single proxy server to handle the redirect from port 80 to 443 before performing the reverse proxy. I could handle the redirects at the web server, but that seems to defeat the purpose of putting a proxy in front of the webserver.
Any opinions on how to do this better are welcome!
If I understand what you are trying to do: you would like to have the reverse proxy accept SSL traffic and pass it to a non-SSL webserver, and you would also like to have a non-SSL endpoint on the proxy server to redirect traffic to the SSL reverse proxy. Correct?
You should be able to do this with a single instance of the proxy by having it listen on two sockets, one with no security for the non-SSL endpoint and one with security for the SSL endpoint. Then in the obj.conf you can try the following setup. I think some of the mappings and protocol/hostname combinations in your post don't make sense so I altered some of the hostnames below. I also added trailing /'s to keep the partial URLs clearly delimited.
This works fine when you open your browser to http://deve-bcclearning.tanagerinc.com, it redirects properly to https://deve-bcclearning.tanagerinc.com/plateau/user/login.jsp
But, when you open your browser directly to https://deve-bcclearning.tanagerinc.com/plateau/user/login.jsp, you receive 404 - The requested URL / was not found on this server.
I would have thought that a request for "/" via https would have been handled by the NameTrans map above, but it seems to be passing right through that, and I don't understand why. Can anyone shed some light on this for me?
Correct, the proxy is listening on both 443 (secure) and 80 (non-secure), but the web server that it reverse proxies to is only listening on 80 (non-secure). My objective is to host the certificate for the website on the proxy, while the webserver listens only on 80 (non-secure). I have the certificate installed on the proxy, which works fine.
The target web server is running on a separate Solaris server from the proxy. Since this is a development environment, there is no firewall between the proxy server and the web server.
The reason for my question is that the config you posted seems to have everything on the same server with the proxy and web server both trying to use port 80. I had altered the server names in my earlier response to make the distinction a little clearer.
When the browser connects non-securely to the proxy, the client tag will be used and requests under the doc root of / (all requests) will be redirected to the login.jsp page. When the browser connects securely to the proxy the NameTrans fn="map" will be used and requests under / will be connected to the to= location. The reverse-map will be used if the response from the web server is a redirect (like 302) and will try to edit the HTTP Location: header looking for the from= string (most likely the beginning of the webserver url) and replacing it with the to= value (should be the beginning of the proxy url).
My apologies, I left out an important detail. The clients resolve the name deve-bcclearning.tanagerinc.com to the IP of the proxy. The proxy (via its local hosts file) resolves the name deve-bcclearning.tanagerinc.com to the IP of the web server that the proxy sits in front of. This is the reason that I have both listeners on the proxy, since in this configuration it needs to respond on both port 80 and port 443.
The configuration that I'm using works fine except when a client tries to access https://deve-bcclearning.tanagerinc.com. When that request is made, the client receives a 404 - "the URL / is not found on the server".
I think the problem is that when the client requests "/" via port 443, they need to be redirected to https://deve-bcclearning.tanagerinc.com/plateau/user/login.jsp. When they request anything else, (as long as it is https), they need to be mapped through to the web server.
The only way I can come up with to handle that situation is to have a Rewrite rule on my webserver that rewrites the request for "/" to https://deve-bcclearning.tanagerinc.com/plateau/user/login.jsp. I've tried this, and it works fine. But it seems to me that this would be best handled at the proxy. I just can't seem to find a way to make it work.
What is the current (or previous) behavior of the web server when requests for pages come in and the login.jsp page hasn't been visited first? What about urls deeper into the web site beyond the / doc root? It looks like there is the concept of authenticated vs. not authenticated already since there is a login.jsp.
RewriteRule ^/$ https://deve-bcclearning.tanagerinc.com/plateau/user/login.jsp
So that a request for "/" gets redirected to the login page.
If a user hasn't already logged in and tries to access a URL, they are redirected back to the login page. This is done by the app, not the web server. The app keeps track of whether the user has authenticated or not, and redirects them back if they haven't.
So the web server didn't redirect requests for / to the login page before the proxy was added, but the proxy should do this? You could try adding a second client tag section just like the previous one with <Client uri="/"> instead. The resulting config would make requests for any path under http redirect to the login page, while only requests for / under https would get redirected.
As I mentioned earlier, the returned pages could contain absolute urls for things. The reverse map only takes care of the redirect responses. But if the page contains absolute urls for images, etc. which would probably be http and refer to the web server name, then the effect of hard redirect for http requests to the login page would be a problem. Since you are trying to make the proxy look just like the web server from the browser's perspective by manipulating the dns names and host file of the proxy, then you might be able to avoid this by changing the redirect in the security="off" case to use url-prefix="https://deve-bcclearning.tanagerinc.com/". This would cause more roundtrips if the content has absolute urls, but at least they might keep working if they exist.
I'm new to web proxies and am not sure if it is best practice to try and have the web proxy perform any redirects necessary or whether to allow the web server to perform them. It seems to me that it would be faster if the proxy did any redirects necessary, looking at things from a pure performance standpoint.
I did try adding a second redirect in the client tag. Unfortunately, this didn't work because the from directive specifies a prefix, and a prefix of "/" is translated as "any request" rather than a request for "/", which is what I need. If I direct every request to the login page, then the site obviously won't work correctly. Since the redirect function doesn't allow for regular expressions in the from directive, it can't be made to do what I want.
After looking through the config file reference, I thought that using the home-page function would work, but it is geared more for translating a request for "/" to a physical path. I tried having it translate "/" to /plateau/user/login.jsp, but I think the proxy looks for this on its own file system, rather than proxying it to the real web server, so the proxy denies the request, saying that the client doesn't have access to the resource.
I can't think of another way to have the proxy do this redirect, so my only choice in this case is to have it done at the web server.
Please let me know if you have any further thoughts here. Thanks for your help and patience.
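The routing behaviour worked out across this thread, as an added Python model that is not part of any post above and is not obj.conf syntax: it contrasts the prefix match described for the redirect's from= value with the exact match on "/" that the HTTPS listener needs, and shows the Location: rewrite described for reverse-map. The function names route, prefix_redirect and reverse_map are hypothetical; the hostnames and login path are the ones quoted in the thread.

```python
# Model of the routing policy discussed in this thread (illustration only,
# not Web Proxy Server code). All function names are hypothetical.
PROXY = "https://deve-bcclearning.tanagerinc.com"    # what browsers talk to
BACKEND = "http://deve-bcclearning.tanagerinc.com"   # what the proxy fetches from
LOGIN = "/plateau/user/login.jsp"


def prefix_redirect(path, frm="/"):
    """Prefix semantics as described for from=: "/" matches every path."""
    return PROXY + LOGIN if path.startswith(frm) else None


def route(secure, path):
    """Return (action, url) for a request arriving at the proxy."""
    if not secure:
        # Port 80 listener: plaintext is never forwarded to the backend,
        # so editing https to http in a URL only produces a redirect.
        return ("redirect", PROXY + LOGIN)
    if path == "/":
        # Exact match on the bare root, which a prefix cannot express.
        return ("redirect", PROXY + LOGIN)
    # Everything else on the secure listener is reverse proxied.
    return ("proxy", BACKEND + path)


def reverse_map(location, frm=BACKEND + "/", to=PROXY + "/"):
    """Rewrite a backend Location: header so it points at the proxy."""
    if location.startswith(frm):
        return to + location[len(frm):]
    return location  # foreign or already-rewritten URLs are left alone


if __name__ == "__main__":
    # Constructed sample requests: (arrived on secure listener?, path)
    for req in [(False, "/"), (False, "/plateau/a.css"),
                (True, "/"), (True, "/plateau/a.css"), (True, LOGIN)]:
        print(req, "->", route(*req))
    print(reverse_map(BACKEND + LOGIN))
```
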