RE: xAP Intranet Behind a Reverse Proxy...
- Subject: RE: xAP Intranet Behind a Reverse Proxy...
- From: "Sullivan, Glenn" <gsullivan@xxxxxxxxxxxxxx>
- Date: Fri, 14 Apr 2006 13:11:37 -0400
I forgot one step, but you guys would have caught it... when you
initially install Apache, you need to install the Microsoft Visual C
redist, which is included with the package...

Glenn Sullivan, MCSE+I MCDBA
David Clark Company Inc.

________________________________
From: xap_automation@xxxxxxx [mailto:xap_automation@xxxxxxx] On Behalf Of Sullivan, Glenn
Sent: Friday, April 14, 2006 11:32 AM
To: xap_automation@xxxxxxx
Subject: RE: [xap_automation] xAP Intranet Behind a Reverse Proxy...

Here we go... I got it all working, on a Windows box. I'm going to
write this as if you are starting from scratch... I was.

What I wanted was two sites: One for public content, and one that was
secure. And "subdirectories" on the secure site proxying to my TiVo,
etc...

First, stop IIS by stopping the IISAdmin Service. If you're savvy
enough, you can just change the ports it runs on, and then proxy to that
server too, but for now, get it out of the way.

I started out with Apache 2, but couldn't find a binary compile of the
mod_proxy_html module, which I needed to make this work. So I switched
to Apache 2.2...

* Download and extract the Binary Build of Apache 2.2 from
  apachelounge.com. You'll need to register with the site to get it, but
  it's free.
  I chose to extract to c:\Program Files\Apache Group\Apache2,
  since that's where Apache 2 (I renamed the old directory first...) was
  installed. We'll call this "SERVERROOT".
  http://www.apachelounge.com/download/
* Download the Binary Build of mod_proxy_html from the same site.
* Create the folder SERVERROOT\modules\mod_proxy_html and extract
  three files from the mod_proxy_html package into it:
  * mod_proxy_html.so
  * Microsoft.VC80.CRT.manifest
  * msvcr80.dll
* Go to: http://www.zlatkovic.com/pub/libxml/ and download:
  * libxml2-2.6.23+.win32.zip
    Extract libxml2.dll from the bin directory in the zip file to
    SERVERROOT\bin
  * iconv-1.9.1.win32.zip
    Extract iconv.dll from the bin directory in the zip file to
    SERVERROOT\bin
  * zlib-1.2.3.win32.zip
    Extract zlib1.dll and minigzip.exe from the bin directory in the zip
    file to SERVERROOT\bin
* Create 3 locations to hold the Local web files... i.e., not the
  proxied stuff, but the actual sites.
  * Base Site - We won't be using this, except to trap errors in our
    virtual hosts. I used c:\INetPub\Apache Root\BaseSite
  * Public site - This is the publicly accessible site. I chose
    c:\INetPub\Apache Root\Public
  * Secure Site - Here is your secure site. I used
    C:\INetPub\Apache Root\Secure
* Create an "html" directory under each web site's directory. This
  will hold the local site. Put a basic HTML file into each html
  directory, named index.html, that makes it easy to see which one you've
  hit. I used something simple, replacing the word "Base" with "Public"
  and "Secure" as appropriate...

      <HTML>
      <BODY>
      Base Index
      </BODY>
      </HTML>

* (Optional) if you think you might want to run scripts on either
  site (again, not proxied, but locally), either create one central
  cgi-bin directory, or one for each site. If you don't know what I'm
  talking about, "fahghet about it..."
* Open up SERVERROOT\conf\httpd.conf
  * Change "ServerRoot" to reflect the path you chose to install Apache
    to, using Unix Style path notation. Here is mine:

        ServerRoot "C:/Program Files/Apache Group/Apache2"

  * Change the ServerAdmin line to a real email address, to meet the RFCs
  * Leave ServerName set to localhost:80. We are going to use Name Based
    Virtual Hosts, so we don't care about the "base" name or address.
  * Change DocumentRoot to point to the html directory under your base
    site directory. Again, not to be used normally, but if you see the
    pages in this folder, you know something is set up wrong. I used:

        DocumentRoot "c:/INetPub/Apache Root/BaseSite/html"

  * Look for this line, just a few lines below DocumentRoot:

        # This should be changed to whatever you set DocumentRoot to.

    Change the "<Document" line that follows it to reflect your
    DocumentRoot above.
  * Find and remove the pound sign from the beginning of this line,
    almost at the end of the file:

        #Include conf/extra/httpd-vhosts.conf

  * Find the section of modules, close to the top of the file. Uncomment
    the following list of Modules:
    * LoadModule headers_module modules/mod_headers.so
    * LoadModule proxy_module modules/mod_proxy.so
    * LoadModule proxy_http_module modules/mod_proxy_http.so
    * LoadModule rewrite_module modules/mod_rewrite.so
  * Add the following module definition at the bottom of the list of
    modules:

        LoadModule proxy_html_module modules/mod_proxy_html/mod_proxy_html.so

* Close and Save the httpd.conf file
* Open up SERVERROOT\conf\extra\httpd-vhosts.conf
  * Comment out the virtual hosts that are there by default... put a
    pound sign as the first character in each line.
  * Create just the public site for now... add this code:

        <VirtualHost *:80>
            #Document Root should point to your public html directory that you create above...
            DocumentRoot "C:/Inetpub/Apache Root/public/html"
            #ServerName should be the DNS name of the public site.
            ServerName www.sitename.com
            #(Optional) remove this line if you don't need scripts... I do.
            ScriptAlias cgi-bin "C:/Inetpub/Apache Root/public/cgi-bin"
        </VirtualHost>

* Close and Save the httpd-vhosts.conf file.
* Open a command prompt, and navigate to SERVERROOT\bin.
* At the command prompt, type "httpd -S" to verify the config
  files. Assuming that you get no error messages...
* At the command prompt, type "httpd" to start up Apache.
* If you do not have access to your own DNS servers, or if the
  public name that you used above does not route to the IP address of the
  machine that you are working on, you will have to modify your hosts file
  so that www.sitename.com will resolve to your IP address. This is a
  great test, and necessary, because if we try to browse via IP address,
  our name-based virtual host won't work...
  * Open up %systemroot%\system32\drivers\etc\hosts in a text editor
  * Add the following lines, replacing the dummy IP address below with
    the IP address of the machine Apache is installed on.

        123.456.789.123 www.sitename.com
        123.456.789.123 secure.sitename.com

  * Save the file.
* Fire up a web browser, and navigate to http://123.456.789.123 (use
  your own IP) and you should see your base page.
* Fire up a web browser, and navigate to http://www.sitename.com (use
  your own name) and you should see your public page.
* Assuming that all worked, hit ctrl-c in the command prompt
  window to stop the Apache server.
* Next, we create the password file for the secure site...
  * Assuming that you still have the command prompt open, in the Apache
    bin directory, execute the following command, replacing "username"
    with the username that you want to be valid at the secure site:

        htpasswd -c .htpasswd username

  * Provide a password when prompted.
  * Move .htpasswd from the bin directory to the directory that you
    chose for your secure site. Don't put it into the HTML directory,
    but in the root of the secure directory.
* Open back up the SERVERROOT\conf\extra\httpd-vhosts.conf file.
* Below the public site, we'll create the secure virtual host.
  Here is mine, with comments explaining what each thing does:

<VirtualHost *:80>
    DocumentRoot "C:/Inetpub/Apache Root/Secure/html"
    ServerName secure.sitename.com
    #(Optional) for scripts...
    ScriptAlias cgi-bin "C:/Inetpub/Apache Root/Secure/cgi-bin"

    #Set Up Directory Security
    <Directory />
        AuthName "only for registered users"
        AuthType Basic
        AuthUserFile "C:/Inetpub/Apache Root/Secure/.htpasswd"
        <Limit GET>
            require valid-user
        </Limit>
    </Directory>

    #Turn on the ReWrite Engine, to help with redirections that proxy doesn't catch
    RewriteEngine on
    RewriteLog "c:/INetPub/Apache Root/Rewrite.log"
    #While debugging, set the LogLevel high. But NOT IN PRODUCTION!!
    RewriteLogLevel 9

    #Convert all URL's to Lower Case
    Rewritemap lowercase int:tolower
    RewriteCond $1 [A-Z]
    RewriteRule ^/(.*)$ /${lowercase:$1} [R=301,L]

    #xAP Intranet App refresh fix... since xAP applications refresh to
    # /index.xsp, and do so with a window.location javascript command
    # (which unfortunately doesn't send a referrer value, so it's impossible
    # to tell which Intranet App is refreshing.) You must choose one, and
    # all of them will refresh to that page. I don't see another option.
    #
    # Set the RewriteRule to the page that you want
    RewriteCond %{REQUEST_URI} ^/index.xsp$
    RewriteRule / /switchboard/index.xsp [R=301,L]

    #Background images in tables, and style sheet URLS, can't be proxied
    # correctly. We need to rewrite those URLs...
    #
    # xAP Switchboard background fix
    RewriteCond %{HTTP_REFERER} switchboard
    RewriteCond %{REQUEST_URI} ^/images/(.*)
    RewriteRule ^/images/(.*) /switchboard/images/$1 [R=301,L]

    #xAP News background fix
    RewriteCond %{HTTP_REFERER} news
    RewriteCond %{REQUEST_URI} ^/images/(.*)
    RewriteRule ^/images/(.*) /news/images/$1 [R=301,L]

    #Turn Off "Forward" proxying... we want to reverse proxy, not be a bounce
    # off site for hackers and spammers...
    ProxyRequests off

    #Proxy to the TiVo
    # This is easy, because TivoWeb provides a setting which tacks a directory to
    # the front of each URL automatically... Change the IP as necessary...
    ProxyPass /tivo http://192.168.64.251
    <Location /tivo/>
        ProxyPassReverse /
    </Location>

    #Proxy to Switchboard
    ProxyPass /switchboard http://192.168.64.2:52340
    #Remap all URLs from the IP:PORT of switchboard to /switchboard
    # This takes care of ABSOLUTE URLs.
    ProxyHTMLURLMap http://192.168.64.2:52340 /switchboard
    <Location /switchboard>
        # ProxyPassReverse takes care of meta-tags. Switchboard doesn't have them,
        # but it is bad form to not include them...
        ProxyPassReverse /
        # Turn on the URLMap Filters, to re-write URLs
        SetOutputFilter proxy-html
        # Links to deletelog.gif start with 'web/' instead of '/web/'
        # This rule catches and re-writes them
        ProxyHTMLURLMap web /switchboard/web
        # This rule is to catch everything else
        ProxyHTMLURLMap / /switchboard/
        # and This Rule is to stop us from recursively re-writing the links multiple times
        ProxyHTMLURLMap /switchboard /switchboard
        #Disable compressed HTML
        RequestHeader unset Accept-Encoding
    </Location>

    #Proxy to news
    ProxyPass /news http://192.168.64.2:54000
    #Remap all URLs from the IP:PORT of switchboard to /news
    # This takes care of ABSOLUTE URLs.
    ProxyHTMLURLMap http://192.168.64.2:54000 /news
    <Location /news>
        # ProxyPassReverse takes care of meta-tags. Switchboard doesn't have them,
        # but it is bad form to not include them...
        ProxyPassReverse /
        # Turn on the URLMap Filters, to re-write URLs
        SetOutputFilter proxy-html
        # Not sure if anything else doesn't have the leading slash.
        # This rule catches and re-writes them
        ProxyHTMLURLMap web /news/web
        # This rule is to catch everything else
        ProxyHTMLURLMap / /news/
        # and This Rule is to stop us from recursively re-writing the links multiple times
        ProxyHTMLURLMap /news /news
        #Disable compressed HTML
        RequestHeader unset Accept-Encoding
    </Location>

</VirtualHost>

* Once again, run "httpd -S" to verify that you've got it right.
* Assuming so, run httpd with no switches, to start the server
* Navigate to http://secure.sitename.com/tivo for the tivo
* Navigate to http://secure.sitename.com/switchboard for switchboard
* Navigate to http://secure.sitename.com/news for the news
* To install httpd as a service, run "httpd -k install" and it will
  create a Windows Service to run under.

I hope this helps... sorry for the long winded description, but I know
I'll be glad it's here in 5 years when my existing server goes t!ts up
and I have to start over...

Glenn Sullivan, MCSE+I MCDBA
David Clark Company Inc.
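
An added example (not part of the original message, and not Apache project code): a small Python audit of a secure virtual host like the one posted above, flagging authentication that is scoped by <Limit> or held only in <Directory> while the host also proxies, Basic auth without TLS, forward proxying, and rewrite debug logging. The `audit_vhost` helper and its finding names are hypothetical, and the sample config is a constructed, trimmed copy of the posted one.

```python
import re

# Constructed sample: a trimmed copy of the secure virtual host posted above.
SAMPLE_VHOST = """
<VirtualHost *:80>
  <Directory />
    AuthType Basic
    AuthUserFile "C:/Inetpub/Apache Root/Secure/.htpasswd"
    <Limit GET>
      require valid-user
    </Limit>
  </Directory>
  RewriteLogLevel 9
  ProxyRequests off
  ProxyPass /tivo http://192.168.64.251
</VirtualHost>
"""

def audit_vhost(conf):
    """Return sorted finding names for one <VirtualHost> block (hypothetical names)."""
    findings, stack = set(), []   # stack = currently open <Section> names
    auth_in = set()               # every section kind that encloses a Require
    basic = tls = proxied = False
    for line in (raw.strip() for raw in conf.splitlines()):
        tag = re.match(r"<(/?)(\w+)", line)
        if tag:                   # opening or closing section tag
            if not tag.group(1):
                stack.append(tag.group(2).lower())
            elif stack:
                stack.pop()
            continue
        name, _, args = line.partition(" ")
        name, args = name.lower(), args.strip().lower()
        if name == "require":
            auth_in.update(stack)
            if "limit" in stack:  # methods not listed in <Limit> need no login
                findings.add("limit-scopes-auth-to-listed-methods")
        basic |= name == "authtype" and args == "basic"
        tls |= name == "sslengine" and args == "on"
        proxied |= name == "proxypass"
        if name == "proxyrequests" and args == "on":
            findings.add("forward-proxy-enabled")
        if name == "rewriteloglevel" and args.isdigit() and int(args) > 2:
            findings.add("rewrite-debug-logging")
    # <Directory> matches filesystem paths; proxied URLs need <Location>/<Proxy>.
    if proxied and "directory" in auth_in and not auth_in & {"location", "proxy"}:
        findings.add("directory-auth-not-applied-to-proxied-urls")
    if basic and not tls:         # Basic credentials are only base64-encoded
        findings.add("basic-auth-without-tls")
    return sorted(findings)

if __name__ == "__main__":
    print(audit_vhost(SAMPLE_VHOST))
```
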

-----Original Message-----
From: xap_automation@xxxxxxx [mailto:xap_automation@xxxxxxx] On Behalf Of James
Sent: Wednesday, April 12, 2006 3:34 PM
To: xap_automation@xxxxxxx
Subject: Re: [xap_automation] xAP Intranet Behind a Reverse Proxy...

Hi,

Have to say I've never tried this with an intranet app. I do remember
once trying an Apache reverse proxy and I'm sure I just used the usual
mod_proxy but I do remember having to set ProxyPass and ProxyPassReverse
for it to work right.

Currently the web ports are preset and not changeable but I'll add a
config option for it. I might well also allow it to just use random port
if it can't bind as all the intranet apps will re-link to whatever the
port (although if setting up a reverse proxy that won't be useful at
all)

I'll be very interested to know how you get on

James

Sullivan, Glenn wrote:
> I figured out what I believe will be a solution... Apache has a module
> called MOD_PROXY_HTML which can rewrite a page's hyperlinks so that
> they resolve correctly.
>
> I'm downloading the source now... I'll report how I get on.
>
> How does an Intranet App pick its web port? I may have to write a
> xAP module for Apache to change them dynamically...
>
>
> Glenn Sullivan, MCSE+I MCDBA
> David Clark Company Inc.
> -----Original Message-----
> From: xap_automation@xxxxxxx
> [mailto:xap_automation@xxxxxxx] On Behalf Of Sullivan, Glenn
> Sent: Monday, April 10, 2006 9:09 AM
> To: xap_automation@xxxxxxx
> Subject: [xap_automation] xAP Intranet Behind a Reverse Proxy...
>
> Is there any facility for setting the BASEREF of xAP Intranet pages?
>
> I have recently set up an Apache Server to reverse proxy all of my
> internal services out to the real world. I have tried to proxy
> through the Switchboard page, but all of the URLs are absolute, and
> not relative.
>
> I get the HTML of the page, but all of the links and images are
> broken...
>
> If not, I can set up another virtual site, and link to it. I was just
> trying to make it as simple as possible, like TivoWeb is...
>
> TIA,
>
> Glenn Sullivan, MCSE+I MCDBA
> David Clark Company Inc.