Reverse proxy configurations in Webservers

As we know that one of the key feature of using Web Server as reverse proxy is redirections.

I have used OHS 1.x, OHS 11g, and so on configuring them as reverse proxy.

So far I was under the impression that you will require modules such as mod_proxy.so, mod_proxy_connect.so, mod_proxy_http.so, mod_wl_ohs.so, mod_wl_20.so, mod_wl_22.so for performing reverse proxy always. But I was wrong!

Recently when I tested the OHS 10.1.4.3 which is based on Apache 1.3, all I had is libproxy.so in the location of Oracle_Home/Apache/Apache/libexec. Even the mod_proxy.c block is commented out in httpd.conf file. When I just used the ProxyPass and ProxyPassReverse syntax for specific applications, it was working fine.

I also used ReWriteEngine plugin (mod_rewrite.so) for performing the reverse proxy. I found that this is not used for reverse proxy always, anyone to contradict this, please shoot a reply.

If you are proxying the requests using ReWriteEngine  then follow the below syntax.

RewriteEngine On
RewriteRule ^/(.*) http://destination_machine:7777/$1 [P]

This syntax will redirects all URLs to destination server (7777) . So, in my case, I had form login page in ProxyServer machine and Application deployed on destination machine. So, in that case, if I protect the application in OAM and test it, it shows page not found. This is because all requests like Login page is also routed and looked in destination machine.

Even if you are using ProxyPass and ProxyPassReverse for proxy purpose, be cautious to the Context where you want exactly.

For example, when I used the below syntax the flow was getting stopped while showing Login page because the Login page is residing in Proxy Machine.

ProxyPass /                    http://destination_machine:7777/

ProxyPassReverse /     http://destination_machine:7777/

So, when I used the below syntax which will proxy only for destination application, it has started working. I had spent almost 2 hours to troubleshoot this issue ;). So, be cautious while choosing the proxy syntaxes.

ProxyPass /application/                    http://destination_machine:7777/application/
ProxyPassReverse /application/            http://destination_machine:7777/application/

About the Author Mahendra

I am engulfed in Oracle Identity & Access Management domain. I have expertise on providing the optimized solutions for user provisioning, web access management, Single Sign-On and federation capabilities etc., I am also well versed with complex integrations within Identity Management and other product domains. I have expertise on building demos and implementation experience on products Oracle Access Manager, Oracle Adaptive Access Manager, Oracle Entitlement Server, Oracle Virtual Directory, Oracle Internet Directory etc., Look @ my blog: http://talkidentity.blogspot.com

Leave a Comment:

25 comments
Vinoth says July 11, 2011

Hi Mahendra,

Reverse proxy is not working fine after following your steps. can you please tell me, is there any other i need to follow to enable the reverse proxy.

OHS – 10g release 2

Reply
Mahendra says July 11, 2011

hi Vinoth,

You would just need mod_proxy.so loaded in httpd.conf. After that, you need to put 2 lines ProxyPass and ProxyPassReverse for the applications that you want to proxy.

Let me know if you find any issues.

-Mahendra.

Reply
sunny says July 12, 2012

Hi Mahendra

I need to configure reverse proxy on OHS to point to the EBS servers. Could you please help me in configuring the same.

Reply
Mahendra says July 12, 2012

@Sunny,

Please try ProxyPass and ProxyPassReverse with URL http://ebs_host_name:port/

Don’t specify any application name. It should look like

ProxyPass / http://ebs_hostname:port/
ProxyPassReverse / http://ebs_hostname:port/

Let me know the results. I have not tried proxying EBS URLs ever before.

-Mahendra.

Reply
patpacific says October 10, 2012

Our reverse proxy server is https://111.112.113.13 and DNS is https://111.112.113.17 which is redirected to https://map.ohs.edu:9010. Are these the correct entries in httpd.conf

ProxyPass / https://map.ohs.edu:9010/
ReversePassProxy / https://map.ohs.edu:9010/

Reply
Anand Narayanan says October 24, 2012

Hi Mahendra,

Can you kindly help me on the steps to do OAM-TAI integration thru reverse proxy please?

Reply
Atul Kumar says October 24, 2012

@Anand Narayanan,
Please share issue and meaning of TAI .

OAM I am assuming is Oracle Access Manager

Reply
Anand Narayanan says October 24, 2012

Hi Atul,

OAM – Oracle Access Manager

TAI – Trust Association Interceptor

The problem – We are using Webgate 10g, OAM 11g, IHS Webserver & Websphere 6.1. We plan to use reverse proxy method to integrate OAM & TAI due to some reason. I did the configurations as per the Oracle document http://docs.oracle.com/cd/E21764_01/upgrade.1111/e17852/manage_was_oamiap.htm. We use OAMs default login page to authenticate and the authentication happens properly but after authentication, authorization is not happening. The application login screen is thrown again by TAI rather doing a reverse proxy & authorize me.

Reply
Anand Narayanan says October 25, 2012

Hi Atul,

Through trace we found that the following error is been thrown –

0000000a TrustAssociat E SECJ0125E: Trust Association Init Unable to load Trust Association class oracle.security.was.providers.tai.OAMTrustAssociationInterceptorImpl

The jars told by Oracle are properly set but still believe WAS is not able to load the OAMTrustAssociationInterceptor.jar.

Reply
Atul Kumar says October 25, 2012

@Anand Narayanan,
Not clear about your issue, does same thing works without reverse proxy.

Reply
Anand Narayanan says October 25, 2012

Atul,

We tried reverse proxy method only and it didn’t work.

Reply
dev says November 12, 2012

Hi Atul and Mahendra,
I am using OAM 10.1.4.3.0 annd have a OHS 11.1.1.2 as a reverse proxy server on which the webgate is installed. I am protecting an application which is on a different destination hosting an java application server.

I have done all the steps but when i try to reverse proxy the URL in the browser the URL changes from my web server host to the application server hostname and port.
Does this mean that i am loosing the context here. BEcuase the target application is not able to redirect to the home page as they are saying that the session is getting invalidated.

For exmaple the OHS server URL is http://xyz:9999 and in here i am reverse proxying to the application whose URL is http://abc:8885/BPCS/inetrnallogin.jsp . Now when i type http://xyz:9999/BPCS/inetrnallogin.jsp in the browser it is bringing me the login page as per the policy rule and after successfull login in the browser the URL is changing from xyz to http://abc:8885/BPCS/inetrnallogin.jsp.

I do not understand why this URL redirection is happening . and the end result is that i am going to the login page of the external application but not the home page. The application owner are saying that they are able to see the header variable having the user id is getting passed but the session is getting invalidated.

Can i know why this URL changing is taking place and how to tackle it. Also can you please give any ssugestions for the problem whose description i have provided.

Regards
Dev

Reply
    Atul Kumar says November 12, 2012

    @ dev,
    This could be that there is HTTP Frontend URL defined in application server that is forcing application to redirect back to apps server hostname.
    This could also be because of proxy configuration in OHS.

    What is your proxy-entry in HTTP server (one that forwards request from HTTP server to app server) ?
    What application server is this where application is deployed.

    Reply
dev says November 12, 2012

Dear Atul,
I found something . I was able to resolve the URL redirection thing for normal Java based application but now i am facing this issue only for oracle based application like OBIEE 10.1.3.4.1 which is hosted on a OC4J Application server. How to check for the Front End URL thing which u spoke about. Please let me know that

In the OHS httpd.conf i have the following code

ProxyPass /analytics http://abc:7777/analytics
ProxyPassReverse /analytics http://abc:7777/analytics

Regards
Dev

Reply
Atul Kumar says November 12, 2012

@ Dev,

Try like this and see if this helps (restart OHS) where xyz is OHS server and listening on 9999 . abc is apps server host and listening on port 7777

NameVirtualHost *:9999

ServerName http://xyz:9999
RewriteEngine On
RewriteOptions inherit
UseCanonicalName On
ProxyPass /analytics http://abc:7777/analytics
ProxyPassReverse /analytics http://abc:7777/analytics

Reply
dev says November 12, 2012

Dear Atul,
I tried to do the configuration as u suggested. But the behaviour remains the same. I even checked for the Front end URL redirection thing for OBIEE 10g OC4J server but could not find anything specific. I still do not understand what is happening.

Regards
Dev

Reply
venkat says February 18, 2013

Hi,

Am trying to attempt a proxy and reverse proxy as follows.
Its not working.
Please try if you can help.

ProxyPass /abc http://HOST:PORT/context/faces/abc
ProxyPassReverse /abc http://HOST:PORT/context/faces/abc

Regards,
Venkat

Reply
Mahendra says February 19, 2013

Venkat,

Is this JSF application? What is the error you’re seeing in web server logs?

-Mahendra

Reply
venkat says February 20, 2013

Mahendra,

In my log i can see that it is looking for context root in my docs folder.

This is ADF application.


Venkat

Reply
vikram says April 9, 2013

Venkat-

Is ohs configured to the WAS directly or to WAS-proxy. Internally WAS has proxy listening on default port 21024.
1.Which port on WAS is OHS pointing to?
2.Where did you load the .jar file from?

Reply
Tiro says June 23, 2015

Hi Mahendra,
This is realty great post and is very helpful for over simplifying the reverse proxy complexity. the examples you and other mentioned here is working for me smoothly, however, I have one small problem; i can’t redirect my traffic to context root or my testing site “wwww4.portal.com” without typing the full url “www4.portal.com/wps/portal”. below is the config i am using, please let me know if i am missing an additional configuration so when users type “www4.portal.com” it autofills the rest of the url that is “www4.portal.com/wps/portal”.

Listen 192.169.1.12:80

ServerName wwww4.portal.com
ServerAlias wwww4.portal.com

ProxyRequests off
ProxyPreserveHost on

ProxyPass / http://examserver1.portal.com/
ProxyPassReverse / http://examserver1.portal.com/

Reply
Rudolp says July 16, 2015

We are Configuring IBM WebSphere for OAM SSO and the IAP and unable to find the below jar file. Was this jar available part of separate package OAMTrustAssociationInterceptor.jar
oamtai.xml

Reply
    Atul Kumar says July 16, 2015

    @Rudolp,
    Contact Oracle Support please and ask for this file . They will provide else they will put you in touch with OAM development .

    Reply
Suresh says July 20, 2015

In Creating the Interceptor Entry in the IBM WebSphere Console under “Managing OAM identity Assertor for WebSphere”… do we need to create the property ws.ext.dirs for OAMTrustAssociationInterceptor.jar. We are not able to find the property under Java Virtual Machine, Custom Properties as per the oracle documents. Any one tried successfully for OAM TAI integration.

Reply
Suresh says July 22, 2015

Hi Anand,

I am also getting the same error, using IHS as reverse proxy

0000000a TrustAssociat E SECJ0125E: Trust Association Init Unable to load Trust Association class oracle.security.was.providers.tai.OAMTrustAssociationInterceptorImpl

Did you resolve the issue?

Reply
Add Your Reply

Not found