Configuring the Reverse Proxy Server

To install the reverse proxy server, you need to manipulate the DNS configurations to support the reverse proxy.

  • *** What should I use as the OS? The POC uses Ubuntu. Is this the logical OS to use in the examples?
  1. Enable the following modules to enable Apache2 to act as a reverse proxy for CDSW installations:
    sudo a2enmod proxy 
    sudo a2enmod proxy_http 
    sudo a2enmod proxy_balancer 
    sudo a2enmod lbmethod_byrequests 
    sudo a2enmod proxy_wstunnel 
    sudo a2enmod ssl 
    sudo a2enmod proxy_ajp 
    sudo a2enmod rewrite 
    sudo a2enmod deflate 
    sudo a2enmod headers 
    sudo a2enmod proxy_connect 
    sudo a2enmod proxy_html 
    sudo a2enmod proxy_http2
  2. Create the configuration file /etc/apache2/sites-enabled/000-deafult.conf and add the following to enable reverse proxy for CDSW:
    <VirtualHost *:443>
       ServerAlias *
       SSLEngine on
       SSLProxyEngine on
       RewriteEngine On
       RewriteCond %{HTTP:Connection} Upgrade [NC]
       RewriteCond %{HTTP:Upgrade} websocket [NC]
       RewriteRule /(.*) wss://$1 [P,L]
       ProxyPass / nocanon
       ProxyPassReverse / nocanon
       SSLCertificateFile /root/ca/cdsw/
       SSLCertificateKeyFile /root/ca/cdsw/private.key
       SSLCertificateChainFile /root/ca/intermediate/certs/ca-chain.cert.pem
       Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
       Header always set Access-Control-Allow-Origin "*"
       Header always set Access-Control-Max-Age "1000"
       Header always set Access-Control-Allow-Headers "x-requested-with, Content-Type, origin, authorization, accept, client-security-token"
       ProxyPreserveHost On
       ProxyRequests Off
       RewriteEngine On
       RewriteRule ^(.*) - [E=CLIENT_IP:%{REMOTE_ADDR},L]
       RequestHeader set X-Forwarded-For %{CLIENT_IP}e
       RequestHeader set X-Forwarded-Proto https
       RequestHeader set X-Forwarded-SSL on
       RequestHeader set X-Forwarded-Port 443
       AllowEncodedSlashes On
  3. Ensure that port 443 is associated with the host and is listed first in the default SSL configuration, /etc/apache2/sites-enabled/000-default-ssl.conf.
    root@ip-10-80-161-148:/etc/apache2/sites-enabled# apachectl -S 
    VirtualHost configuration: *:443 (/etc/apache2/sites-enabled/000-default.conf:1) 
    ServerRoot: "/etc/apache2" 
    Main DocumentRoot: "/var/www/html" 
    Main ErrorLog: "/var/log/apache2/error.log" 
    Mutex proxy-balancer-shm: using_defaults 
    Mutex rewrite-map: using_defaults 
    Mutex ssl-stapling-refresh: using_defaults 
    Mutex ssl-stapling: using_defaults 
    Mutex proxy: using_defaults 
    Mutex ssl-cache: using_defaults 
    Mutex default: dir="/var/run/apache2/" mechanism=default 
    Mutex watchdog-callback: using_defaults 
    PidFile: "/var/run/apache2/" 
    Define: DUMP_VHOSTS 
    Define: DUMP_RUN_CFG 
    User: name="www-data" id=33 
    Group: name="www-data" id=33
    You need to ensure this configuration because there is a default SSL configuration that listens to port 443 and the Apache HTTP server serves the request in the order it is defined in the configuration.