Apache Https To Http Reverse Proxy



Introduction


HTTPS Reverse Proxy. To define an HTTPS reverse proxy you will need to configure Apache to handle HTTPS requests. You can see how to do this here. The following examples rely on this configuration. The HTTPS reverse proxy definitions are similar to those seen previously, with the addition of the SSL-related parameters.

Now back to your Apache config. mod_proxy_connect is only needed for a forward HTTPS proxy; you're setting up a reverse proxy and don't need AllowCONNECT. Your reverse proxy also needs its own TLS certificate, which is missing in your code.

The directives above secure your Apache server and set up the reverse proxy to the Tomcat server. In this example, the Tomcat server and Apache web server are on the same machine and Tomcat is listening on the default port of 8080.

In this document we are using Apache 2.4.17 x64 from Apache Haus. Please note that CA does not officially endorse Apache Haus or this specific version of Apache httpd for Windows over any other httpd distribution/version; it is just the one I am using for this document.

There will be three servers involved in this scenario:

1. <LBSERVER> is the load balancing server. This is the server where we are installing Apache httpd.

2. <ENTM> is the primary Enterprise Management server

3. <LBENTM> is the load balancing Enterprise Management server

The assumption has been made that both <ENTM> and <LBENTM> are installed and working and serving SSL from port 18443. It is very important that this is the case. There is no point in implementing a reverse proxy to servers that do not work themselves; it just adds an additional layer to debug.

The aim is to have Apache httpd serving SSL only on port 8443 on <LBSERVER>, acting as a reverse proxy to <ENTM> and <LBENTM>. No other ports will be served by Apache httpd.

I have also added a rewrite so that users who go to https://<LBSERVER>:8443/ will automatically be redirected to https://<LBSERVER>:8443/iam/ac.

***** YOU MUST MAKE SURE THAT NOTHING IS RUNNING ON PORT 8443 on <LBSERVER> BEFORE CONTINUING *****

Use the following command to determine if anything is running on port 8443:

If it returns nothing then nothing is running on port 8443 and you are set to go.

Section 1 - Download and Install Apache 2.4.17 x64:

1. On <LBSERVER> go to the following URL:

Download:

A) Apache 2.4.x VC11 -> Apache 2.4.17 x64

B) Microsoft Visual C++ 2012 Redistributable

I will refer to the folder you have downloaded these files to as <download> from here on.

2. Unzip httpd-2.4.17-x64-vc11.zip to <download>\httpd-2.4.17-x64-vc11.

3. Open <download>\httpd-2.4.17-x64-vc11\readme_first.html and review the installation instructions. I have included installation instructions below, but they may need to be adapted for your system or due to any changes made by Apache Haus if you are using a different version of Apache httpd 2.4.

4. Copy the <download>\httpd-2.4.17-x64-vc11\Apache24 folder to c:\, so you have a c:\Apache24 folder.

Section 2 - Generate the SSL keys and certificate

1. On <LBSERVER> open a command prompt and navigate to c:\Apache24\bin:

2. On the command prompt, run the following command:

Follow the prompts as requested (***** remember any pass phrases etc. that you use! *****). When finished this will have created two files:

3. On the command prompt, run the following command:

Follow the prompts as requested. This will create the following file:

4. On the command prompt, run the following command:

This will create the following file:

5. The following files should now exist:

Section 3 - Configure Apache httpd

1. On <LBSERVER> edit C:\Apache24\conf\httpd.conf.

To comment out a line in httpd.conf place a # symbol at the beginning of the line.

To uncomment a line in httpd.conf remove the # symbol at the beginning of the line.

Comment out:

Find the following lines and uncomment them. These lines are not contiguous, so they will need to be found and uncommented one by one:

Find:

And change it to something appropriate, e.g. replacing <LBSERVER> with the FQDN of this server:

At the end of the file add the following lines, replacing <ENTM> and <LBENTM> with the hostnames or FQDNs of the ENTM and load balancing ENTM respectively, and <LBSERVER> with the FQDN of this server:

2. Edit extra\httpd-ahssl.conf:

Comment out:

Comment out all of the following lines:

Section 4 - Starting And Testing Apache httpd, And Making It A Service


It is possible and easy to set up Apache httpd to run as a Windows service, but we will test it first by running it in a command prompt to see if there are any errors. Note that debugging errors for Apache httpd is beyond the scope of this document - any errors I came across I fixed in the configuration above - and CA Technical Support. However, Google is your friend. Apache httpd is the most widely used web server on the internet, so if you encounter a problem, someone probably already has and has a solution; at least that was my experience when writing this document.


1. On <LBSERVER> open a command prompt and navigate to c:\Apache24\bin:

2. Start httpd:

After entering the command wait a few seconds. httpd should stay running and not return to a command prompt. If it does return, and/or any errors are displayed, they will need to be investigated and resolved before continuing. To stop it just press CTRL + c in the command prompt. After a second or two it will stop.

3. Make sure httpd is running as per step 2, and log in and test by pointing a browser to (where <LBSERVER> is the hostname or FQDN of the server we have installed Apache httpd to):

You may be prompted with some SSL warnings due to using a self-signed certificate as per Section 2 - Generate the SSL keys and certificate. Once past these you should be presented with the ControlMinder/PIM login. Test a few things.

4. Assuming everything appears to be working, run a few different browser sessions (that is, different sessions, not just different tabs or windows of the same browser session) on different client machines.


Open c:\Apache24\logs\proxy-access.log and you should see entries like the below:


123.123.123.123 is the IP Address of the client where the browser is running.

https://<ENTM>:18443 will be either the hostname/FQDN of the ENTM or LBENTM. There should be a good mix of <ENTM> and <LBENTM> to show that the load balancing is working, provided you have used different browser sessions; opening new tabs and/or windows of existing browser sessions does not work to test this.

https://<LBSERVER>:8443 is the hostname/FQDN of the server we installed Apache httpd on.


5. Once you are satisfied that Apache httpd is running as a reverse proxy correctly, we can set it up as a service. Open a command prompt and navigate to c:\Apache24\bin

6. Execute the following command:

This will return something like:

There should be no errors as we have already fixed them before progressing from step 2.

7. In Windows Services, there should now be an Apache2.4 service. This is stopped and started like any other service. By default this is set to start automatically when the server is started; you may or may not want to change this.

You have now finished installing the reverse proxy/load balancer.
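
The layout described in the introduction and Section 3 (SSL only on port 8443, two HTTPS backends on 18443, redirect of / to /iam/ac, a proxy-access.log) can be sketched as follows. This is an added example, not the original author's httpd.conf: the balancer name `entm`, the `ROUTEID` cookie, the certificate file names and the log format are assumptions, and it additionally verifies the backend certificates, which the page does not discuss.

```apache
# Added example, not the original configuration. Replace <LBSERVER>, <ENTM>
# and <LBENTM> (the page's placeholders) with real FQDNs before use.
# Needs mod_ssl, mod_proxy, mod_proxy_http, mod_proxy_balancer,
# mod_lbmethod_byrequests, mod_slotmem_shm, mod_rewrite and mod_headers.

Listen 8443

<VirtualHost *:8443>
    ServerName <LBSERVER>:8443

    # TLS towards browsers: certificate and key from Section 2 (file names assumed)
    SSLEngine on
    SSLCertificateFile    "conf/ssl/lbserver.crt"
    SSLCertificateKeyFile "conf/ssl/lbserver.key"

    # TLS towards the backends, which already serve SSL on 18443
    SSLProxyEngine on
    # Verify the backends instead of trusting whatever answers on 18443.
    # backend-ca.pem (assumed name) holds the CA or self-signed certificates
    # of <ENTM> and <LBENTM>; the names in the BalancerMember URLs must match
    # the names in those certificates.
    SSLProxyVerify require
    SSLProxyCACertificateFile "conf/ssl/backend-ca.pem"
    SSLProxyCheckPeerName on

    # Reverse proxy only: never act as a forward proxy
    ProxyRequests Off

    # Pin each browser session to one backend so logins survive balancing
    Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/; Secure; HttpOnly" env=BALANCER_ROUTE_CHANGED
    <Proxy "balancer://entm">
        BalancerMember "https://<ENTM>:18443" route=1
        BalancerMember "https://<LBENTM>:18443" route=2
        ProxySet lbmethod=byrequests stickysession=ROUTEID
    </Proxy>

    # Send https://<LBSERVER>:8443/ to /iam/ac
    RewriteEngine On
    RewriteRule "^/$" "/iam/ac" [R=302,L]

    ProxyPass        "/" "balancer://entm/"
    ProxyPassReverse "/" "balancer://entm/"

    # Client IP, request, status and the backend that served it (format assumed)
    LogFormat "%h %t \"%r\" %>s %{BALANCER_WORKER_NAME}e" proxylog
    CustomLog "logs/proxy-access.log" proxylog
</VirtualHost>
```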