Apache Reverse Proxy

Best practice of securing your WebOffice 10.9 SP1 application when providing it in the internet is to use a reverse proxy web server. The reverse proxy architecture enables you to run intranet and internet services using only one server installation. This reduces TCO (total cost of ownership) significantly (in comparison to double the server and software infrastructure).

 

Architecture of a reverse proxy

Architecture of a reverse proxy

 

icon_comment

WebOffice 10.9 SP1 is certified for Apache Reverse Proxy.

Apache Tomcat Connector (used for redirecting HTTP port 80 requests from IIS to Apache Tomcat) does not support forwarding of specific HTTP header information that is needed for correct reverse proxy function. Therefore you must not take use of Apache Tomcat Connector when working with Apache Reverse Proxy and specific HTTP header attributes.

 

To work with Apache Reverse Proxy the configuration file httpd.conf (in <Apache installation folder>/conf) has to be customized. It is necessary that Apache Reverse Proxy transmits a certain header (syn_urlmap) so WebOffice 10.9 SP1 can remap the URL.

 

 

The first step is to load the module mod_headers:

open the httpd.conf file

comment the line (2x): LoadModule headers_module modules/mod_headers.so

 

The second step is to configure the application and redirect paths. Beside the application path is necessary to provide every path that is accessed by WebOffice 10.9 SP1 or ArcGIS Server, e.g. ArcGIS output location.

 

<Location /WebOffice>

 ProxyPass https://<SERVERNAME_intern>:8443/WebOffice/

 ProxyPassReverse https://<SERVERNAME_intern>:8443/WebOffice/

 RequestHeader set syn_urlmap https://<SERVERNAME_intern>:8443/WebOffice;https://<SERVERNAME_extern>/WebOffice|

 https://<SERVERNAME_intern>:6443/arcgis;https://<SERVERNAME_extern>/arcgis|

 /WebOffice_intern;/WebOffice_extern

</Location>

 

<Location /arcgis>

ProxyPass https://<SERVERNAME_intern>:6443/arcgis/

ProxyPassReverse https://<SERVERNAME_intern>:6443/arcgis/

</Location>

 

 

icon_comment

When using the JavaScript clients WebOffice flex and WebOffice core, problems may occur if a forward slash / is set at the end of the ProxyPass and ProxyPassReverse lines in the code. In this case please remove the slash at the end of the lines.

When mapping the paths use both, absolute and relative paths. Be sure that the mapping of the relative paths is at the end of syn_urlmap.

Since ArcGIS for Server 10.0 the locations for arcgiscache and arcgisoutput are not addressed directly anymore, but via arcgis.

WebOffice extract server is configured for a virtual directory in IIS, which runs by default on port 80. Therefore you should not specify the port :8080 in the URL.

It is always useful to restrict the access to certain pages like SynAdmin or certain jsp files. This can also be prevented by using the correct ProxyPass setting, whereby the exception is initiated by the exclamation mark (!). It is important to define the exception before configuring the actual proxy command; therefore use e.g. ProxyPass /WebOffice/synadmin !

Do not restrict externalcall.jsp.

 

icon_cross-reference

You can find detailed information about the adjustment of ArcGIS Server when using a reverse proxy server on the web page https://server.arcgis.com/en/server/latest/administer/windows/using-a-reverse-proxy-server-with-arcgis-server.htm.

Pay attention to GZIP filter.

Pay attention to Explicitly Supported Scenarios for https.