Apache Reverse Proxy |
  
|
Apache Reverse Proxy |
|
Best practice of securing your WebOffice 10.2 SP3 application when providing it in the internet is to use a reverse proxy web server. The reverse proxy architecture enables you to run intranet and internet services using only one server installation. This reduces TCO (total cost of ownership) significantly (in comparison to double the server and software infrastructure).
Architecture of a reverse proxy
Note: WebOffice 10.2 SP3 is certified for Apache Reverse Proxy.
Note: Apache Tomcat Connector (used for redirecting HTTP port 80 requests from IIS to Apache Tomcat) does not support forwarding of specific HTTP header information that is needed for correct reverse proxy function. Therefore you must not take use of Apache Tomcat Connector when working with Apache Reverse Proxy and specific HTTP header attributes.
To work with Apache Reverse Proxy the configuration file httpd.conf (in <Apache installation folder>/conf) has to be customized. It is necessary that Apache Reverse Proxy transmits a certain header (syn_urlmap) so WebOffice 10.2 SP3 can remap the URL.
The first step is to load the module mod_headers:
| • | open the httpd.conf file |
| • | uncomment the line (2x): LoadModule headers_module modules/mod_headers.so |
The second step is to configure the application and redirect paths. Beside the application path is necessary to provide every path that is accessed by WebOffice 10.2 SP3 or ArcGIS 10.2 for Server, e.g. ArcGIS output location.
<Location /WebOffice>
ProxyPass http://<SERVERNAME_intern>:8080/WebOffice/
ProxyPassReverse http://<SERVERNAME_intern>:8080/WebOffice/
RequestHeader set syn_urlmap http://<SERVERNAME_intern>:8080/WebOffice;http(s)://<SERVERNAME_extern>/WebOffice|
http://<SERVERNAME_intern>:6080/arcgisoutput;http(s)://<SERVERNAME_extern>/arcgisoutput|
http://<SERVERNAME_intern>:6080/arcgiscache;http(s)://<SERVERNAME_extern>/arcgiscache|
http://<SERVERNAME_intern>:6080/arcgis;http(s)://<SERVERNAME_extern>/arcgis|
/WebOffice_intern;/WebOffice_extern
</Location>
<Location /arcgisoutput>
ProxyPass http://<SERVERNAME_intern>:6080/arcgisoutput/
ProxyPassReverse http://<SERVERNAME_intern>:6080/arcgisoutput/
</Location>
<Location /arcgiscache>
ProxyPass http://<SERVERNAME_intern>:6080/arcgiscache/
ProxyPassReverse http://<SERVERNAME_intern>:6080/arcgiscache/
</Location>
<Location /arcgis>
ProxyPass http://<SERVERNAME_intern>:6080/arcgis/
ProxyPassReverse http://<SERVERNAME_intern>:6080/arcgis/
</Location>
Note: When mapping the paths use both, absolute and relative paths. Be sure that the mapping of the relative paths is at the end of syn_urlmap.
Note: Using various GIS Servers distinct folder names for arcgiscache and arcgisoutput locations have to be provided. E.g. arcgiscache1 on one GIS Server, arcgiscache2 on another.
Note: WebOffice extract server is configured for a virtual directory in IIS, which runs by default on port 80. Therefore you should not specify the port :8080 in the URL.
Note: It is always useful to restrict the access to certain pages like SynAdmin or certain jsp files, therefore use e.g. ProxyPass /WebOffice/synadmin. Do not restrict externalcall.jsp.
Note: Pay attention to GZIP filter.
Note: Pay attention to Explicitly Supported Scenarios for https.