The UK Home Automation Archive


RE: xAP Intranet Behind a Reverse Proxy...


  • Subject: RE: xAP Intranet Behind a Reverse Proxy...
  • From: "Sullivan, Glenn" <gsullivan@xxxxxxxxxxxxxx>
  • Date: Fri, 14 Apr 2006 11:32:28 -0400


Here we go... I got it all working, on a windows box.  I'm going to
write this as if you are starting from scratch... I was.

What I wanted was two sites: One for public content, and one that was
secure.  And "subdirectories" on the secure site proxying to my TiVo,
etc...

First, stop IIS by stopping the IISAdmin Service.  If you're savvy
enough, you can just change the ports it runs on, and then proxy to that
server too, but for now, get it out of the way.

I started out with Apache 2, but couldn't find a binary compile of the
mod_proxy_html module, which I needed to make this work.  So I switched
to Apache 2.2...

* Download and extract the Binary Build of Apache 2.2 from
  apachelounge.com.  You'll need to register with the site to get it, but
  it's free.
  I chose to extract to c:\Program Files\Apache Group\Apache2, since
  that's where Apache 2 (I renamed the old directory first...) was
  installed.  We'll call this "SERVERROOT".
  http://www.apachelounge.com/download/
* Download the Binary Build of mod_proxy_html from the same site.
* Create the folder SERVERROOT\modules\mod_proxy_html and extract
  three files from the mod_proxy_html package into it:
  * mod_proxy_html.so
  * Microsoft.VC80.CRT.manifest
  * msvcr80.dll
* Go to: http://www.zlatkovic.com/pub/libxml/
  and download:
  * libxml2-2.6.23+.win32.zip
    Extract libxml2.dll from the bin directory in the zip file to
    SERVERROOT\bin
  * iconv-1.9.1.win32.zip
    Extract iconv.dll from the bin directory in the zip file to
    SERVERROOT\bin
  * zlib-1.2.3.win32.zip
    Extract zlib1.dll and minigzip.exe from the bin directory in the zip
    file to SERVERROOT\bin
* Create 3 locations to hold the local web files... i.e., not the
  proxied stuff, but the actual sites.
  * Base Site - We won't be using this, except to trap errors in our
    virtual hosts. I used c:\INetPub\Apache Root\BaseSite
  * Public site - This is the publicly accessible site.  I chose
    c:\INetPub\Apache Root\Public
  * Secure Site - Here is your secure site.  I used
    C:\INetPub\Apache Root\Secure
* Create an "html" directory under each web site's directory.  This
  will hold the local site.  Put a basic HTML file into each html
  directory, named index.html, that makes it easy to see which one you've
  hit.  I used something simple, replacing the word "Base" with "Public"
  and "Secure" as appropriate...

      <HTML>
      <BODY>
      Base Index
      </BODY>
      </HTML>

* (Optional) if you think you might want to run scripts on either
  site (again, not proxied, but locally), either create one central
  cgi-bin directory, or one for each site.  If you don't know what I'm
  talking about, "fahghet about it..."
* Open up SERVERROOT\conf\httpd.conf
* Change "ServerRoot" to reflect the path you chose to install
  Apache to, using Unix Style path notation. Here is mine:

      ServerRoot "C:/Program Files/Apache Group/Apache2"

* Change the ServerAdmin line to a real email address, to meet the
  RFCs
* Leave ServerName set to localhost:80.  We are going to use Name
  Based Virtual Hosts, so we don't care about the "base" name or
  address.
* Change DocumentRoot to point to the html directory under your
  base site directory.  Again, not to be used normally, but if you see the
  pages in this folder, you know something is set up wrong.  I used:

      DocumentRoot "c:/INetPub/Apache Root/BaseSite/html"

* Look for this line, just a few lines below DocumentRoot:

      # This should be changed to whatever you set DocumentRoot to.

  Change the "<Document" line that follows it to reflect your
  DocumentRoot above.
* Find and remove the pound sign from the beginning of this line,
  almost at the end of the file:

      #Include conf/extra/httpd-vhosts.conf

* Find the section of modules, close to the top of the file.
  Uncomment the following list of Modules:
  * LoadModule headers_module modules/mod_headers.so
  * LoadModule proxy_module modules/mod_proxy.so
  * LoadModule proxy_http_module modules/mod_proxy_http.so
  * LoadModule rewrite_module modules/mod_rewrite.so
* Add the following module definition at the bottom of the list of
  modules:

      LoadModule proxy_html_module modules/mod_proxy_html/mod_proxy_html.so

* Close and Save the httpd.conf file
* Open up SERVERROOT\conf\extra\httpd-vhosts.conf
* Comment out the virtual hosts that are there by default... put a
  pound sign as the first character in each line.
* Create just the public site for now... add this code:

      <VirtualHost *:80>
          #Document Root should point to your public html directory that
          # you create above...
          DocumentRoot "C:/Inetpub/Apache Root/public/html"
          #ServerName should be the DNS name of the public site.
          ServerName www.sitename.com
          #(Optional) remove this line if you don't need scripts... I do.
          # (The URL path needs its leading slash, or the alias never matches.)
          ScriptAlias /cgi-bin/ "C:/Inetpub/Apache Root/public/cgi-bin/"
      </VirtualHost>

* Close and Save the httpd-vhosts.conf file.
* Open a command prompt, and navigate to SERVERROOT\bin.
* At the command prompt, type "httpd -S" to verify the config
  files.  Assuming that you get no error messages...
* At the command prompt, type "httpd" to start up apache.
* If you do not have access to your own DNS servers, or if the
  public name that you used above does not route to the IP address of the
  machine that you are working on, you will have to modify your hosts file
  so that www.sitename.com will resolve to your IP address.  This is a
  great test, and necessary, because if we try to browse via IP address,
  our name-based virtual host won't work...
  * Open up %systemroot%\system32\drivers\etc\hosts in a text editor
  * Add the following lines, replacing the dummy IP address below
    with the IP address of the machine apache is installed on.

        123.456.789.123	www.sitename.com
        123.456.789.123	secure.sitename.com

  * Save the file.
* Fire up a web browser, and navigate to http://123.456.789.123
  (use your own IP) and you should see your base page.
* Fire up a web browser, and navigate to http://www.sitename.com
  (use your own name) and you should see your public page.
* Assuming that all worked, hit ctrl-c in the command prompt
  window to stop the apache server.
* Next, we create the password file for the secure site...
  * Assuming that you still have the command prompt open, in the
    apache bin directory, execute the following command, replacing
    "username" with the username that you want to be valid at the
    secure site:

        htpasswd -c .htpasswd username

  * Provide a password when prompted.
  * Move .htpasswd from the bin directory to the directory that you
    chose for your secure site.  Don't put it into the HTML directory, but
    in the root of the secure directory.
* Open back up the SERVERROOT\conf\extra\httpd-vhosts.conf file.
* Below the public site, we'll create the secure virtual host.
  Here is mine, with comments explaining what each thing does:

      <VirtualHost *:80>
          DocumentRoot "C:/Inetpub/Apache Root/Secure/html"
          ServerName secure.sitename.com
          #(Optional) for scripts...
          # (The URL path needs its leading slash, or the alias never matches.)
          ScriptAlias /cgi-bin/ "C:/Inetpub/Apache Root/Secure/cgi-bin/"

          #Set Up Directory Security
          <Directory />
              AuthName "only for registered users"
              AuthType Basic
              AuthUserFile "C:/Inetpub/Apache Root/Secure/.htpasswd"
              <Limit GET>
                  require valid-user
              </Limit>
          </Directory>

          #Turn on the ReWrite Engine, to help with redirections that
          # proxy doesn't catch
          RewriteEngine on
          RewriteLog "c:/INetPub/Apache Root/Rewrite.log"
          #While debugging, set the LogLevel high.  But NOT IN PRODUCTION!!
          RewriteLogLevel 9

          #Convert all URL's to Lower Case
          Rewritemap lowercase int:tolower
          RewriteCond $1 [A-Z]
          RewriteRule ^/(.*)$ /${lowercase:$1} [R=301,L]

          #xAP Intranet App refresh fix... since xAP applications refresh to
          # /index.xsp, and do so with a window.location javascript command
          # (which unfortunately doesn't send a referrer value, so it's impossible
          # to tell which Intranet App is refreshing.)  You must choose one, and
          # all of them will refresh to that page.  I don't see another option.
          #
          # Set the RewriteRule to the page that you want
          RewriteCond %{REQUEST_URI} ^/index.xsp$
          RewriteRule / /switchboard/index.xsp [R=301,L]

          #Background images in tables, and style sheet URLS, can't be proxied
          #  correctly.  We need to rewrite those URLs...
          #
          #  xAP Switchboard background fix
          RewriteCond %{HTTP_REFERER} switchboard
          RewriteCond %{REQUEST_URI} ^/images/(.*)
          RewriteRule ^/images/(.*) /switchboard/images/$1 [R=301,L]

          #xAP News background fix
          RewriteCond %{HTTP_REFERER} news
          RewriteCond %{REQUEST_URI} ^/images/(.*)
          RewriteRule ^/images/(.*) /news/images/$1 [R=301,L]

          #Turn Off "Forward" proxying... we want to reverse proxy, not be a bounce
          #  off site for hackers and spammers...
          ProxyRequests off

          #Proxy to the TiVo
          # This is easy, because TivoWeb provides a setting which tacks a directory to
          #  the front of each URL automatically...  Change the IP as necessary...
          ProxyPass /tivo http://192.168.64.251
          <Location /tivo/>
              ProxyPassReverse /
          </Location>

          #Proxy to Switchboard
          ProxyPass /switchboard http://192.168.64.2:52340
          #Remap all URLs from the IP:PORT of switchboard to /switchboard
          #  This takes care of ABSOLUTE URLs.
          ProxyHTMLURLMap http://192.168.64.2:52340 /switchboard
          <Location /switchboard>
              # ProxyPassReverse takes care of meta-tags.  Switchboard doesn't have them,
              # but it is bad form to not include them...
              ProxyPassReverse /
              # Turn on the URLMap Filters, to re-write URLs
              SetOutputFilter proxy-html
              # Links to deletelog.gif start with 'web/' instead of '/web/'
              # This rule catches and re-writes them
              ProxyHTMLURLMap web /switchboard/web
              # This rule is to catch everything else
              ProxyHTMLURLMap / /switchboard/
              # and This Rule is to stop us from recursively
              # re-writing the links multiple times
              ProxyHTMLURLMap /switchboard /switchboard
              #Disable compressed HTML
              RequestHeader unset Accept-Encoding
          </Location>

          #Proxy to news
          ProxyPass /news http://192.168.64.2:54000
          #Remap all URLs from the IP:PORT of switchboard to /news
          #  This takes care of ABSOLUTE URLs.
          ProxyHTMLURLMap http://192.168.64.2:54000 /news
          <Location /news>
              # ProxyPassReverse takes care of meta-tags.  Switchboard doesn't have them,
              # but it is bad form to not include them...
              ProxyPassReverse /
              # Turn on the URLMap Filters, to re-write URLs
              SetOutputFilter proxy-html
              # Not sure if anything else doesn't have the leading slash.
              # This rule catches and re-writes them
              ProxyHTMLURLMap web /news/web
              # This rule is to catch everything else
              ProxyHTMLURLMap / /news/
              # and This Rule is to stop us from recursively
              # re-writing the links multiple times
              ProxyHTMLURLMap /news /news
              #Disable compressed HTML
              RequestHeader unset Accept-Encoding
          </Location>

      </VirtualHost>

* Once again, run "httpd -S" to verify that you've got it right.
* Assuming so, run httpd with no switches, to start the server
* Navigate to http://secure.sitename.com/tivo for the tivo
* Navigate to http://secure.sitename.com/switchboard for switchboard
* Navigate to http://secure.sitename.com/news for the news
* To install httpd as a service, run "httpd -k install" and it will
  create a Windows Service to run under.
I hope this helps... sorry for the long winded description, but I know
I'll be glad it's here in 5 years when my existing server goes t!ts up
and I have to start over...

Glenn Sullivan, MCSE+I MCDBA
David Clark Company Inc.
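
Added example, not part of the original message: in the secure virtual host as posted, the login sits in `<Directory />`, which Apache does not apply to requests handled by mod_proxy, `<Limit GET>` leaves POST and other methods without a `require`, and Basic credentials travel over port 80 in cleartext. The fragment below keeps the post's paths and backends and moves the login to a URL-scoped block on a TLS listener; mod_ssl, `Listen 443` and the certificate file names are assumptions.

```apache
# Added example (not the author's config). Assumes httpd.conf already has
#   LoadModule ssl_module modules/mod_ssl.so
#   Listen 443
# and that the certificate and key paths below (placeholders) exist.

# Port 80 only redirects, so the Basic password is never sent unencrypted.
<VirtualHost *:80>
    ServerName secure.sitename.com
    Redirect permanent / https://secure.sitename.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName secure.sitename.com
    DocumentRoot "C:/Inetpub/Apache Root/Secure/html"

    SSLEngine on
    # Placeholder file names: substitute your own certificate and key.
    SSLCertificateFile "C:/Program Files/Apache Group/Apache2/conf/server.crt"
    SSLCertificateKeyFile "C:/Program Files/Apache Group/Apache2/conf/server.key"

    # <Location /> matches on the request URL, so it covers the local pages
    # and /tivo, /switchboard and /news alike. A <Directory> block matches
    # filesystem paths, which proxied requests never map to.
    # There is no <Limit> wrapper, so Require applies to every HTTP method.
    <Location />
        AuthType Basic
        AuthName "only for registered users"
        # Same password file as in the post, kept outside the html directory.
        AuthUserFile "C:/Inetpub/Apache Root/Secure/.htpasswd"
        Require valid-user
    </Location>

    # Reverse proxy only, as in the post.
    ProxyRequests off
    ProxyPass /tivo http://192.168.64.251
    ProxyPass /switchboard http://192.168.64.2:52340
    ProxyPass /news http://192.168.64.2:54000

    # The post's Rewrite rules and its <Location /tivo/>, <Location /switchboard>
    # and <Location /news> blocks can follow here as written; their settings
    # merge with the authentication inherited from <Location />.
</VirtualHost>
```

To confirm the result, request each proxied path in a fresh browser session, without first visiting the site root, and check that the login prompt appears.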
-----Original Message-----
From: xap_automation@xxxxxxx [mailto:xap_automation@xxxxxxx] On Behalf Of James
Sent: Wednesday, April 12, 2006 3:34 PM
To: xap_automation@xxxxxxx
Subject: Re: [xap_automation] xAP Intranet Behind a Reverse Proxy...

Hi,

Have to say i've never tried this with an intranet app. I do remember
once trying an apache reverse proxy and i'm sure i just used the usual
mod_proxy but i do remember having to set ProxyPass and ProxyPassReverse
for it to work right.
Currently the web ports are preset and not changeable but i'll add a
config option for it. I might well also allow it to just use random port
if it can't bind as all the intranet apps will re-link to whatever the
port (although if setting up a reverse proxy that won't be useful at
all)

I'll be very interested to know how you get on

James

Sullivan, Glenn wrote:
> I figured out what I believe will be a solution... Apache has a module
> called MOD_PROXY_HTML which can rewrite a page's hyperlinks so that
> they resolve correctly.
>
> I'm downloading the source now... I'll report how I get on.
>
> How does an Intranet App pick its web port?  I may have to write a
> xAP module for apache to change them dynamically...
>
>
> Glenn Sullivan, MCSE+I MCDBA
> David Clark Company Inc.
> -----Original Message-----
> From: xap_automation@xxxxxxx [mailto:xap_automation@xxxxxxx] On Behalf Of Sullivan, Glenn
> Sent: Monday, April 10, 2006 9:09 AM
> To: xap_automation@xxxxxxx
> Subject: [xap_automation] xAP Intranet Behind a Reverse Proxy...
>
> Is there any facility for setting the BASEREF of xAP Intranet pages?
>
> I have recently set up an Apache Server to reverse proxy all of my
> internal services out to the real world.  I have tried to proxy
> through the Switchboard page, but all of the URL's are absolute, and
> not relative.
>
> I get the HTML of the page, but all of the links and images are
> broken...
>
> If not, I can set up another virtual site, and link to it.  I was just
> trying to make it as simple as possible, like TivoWeb is...
>
> TIA,
>
> Glenn Sullivan, MCSE+I MCDBA
> David Clark Company Inc.
