The UK Home Automation Archive


The UKHA-ARCHIVE IS CEASING OPERATIONS 31 DEC 2024



RE: xAP Intranet Behind a Reverse Proxy...




And one other thing: If you set the directory security up in <Directory />
tags, you are only securing LOCAL FILES.

It should have been:
#Set Up Directory Security
<Location />
AuthName "only for registered users"
AuthType Basic
AuthUserFile "C:/Inetpub/Apache Root/Secure/.htpasswd"
<Limit GET>
require valid-user
</Limit>
</Location>
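
The correction above, as an added example that is not part of the original message: a small Python check that reads a vhost block and reports proxied paths whose only authentication sits in a `<Directory>` section, and also flags a `require` wrapped in `<Limit>`, which Apache applies only to the listed methods. The sample config is constructed from the directives posted in this thread; the `audit` function and its finding strings are hypothetical names.

```python
import re

# Constructed sample: auth and proxy directives of the secure vhost as first posted.
SAMPLE_VHOST = """\
<VirtualHost *:80>
<Directory />
AuthType Basic
AuthUserFile "C:/Inetpub/Apache Root/Secure/.htpasswd"
<Limit GET>
require valid-user
</Limit>
</Directory>
ProxyPass /tivo http://192.168.64.251
ProxyPass /switchboard http://192.168.64.2:52340
</VirtualHost>
"""

def audit(conf):
    """Return findings for a vhost: unauthenticated proxied paths, <Limit> gaps."""
    findings, stack, guarded, proxied = [], [], [], []
    for line in (raw.strip() for raw in conf.splitlines()):
        if not line or line.startswith("#"):
            continue
        tag = re.match(r"<(/?)(\w+)\s*([^>]*)>", line)
        if tag:                                   # section open/close
            if tag.group(1):
                stack.pop()
            else:
                stack.append((tag.group(2).lower(), tag.group(3).strip(' "')))
            continue
        words = line.split()
        open_sections = dict(stack)
        if words[0].lower() == "proxypass" and "location" not in open_sections:
            proxied.append(words[1])              # vhost-level form: path then URL
        elif words[0].lower() == "require":
            if "limit" in open_sections:
                findings.append("auth applies only to methods in <Limit %s>"
                                % open_sections["limit"])
            if "location" in open_sections:       # URL-space auth covers proxied content
                guarded.append(open_sections["location"].rstrip("/"))
    for path in proxied:
        p = path.rstrip("/")
        if not any(p == g or p.startswith(g + "/") for g in guarded):
            findings.append("proxied path %s has no <Location> auth" % path)
    return findings

if __name__ == "__main__":
    print("as posted:", audit(SAMPLE_VHOST))
    print("corrected:", audit(SAMPLE_VHOST.replace("Directory", "Location")))
```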


________________________________

From: xap_automation@xxxxxxx on behalf of Sullivan, Glenn
Sent: Fri 4/14/2006 1:11 PM
To: xap_automation@xxxxxxx
Subject: RE: [xap_automation] xAP Intranet Behind a Reverse Proxy...


I forgot one step, but you guys would have caught it... when you initially
install Apache, you need to install the Microsoft Visual C redist, which is
included with the package...


Glenn Sullivan, MCSE+I MCDBA
David Clark Company Inc.



________________________________

From: xap_automation@xxxxxxx [mailto:xap_automation@xxxxxxx] On
Behalf Of Sullivan, Glenn
Sent: Friday, April 14, 2006 11:32 AM
To: xap_automation@xxxxxxx
Subject: RE: [xap_automation] xAP Intranet Behind a Reverse Proxy...


Here we go... I got it all working, on a windows box.  I'm going to write
this as if you are starting from scratch... I was.

What I wanted was two sites: One for public content, and one that was
secure.  And "subdirectories" on the secure site proxying to my
TiVo, etc...

First, stop IIS by stopping the IISAdmin Service.  If you're savvy enough,
you can just change the ports it runs on, and then proxy to that server
too, but for now, get it out of the way.

I started out with Apache 2, but couldn't find a binary compile of the
mod_proxy_html module, which I needed to make this work.  So I switched to
Apache 2.2...

*	Download and extract the Binary Build of Apache 2.2 from
apachelounge.com.  You'll need to register with the site to get it, but
it's free.
I chose to extract to c:\Program Files\Apache Group\Apache2, since that's
where Apache 2 (I renamed the old directory first...) was installed.  We'll
call this "SERVERROOT".
http://www.apachelounge.com/download/
*	Download The Binary Build of mod_proxy_html from the same site.
*	Create the folder SERVERROOT\modules\mod_proxy_html and extract three
files from the mod_proxy_html package into it:

*	mod_proxy_html.so
*	Microsoft.VC80.CRT.manifest
*	msvcr80.dll

*	Go to: http://www.zlatkovic.com/pub/libxml/ and download:

*	libxml2-2.6.23+.win32.zip
Extract libxml2.dll from the bin directory in the zip file to
SERVERROOT\bin
*	iconv-1.9.1.win32.zip
Extract iconv.dll from the bin directory in the zip file to SERVERROOT\bin
*	zlib-1.2.3.win32.zip
Extract zlib1.dll and minigzip.exe from the bin directory in the zip file
to SERVERROOT\bin

*	Create 3 locations to hold the Local web files... i.e., not the proxied
stuff, but the actual sites.
Base Site - We won't be using this, except to trap errors in our virtual
hosts. I used c:\INetPub\Apache Root\BaseSite
Public site - This is the publicly accessible site.  I chose
c:\INetPub\Apache Root\Public
Secure Site - Here is your secure site.  I used C:\INetPub\Apache
Root\Secure
*	Create a "html" directory under each web site's directory.  This
will hold the local site.  Put a basic HTML file into each html directory,
named index.html, that makes it easy to see which one you've hit.  I used
something simple, replacing the word "Base" with
"Public" and "Secure" as appropriate...
<HTML>
<BODY>
Base Index
</BODY>
</HTML>
*	(Optional) if you think you might want to run scripts on either site
(again, not proxied, but locally), either create one central cgi-bin
directory, or one for each site.  If you don't know what I'm talking about,
"fahghet about it..."
*	Open up SERVERROOT\conf\httpd.conf

*	Change "ServerRoot" to reflect the path you chose to install
Apache to, using Unix Style path notation. Here is mine:
ServerRoot "C:/Program Files/Apache Group/Apache2"
*	Change the ServerAdmin line to a real email address, to meet the RFCs
*	Leave ServerName set to localhost:80.  We are going to use Name Based
Virtual Hosts, so we don't care about the "base" name or address.
*	Change DocumentRoot to point to the html directory under your base site
directory.  Again, not to be used normally, but if you see the pages in
this folder, you know something is set up wrong.  I used:
DocumentRoot "c:/INetPub/Apache Root/BaseSite/html"
*	Look for this line, just a few lines below DocumentRoot:
# This should be changed to whatever you set DocumentRoot to.
Change the "<Document" line that follows it to reflect your
DocumentRoot above.
*	Find and remove the pound sign from the beginning of this line, almost at
the end of the file:
#Include conf/extra/httpd-vhosts.conf
*	Find the section of modules, close to the top of the file.  Uncomment the
following list of Modules

*	LoadModule headers_module modules/mod_headers.so
*	LoadModule proxy_module modules/mod_proxy.so
*	LoadModule proxy_http_module modules/mod_proxy_http.so
*	LoadModule rewrite_module modules/mod_rewrite.so

*	Add the following module definition at the bottom of the list of modules:
LoadModule proxy_html_module modules/mod_proxy_html/mod_proxy_html.so
*	Close and Save the httpd.conf file

*	Open up SERVERROOT\conf\extra\httpd-vhosts.conf

*	Comment out the virtual hosts that are there by default... put a pound
sign as the first character in each line.
*	Create just the public site for now... add this code:
<VirtualHost *:80>
#Document Root should point to your public html directory that you created above...
DocumentRoot "C:/Inetpub/Apache Root/public/html"
#ServerName should be the DNS name of the public site.
ServerName www.sitename.com
#(Optional) remove this line if you don't need scripts... I do.
ScriptAlias /cgi-bin/ "C:/Inetpub/Apache Root/public/cgi-bin/"
</VirtualHost>
*	Close and Save the httpd-vhosts.conf file.

*	Open a command prompt, and navigate to SERVERROOT\bin.
*	At the command prompt, type "httpd -S" to verify the config
files.  Assuming that you get no error messages...
*	At the command prompt, type "httpd" to start up apache.
*	If you do not have access to your own DNS servers, or if the public name
that you used above does not route to the IP address of the machine that
you are working on, you will have to modify your hosts file so that
www.sitename.com will resolve to your IP
address.  This is a great test, and necessary, because if we try to browse
via IP address, our name-based virtual host won't work...

*	Open up %systemroot%\system32\drivers\etc\hosts in a text editor
*	Add the following lines, replacing the dummy IP address below with the IP
address of the machine apache is installed on.
123.456.789.123 www.sitename.com
123.456.789.123 secure.sitename.com
*	Save the file.

*	Fire up a web browser, and navigate to http://123.456.789.123
(use your own IP) and you should see your base page.
*	Fire up a web browser, and navigate to http://www.sitename.com (use your
own name) and you should see your public page.
*	Assuming that all worked, hit ctrl-c in the command prompt window to stop
the apache server.
*	Next, we create the password file for the secure site...

*	Assuming that you still have the command prompt open, in the apache bin
directory, execute the following command, replacing "username"
with the username that you want to be valid at the secure site:
htpasswd -c .htpasswd username
*	Provide a password when prompted.
*	Move .htpasswd from the bin directory to the directory that you chose for
your secure site.  Don't put it into the HTML directory, but in the root of
the secure directory.

*	Open back up the SERVERROOT\conf\extra\httpd-vhosts.conf file.
*	Below the public site, we'll create the secure virtual host.  Here is
mine, with comments explaining what each thing does:
<VirtualHost *:80>
DocumentRoot "C:/Inetpub/Apache Root/Secure/html"
ServerName secure.sitename.com
#(Optional) for scripts...
ScriptAlias /cgi-bin/ "C:/Inetpub/Apache Root/Secure/cgi-bin/"

#Set Up Directory Security
<Directory />
AuthName "only for registered users"
AuthType Basic
AuthUserFile "C:/Inetpub/Apache Root/Secure/.htpasswd"
<Limit GET>
require valid-user
</Limit>
</Directory>

#Turn on the ReWrite Engine, to help with redirections that proxy doesn't catch
RewriteEngine on
RewriteLog "c:/INetPub/Apache Root/Rewrite.log"
#While debugging, set the LogLevel high.  But NOT IN PRODUCTION!!
RewriteLogLevel 9

#Convert all URL's to Lower Case
Rewritemap lowercase int:tolower
RewriteCond $1 [A-Z]
RewriteRule ^/(.*)$ /${lowercase:$1} [R=301,L]

#xAP Intranet App refresh fix... since xAP applications refresh to
# /index.xsp, and do so with a window.location javascript command
# (which unfortunately doesn't send a referrer value, so it's impossible
# to tell which Intranet App is refreshing.)  You must choose one, and
# all of them will refresh to that page.  I don't see another option.
#
# Set the RewriteRule to the page that you want
RewriteCond     %{REQUEST_URI}  ^/index.xsp$
RewriteRule     /       /switchboard/index.xsp [R=301,L]

#Background images in tables, and style sheet URLS, can't be proxied
#  correctly.  We need to rewrite those URLs...
#
#  xAP Switchboard background fix
RewriteCond     %{HTTP_REFERER} switchboard
RewriteCond     %{REQUEST_URI}  ^/images/(.*)
RewriteRule     ^/images/(.*)   /switchboard/images/$1 [R=301,L]

#xAP News background fix
RewriteCond     %{HTTP_REFERER} news
RewriteCond     %{REQUEST_URI}  ^/images/(.*)
RewriteRule     ^/images/(.*)   /news/images/$1 [R=301,L]

#Turn Off "Forward" proxying... we want to reverse proxy, not be a bounce
#  off site for hackers and spammers...
ProxyRequests off

#Proxy to the TiVo
# This is easy, because TivoWeb provides a setting which tacks a directory to
#  the front of each URL automatically...  Change the IP as necessary...
ProxyPass       /tivo   http://192.168.64.251
<Location /tivo/>
ProxyPassReverse        /
</Location>

#Proxy to Switchboard
ProxyPass       /switchboard    http://192.168.64.2:52340
#Remap all URLs from the IP:PORT of switchboard to /switchboard
#  This takes care of ABSOLUTE URLs.
ProxyHTMLURLMap http://192.168.64.2:52340       /switchboard
<Location /switchboard>
# ProxyPassReverse takes care of meta-tags.  Switchboard doesn't have them,
# but it is bad form to not include them...
ProxyPassReverse        /
# Turn on the URLMap Filters, to re-write URLs
SetOutputFilter proxy-html
# Links to deletelog.gif start with 'web/' instead of '/web/'
# This rule catches and re-writes them
ProxyHTMLURLMap web     /switchboard/web
# This rule is to catch everything else
ProxyHTMLURLMap /       /switchboard/
# and This Rule is to stop us from recursively re-writing the links multiple times
ProxyHTMLURLMap /switchboard    /switchboard
#Disable compressed HTML
RequestHeader   unset   Accept-Encoding
</Location>

#Proxy to news
ProxyPass       /news   http://192.168.64.2:54000
#Remap all URLs from the IP:PORT of switchboard to /news
#  This takes care of ABSOLUTE URLs.
ProxyHTMLURLMap http://192.168.64.2:54000       /news
<Location /news>
# ProxyPassReverse takes care of meta-tags.  Switchboard doesn't have them,
# but it is bad form to not include them...
ProxyPassReverse        /
# Turn on the URLMap Filters, to re-write URLs
SetOutputFilter proxy-html
# Not sure if anything else doesn't have the leading slash.
# This rule catches and re-writes them
ProxyHTMLURLMap web     /news/web
# This rule is to catch everything else
ProxyHTMLURLMap /       /news/
# and This Rule is to stop us from recursively re-writing the links multiple times
ProxyHTMLURLMap /news   /news
#Disable compressed HTML
RequestHeader   unset   Accept-Encoding
</Location>

</VirtualHost>
*	Once again, run "httpd -S" to verify that you've got it right.
*	Assuming so, run httpd with no switches, to start the server
*	Navigate to http://secure.sitename.com/tivo for the tivo
*	Navigate to http://secure.sitename.com/switchboard for switchboard
*	Navigate to http://secure.sitename.com/news for the news
*	To install httpd as a service, run "httpd -k install" and it
will create a Windows Service to run under.


I hope this helps... sorry for the long winded description, but I know I'll
be glad it's here in 5 years when my existing server goes t!ts up and I
have to start over...

Glenn Sullivan, MCSE+I MCDBA
David Clark Company Inc.
-----Original Message-----
From: xap_automation@xxxxxxx [mailto:xap_automation@xxxxxxx] On Behalf Of James
Sent: Wednesday, April 12, 2006 3:34 PM
To: xap_automation@xxxxxxx
Subject: Re: [xap_automation] xAP Intranet Behind a Reverse Proxy...

Hi,

Have to say I've never tried this with an intranet app. I do remember once
trying an apache reverse proxy and I'm sure I just used the usual mod_proxy
but I do remember having to set ProxyPass and ProxyPassReverse for it to
work right.

Currently the web ports are preset and not changeable but I'll add a config
option for it. I might well also allow it to just use random port if it
can't bind as all the intranet apps will re-link to whatever the port
(although if setting up a reverse proxy that won't be useful at all)

I'll be very interested to know how you get on

James

Sullivan, Glenn wrote:
> I figured out what I believe will be a solution... Apache has a module
> called MOD_PROXY_HTML which can rewrite a page's hyperlinks so that
> they resolve correctly.
>
> I'm downloading the source now... I'll report how I get on.
>
> How does an Intranet App pick its web port?  I may have to write a
> xAP module for apache to change them dynamically...
>
>
> Glenn Sullivan, MCSE+I MCDBA
> David Clark Company Inc.
> -----Original Message-----
> From: xap_automation@xxxxxxx
> [mailto:xap_automation@xxxxxxx] On Behalf Of Sullivan, Glenn
> Sent: Monday, April 10, 2006 9:09 AM
> To: xap_automation@xxxxxxx
> Subject: [xap_automation] xAP Intranet Behind a Reverse Proxy...
>
> Is there any facility for setting the BASEREF of xAP Intranet pages?
>
> I have recently set up an Apache Server to reverse proxy all of my
> internal services out to the real world.  I have tried to proxy
> through the Switchboard page, but all of the URL's are absolute, and
> not relative.
>
> I get the HTML of the page, but all of the links and images are
> broken...
>
> If not, I can set up another virtual site, and link to it.  I was just
> trying to make it as simple as possible, like TivoWeb is...
>
> TIA,
>
> Glenn Sullivan, MCSE+I MCDBA
> David Clark Company Inc.