[Message Prev][Message
Next][Thread Prev][Thread Next][Message
Index][Thread Index]
RE: xAP Intranet Behind a Reverse Proxy...
- Subject: RE: xAP Intranet Behind a Reverse Proxy...
- From: "Sullivan, Glenn" <gsullivan@xxxxxxxxxxxxxx>
- Date: Mon, 17 Apr 2006 07:35:03 -0400
"Do you know of a similar JavaScript function that would help out
here?"
Unfortunately, after a bit of research, it looks like all refresh
functions (META REFRESH, and all of the JavaScript commands I looked
into) don't pass a referrer. The only real solution that I see is to
have the redirect navigate to
http://<IPAddress>:<Port>/index.xsp, and
then the Rewrite Module could direct it properly with the absolute rule:
ProxyHTMLURLMap http://192.168.64.2:52340
/switchboard
"Is this because of how the Intranet sites display the graphics or a
limitation in the apache module?"
A limitation in the apache module. It only handles HREF remapping, so
the tags with Background=ImageName.jpg do not get rewritten.
"Also do you mind if I copy this how-to in to the mi4 guides
section?"
Not at all. But make sure you incorporate the two "whoops, forgot
something" emails I sent after the fact...
I was going to suggest that you provide a facility (like TiVoWebPlus)
for someone to specify the subdirectory that a given intranet site was
being proxied too, but now I don't think that's a good idea. It would
break the intranet model, and the interoperability between modules, and
you'd need to access the site only through the reverse proxy, not
directly. By doing it this way, you can do either.
I may actually go through the effort to figure out how to turn off
TiVo's built in feature, and proxy to it with the URL ReWrite module, so
that the TiVo works when accessed directly too, instead of just through
the proxy.
Glad I could help,
Glenn Sullivan, MCSE+I MCDBA
David Clark Company Inc.
-----Original Message-----
From: xap_automation@xxxxxxx
[mailto:xap_automation@xxxxxxx] On
Behalf Of James
Sent: Saturday, April 15, 2006 2:05 PM
To: xap_automation@xxxxxxx
Subject: Re: [xap_automation] xAP Intranet Behind a Reverse Proxy...
Hi,
Thanks for all the info.Couple of questions though:
_" #xAP Intranet App refresh fix... since xAP applications refresh to
# /index.xsp, and do so with a window.location javascript command
# (which unfortunately doesn't send a referrer value, so it's impossible
# to tell which Intranet App is refreshing.) "
Do you know of a similar javscript function that would help out here?
__ #Background images in tables, and style sheet URLS, can't be proxied
# correctly. We need to rewrite those URLs...
Is this because of how the Intranet sites display the graphics or a
limitation in the apache module?
__Also do you mind if I copy this how-to in to the mi4 guides section?
Many thanks
James
_Sullivan, Glenn wrote:
>
> Here we go... I got it all working, on a windows box. I'm going to
> write this as if you are starting from scratch... I was.
>
> What I wanted was two sites: One for public content, and one that was
> secure. And "subdirectories" on the secure site proxying to
my TiVo,
> etc...
>
> First, stop IIS by stopping the IISAdmin Service. If you're savvy
> enough, you can just change the ports it runs on, and then proxy to
> that server too, but for now, get it out of the way.
>
> I started with out Apache 2, but couldn't find a binary compile of the
> mod_proxy_html module, which I needed to make this work. So I switched
> to Apache 2.2...
>
> * Download and extract the Binary Build of Apache 2.2 from
> apachelounge.com. You'll need to register with the site to get
> it, but it's free.
> I chose to extract to c:\Program Files\Apache Group\Apache2,
> since that's where Apache 2 (I renamed the old directory
first...)
> was installed. We'll call this "SERVERROOT
> _http://www.apachelounge.com/download/_
> * _Download The Binary Build of mod_proxy_html from the same
site._
> * _Create the folder SERVERROOT\modules\mod_proxy_html and extract
> three file from the mod_proxy_html package into it:_
> o _mod_proxy_html.so_
> o _Microsoft.VC80.CRT.manifest_
> o _msvcr80.dll_
> * _Go to: _
> _http://www.zlatkovic.com/pub/libxml/__
and download:_
> o _libxml2-2.6.23+.win32.zip
> Extract libxml2.dll from the bin directory in the zip file
> to SERVERROOT\bin_
> o _iconv-1.9.1.win32.zip
> Extract iconv.dll from the bin directory in the zip file
> to SERVERROOT\bin_
> o _zlib-1.2.3.win32.zip
> Extract zlib1.dll and minigzip.exe from the bin directory
> in the zip file to SERVERROOT\bin_
> * _Create 3 locations to hold the Local web files... i.e., not the
> proxied stuff, but the actual sites.
> Base Site - We won't be using this, except to trap errors in our
> virtual hosts. I used c:\INetPub\Apache Root\BaseSite
> Public site - This is the publicly accessible site. I chose
> c:\INetPub\Apache Root\Public
> Secure Site - Here is your secure site. I used C:\INetPub\Apache
> Root\Secure_
> * _Create a "html" directory under each web sites
directory. This
> will hold the local site. Put a basic HTML file into each html
> directory, named index.html, that make it easy to see which one
> you've hit. I used something simple, replacing the work
"Base"
> with "Public" and "Secure" as appropriate...
> <HTML>
> <BODY>
> Base Index
> </BODY>
> </HTML>_
> * _(Optional) if you think you might want to run scripts on either
> site (again, not proxied, but locally), either create one
> central cgi-bin directory, or one for each site. If you don't
> know what I'm talking about, "fahghet about it..."_
> * _Open up SERVERROOT\conf\httd.conf_
> o _Change "ServerRoot" to reflect the path you
chose to
> install Apache to, using Unix Style path notation. Here is
> mine:
> ServerRoot "C:/Program Files/Apache
Group/Apache2"_
> o _Change the ServerAdmin line to a real email address, to
> meet the RFCs_
> o _Leave ServerName set to localhost:80. We are going to use
> Name Based Virtual Hosts, so we don't care about the
> "base" name or address._
> o _Change DocumentRoot to point to the html directory under
> your base site directory. Again, not to be used normally,
> but if you see the pages in this folder, you know
> something is set up wrong. I used:
> DocumentRoot "c:/INetPub/Apache
Root/BaseSite/html"_
> o _Look for this line, just a few lines below DocumentRoot:
> # This should be changed to whatever you set DocumentRoot
to.
> Change the "<Document" line that follows it
to reflect
> your DocumentRoot above._
> o _Find a remove the pound sign from the beginning of this
> line, almost at the end of the file:
> #Include conf/extra/httpd-vhosts.conf_
> o _Find the section of modules, close to the top of the
> file. Uncomment the following list of Modules_
> + _LoadModule headers_module modules/mod_headers.so_
> + _LoadModule proxy_module modules/mod_proxy.so_
> + _LoadModule proxy_http_module
modules/mod_proxy_http.so_
> + _LoadModule rewrite_module modules/mod_rewrite.so_
> o _Add the following module definition at the bottom of the
> list of modules:
> LoadModule proxy_html_module
> modules/mod_proxy_html/mod_proxy_html.so_
> o _Close and Save the httpd.conf file_
> * _Open up SERVERROOT\conf\extra\httpd-vhosts.conf_
> o _Comment out the virtual hosts that are there by
default...
> put a pound sign as the first character in each line._
> o _Create just the public site for now... add this code:
> <VirtualHost *:80>
> #Document Root should point to your public html directory
> that you create above...
> DocumentRoot "C:/Inetpub/Apache
Root/public/html"
> #ServerName should be the DNS name of the public site.
> ServerName _
> _www.sitename.com_ <file://www.sitename.com>_
> #(Optional) remove this line if you don't need scripts...
I do.
> ScriptAlias cgi-bin "C:/Inetpub/Apache
Root/public/cgi-bin"
> o </VirtualHost>_ _Close and Save the
httpd-vhosts.conf
file._
> * _Open a command prompt, and navigate to SERVERROOt\bin._
> * _At the command prompt, type "httpd -S" to verify the
config
> files. Assuming that you get no error messages..._
> * _At the command prompt, type "httpd" to start up
apache._
> * _If you do not have access to your own DNS servers, or if the
> public name that you used above does not route to the IP address
> of the machine that you are working on, you will have to modify
> your hosts file so that _
> _www.sitename.com_ <file://www.sitename.com>_ will resolve
to
> your IP address. This is a great test, and necessary, because if
> we try to browse via IP address, our name base virtual host
> won't work..._
> o _Open up %systemroot%\system32\drivers\etc\hosts in a text
> editor_
> o _Add the following lines, replacing the dummy IP address
> below with the IP address of the machine apache is
> installed on.
> 123.456.789.123 _
> _www.sitename.com_ <file://www.sitename.com>_
> o 123.456.789.123 secure.sitename.com_ _Save the file._
> * _Fire up a web browser, and navigate to _
> *MailScanner warning: numerical links are often malicious:*
> _http://123.456.789.123__ (use your own
IP) and you should see
> * your base page._ _Fire up a web browser, and navigate to _
> _http://www.sitename.com__ (use your
own name) and you should
> * see your public page._ _Assuming that all worked, hit ctrl-c in
> the command prompt window to stop the apache server._
> * _Next, we create the password file for the secure site..._
> o _Assuming that you still have the command prompt open, in
> the apache bin directory, execute the following command,
> replacing "username" with the username that you
want to be
> valid at the secure site:
> htpasswd -c .htpasswd username_
> o _Provide a password when prompted._
> o _Move .htpasswd from the bin directory to the directory
> that you chose for your secure site. Don't put it into the
> HTML directory, but in the root of the secure directory._
> * _Open back up the SERVERROOT\conf\extra\httpd-vhosts.conf file._
> * _Below the public site, we'll create the secure virtual host.
> Here is mine, with comments explaining what each thing does:
> <VirtualHost *:80>
> DocumentRoot "C:/Inetpub/Apache Root/Secure/html"
> ServerName secure.sitename.com
> #(Optional) for scripts...
> ScriptAlias cgi-bin "C:/Inetpub/Apache
Root/Secure/cgi-bin"
>
> #Set Up Directory Security
> <Directory />
> AuthName "only for registered users"
> AuthType Basic
> AuthUserFile "C:/Inetpub/Apache Root/Secure/.htpasswd"
> <Limit GET>
> require valid-user
> </Limit>
> </Directory>
>
> #Turn on the ReWrite Engine, to help with redirections that
> proxy doesn't catch
> RewriteEngine on
> RewriteLog "c:/INetPub/Apache Root/Rewrite.log"
> #While debugging, set the LogLevel high. But NOT IN PRODUCTION!!
> RewriteLogLevel 9
>
> #Convert all URL's to Lower Case
> Rewritemap lowercase int:tolower
> RewriteCond $1 [A-Z]
> RewriteRule ^/(.*)$ /${lowercase:$1} [R=301,L]
>
> #xAP Intranet App refresh fix... since xAP applications refresh
to
> # /index.xsp, and do so with a window.location javascript
command
> # (which unfortunately doesn't send a referrer value, so it's
> impossible
> # to tell which Intranet App is refreshing.) You must choose
> one, and
> # all of them will refresh to that page. I don't see another
option.
> #
> # Set the RewriteRule to the page that you want
> RewriteCond %{REQUEST_URI} ^/index.xsp$
> RewriteRule / /switchboard/index.xsp [R=301,L]
>
> #Background images in tables, and style sheet URLS, can't be
proxied
> # correctly. We need to rewrite those URLs...
> #
> # xAP Switchboard background fix
> RewriteCond %{HTTP_REFERER} switchboard
> RewriteCond %{REQUEST_URI} ^/images/(.*)
> RewriteRule ^/images/(.*) /switchboard/images/$1 [R=301,L]
>
> #xAP News background fix
> RewriteCond %{HTTP_REFERER} news
> RewriteCond %{REQUEST_URI} ^/images/(.*)
> RewriteRule ^/images/(.*) /news/images/$1 [R=301,L]
>
> #Turn Off "Forward" proxying... we want to reverse
proxy, not be
a
> bounce
> # off site for hackers and spammers...
> ProxyRequests off
>
> #Proxy to the TiVo
> # This is easy, because TivoWeb provides a setting which tacks a
> directory to
> # the front of each URL automatically... Change the IP as
necessary...
> ProxyPass /tivo _
> *MailScanner warning: numerical links are often malicious:*
> _http://192.168.64.251__
> <Location /tivo/>
> ProxyPassReverse /
> </Location>
>
> #Proxy to Switchboard
> ProxyPass /switchboard _*MailScanner warning: numerical links
> are often malicious:* _http://192.168.64.2:52340__
> #Remap all URLs from the IP:PORT of switchboard to /switchboard
> # This takes care of ABSOLUTE URLs.
> ProxyHTMLURLMap _*MailScanner warning: numerical links are often
> malicious:* _http://192.168.64.2:52340__
/switchboard
> <Location /switchboard>
> # ProxyPassReverse takes care of meta-tags. Switchboard doesn't
> have them,
> # but it is bad form to not include them...
> ProxyPassReverse /
> # Turn on the URLMap Filters, to re-write URLs
> SetOutputFilter proxy-html
> # Links to deletelog.gif start with 'web/' instead of '/web/'
> # This rule catches and re-writes them
> ProxyHTMLURLMap web /switchboard/web
> # This rule is to catch everything else
> ProxyHTMLURLMap / /switchboard/
> # and This Rule is to stop us from recursively re-writing the
> links multiple times
> ProxyHTMLURLMap /switchboard /switchboard
> #Disable compressed HTML
> RequestHeader unset Accept-Encoding
> </Location>
>
> #Proxy to news
> ProxyPass /news _*MailScanner warning: numerical links are often
> malicious:* _http://192.168.64.2:54000__
> #Remap all URLs from the IP:PORT of switchboard to /news
> # This takes care of ABSOLUTE URLs.
> ProxyHTMLURLMap _*MailScanner warning: numerical links are often
> malicious:* _http://192.168.64.2:54000__ /news
> <Location /news>
> # ProxyPassReverse takes care of meta-tags. Switchboard doesn't
> have them,
> # but it is bad form to not include them...
> ProxyPassReverse /
> # Turn on the URLMap Filters, to re-write URLs
> SetOutputFilter proxy-html
> # Not sure if anything else doesn't have the leading slash.
> # This rule catches and re-writes them
> ProxyHTMLURLMap web /news/web
> # This rule is to catch everything else
> ProxyHTMLURLMap / /news/
> # and This Rule is to stop us from recursively re-writing the
> links multiple times
> ProxyHTMLURLMap /news /news
> #Disable compressed HTML
> RequestHeader unset Accept-Encoding
> </Location>
>
> * </VirtualHost>_ _Once again, run "httpd -S" to
verify that
> you've got it right._
> * _Assuming so, run httpd with no switches, to start the server_
> * _Navigate to _
> * _http://secure.sitename.com/tivo__
for the tivo_ _Navigate to _
> * _http://secure.sitename.com/switchboard__
for switchboard_
> _Navigate to _
> * _http://secure.sitename.com/news__
for the news_ _To install
> httd as a service, run "httpd -k install" and it will
create a
> Windows Service to run under._
> _
> _
>
> _I hope this helps... sorry for the long winded description, but I
know
> I'll be glad it's here in 5 years when my existing server goes t!ts up
> and I have to start over..._
>
> _Glenn Sullivan, MCSE+I MCDBA_ _
> David Clark Company Inc.
> -----Original Message-----
> From: xap_automation@xxxxxxx
> [__mailto:xap_automation@xxxxxxx__]
On Behalf Of James_ _
> Sent: Wednesday, April 12, 2006 3:34 PM
> To: xap_automation@xxxxxxx
> Subject: Re: [xap_automation] xAP Intranet Behind a Reverse Proxy... _
>
> _Hi,_
>
> _Have to say i've never tried this with an inrtanet app. I do remember
> once trying an apache reverse proxy and i'm sure i just used the usual
> mod_proxy but i do remember having to set ProxyPass and
> ProxyPassReverse for it to work right._
>
> _Currently the web ports are preset and not changable but i'll add a
> config option for it. I might well also allow it to just use random
> port if it can't bind as all the intranet apps will re-link to
> whatever the port ( although if setting up a reverse proxy that won't
> be useful at all)_
>
> _I'll be very interested to know how you get on_
>
> _James_
>
> _Sullivan, Glenn wrote:_ _
> > I figured out what I believe will be a solution... Apache has a
module
> > called MOD_PROXY_HTML which can rewrite a page's hyperlinks so
that
> > they resolve correctly.
> >
> > I'm downloading the source now... I'll report how I get on.
> >
> > How does an Intranet App pick it's web port? I may have to write
a
> > xAP module for apache to change them dynamically...
> >
> >
> > Glenn Sullivan, MCSE+I MCDBA
> > David Clark Company Inc.
> > -----Original Message-----
> > From: xap_automation@xxxxxxx
> > [__mailto:xap_automation@xxxxxxx__]
On Behalf Of Sullivan,
> Glenn_ _
> > Sent: Monday, April 10, 2006 9:09 AM
> > To: xap_automation@xxxxxxx
> > Subject: [xap_automation] xAP Intranet Behind a Reverse Proxy...
> >
> > Is there any facility for setting the BASEREF of xAP Intranet
pages?
> >
> > I have recently set up an Apache Server to reverse proxy all of
my
> > internal services out to the real world. I have tried to proxy
> > through the Switchboard page, but all of the URL's are absolute,
and
> > not relative.
> >
> > I get the HTML of the page, but all of the links and images are
> > broken...
> >
> > If not, I can set up another virtual site, and link to it. I was
just
> > trying to make it as simple as possible, like TivoWeb is...
> >
> > TIA,
> >
> > Glenn Sullivan, MCSE+I MCDBA
> > David Clark Company Inc.
> >
> >
> >
> > Yahoo! Groups Links
> >
> >
> >
> >
> >
> >
> >
> >
> >
> >
> > Yahoo! Groups Links
> >
> >
> >
> >
> >
> >
> >
> > _
>
> _
>
> _
>
> _ _ _
> Yahoo! Groups Links _
>
>
>
> _
>
> _
> _ _
> _
> _ _
>
------------------------------------------------------------------------
> _ YAHOO! GROUPS LINKS _
> _
> _
>
> * _ Visit your group "xap_automation
> <http://groups.yahoo.com/group/xap_automation>"
on the web.
> * To unsubscribe from this group, send an email to:
> xap_automation-unsubscribe@xxxxxxx
>
<mailto:xap_automation-unsubscribe@xxxxxxx?subject=Unsubscribe>
> * Your use of Yahoo! Groups is subject to the Yahoo! Terms of
> Service <http://docs.yahoo.com/info/terms/>.
> _
>
> _
> _
> _ _
>
------------------------------------------------------------------------
> _
> _
xAP_Automation Main Index |
xAP_Automation Thread Index |
xAP_Automation Home |
Archives Home
|