Fronting Application Servers with Apache HTTPd (Reverse-Proxying)

When you develop a web application on Tomcat, JBoss, Spring, Play Framework, or any other application server, it is always a good idea to protect the actual application server (or servers) with a fronting server that simply acts as an HTTP/S proxy. This not only provides an extra layer of security, it can also enable other things such as load-balancing.

Here I’ll show how you can achieve this using the Apache HTTPd server (version 2 or higher).

Apache HTTPd 2 configuration

  • Edit the httpd.conf file in APACHE_HOME/conf/httpd.conf
  • Uncomment or add the required modules:
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
    LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
    LoadModule proxy_connect_module modules/mod_proxy_connect.so
    LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    • mod_proxy: The core module; it provides the proxy infrastructure and configuration and manages proxy requests.
    • mod_proxy_ajp: This handles the AJP protocol for Tomcat and similar backend servers.
    • mod_proxy_balancer: This implements clustering and load-balancing over multiple backends.
    • mod_proxy_connect: This handles the CONNECT method for secure (SSL) tunneling.
    • mod_proxy_ftp: This handles fetching documents with FTP.
    • mod_proxy_http: This handles fetching documents with HTTP and HTTPS.
    The ProxyPass examples below only exercise mod_proxy and mod_proxy_http; any module you do not use can stay commented out.
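  • Add the reverse-proxy configuration:
    ProxyReceiveBufferSize 16384
    
    # Reverse proxying only needs ProxyPass/ProxyPassReverse. Keep forward
    # proxying off: "ProxyRequests On" together with an open <Proxy *> block
    # turns the server into an open proxy.
    ProxyRequests Off
    ProxyVia On
    ProxyPreserveHost On
    
    # Apache 2.2 access syntax; on 2.4 use "Require all granted" instead
    # (or load mod_access_compat).
    <Proxy *>
    	Order deny,allow
    	Allow from all
    </Proxy>
    
    ProxyPass /uploadmethods/form http://localhost:8080/uploadmethods/form
    ProxyPassReverse /uploadmethods/form http://localhost:8080/uploadmethods/form

    The above configuration forwards all traffic that hits http://host:80/uploadmethods/form to the back-end server at http://localhost:8080/uploadmethods/form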

     

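  • Similarly, for HTTPS edit APACHE_HOME/conf/extra/httpd-ssl.conf and add:
    # SSLProxyEngine enables TLS towards the back end. The back-end
    # certificate is not verified unless SSLProxyVerify and
    # SSLProxyCACertificateFile are also configured.
    SSLProxyEngine On
    
    ProxyPass /uploadmethods/sslform https://ornlvm.s.vrco:8443/uploadmethods/sslform
    ProxyPassReverse /uploadmethods/sslform https://ornlvm.s.vrco:8443/uploadmethods/sslform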
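
A quick audit for the proxy directives discussed above, as an added example (not code from the original post): it flags a configuration where ProxyRequests is On, which enables forward proxying and, combined with an unrestricted <Proxy *> block, leaves an open proxy, and it reports any ProxyPass without a matching ProxyPassReverse. The sample configurations, the /app path and the name audit_proxy_conf are constructed for illustration, and the script treats the text as a single scope (no VirtualHost or Include handling).

```python
# Constructed sample configurations (not taken from the page).
OPEN_PROXY = """\
ProxyRequests On
<Proxy *>
    Allow from all
</Proxy>
ProxyPass /app http://localhost:8080/app
"""
REVERSE_ONLY = """\
proxyrequests off
<Proxy *>
    Require all granted
</Proxy>
ProxyPass /app http://localhost:8080/app
ProxyPassReverse /app http://localhost:8080/app
"""
OPEN_ACL = (("allow", ["from", "all"]), ("require", ["all", "granted"]))

def audit_proxy_conf(text):
    """Return findings for one httpd configuration text (single scope)."""
    forward = False            # ProxyRequests defaults to Off
    in_any = open_acl = False  # inside <Proxy *> / access granted to everyone
    passes, reverses = set(), set()
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        name = words[0].lower()  # directive names are case-insensitive
        args = [w.lower() for w in words[1:]]
        if name == "<proxy":
            in_any = args[:1] in (["*>"], ['"*">'])
        elif name == "</proxy>":
            in_any = False
        elif name == "proxyrequests" and args:
            forward = args[0] == "on"  # a later line overrides an earlier one
        elif in_any and (name, args) in OPEN_ACL:
            open_acl = True
        elif name == "proxypass" and len(words) >= 3 and words[2] != "!":
            passes.add(words[1])
        elif name == "proxypassreverse" and len(words) >= 3:
            reverses.add(words[1])
    mode = "open-forward-proxy" if open_acl else "forward-proxy-enabled"
    findings = [mode] if forward else []
    # Without ProxyPassReverse, backend redirects expose the internal address.
    findings += ["missing-proxypassreverse:" + p for p in sorted(passes - reverses)]
    return findings

if __name__ == "__main__":
    print(audit_proxy_conf(OPEN_PROXY), audit_proxy_conf(REVERSE_ONLY))
```

An empty list means neither condition was found in the text that was checked.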

If the back end is Tomcat or another J2EE container, make sure web.xml declares the matching transport guarantee for each path:

<web-app ... >
    ...
    <!-- Plain HTTP path: no transport requirement -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Public Access</web-resource-name>
            <url-pattern>/uploadmethods/form/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>NONE</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    ...
    <!-- HTTPS path: the container only serves it over a secure connection -->
    <security-constraint>
        <web-resource-collection>
            <web-resource-name>Confidential Access</web-resource-name>
            <url-pattern>/uploadmethods/sslform/*</url-pattern>
        </web-resource-collection>
        <user-data-constraint>
            <transport-guarantee>CONFIDENTIAL</transport-guarantee>
        </user-data-constraint>
    </security-constraint>
    ...
</web-app>
About CrazyPenguin

Software Engineer