Java Policy Agents 2023.3

Configure an Apache HTTP Server as a reverse proxy

This section provides an example of how to configure Apache as a reverse proxy between AM and the agent. You can use any reverse proxy that supports the WebSocket protocol.

Refer to the Apache documentation to configure Apache for load balancing and any other requirement for your environment.

Simplified image of a reverse proxy configuration between AM and the agent.
Figure 1. Reverse Proxy Configured Between the Agent and AM

Note that the communication protocol changes from HTTPS to HTTP.

Configure Apache as a Reverse Proxy Example
  1. In your deployed reverse proxy instance, locate the httpd.conf file.

  2. Add the following modules required for a proxy configuration:

    # Modules required for proxy
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so

    The mod_proxy_wstunnel.so module is required to support the WebSocket protocol used for notification between AM and the agents.

  3. Add the proxy configuration inside the VirtualHost context, and set the following directives:

    <VirtualHost 192.168.1.1>
    ...
    # Proxy Config
    RequestHeader set X-Forwarded-Proto "https" (1)
    ProxyPass "/am/notifications" "ws://am.example.com:8080/am/notifications"
    Upgrade=websocket (2)
    ProxyPass "/am" "http://am.example.com:8080/am" (3)
    ProxyPassReverseCookieDomain "am.internal.example.com" "proxy.example.com" (4)
    ProxyPassReverse "/am" "http://am.example.com:8080/am" (5)
    ...
    </VirtualHost>
    1 RequestHeader: If the proxy is configured for https, set to https. Otherwise, set to http. A later step configures AM to recognize the forwarded header and use it in the goto parameter, to redirect back to the Java Agent after authentication.
    2 ProxyPass: Allow WebSocket traffic between AM and the Java Agent. If HTTPS is configured between the proxy and AM, use wss instead of ws.
    3 ProxyPass: Allow HTTP traffic between AM and the agent.
    4 ProxyPassReverseCookieDomain: Rewrite the domain string of Set-Cookie headers in this format: internal domain (AM’s domain) public domain (proxy’s domain).
    5 ProxyPassReverse: Set to the same value configured for the ProxyPass directive.
  4. Restart the reverse proxy instance.

  5. Configure AM to recover the forwarded header configured in the reverse proxy. Also, review other configurations that may be required in an environment that uses reverse proxies. For more information, see Communication Between AM and Agents

Copyright © 2010-2023 ForgeRock, all rights reserved.