Web Policy Agents 2023.3

Configure Apache HTTP Server as a reverse proxy

This section contains an example configuration of Apache as a reverse proxy between AM and Web Agent. You can use any reverse proxy that supports the WebSocket protocol.

Simplified diagram showing a reverse proxy configuration between AM and the agent.
Figure 1. Reverse proxy configured between the agent and AM

For information about how to configure Apache for load balancing, and other requirements for your environment, refer to the Apache documentation.

  1. Locate the httpd.conf file in your deployed reverse proxy instance.

  2. Add the modules required for a proxy configuration, as follows:

    # Modules required for proxy
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so

    The mod_proxy_wstunnel.so module is required to support the WebSocket protocol used for communication between AM and the agents.

  3. Add the proxy configuration inside the VirtualHost context. Consider the following directives:

    <VirtualHost 192.168.1.1>
    ...
    # Proxy Config
    RequestHeader set X-Forwarded-Proto "https" (1)
    ProxyPass "/openam/notifications" "ws://am.example.com:8080/am/notifications" Upgrade=websocket (2)
    ProxyPass "/openam" "http://am.example.com:8080/am" (3)
    ProxyPassReverseCookieDomain "openam.internal.example.com" "proxy.example.com" (4)
    ProxyPassReverse "/openam" "http://am.example.com:8080/am" (5)
    ...
    </VirtualHost>

    (1) RequestHeader: Set to https or http, depending on the proxy configuration. If the proxy is configured for https, as in the above example, set to https. Otherwise, set http. In a later step, you configure AM to recognize the forwarded header and use it in the goto parameter for redirecting back to the agent after authentication.

    (2) ProxyPass: Set to allow WebSocket traffic between AM and the agent. If HTTPS is configured between the proxy and AM, set to use the wss protocol instead of ws.

    (3) ProxyPass: Set to allow HTTP traffic between AM and the agent.

    (4) ProxyPassReverseCookieDomain: Set to rewrite the domain string in `Set-Cookie`headers in the format internal domain (AM’s domain) public domain (proxy’s domain).

    (5) ProxyPassReverse: Set to the same value configured for the ProxyPass directive.

    For more information about configuring Apache as a reverse proxy, refer to the Apache documentation.

  4. Restart the reverse proxy instance.

  5. Configure AM to recover the forwarded header you configured in the reverse proxy. Also, review other configurations that may be required in an environment that uses reverse proxies. For more information, refer to Regarding communication between AM and agents

Copyright © 2010-2023 ForgeRock, all rights reserved.