Configure Apache HTTP Server as a reverse proxy
This section contains an example configuration of Apache as a reverse proxy between AM and Web Agent. You can use any reverse proxy that supports the WebSocket protocol.
For information about how to configure Apache for load balancing, and other requirements for your environment, refer to the Apache documentation.
-
Locate the
httpd.conf
file in your deployed reverse proxy instance. -
Add the modules required for a proxy configuration, as follows:
# Modules required for proxy LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.so LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
The
mod_proxy_wstunnel.so
module is required to support the WebSocket protocol used for communication between AM and the agents. -
Add the proxy configuration inside the
VirtualHost
context. Consider the following directives:<VirtualHost 192.168.1.1> ... # Proxy Config RequestHeader set X-Forwarded-Proto "https" (1) ProxyPass "/openam/notifications" "ws://am.example.com:8080/am/notifications" Upgrade=websocket (2) ProxyPass "/openam" "http://am.example.com:8080/am" (3) ProxyPassReverseCookieDomain "openam.internal.example.com" "proxy.example.com" (4) ProxyPassReverse "/openam" "http://am.example.com:8080/am" (5) ... </VirtualHost>
(1) RequestHeader: Set to
https
orhttp
, depending on the proxy configuration. If the proxy is configured for https, as in the above example, set tohttps
. Otherwise, sethttp
. In a later step, you configure AM to recognize the forwarded header and use it in thegoto
parameter for redirecting back to the agent after authentication.(2) ProxyPass: Set to allow WebSocket traffic between AM and the agent. If HTTPS is configured between the proxy and AM, set to use the
wss
protocol instead ofws
.(3) ProxyPass: Set to allow HTTP traffic between AM and the agent.
(4) ProxyPassReverseCookieDomain: Set to rewrite the domain string in `Set-Cookie`headers in the format internal domain (AM’s domain) public domain (proxy’s domain).
(5) ProxyPassReverse: Set to the same value configured for the
ProxyPass
directive.For more information about configuring Apache as a reverse proxy, refer to the Apache documentation.
-
Restart the reverse proxy instance.
-
Configure AM to recover the forwarded header you configured in the reverse proxy. Also, review other configurations that may be required in an environment that uses reverse proxies. For more information, refer to Regarding communication between AM and agents