A reverse proxy is a type of proxy that hides the back-end servers from client applications.
According to the figure above, the origin servers are not exposed to the internet; only the reverse proxy is. The client knows only the reverse proxy's IP address, so it believes it is sending requests to the reverse proxy and knows nothing about the origin server. This architecture lets you avoid some attacks.
Today I'm going to configure an Apache HTTPD server (as the reverse proxy) in front of WSO2 Identity Server 5.0.
Please download WSO2 Identity Server 5.0 from here.
You can install the Apache HTTPD server using the commands below:
sudo apt-get update
sudo apt-get install apache2
Restart the newly installed Apache server:
sudo service apache2 restart
Apache is a modular server, which means only the most basic functionality is included in the core; you have to enable a few other required modules. Use the commands below:
sudo a2enmod proxy_http
sudo a2enmod ssl
sudo a2enmod proxy_balancer
Generate an RSA private key using the command below. This key is used in the signing process:
sudo openssl genrsa -out ca.key 1024
Generate a Certificate Signing Request (CSR):
sudo openssl req -new -key ca.key -out ca.csr
Generate a self-signed certificate:
sudo openssl x509 -req -days 365 -in ca.csr -signkey ca.key -out ca.crt
Create a new keystore with a private and public key pair:
keytool -genkey -keyalg RSA -alias wso2carbon -keystore wso2carbon.jks -storepass wso2carbon -validity 360 -keysize 2048
Export the certificate:
keytool -export -alias wso2carbon -keystore wso2carbon.jks -storepass wso2carbon -file wso2carbon.pem
Import the public certificate into client-truststore.jks:
keytool -import -alias wso2carbon -file wso2carbon.pem -keystore client-truststore.jks -storepass wso2carbon
Create a virtual host configuration file with the command below and use the sample proxy configuration that follows.
sudo vi /etc/apache2/sites-available/wso2.is.com.conf
Sample mapping of HTTP requests to the Identity Server:
<IfModule mod_proxy.c>
  <VirtualHost *:443>
    ServerAdmin techops@wso2.com
    ServerName localhost
    ServerAlias localhost
    # Off disables forward proxying; only the explicit ProxyPass mappings below are served
    ProxyRequests Off
    SSLEngine On
    # Needed because the back end (port 9443) is itself HTTPS
    SSLProxyEngine On
    SSLCertificateFile /home/madura/certs/ca.crt
    SSLCertificateKeyFile /home/madura/certs/ca.key
    <Proxy *>
      Order deny,allow
      Allow from all
    </Proxy>
    ProxyPass /carbon "https://localhost:9443/carbon"
    ProxyPassReverse /carbon "https://localhost:9443/carbon"
    ProxyPass /commonauth "https://localhost:9443/commonauth"
    ProxyPassReverse /commonauth "https://localhost:9443/commonauth"
    ProxyPass /authenticationendpoint "https://localhost:9443/authenticationendpoint"
    ProxyPassReverse /authenticationendpoint "https://localhost:9443/authenticationendpoint"
    ProxyPass /samlsso "https://localhost:9443/samlsso"
    ProxyPassReverse /samlsso "https://localhost:9443/samlsso"
  </VirtualHost>
</IfModule>
As a final step, enable the virtual host configuration and restart the server as below:
sudo a2ensite wso2.is.com.conf
sudo service apache2 restart
It's time to test this. Open the URL https://localhost/carbon
When you navigate to other pages, you should not see any port inside the URL.
There are some other configurations needed to complete this setup (define a host name in the product, modify catalina-server.xml, and configure the proxy port and name). Please refer to Asela's blog [1] for more information.
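A small checker for the mapping above, added here as an example (it is not part of the original post, nor code from Apache or WSO2): it parses the ProxyPass / ProxyPassReverse lines, reports paths that have no reverse mapping, and models the Location-header rewrite that ProxyPassReverse performs, so you can see why a missing ProxyPassReverse is exactly what makes the back-end port show up in a redirect URL. The sample configuration (with /samlsso deliberately left without its reverse line) and the header values are constructed.

```python
import re
from typing import Dict, List

# Constructed sample: three of the post's mappings, with /samlsso missing
# its ProxyPassReverse so the checker has something to flag.
SAMPLE_CONF = """
ProxyPass /carbon "https://localhost:9443/carbon"
ProxyPassReverse /carbon "https://localhost:9443/carbon"
ProxyPass /commonauth "https://localhost:9443/commonauth"
ProxyPassReverse /commonauth "https://localhost:9443/commonauth"
ProxyPass /samlsso "https://localhost:9443/samlsso"
"""

# Longer directive name first so the alternation cannot stop at "ProxyPass"
DIRECTIVE_RE = re.compile(
    r'^\s*(ProxyPassReverse|ProxyPass)\s+(\S+)\s+"?([^"\s]+)"?', re.M)


def parse_mappings(conf: str) -> Dict[str, Dict[str, str]]:
    """Return {'ProxyPass': {path: backend}, 'ProxyPassReverse': {path: backend}}."""
    out: Dict[str, Dict[str, str]] = {"ProxyPass": {}, "ProxyPassReverse": {}}
    for directive, path, backend in DIRECTIVE_RE.findall(conf):
        out[directive][path] = backend.rstrip("/")
    return out


def missing_reverse(conf: str) -> List[str]:
    """Paths that are proxied but never rewritten back. A redirect from the
    back end for one of these reaches the client with the 9443 port intact."""
    m = parse_mappings(conf)
    return sorted(p for p in m["ProxyPass"] if p not in m["ProxyPassReverse"])


def rewrite_location(conf: str, public_base: str, location: str) -> str:
    """Model ProxyPassReverse: a Location value that begins with a mapped
    back-end URL is rewritten to the public path (simple prefix match, as
    mod_proxy does); anything unmapped passes through unchanged."""
    for path, backend in parse_mappings(conf)["ProxyPassReverse"].items():
        if location.startswith(backend):
            return public_base.rstrip("/") + path + location[len(backend):]
    return location


def leaked_headers(headers: Dict[str, str],
                   backend_origin: str = "https://localhost:9443") -> List[str]:
    """Names of response headers whose value still points at the back end;
    in a correct setup this list is empty (the post's 'no port in the URL' check)."""
    return [name for name, value in headers.items() if backend_origin in value]
```

Run it against your own sites-available file by reading it into `conf` instead of `SAMPLE_CONF`; any path that `missing_reverse` returns is a redirect waiting to expose port 9443.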
[1] http://xacmlinfo.org/2014/11/16/how-to-developing-identity-server-behind-proxy-or-load-balancer/
Thanks for reading this post.