Blogs about Deep Learning, Machine Learning, AI, NLP, Security, Oracle Traffic Director,Oracle iPlanet WebServer

  • August 19, 2011

HTTPS Oracle iPlanet Web Server 7.0 Reverse Proxy Server and HTTP Origin Server

 HTTPS Oracle iPlanet Web
Server 7.0 Reverse Proxy Server and HTTP Origin Server

Origin Server <--- HTTP ---> Reverse Proxy Server <---
HTTPS ---> client/Browser

There are various SSL and non SSL configurations we can have for
Reverse Proxy and Origin Servers

  1. Origin
    Server <--- HTTP ---> Reverse Proxy Server <--- HTTP --->
  2. Origin Server <-- HTTP ---> Reverse Proxy Server <--
    HTTPS --> client/Browser i.e. Reverse proxy as SSL termination End
  3. Origin
    Server <-- HTTPS ---> Reverse Proxy Server <-- HTTP -->
  4. Origin
    Server <-- HTTPS ---> Reverse Proxy Server <-- HTTPS -->

In this blog I will try out SCENARIO 2 -
reverse proxy server as SSL termination end point.

For this I have setup two Oracle iPlanet Web Server 7.0 update 11
instances. One acting as a reverse proxy (instance name rps on port 8080) and the other
origin server(instance name origs on port 4444).

1. Enable SSL on Reverse Proxy Server

1.1 Install Server Certificate in Reverse Proxy Server instance

created self signed server certificate in reverse proxy server. Use
Admin Server CLI to create a self-signed certificate (recommened)

$./bin/wadm --user=admin
Please enter admin-user-password>
Connected to localhost:8989
Oracle iPlanet Web Server 7.0.11 B03/11/2011 08:38

wadm> list-configs
wadm>create-selfsigned-cert --config=rps

--server-name=www.rps.com --nickname=Server-Cert-RP

wadm>deploy-config rps

Or you can use certutil followed by pull-config .

$cd <reverse-proxy-install-dir>/https-rps/config
$../../bin/certutil -N -d . (if DBs do not exist already)
$../../bin/certutil -S -d . -n Server-Cert-RP 
-s "CN=www.rps.com" -x -t "CT,CT,CT"

Verify it with certutil that the certificate got installed :

$../../bin/certutil -L -d <reverse-proxy-install-dir>/https-rps/config
Certificate Nickname                       Trust Attributes
Server-Cert-RP u,u,u

1.2 Enable SSL in http-listener. Set the server certificate
nickname (if its different from "Server-Cert"). 

Use "set-ssl-prop" Admin Server CLI to enable SSL for
this listener, set the server certificate nickname and then run deploy
config CLI.

wadm> list-http-listeners --config=rps
wadm> set-ssl-prop --config=rps --http-listener=http-listener-1

server-cert-nickname=Server-Cert-RP enabled=true

wadm>deploy-config rps

server.xml should get modified to look like



1.3 Run create-reverse-proxy CLI from Administration server

wadm> list-virtual-servers --config=rps
wadm>create-reverse-proxy --config=rps --vs=rps --uri-prefix=/
wadm>deploy-config rps

rps.obj.conf gets modified as shown below :

<Object name="default">
AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
NameTrans fn="map" from="/" name="reverse-proxy-/" to="http:/"
<Object ppath="http:*">
Service fn="proxy-retrieve" method="*"
<Object name="reverse-proxy-/">
Route fn="set-origin-server" server="http://www.origs.com:4444"

In rps.obj.conf I have configured reverse proxy in such a way that all
requests are redirected to origin server.

In real world situation you can if you want redirect only certain
requests depending on your requirements.

1.4 OPTIONAL : Change access log format in Reverse Proxy

Modify access log format in Reverse Proxy Server
to contain
%Ses->client.cipher% and %Ses->client.ssl-id%
wadm> get-access-log-prop --config=rps
format=%Ses->client.ip% - %Req->vars.auth-user% [%SYSDATE%]
 %Req->srvhdrs.clf-status% %Req->srvhdrs.content-length%
wadm> enable-access-log --file="../logs/access" --config="rps"
--format="%Ses->client.ip% -
%Req->vars.auth-user% \[%SYSDATE%\]
\\"%Req->reqpb.clf-request%\\" %Req->srvhdrs.clf-status%

%Ses->client.cipher% %Ses->client.ssl-id%

wadm>deploy-config rps

Or manually add in server.xml the log format
%Ses->client.ip% - %Req->vars.auth-user% [%SYSDATE%]
%Req->srvhdrs.clf-status% %Req->srvhdrs.content-length%
%Ses->client.cipher% %Ses->client.ssl-id%


Note the contents in between <format></format> should
be in one line

I have put it in 2 lines so that its easy to see.

1.5  (OPTIONAL) Create a file test.html file in origin server :

$cat ../docs/test.html
This is test.html

1.6 Send a request through browser to Reverse Proxy Server on URI /test.html.

Start the origin server and reverse proxy server instances. Send a request via the browser to reverse proxy server on https://www.rps.com:8080/test.html. Origin should send the content to reverse proxy serverw hcih should send it to the browser.

We can check the entries in both the access logs of reverse proxy
server and origin server to see what's happening.

Note that browser may give a warning that this reverse proxy server is
not issued by a valid CA. That's ok because its a self signed
certificate. If you install a certificate from trusted CAs this message
will not come up.

When you check access log entries of reverse porxy server :
$cat access

format=%Ses->client.ip% - %Req->vars.auth-user% [%SYSDATE%]
"%Req->reqpb.clf-request%" %Req->srvhdrs.clf-status%
%Req->srvhdrs.content-length% %Ses->client.cipher% %Ses->client.ssl-id%

xxx.xxx.xxx.xx1 - - [19/Aug/2011:14:02:51 +0530] "GET /test.html HTTP/1.1" 200 18 AES-256 Ux0aq03pRHCNZaDxLX1mrBKzmM7ac4YUAspbTX5s8pw=

Its printing the ciphers used and the SSL session id.

When you check access log entries of origin
server :

$cat .access

format=%Ses->client.ip% - %Req->vars.auth-user% [%SYSDATE%] "%Req->reqpb.clf-request%" %Req->srvhdrs.clf-status%

- - [19/Aug/2011:13:48:20 +0530] "GET /test.html HTTP/1.1" 200 18


Join the discussion

Comments ( 2 )
  • guest Saturday, February 23, 2013

    We have a same configuration where original server is HTTP and reverse proxy server is listening to HTTPS port only. There is a problem we are facing in case of 302 redirect when original server is redirecting it is redirecting to HTTP url and since reverse proxy server is not listening to HTTP port we are getting a time-out.

    Looking for some help to resolve this issue.

  • Sriram Natarajan Wednesday, July 31, 2013

    the answer is it depends

    a) the back-end origin servers like WLS can support the scenario that where iWS7 is handling SSL and appropriately redirect with https in it. This will require iWS7 to be used with WLS Plug-In proxy as well as enabling WLS Plug-In enabled wihtin WLS Admin Server -> General settings

    b) alternatively, you can include a Output content filter so that all outgoing content can be parsed and appropriately rewritten to include 'https' . for more information, please work with oracle support through a SR.


Please enter your name.Please provide a valid email address.Please enter a comment.CAPTCHA challenge response provided was incorrect. Please try again.