Friday Aug 19, 2011

HTTPS Oracle iPlanet Web Server 7.0 Reverse Proxy Server and HTTP Origin Server

Origin Server <--- HTTP ---> Reverse Proxy Server <--- HTTPS ---> client/Browser

There are various SSL and non-SSL configurations possible for the reverse proxy and origin servers:

  1. Origin Server <--- HTTP ---> Reverse Proxy Server <--- HTTP ---> client/Browser
  2. Origin Server <-- HTTP ---> Reverse Proxy Server <-- HTTPS --> client/Browser, i.e. reverse proxy as SSL termination endpoint
  3. Origin Server <-- HTTPS ---> Reverse Proxy Server <-- HTTP --> client/Browser
  4. Origin Server <-- HTTPS ---> Reverse Proxy Server <-- HTTPS --> client/Browser

In this blog I will try out SCENARIO 2 - reverse proxy server as SSL termination end point.

For this I have set up two Oracle iPlanet Web Server 7.0 update 11 instances: one acting as a reverse proxy (instance name rps, on port 8080) and the other as the origin server (instance name origs, on port 4444).


1. Enable SSL on Reverse Proxy Server

1.1 Install Server Certificate in Reverse Proxy Server instance

I created a self-signed server certificate in the reverse proxy server. Use the Admin Server CLI (wadm) to create a self-signed certificate (recommended):

$./bin/wadm --user=admin
Please enter admin-user-password>
Connected to localhost:8989
Oracle iPlanet Web Server 7.0.11 B03/11/2011 08:38
wadm> list-configs
rps
wadm> create-selfsigned-cert --config=rps --server-name=www.rps.com --nickname=Server-Cert-RP
wadm> deploy-config rps

Or you can use certutil followed by pull-config.

$cd <reverse-proxy-install-dir>/https-rps/config
$../../bin/certutil -N -d .          (only if the certificate/key DBs do not exist already)
$../../bin/certutil -S -d . -n Server-Cert-RP -s "CN=www.rps.com" -x -t "CT,CT,CT"

Verify with certutil that the certificate got installed:

$../../bin/certutil -L -d <reverse-proxy-install-dir>/https-rps/config
Certificate Nickname                       Trust Attributes
                                           SSL,S/MIME,JAR/XPI
Server-Cert-RP                             u,u,u

1.2 Enable SSL in the http-listener and set the server certificate nickname (if it is different from "Server-Cert").

Use the "set-ssl-prop" Admin Server CLI to enable SSL for this listener and set the server certificate nickname, then run the deploy-config CLI.

wadm> list-http-listeners --config=rps
http-listener-1
wadm> set-ssl-prop --config=rps --http-listener=http-listener-1 server-cert-nickname=Server-Cert-RP enabled=true
wadm> deploy-config rps

server.xml should get modified to look like this:

<http-listener>
    <name>http-listener-1</name>
    <port>8080</port>
    <server-name>www.rps.com</server-name>
    <default-virtual-server-name>rps</default-virtual-server-name>
    <ssl>
        <server-cert-nickname>Server-Cert-RP</server-cert-nickname>
    </ssl>
</http-listener>

1.3 Run the create-reverse-proxy CLI from the Administration server

wadm> list-virtual-servers --config=rps
rps

wadm> create-reverse-proxy --config=rps --vs=rps --uri-prefix=/ --server=http://www.origs.com:4444

wadm> deploy-config rps

rps.obj.conf gets modified as shown below:

<Object name="default">
AuthTrans fn="match-browser" browser="*MSIE*" ssl-unclean-shutdown="true"
NameTrans fn="map" from="/" name="reverse-proxy-/" to="http:/"
...
</Object>
<Object ppath="http:*">
Service fn="proxy-retrieve" method="*"
</Object>
<Object name="reverse-proxy-/">
Route fn="set-origin-server" server="http://www.origs.com:4444"
</Object>

In rps.obj.conf I have configured the reverse proxy so that all requests are forwarded to the origin server.

In a real-world situation you can, if you want, forward only certain requests, depending on your requirements.

1.4 (OPTIONAL) Change the access log format in the Reverse Proxy Server

Modify the access log format in the Reverse Proxy Server to contain %Ses->client.cipher% and %Ses->client.ssl-id%:
wadm> get-access-log-prop --config=rps
enabled=true
file=../logs/access
format=%Ses->client.ip% - %Req->vars.auth-user% [%SYSDATE%]
       "%Req->reqpb.clf-request%"
       %Req->srvhdrs.clf-status% %Req->srvhdrs.content-length%
mode=text

wadm> enable-access-log --file="../logs/access" --config="rps"
        --format="%Ses->client.ip% - %Req->vars.auth-user% \[%SYSDATE%\]
        \\"%Req->reqpb.clf-request%\\" %Req->srvhdrs.clf-status%
        %Req->srvhdrs.content-length%
        %Ses->client.cipher% %Ses->client.ssl-id%"

wadm> deploy-config rps

Or manually add the log format in server.xml:

<access-log>
    <file>../logs/access</file>
    <format>
    %Ses->client.ip% - %Req->vars.auth-user% [%SYSDATE%]
    "%Req->reqpb.clf-request%"
    %Req->srvhdrs.clf-status% %Req->srvhdrs.content-length%
    %Ses->client.cipher% %Ses->client.ssl-id%
    </format>
</access-log>

Note that the contents between <format></format> should be on one line.

I have split it over several lines here so that it is easy to read.

1.5 (OPTIONAL) Create a test.html file in the origin server:

$cat ../docs/test.html
This is test.html

1.6 Send a request through the browser to the Reverse Proxy Server on URI /test.html.

Start the origin server and reverse proxy server instances. Send a request via the browser to the reverse proxy server on https://www.rps.com:8080/test.html. The origin should send the content to the reverse proxy server, which should send it to the browser.

We can check the entries in both access logs, of the reverse proxy server and of the origin server, to see what is happening.

Note that the browser may give a warning that this reverse proxy server's certificate is not issued by a valid CA. That's OK because it is a self-signed certificate. If you install a certificate from a trusted CA this message will not come up.

When you check the access log entries of the reverse proxy server:
$cat access
format=%Ses->client.ip% - %Req->vars.auth-user% [%SYSDATE%] "%Req->reqpb.clf-request%" %Req->srvhdrs.clf-status% %Req->srvhdrs.content-length% %Ses->client.cipher% %Ses->client.ssl-id%
xxx.xxx.xxx.xx1 - - [19/Aug/2011:14:02:51 +0530] "GET /test.html HTTP/1.1" 200 18 AES-256 Ux0aq03pRHCNZaDxLX1mrBKzmM7ac4YUAspbTX5s8pw=

It prints the cipher used and the SSL session id.

When you check the access log entries of the origin server:

$cat .access
format=%Ses->client.ip% - %Req->vars.auth-user% [%SYSDATE%] "%Req->reqpb.clf-request%" %Req->srvhdrs.clf-status% %Req->srvhdrs.content-length%
xxx.xxx.xxx.xx2  - - [19/Aug/2011:13:48:20 +0530] "GET /test.html HTTP/1.1" 200 18
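As an added example (not part of the original post), here is a Python parser for the two log formats shown above: it counts the ciphers negotiated on the SSL-terminating proxy, flags entries whose cipher name matches an assumed weak-cipher list, and separates origin-side entries, which carry no cipher/ssl-id fields and record the proxy's address rather than the browser's. The sample log lines and addresses are constructed.

```python
import re
from collections import Counter

# Pattern for the reverse proxy log format from step 1.4 (ip - user [date] "request"
# status length cipher ssl-id). The last two fields are optional, so the same parser
# also reads the origin server's default format, which stops at the content length.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<date>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<length>\d+|-)(?: (?P<cipher>\S+) (?P<ssl_id>\S+))?$'
)
# Assumption: name fragments that mark a negotiated cipher as weak; adjust to policy.
WEAK_CIPHER_MARKERS = ("NULL", "EXPORT", "RC4", "RC2", "DES", "MD5")

def parse_line(line):
    """Return one log line's fields as a dict; cipher and ssl_id are None on plain HTTP."""
    m = LOG_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised access log line: {line!r}")
    e = m.groupdict()
    e["status"] = int(e["status"])
    e["length"] = None if e["length"] == "-" else int(e["length"])
    return e

def is_weak_cipher(cipher):
    return any(marker in cipher.upper() for marker in WEAK_CIPHER_MARKERS)

def audit(lines):
    """Return (cipher usage counts, entries using a weak cipher, entries with no TLS fields)."""
    ciphers, weak, plain = Counter(), [], []
    for line in lines:
        if not line.strip() or line.startswith("format="):
            continue  # skip blank lines and the format= header the server writes
        e = parse_line(line)
        if e["cipher"] is None:
            plain.append(e)  # origin-side entry: the "client" is the proxy, no cipher logged
        else:
            ciphers[e["cipher"]] += 1
            if is_weak_cipher(e["cipher"]):
                weak.append(e)
    return ciphers, weak, plain

# Constructed sample lines modelled on the two logs shown above (TEST-NET addresses).
RP_LOG = [
    'format=%Ses->client.ip% - ... %Ses->client.ssl-id%',  # header line the server writes
    '192.0.2.10 - - [19/Aug/2011:14:02:51 +0530] "GET /test.html HTTP/1.1" 200 18 AES-256 c0nstructedSessId1=',
    '192.0.2.11 - - [19/Aug/2011:14:03:10 +0530] "GET /test.html HTTP/1.1" 200 18 RC4 c0nstructedSessId2=',
]
ORIGIN_LOG = ['192.0.2.20 - - [19/Aug/2011:13:48:20 +0530] "GET /test.html HTTP/1.1" 200 18']
```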


About

Meena Vyas
