Administrator

Installing and Configuring Apache Reverse Proxy

Edit the httpd.conf file to load the modules that are required to prepare the Reverse Proxy for SAP Mobile Platform use.

Context

In SAP Mobile Platform, communication can be either:
  • Unencrypted to port 8080
  • One-way authenticated and encrypted to port 8081
  • Two-way authenticated to port 8082
Apache's proxy functionality is split across several modules in addition to mod_proxy: mod_proxy_http, mod_proxy_ftp, mod_proxy_ajp, mod_proxy_balancer, and mod_proxy_connect. To use a particular proxy function, load mod_proxy and the corresponding module into the server. For the reverse proxy, load these modules:
  • headers_module
  • ssl_module
  • proxy_module
  • proxy_connect_module
  • proxy_http_module
For information about running a reverse proxy in Apache, see http://www.apachetutor.org/admin/reverseproxies. For information about SSL and proxy modules, see http://httpd.apache.org/docs/2.2/mod/mod_ssl.html and http://httpd.apache.org/docs/2.2/mod/mod_proxy.html.

Procedure

  1. Download Apache 2.2 from a reliable source, and install the proxy according to package instructions.
  2. In a text editor, open Apache2.2\conf\httpd.conf.
  3. Uncomment these lines to load the headers module and the required SSL and proxy modules:
    LoadModule headers_module modules/mod_headers.so
    LoadModule ssl_module modules/mod_ssl.so
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_connect_module modules/mod_proxy_connect.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
    The three proxy_* modules are required by all three proxy modes: HTTP, one-way HTTPS, and two-way HTTPS. The ssl_module is required by both HTTPS proxy modes. The headers_module is required by the two-way HTTPS proxy mode.
  4. Add these lines to enable port 8080 as an HTTP proxy:
    ##############################
    Listen 8080
    <VirtualHost *:8080>
        ServerName proxy-server
        ErrorLog "C:/Apache2.2/logs/error.log"
        TransferLog "C:/Apache2.2/logs/access.log"
        <Location />
            ProxyPass http://<sup-server>:8080/
            ProxyPassReverse http://<sup-server>:8080/
        </Location>
    </VirtualHost>
    ##############################
  5. Add these lines to enable port 8081 as a one-way HTTPS proxy:
    ##############################
    Listen 8081
    <VirtualHost *:8081>
        ServerName proxy-server
        ErrorLog "C:/Apache2.2/logs/error.log"
        TransferLog "C:/Apache2.2/logs/access.log"
        # activate HTTPS on the reverse proxy
        SSLEngine on
        SSLCertificateFile "C:/Apache2.2/conf/proxy-server.crt"
        SSLCertificateKeyFile "C:/Apache2.2/conf/proxy-server.key"
        SSLCertificateChainFile "C:/Apache2.2/conf/proxy-server-ca.crt"
        SSLProxyEngine On
        SSLProxyCACertificateFile C:/Apache2.2/conf/sup-server-ca.crt
        <Location />
            ProxyPass https://<sup-server>:8081/
            ProxyPassReverse https://<sup-server>:8081/
        </Location>
    </VirtualHost>
    ##############################
  6. Add these lines to enable port 8082 as a two-way HTTPS proxy:
    ##############################
    Listen 8082
    <VirtualHost *:8082>
        ServerName proxy-server
        ErrorLog "C:/Apache2.2/logs/error.log"
        TransferLog "C:/Apache2.2/logs/access.log"
        # activate HTTPS on the reverse proxy
        SSLEngine on
        SSLCertificateFile "C:/Apache2.2/conf/proxy-server.crt"
        SSLCertificateKeyFile "C:/Apache2.2/conf/proxy-server.key"
        SSLCertificateChainFile "C:/Apache2.2/conf/proxy-server-ca.crt"
        # activate the client certificate authentication
        SSLCACertificateFile "C:/Apache2.2/conf/trusted-client-ca.crt"
        SSLVerifyClient require
        SSLVerifyDepth 10
        SSLProxyEngine On
        SSLProxyCACertificateFile C:/Apache2.2/conf/sup-server-ca.crt
        SSLProxyMachineCertificateFile C:/Apache2.2/conf/proxy-client.pem
        # initialize the special headers to a blank value to avoid http header forgeries
        RequestHeader set SSL_CLIENT_CERT ""
        <Location />
            # add SSL_CLIENT_CERT header to forward real client certificate
            RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
            ProxyPass https://<sup-server>:8082/
            ProxyPassReverse https://<sup-server>:8082/
        </Location>
    </VirtualHost>
    ##############################
  7. Save the file.
  8. Validate the configuration by opening a browser and testing these URLs:
    • http://proxy-server:8080/debug/app1
    • https://proxy-server:8081/debug/app1
    • https://proxy-server:8082/debug/app1
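
A static check of the edited httpd.conf before restarting Apache, added here as an example (not SAP or Apache tooling): it confirms the five modules are loaded and that each virtual host carries the directives the steps above give for its mode, including the blank-then-set handling of SSL_CLIENT_CERT. The function names and the sample configuration are constructed for illustration.

```python
import re

# Modules the procedure says to load for the reverse proxy.
REQUIRED = {"headers_module", "ssl_module", "proxy_module",
            "proxy_connect_module", "proxy_http_module"}

def directives(text):
    """(name, [args]) for each active directive line, in file order."""
    rows = (line.split() for line in text.splitlines())
    return [(p[0].lower(), p[1:]) for p in rows if p and p[0][0] not in "#<"]

def audit(conf):
    """Check httpd.conf text against the page's proxy modes; return findings."""
    loaded = {a[0] for n, a in directives(conf) if n == "loadmodule" and a}
    found = [f"module not loaded: {m}" for m in sorted(REQUIRED - loaded)]
    for addr, body in re.findall(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", conf, re.S | re.I):
        d = directives(body)
        names = {n for n, _ in d}
        two_way = any(n == "sslverifyclient" and a[:1] == ["require"] for n, a in d)
        tls = any(n == "proxypass" and a and a[-1].startswith("https://") for n, a in d)
        need = ["sslproxyengine", "sslproxycacertificatefile"] if tls else []
        need += ["sslcacertificatefile", "sslproxymachinecertificatefile"] if two_way else []
        found += [f"{addr}: missing {k}" for k in need if k not in names]
        hdr = [a[2] for n, a in d if n == "requestheader" and len(a) == 3
               and a[0].lower() == "set" and a[1] == "SSL_CLIENT_CERT"]
        if two_way and hdr[:1] != ['""']:  # the page's anti-forgery step
            found.append(f"{addr}: SSL_CLIENT_CERT not blanked first")
        if two_way and '"%{SSL_CLIENT_CERT}s"' not in hdr:
            found.append(f"{addr}: client certificate not forwarded")
    return found

# Constructed sample: two-way vhost lacking the blanking line and proxy client cert.
SAMPLE = """
LoadModule ssl_module modules/mod_ssl.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
<VirtualHost *:8082>
  SSLEngine on
  SSLCACertificateFile "C:/Apache2.2/conf/trusted-client-ca.crt"
  SSLVerifyClient require
  SSLProxyEngine On
  SSLProxyCACertificateFile C:/Apache2.2/conf/sup-server-ca.crt
  RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
  ProxyPass / https://<sup-server>:8082/
</VirtualHost>
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Apache's own `httpd -t` checks directive syntax; this script covers only the mode-specific directives listed in the procedure.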