WebGate Question with OHS Reverse Proxy

KCCS Dec 2 2009 — edited Mar 3 2010
I am having problems getting Policy Domains properly configured when using an OHS server as a reverse proxy to DMZ based web applications. In the use cases outlined below, I would prefer to use the Separate URL method, if I could get the WebGate to protect the full site.

Use Case:

Oracle HTTP server (proxy.mycompany.com) is configured as a reverse proxy to DMZ based web applications App1.dmz.net and App2.dmz.net. A WebGate is installed and configured on the proxy server. Policies have been defined to protect the applications.

There are two ways to configure the reverse proxy. The first is to use a Separate URL for each application like App1.mycompany.com and App2.mycompany.com. The other method uses a Consolidated URL: proxy.mycompany.com/App1 and proxy.mycompany.com/App2.

Separate URL Method:

When I address the proxy via the Separate URL method, the applications work well, and the httpd.conf configuration for the virtual host is:

<VirtualHost 10.1.96.244:80>
    ServerName App1.mycompany.com
    ProxyRequests Off
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPass / http://172.16.10.21:8080/
    ProxyPassReverse / http://172.16.10.21:8080/
    <Location />
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>

However with this Separate URL method, I cannot get the WebGate to trigger authentication for the root (/) access to the web applications, even when a Policy Domain is specifically configured for it. Policies will trigger for other URLs within the application, but not for the root.

App1 has been defined as a Host Identifier in the Access System as App1.mycompany.com, and the Policy domain has / on App1 configured. The Access Tester claims the URL is protected by the Rule and Policy.

Consolidated URL Method:

When the core site (proxy.mycompany.com) is configured to use the Consolidated URL method, the following lines are added to the httpd.conf file for the default site:

ProxyPass /App1 http://172.16.10.21:8080
ProxyPassReverse /App1 http://172.16.10.21:8080

This method will trigger the authentication as defined in the Policy Domains. However, there are URL rewrite issues to deal with because /App1 needs to be appended to all the URLs the application uses. This is a less preferred proxy method for our current project.

Questions:

Is there any other configuration required for a virtual host to get the WebGate active on it?

Can the mod_proxy_html module be added to a Windows based OHS server to provide HTML rewrite in the Separate URL Method?

Is there something I am missing, and this really is easy (hopefully)?

Kerry

Edited by: KCCS on Dec 2, 2009 8:31 AM
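An added example, not part of the original post and not Oracle's code: ProxyPassReverse only rewrites backend redirect headers when its path and backend URL match the ProxyPass mapping exactly, and a redirect that is not rewritten sends the client to the internal address, past the proxy and its WebGate. The checker below pairs the two directives per virtual host and reports any ProxyPass without an exact counterpart; the function name, the App2 mapping and its addresses are constructed for illustration, and only the two-argument directive form is handled.

```python
import re

# Constructed sample (not the poster's file): one consistent virtual host, and a
# default-site pair whose ProxyPassReverse differs in path case and backend address.
SAMPLE_CONF = """\
<VirtualHost 10.1.96.244:80>
ServerName App1.mycompany.com
ProxyPass / http://172.16.10.21:8080/
ProxyPassReverse / http://172.16.10.21:8080/
</VirtualHost>
ProxyPass /App2 http://172.16.10.22:8080
ProxyPassReverse /app2 http://172.16.10.23:8080
"""

DIRECTIVE = re.compile(r"^\s*(ProxyPass|ProxyPassReverse)\s+(\S+)\s+(\S+)", re.I)
VHOST_OPEN = re.compile(r"^\s*<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"^\s*</VirtualHost>", re.I)

def check_proxy_pairs(conf_text):
    """Return (scope, message) for each ProxyPass lacking an exact ProxyPassReverse."""
    scope = "default site"
    forward, reverse = {}, {}          # scope -> set of (path, backend)
    for line in conf_text.splitlines():
        m = VHOST_OPEN.match(line)
        if m:
            scope = "VirtualHost " + m.group(1).strip()
            continue
        if VHOST_CLOSE.match(line):
            scope = "default site"
            continue
        m = DIRECTIVE.match(line)
        if m and m.group(3) != "!":    # "ProxyPass /path !" is an exclusion, not a mapping
            name, path, backend = m.groups()
            target = forward if name.lower() == "proxypass" else reverse
            target.setdefault(scope, set()).add((path, backend))
    findings = []
    for scope, pairs in forward.items():
        for path, backend in sorted(pairs):
            if (path, backend) in reverse.get(scope, set()):
                continue               # exact match: redirects get rewritten
            # Paths are compared case-sensitively by Apache; look for a near miss.
            near = [r for r in reverse.get(scope, set()) if r[0].lower() == path.lower()]
            detail = (f"closest ProxyPassReverse is {near[0][0]} {near[0][1]}"
                      if near else "no ProxyPassReverse")
            findings.append((scope, f"ProxyPass {path} {backend}: {detail}"))
    return findings

if __name__ == "__main__":
    for scope, msg in check_proxy_pairs(SAMPLE_CONF):
        print(f"[{scope}] {msg}")
```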
Locked on Mar 31 2010
Added on Dec 2 2009