Apache Http To Https Proxy


Replace http_proxy with https_proxy in the export argument to enable proxy over SSL/TLS. This information will be provided by the Network Team who have provided the proxy server related details. Lastly, I hope the steps from the article to set up a proxy using the http_proxy and https_proxy environment variables in Linux were helpful.

Apache Redirect to HTTPS. Although installing an SSL certificate on a website makes it possible to access the site over the secure protocol, that protocol is not used by default. To make sure that the website is accessed over the secure protocol by default, you will need to set up an automatic redirect.

Introduction

In this document we are using Apache 2.4.17 x64 from Apache Haus. Please note that CA does not officially endorse Apache Haus or this specific version of Apache httpd for Windows over any other httpd distribution/version; it is just the one I am using for this document.

There will be three servers involved in this scenario:

1. is the load balancing server. This is the server where we are installing Apache httpd.

2. is the primary Enterprise Management server

3. is the load balancing Enterprise Management server

The assumption has been made that both and are installed and working and serving SSL from port 18443. It is very important that this is the case. There is no point in implementing a reverse proxy to servers that do not work themselves; it just adds an additional layer to debug.

The aim is to have Apache httpd serving SSL on only port 8443 on acting as a reverse proxy to and . No other ports will be served by Apache httpd.

I have also added a rewrite so that users who go to https://:8443/ will automatically be redirected to https://:8443/iam/ac.

***** YOU MUST MAKE SURE THAT NOTHING IS RUNNING ON PORT 8443 on BEFORE CONTINUING *****

Use the following command to determine if anything is running on port 8443:

If it returns nothing then nothing is running on port 8443 and you are set to go.

Section 1 - Download and Install Apache 2.4.17 x64:

1. On go to the following url:

Download:

A) Apache 2.4.x VC11 -> Apache 2.4.17 x64

B) Microsoft Visual C++ 2012 Redistributable

I will refer to the folder you have downloaded these files to as from here on.

2. Unzip httpd-2.4.17-x64-vc11.zip to httpd-2.4.17-x64-vc11.

3. Open httpd-2.4.17-x64-vc11\readme_first.html and review the installation instructions. I have included installation instructions below, but they may need to be adapted for your system or due to any changes made by Apache Haus if you are using a different version of Apache httpd 2.4.

4. Copy the httpd-2.4.17-x64-vc11\Apache24 folder to c:\, so you have a c:\Apache24 folder.

Section 2 - Generate the SSL keys and certificate

1. On open a command prompt and navigate to c:\Apache24\bin:

2. On the command prompt, run the following command:

Follow the prompts as requested (***** remember any pass phrases etc. that you use! *****). When finished this will have created two files:

3. On the command prompt, run the following command:

Follow the prompts as requested. This will create the following file:

4. On the command prompt, run the following command:

This will create the following file:

5. The following files should now exist:

Section 3 - Configure Apache httpd

1. On edit C:\Apache24\conf\httpd.conf.

To comment out a line in httpd.conf place a # symbol at the beginning of the line.

To uncomment a line in httpd.conf remove the # symbol at the beginning of the line.

Comment out:

Find the following lines and uncomment them. These lines are not contiguous, so they will need to be found and uncommented one by one:

Find:

And change it to something appropriate e.g. replacing with the FQDN of this server:

At the end of the file, add the following lines, replacing and with the hostname or FQDNs of the ENTM and load balancing ENTM respectively, and with the FQDN of this server:

2. Edit extra\httpd-ahssl.conf:

Comment out:

Comment out all of the following lines:

Section 4 - Starting And Testing Apache httpd, And Making It A Service

It is possible and easy to set up Apache httpd to run as a Windows service, but we will test it first by running in a command prompt to see if there are any errors. Note that debugging errors for Apache httpd is beyond the scope of this document - any errors I came across I fixed in the configuration above - and CA Technical Support. However, Google is your friend. Apache httpd is the most widely used web server on the internet, so if you encounter a problem, someone probably already has and has a solution; at least that was my experience when writing this document.

1. On open a command prompt and navigate to c:\Apache24\bin:

2. Start httpd:

After entering the command wait a few seconds. httpd should stay running and not return to a command prompt. If it does and/or any errors are displayed they will need to be investigated and resolved before continuing. To stop it just press CTRL + c in the command prompt. After a second or two it will stop.

3. Make sure httpd is running as per step 2, and log in and test by pointing a browser to (where is the hostname or FQDN of the server we have installed Apache httpd to):

You may be prompted with some SSL warnings due to using a self signed certificate as per Section 2 - Generate the SSL keys and certificate. Once past these you should be presented with the ControlMinder/PIM login. Test a few things.

4. Assuming everything appears to be working, run a few different browser sessions (that is, different sessions, not just different tabs or windows of the same browser session) on different client machines.

Open c:\Apache24\logs\proxy-access.log and you should see entries like the below:

123.123.123.123 is the IP Address of the client where the browser is running.

https://:18443 will be either the hostname/FQDN of the ENTM or LBENTM. There should be a good mix of and to show that the load balancing is working - if you have used different browser sessions, opening new tabs and/or windows of existing browser sessions does not work to test this.

https://:8443 is the hostname/FQDN of the server we installed Apache httpd on.

5. Once you are satisfied that Apache httpd is running as a reverse proxy correctly, we can set it up as a service. Open a command prompt and navigate to c:\Apache24\bin.

6. Execute the following command:

This will return something like:

There should be no errors as we have already fixed them before progressing from step 2.

7. In Windows Services, there should now be an Apache2.4 service. This is stopped and started like any other service. By default this is set to start automatically when the server is started; you may or may not want to change this.

You have now finished installing the reverse proxy/load balancer.
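
The following virtual host is an added example, not the author's original configuration, showing one way to build the setup described in Sections 3 and 4: TLS on port 8443 only, a redirect from / to /iam/ac, and load balancing across two back ends on port 18443 with the chosen back end written to proxy-access.log. The hostnames, certificate file names, the balancer name entm and the ROUTEID cookie are placeholders or assumptions; back-end verification assumes the ENTM certificates chain to the CA file shown.

```apache
# Added example; hostnames and file names are placeholders, not values from the original document.
# Requires mod_ssl, mod_proxy, mod_proxy_http, mod_proxy_balancer,
# mod_lbmethod_byrequests, mod_slotmem_shm, mod_rewrite and mod_headers to be loaded.

Listen 8443
# mod_proxy is used here only as a reverse proxy; forward proxying stays off.
ProxyRequests Off

<VirtualHost *:8443>
    ServerName lb.example.com:8443

    # Front-end TLS using the key and certificate generated in Section 2.
    SSLEngine on
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
    SSLCertificateFile    "conf/ssl/lb.example.com.crt"
    SSLCertificateKeyFile "conf/ssl/lb.example.com.key"

    # Back-end TLS: verify the ENTM certificates instead of trusting any peer.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on
    SSLProxyCACertificateFile "conf/ssl/entm-ca.pem"

    # Redirect requests for / to /iam/ac.
    RewriteEngine on
    RewriteRule ^/$ /iam/ac [R=302,L]

    # Sticky sessions keep a logged-in browser session on one ENTM server.
    Header add Set-Cookie "ROUTEID=.%{BALANCER_WORKER_ROUTE}e; path=/; Secure; HttpOnly" env=BALANCER_ROUTE_CHANGED
    <Proxy "balancer://entm">
        BalancerMember "https://entm1.example.com:18443" route=1
        BalancerMember "https://entm2.example.com:18443" route=2
        ProxySet lbmethod=byrequests stickysession=ROUTEID
    </Proxy>
    ProxyPass        "/" "balancer://entm/"
    ProxyPassReverse "/" "balancer://entm/"

    # Record which back end served each request.
    LogFormat "%h %l %u %t \"%r\" %>s %b -> %{BALANCER_WORKER_NAME}e" proxy
    CustomLog "logs/proxy-access.log" proxy
</VirtualHost>
```

Running `httpd -t` from the bin folder checks the syntax before starting the server. With back-end verification on, a back end whose certificate does not validate against the CA file is refused rather than proxied, so self-signed ENTM certificates must be added to that file first.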

Environment Variables

In addition to the configuration directives that control the behaviour of mod_proxy, there are a number of environment variables that control the HTTP protocol provider. Environment variables below that don't specify specific values are enabled when set to any value.

proxy-sendextracrlf
Causes proxy to send an extra CR-LF newline on the end of a request. This is a workaround for a bug in some browsers.
force-proxy-request-1.0
Forces the proxy to send requests to the backend as HTTP/1.0 and disables HTTP/1.1 features.
proxy-nokeepalive
Forces the proxy to close the backend connection after each request.
proxy-chain-auth
If the proxy requires authentication, it will read and consume the proxy authentication credentials sent by the client. With proxy-chain-auth it will also forward the credentials to the next proxy in the chain. This may be necessary if you have a chain of proxies that share authentication information. Security Warning: Do not set this unless you know you need it, as it forwards sensitive information!
proxy-sendcl
HTTP/1.0 required all HTTP requests that include a body (e.g. POST requests) to include a Content-Length header. This environment variable forces the Apache proxy to send this header to the backend server, regardless of what the Client sent to the proxy. It ensures compatibility when proxying for an HTTP/1.0 or unknown backend. However, it may require the entire request to be buffered by the proxy, so it becomes very inefficient for large requests.
proxy-sendchunks or proxy-sendchunked
This is the opposite of proxy-sendcl. It allows request bodies to be sent to the backend using chunked transfer encoding. This allows the request to be efficiently streamed, but requires that the backend server supports HTTP/1.1.
proxy-interim-response
This variable takes values RFC (the default) or Suppress. Earlier httpd versions would suppress HTTP interim (1xx) responses sent from the backend. This is technically a violation of the HTTP protocol. In practice, if a backend sends an interim response, it may itself be extending the protocol in a manner we know nothing about, or just broken. So this is now configurable: set proxy-interim-response RFC to be fully protocol compliant, or proxy-interim-response Suppress to suppress interim responses.
proxy-initial-not-pooled
If this variable is set, no pooled connection will be reused if the client request is the initial request on the frontend connection. This avoids the 'proxy: error reading status line from remote server' error message caused by the race condition that the backend server closed the pooled connection after the connection check by the proxy and before data sent by the proxy reached the backend. It has to be kept in mind that setting this variable downgrades performance, especially with HTTP/1.0 clients.



