Installing and Configuring Apache Reverse Proxy

Edit the httpd.conf file to load the modules that are required to prepare the Reverse Proxy for SAP Mobile Platform use.

In SAP Mobile Platform, communication can be either:
  • Unencrypted to port 8080
  • One-way authenticated and encrypted to port 8081
  • Two-way authenticated to port 8082
Note: If clients are authenticating to the reverse proxy with X.509 certificates, only the port 8082 path can be used to propagate the client certificates on the SSL_CLIENT_CERT header in a trusted fashion.
Apache is installed as one or more modules, in addition to mod_proxy: mod_proxy_http, mod_proxy_ftp, mod_proxy_ajp, mod_proxy_balancer, and mod_proxy_connect. Thus, to use one or more of the particular proxy functions, load mod_proxy and the appropriate module into the server. For the reverse proxy, load these modules:
  • headers_module
  • ssl_module
  • proxy_module
  • proxy_connect_module
  • proxy_http_module
For information about running a reverse proxy in Apache, see http://www.apachetutor.org/admin/reverseproxies. For information about SSL and proxy modules, see http://httpd.apache.org/docs/2.2/mod/mod_ssl.html  and http://httpd.apache.org/docs/2.2/mod/mod_proxy.html.
  1. Download Apache 2.2 from a reliable source, and install the proxy according to package instructions.
  2. In a text editor, open Apache2.2\conf\httpd.conf.
  3. Uncomment these lines to load headers, and required SSL and proxy modules:     
    LoadModule headers_module modules/mod_headers.so    
LoadModule ssl_module modules/mod_ssl.so    
LoadModule proxy_module modules/mod_proxy.so    
LoadModule proxy_connect_module modules/mod_proxy_connect.so    
LoadModule proxy_http_module modules/mod_proxy_http.so 
    The three proxy_* modules are required by three proxy modes: HTTP, one-way HTTPS, and two-way HTTPS.   The ssl_module is required by both HTTPS proxy modes.   The headers_module is required by two-way HTTPS proxy mode.
  4. Add these lines to enable port 8080 as an HTTP proxy:
     ##############################    
Listen 8080   
      <VirtualHost *:8080> 
        ServerName proxy-server      
              ErrorLog "C:/Apache2.2/logs/error.log"
              TransferLog "C:/Apache2.2/logs/access.log" 
             <Location />
              ProxyPass http://sup-server:8080/
              ProxyPassReverse http://sup-server:8080/   
             </Location>
      </VirtualHost>     
##############################
  5. Add these lines to enable port 8081 as a one-way HTTPS proxy:
    ##############################
    Listen 8081   
      <VirtualHost *:8081>
         ServerName proxy-server      
                ErrorLog "C:/Apache2.2/logs/error.log"
                TransferLog  "C:/Apache2.2/logs/access.log"
              # activate HTTPS on the reverse proxy 
                SSLEngine on
                SSLCertificateFile  "C:/Apache2.2/conf/proxy-server.crt"
                SSLCertificateKeyFile  "C:/Apache2.2/conf/proxy-server.key"
                SSLCertificateChainFile  "C:/Apache2.2/conf/proxy-server-ca.crt"
                SSLProxyEngine On
                SSLProxyCACertificateFile C:/Apache2.2/conf/sup-server-ca.crt
         <Location />
            ProxyPass https://sup-server:8081/           
             ProxyPassReverse  https://sup-server:8081/       
         </Location>
      </VirtualHost>
  6. Add these lines to enable port 8082 as a two-way HTTPS proxy:
    ##############################
    Listen 8082   
      <VirtualHost *:8082>
         ServerName proxy-server      
                ErrorLog "C:/Apache2.2/logs/error.log"
                TransferLog  "C:/Apache2.2/logs/access.log"
              # activate HTTPS on the reverse proxy
                SSLEngine on
                SSLCertificateFile "C:/Apache2.2/conf/proxy-server.crt"
                SSLCertificateKeyFile "C:/Apache2.2/conf/proxy-server.key"
                SSLCertificateChainFile "C:/Apache2.2/conf/proxy-server-ca.crt"         # activate the client certificate  authentication
                SSLCACertificateFile "C:/Apache2.2/conf/trusted-client-ca.crt"
                SSLVerifyClient require
                SSLVerifyDepth  10
                SSLProxyEngine On
                SSLProxyCACertificateFile C:/Apache2.2/conf/sup-server-ca.crt
                SSLProxyMachineCertificateFile C:/Apache2.2/conf/proxy-client.pem
            # initialize the special headers to a blank  value to avoid http header forgeries
               RequestHeader set  SSL_CLIENT_CERT ""        
              <Location />            
            # add  SSL_CLIENT_CERT header to forward real client certificate
               RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
               ProxyPass  https://sup-server:8082/           
               ProxyPassReverse  https://sup-server:8082/       
              </Location>
         </VirtualHost>     
##############################
  7. Save the file.
  8. Validate the configuration by opening a browser and testing these URLs:
    • https://proxy-server:8080/debug/app1
    • https://proxy-server:8081/debug/app1
    • https://proxy-server:8082/debug/app1
Parent topic: Using Apache Reverse Proxy for HTTP Clients
Next topic: Decrypting Certificates for HTTPS Connections