Enable SSL in your reverse proxy server, and configure the messaging and replication ports for two-way HTTPS proxying. This procedure describes the configuration of an Apache2 reverse proxy server.
    LoadModule headers_module modules/mod_headers.so
    LoadModule ssl_module modules/mod_ssl.so
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_connect_module modules/mod_proxy_connect.so
    LoadModule proxy_http_module modules/mod_proxy_http.so
The three proxy_* modules are required by the three proxy modes: HTTP, one-way HTTPS and two-way HTTPS.
The ssl_module is required by both HTTPS proxy modes.
The headers_module is required by the two-way HTTPS proxy mode.
Add content similar to the following into httpd.conf to enable the messaging port as a two-way HTTPS proxy:
    Listen 8082
    <VirtualHost *:8082>
        ServerName 10.128.103.133
        ErrorLog "C:/Apache2.2/logs/error.log"
        TransferLog "C:/Apache2.2/logs/access.log"

        # activate HTTPS on the reverse proxy
        SSLEngine on
        # apache server public certificate
        SSLCertificateFile "C:/Apache2.2/conf/liatris_cr-sha1.crt"
        # apache server private key
        SSLCertificateKeyFile "C:/Apache2.2/conf/liatris_cr-decry-sha1.key"
        # apache server certificate root/chain file
        SSLCertificateChainFile "C:/Apache2.2/conf/clientroot.crt"

        # trusted client CA certificate
        SSLCACertificateFile "C:/Apache2.2/conf/clientroot.crt"
        SSLVerifyClient require
        SSLVerifyDepth 10

        SSLProxyEngine On
        # trusted back-end server certificate
        SSLProxyCACertificateFile "C:/Apache2.2/conf/sample2.crt"
        # apache server id/certificate for connecting to the back-end server
        SSLProxyMachineCertificateFile "C:/Apache2.2/conf/rsoe.pem"

        # initialize the special headers to a blank value to avoid http header forgeries
        RequestHeader set SSL_CLIENT_CERT ""

        <Location />
            # add SSL_CLIENT_CERT header to forward real client certificate
            RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
            ProxyPass https://orchid.dhcp.pek3.sap.corp:8002/
            ProxyPassReverse https://orchid.dhcp.pek3.sap.corp:8002/
        </Location>
    </VirtualHost>
Add content similar to the following into httpd.conf to enable the replication port as a two-way HTTPS proxy:
    Listen 2482
    <VirtualHost *:2482>
        ServerName proxy-server
        ErrorLog "C:/Apache2.2/logs/error.log"
        TransferLog "C:/Apache2.2/logs/access.log"

        # activate HTTPS on the reverse proxy
        SSLEngine on
        SSLCertificateFile "C:/Apache2.2/conf/proxy-server.crt"
        SSLCertificateKeyFile "C:/Apache2.2/conf/proxy-server.key"
        SSLCertificateChainFile "C:/Apache2.2/conf/proxy-server-ca.crt"

        # activate the client certificate authentication
        SSLCACertificateFile "C:/Apache2.2/conf/trusted-client-ca.crt"
        SSLVerifyClient require
        SSLVerifyDepth 10

        SSLProxyEngine On
        SSLProxyCACertificateFile C:/Apache2.2/conf/SMP-server-ca.crt
        SSLProxyMachineCertificateFile C:/Apache2.2/conf/proxy-client.pem

        # initialize the special headers to a blank value to avoid http header forgeries
        RequestHeader set SSL_CLIENT_CERT ""

        <Location />
            # add SSL_CLIENT_CERT header to forward real client certificate
            RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
            ProxyPass https://SMP-server:2482/
            ProxyPassReverse https://SMP-server:2482/
        </Location>
    </VirtualHost>
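The check below is an added example, not part of the original procedure or of any SAP or Apache tooling: it audits each VirtualHost block in an httpd.conf for the two-way HTTPS settings shown above, including the blank initialisation of SSL_CLIENT_CERT. The function names and the sample configuration are constructed for illustration.

```python
import re

# Constructed sample modelled on the replication-port block above, with the
# header-blanking line deliberately left out so the audit has something to flag.
SAMPLE_CONF = '''
Listen 2482
<VirtualHost *:2482>
    SSLEngine on
    SSLCACertificateFile "C:/Apache2.2/conf/trusted-client-ca.crt"
    SSLVerifyClient require
    SSLProxyEngine On
    <Location />
        RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
        ProxyPass https://SMP-server:2482/
    </Location>
</VirtualHost>
'''

VHOST_RE = re.compile(r'<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>', re.S | re.I)
# Directive values that the two-way HTTPS proxy mode on this page relies on.
REQUIRED = {'sslengine': 'on', 'sslverifyclient': 'require', 'sslproxyengine': 'on'}

def directives(body):
    """Return (lower-cased name, argument string) for each directive line."""
    out = []
    for line in body.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or line.startswith('<'):
            continue  # skip blanks, comments and section tags such as <Location />
        parts = line.split(None, 1)
        out.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ''))
    return out

def audit_two_way_vhosts(conf_text):
    """Map each vhost address to a list of findings (empty list = passes)."""
    report = {}
    for addr, body in VHOST_RE.findall(conf_text):
        d = directives(body)
        value = {}
        for name, args in d:
            value.setdefault(name, args.lower())  # first occurrence wins
        findings = [f'{n} is not "{v}"' for n, v in REQUIRED.items()
                    if value.get(n) != v]
        hdr = [a for n, a in d if n == 'requestheader' and 'SSL_CLIENT_CERT' in a]
        if not any('%{SSL_CLIENT_CERT}s' in a for a in hdr):
            findings.append('client certificate is not forwarded in SSL_CLIENT_CERT')
        if not any(a.endswith('""') for a in hdr):
            findings.append('SSL_CLIENT_CERT is not initialised to a blank value')
        report[addr.strip()] = findings
    return report
```

Calling `audit_two_way_vhosts(open(path).read())` on a real httpd.conf returns one entry per VirtualHost; it only inspects directives written directly in that file, not ones pulled in through Include.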