Wow! Please! Do it again!: How To: Setup a Forward Proxy using IBM HTTP Server

Thursday, February 13, 2014

How To: Setup a Forward Proxy using IBM HTTP Server

First of all, this is a setup for a forward proxy, not a reverse proxy. Too many people have believed that God only created reverse proxies. For example, "Let's create a reverse proxy to allow our applications to connect to the Internet", or "Our application is sitting in the secure zone and needs to access this API available on the internet. All I need is a reverse proxy". Enough is enough!

Version(s):
1. IBM HTTP Server 8.5.0.2 (IHS)
2. AIX 7.1 (not that it matters)

Example scenario:
  • 2-tier firewall architecture
  • the web server (with IHS installed) behind the Tier-1 firewall.
  • the application server (e.g. WAS, Tomcat) behind the Tier-2 firewall
  • need to connect to https://some.bloody.api.com from the application via HTTPS

Step(s):
1. Make sure the required firewall ports are open. Get your favourite firewall-opener (usually a person) to open the ports from your application server to the web server, let's say port 8080, and also from the web server to the target site.
2. Time to modify the IHS config, the one and only httpd.conf:
  • Search the keyword "Listen" and add the following line. Your proxy will start listening at this port.
     Listen 8080  
    

  • Uncomment the following lines, if they aren't already:
     LoadModule proxy_module modules/mod_proxy.so  
     LoadModule proxy_connect_module modules/mod_proxy_connect.so  
     LoadModule proxy_http_module modules/mod_proxy_http.so  

  • Modify the "Proxy Server directives" section to look like the following. APPSERVER1 and APPSERVER2 are the "clients" of this proxy. If the target port is not the standard HTTP (80) or HTTPS (443) port, for example https://some.bloody.api.com:6767/services, then add 6767 to the AllowCONNECT list of ports.
     #
     # Proxy Server directives. Uncomment the following lines to
     # enable the proxy server:
     #
     <IfModule mod_proxy.c>
     # Enable the forward proxy server. Note: Do not use the ProxyRequests directive if
     # all you require is reverse proxy.
     #
     ProxyRequests On
     #
     # Only the hosts listed in "Allow from" may use the proxy; everyone else is denied.
     <Proxy *>
       Order deny,allow
       Allow from 127.0.0.1 APPSERVER1 APPSERVER2
       Deny from all
     </Proxy>
     #
     # Enable/disable the handling of HTTP/1.1 "Via:" headers.
     # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
     # Set to one of: Off | On | Full | Block
     #
     ProxyVia On
     # Destination ports that the CONNECT method (used for HTTPS through the proxy) may reach.
     AllowCONNECT 8080 80 443 6767
     </IfModule>
     # End of proxy directives.
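
A static check for the access rules above, as an added example (not part of the original post and not IBM tooling): it reads the proxy directives and reports when clients outside the Allow list would be let through, and which AllowCONNECT ports go beyond the set you say you need. The names `audit_forward_proxy` and `needed_connect_ports` are hypothetical, and the check assumes Apache 2.2-style Order/Allow/Deny as used in this config.

```python
# Added example, not IHS tooling. Assumes Apache 2.2-style Order/Allow/Deny and one <Proxy> block.
# SAMPLE_CONF is constructed: this page's proxy directives with comments removed.
SAMPLE_CONF = """\
<IfModule mod_proxy.c>
ProxyRequests On
<Proxy *>
  Order deny,allow
  Allow from 127.0.0.1 APPSERVER1 APPSERVER2
  Deny from all
</Proxy>
AllowCONNECT 8080 80 443 6767
</IfModule>
"""

def audit_forward_proxy(conf_text, needed_connect_ports):
    """Return findings: open-proxy access rules and surplus CONNECT ports."""
    forward_on, in_proxy = False, False
    order, allow, deny = "deny,allow", set(), set()   # httpd's default Order
    connect_ports = {443, 563}                        # httpd's default AllowCONNECT
    for raw in conf_text.splitlines():
        line = raw.strip().lower()
        if not line or line.startswith("#"):
            continue
        words = line.split()
        if line.startswith(("<proxy ", "</proxy>")):
            in_proxy = line.startswith("<proxy ")
        elif words[0] == "proxyrequests":
            forward_on = words[1:] == ["on"]
        elif words[0] == "allowconnect":
            connect_ports = {int(p) for p in words[1:]}
        elif in_proxy and words[0] == "order":
            order = "".join(words[1:])
        elif in_proxy and words[:2] == ["allow", "from"]:
            allow.update(words[2:])
        elif in_proxy and words[:2] == ["deny", "from"]:
            deny.update(words[2:])
    if not forward_on:
        return []
    findings = []
    if order == "deny,allow":   # a client is denied only if it matches Deny and no Allow
        unlisted_ok = "all" not in deny or "all" in allow
    else:                       # allow,deny: must match Allow and must not match Deny
        unlisted_ok = "all" in allow and "all" not in deny
    if unlisted_ok:
        findings.append("open proxy: clients outside the Allow list are not denied")
    extra = sorted(connect_ports - set(needed_connect_ports))
    if extra:
        findings.append("AllowCONNECT permits unneeded ports: " + ", ".join(map(str, extra)))
    return findings
```

For the scenario on this page, `audit_forward_proxy(SAMPLE_CONF, {443, 6767})` reports only the surplus CONNECT ports 80 and 8080; dropping the `Deny from all` line makes it report an open proxy.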