Apache Http Server Proxy




This chapter describes how to install and configure the WLS Web Server Proxy Plug-In for Apache HTTP Server. It contains the following sections:



Note:

For proxying requests from Oracle HTTP Server to Oracle WebLogic Server, use the mod_wl_ohs plug-in, which is similar to the plug-in for Apache HTTP Server but does not need to be downloaded and installed separately. For information about configuring mod_wl_ohs, see Chapter 2, 'Configuring the WebLogic Proxy Plug-In for Oracle HTTP Server'.

3.1 Support Note


The WLS Web Server Proxy Plug-In for Apache HTTP Server is supported on Apache web servers and is able to front-end WebSocket applications. Support is described in the Certification matrix, at:

Note that this URL points to the Certification Central Page, so you need to copy the correct module based on your web server version. To obtain certifications for the WLS Plug-in, choose the spreadsheet document in the list associated with your FMW/WLS version (for example, 12.1.2.0) and then open the 'webservers' tab.

3.2 Install the WLS Web Server Proxy Plug-In for Apache HTTP Server

After you download the WLS Web Server Proxy Plug-In for Apache HTTP Server, as described in Section 1.2, 'Availability of WLS Web Server Proxy Plug-In 12.1.2', you can install it as an Apache HTTP Server module in your Apache HTTP Server installation.

3.2.1 Installation Prerequisites

Before you install the WLS Web Server Proxy Plug-In for Apache HTTP Server, do the following:

  • Download the WLS Web Server Proxy Plug-In for Apache HTTP Server, as described in Section 1.2, 'Availability of WLS Web Server Proxy Plug-In 12.1.2.'

  • Choose a location into which to extract the plug-in zip (PLUGIN_HOME; for example, /home/myhome/weblogic-plugins-12.1.2/).

  • Extract the plug-ins zip distribution to PLUGIN_HOME; for example, /home/myhome/weblogic-plugins-12.1.2/. This distribution contains these files:

    Table 3-1 Files Included in the Apache Web Server Plug-in Zip

    (path)/filename     Description
    README.txt          The README file for the plug-in.
    bin/orapki.bat      orapki tool for configuring Oracle wallets
    jlib/*.jar          orapki helper Java libraries
    lib/mod_wl.so       WebLogic proxy module
    lib/*.so(.dll)      Helper libraries


  • Install JDK 6 if you want to use SSL. The JDK 6 installation is required to use the orapki utility, which manages public key infrastructure (PKI) elements, such as wallets and certificate revocation lists, for use with SSL.

  • Ensure that you have a supported Apache HTTP Server installation.

    For more information, see:

    http://www.oracle.com/technology/software/products/ias/files/fusion_certification.html.

  • Ensure that a supported version of Oracle WebLogic Server is configured and running on a target system. Note that this server does not need to be running on the system on which you extracted the plug-in zip distribution. For the supported Oracle WebLogic Server versions, see:

    http://www.oracle.com/technology/software/products/ias/files/fusion_certification.html.


3.2.2 Installing the Apache HTTP Server Plug-In

The WLS Web Server Proxy Plug-In for Apache HTTP Server is distributed as a shared object (.so) file. You can obtain the plug-in here:

To install the Apache HTTP Server plug-in:

  1. Make sure that the weblogic-plugins-12.1.2/lib folder is included in LD_LIBRARY_PATH on Unix systems (and PATH on Windows systems). If you do not do this, you see linkage errors when starting Apache HTTP Server.

  2. In the location where you unzipped the downloaded plug-in file, locate lib/mod_wl.so; for example, /home/myhome/weblogic-plugins-12.1.2/lib/mod_wl.so.

  3. Verify that the mod_so.c module is enabled.

    If you installed Apache HTTP Server using the script supplied by Apache, mod_so.c is already enabled. Verify that mod_so.c is enabled by executing the following command:

    • UNIX/Linux

    (APACHE_HOME is the directory that contains the Apache HTTP Server installation.)

    This command lists all enabled modules. If mod_so.c is not listed, you must rebuild your Apache HTTP Server, making sure that the following configure option is specified:

  4. Make a copy of the APACHE_HOME/bin/httpd.conf file for backup.

  5. Open the httpd.conf file.

  6. Install the Apache HTTP Server plug-in module for Apache 2.2.x by adding the following line:

  7. Verify the syntax of the httpd.conf file by running the following command:

    • UNIX/Linux

    If the httpd.conf file contains any errors, the output of this command shows the errors; otherwise, the command returns the following:

3.3 Configure the Apache HTTP Server Plug-In

This section describes how to edit the httpd.conf file to proxy requests by path or by MIME type, to enable HTTP tunneling, and to use other Oracle WebLogic Server plug-in parameters.

3.3.1 Editing the httpd.conf File

Edit the httpd.conf file in your Apache HTTP Server installation to configure the Apache HTTP Server plug-in.

  1. Open the httpd.conf file, if it is not already open.

  2. To proxy requests by MIME type, add an IfModule block that defines one of the following:

    • For a non-clustered WebLogic Server: the WebLogicHost and WebLogicPort parameters.

    • For a cluster of WebLogic Servers: the WebLogicCluster parameter.

    Example:

  3. To proxy requests by MIME type, add a MatchExpression line to the <IfModule> block. Note that if both proxying by MIME type and proxying by path are enabled, proxying by path takes precedence over proxying by MIME type.

    For example, the following <IfModule> block for a non-clustered WebLogic Server specifies that all files with MIME type .jsp are proxied:

    You can also use multiple MatchExpressions, for example:

    If you are proxying requests by MIME type to a cluster of WebLogic Servers, use the WebLogicCluster parameter instead of the WebLogicHost and WebLogicPort parameters. For example:

  4. To proxy requests by path, use the <Location> block and the WLSRequest statement. WLSRequest specifies the handler for the WLS Web Server Proxy Plug-In for Apache HTTP Server module. For example, the following <Location> block proxies all requests containing /weblogic in the URL:

    The PathTrim parameter specifies a string trimmed from the beginning of the URL before the request is passed to the WebLogic Server instance (see Section 7.1, 'General Parameters for Web Server Plug-Ins').

  5. The PathTrim parameter must be configured inside the <Location> tag. The following known issues arise when you configure the WLS Web Server Proxy Plug-In for Apache HTTP Server to use SSL:

    • The following configuration is incorrect:

      The following configuration is the correct setup:

    • The current implementation of the WLS Web Server Proxy Plug-In for Apache HTTP Server does not support the use of multiple certificate files with Apache SSL.

  6. Optionally, enable HTTP tunneling for t3 or IIOP.

    1. To enable HTTP tunneling if you are using the t3 protocol and weblogic.jar, add the following <Location> block to the httpd.conf file:

    2. To enable HTTP tunneling if you are using IIOP, the only protocol used by the WebLogic Server thin client, wlclient.jar, add the following <Location> block to the httpd.conf file:

  7. Define any additional parameters for the WLS Web Server Proxy Plug-In for Apache HTTP Server.

    The WLS Web Server Proxy Plug-In for Apache HTTP Server recognizes the parameters listed in Section 7.1, 'General Parameters for Web Server Plug-Ins'. To modify the behavior of your WLS Web Server Proxy Plug-In for Apache HTTP Server, define these parameters either:

    • In a <Location> block, for parameters that apply to proxying by path, or

    • At global or virtual host scope, for parameters that apply to proxying by MIME type.

  8. Verify the syntax of the httpd.conf file by running the following command:

    • UNIX/Linux

    If the httpd.conf file contains any errors, the output of this command shows the errors; otherwise, the command returns the following:

  9. Start the Apache HTTP Server.

    • UNIX/Linux

  10. Send a request to http://apache-host:apache-port/mywebapp/my.jsp from the browser. Validate the response.


3.3.1.1 Placing WebLogic Properties Inside Location or VirtualHost Blocks

If you choose not to use the <IfModule> block, you can instead place the WebLogic properties directly inside <Location> or <VirtualHost> blocks. Consider the following examples of the <Location> and <VirtualHost> blocks:

3.3.1.2 Example: Configuring the Apache Plug-In

The following example demonstrates basic instructions for quickly setting up the Apache plug-in to proxy requests to a backend WebLogic Server:

  1. Make a copy of ${APACHE_HOME}/conf/httpd.conf file.

  2. Edit the file to add the following code:

  3. Include ${PLUGIN_HOME}/lib in the LD_LIBRARY_PATH by entering the following command:

    Note:

    You can also update the path by copying the contents of 'lib' to APACHE_HOME/lib, or by editing APACHE_HOME/bin/apachectl to update the LD_LIBRARY_PATH.

  4. At the prompt, start the Apache HTTP Server by entering:

  5. Send a request to http://apache-host:apache-port/mywebapp/my.jsp from the browser and validate the response.
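The pieces described above (the LoadModule line from step 6 of Section 3.2.2, the <IfModule> block with MatchExpression, the <Location> block with WLSRequest and PathTrim, and the <VirtualHost> placement from Section 3.3.1.1) come together in the following httpd.conf fragment. This is an added example written for this page, not configuration taken from the Oracle documentation; the plug-in path, the host names wls1.example.com and wls2.example.com, the ports 7001 and 7002, and the /weblogic and /mywebapp prefixes are assumed values.

```apache
# Added example (not from the Oracle documentation). Assumed values:
#   PLUGIN_HOME = /home/myhome/weblogic-plugins-12.1.2
#   WebLogic servers wls1.example.com:7001 and wls2.example.com:7002

# Section 3.2.2, step 6: load the plug-in module.
LoadModule weblogic_module /home/myhome/weblogic-plugins-12.1.2/lib/mod_wl.so

# Proxy by MIME type: every *.jsp request goes to a single, non-clustered
# WebLogic Server. <IfModule> accepts the module identifier used in LoadModule.
<IfModule weblogic_module>
    WebLogicHost wls1.example.com
    WebLogicPort 7001
    MatchExpression *.jsp
</IfModule>

# Proxy by path: any request containing /weblogic is handed to the plug-in.
# Path proxying wins over MIME-type proxying when both rules match.
# PathTrim must sit inside the <Location> block; it strips /weblogic before
# forwarding, so /weblogic/app/x.jsp reaches WebLogic as /app/x.jsp.
<Location /weblogic>
    WLSRequest On
    WebLogicHost wls1.example.com
    WebLogicPort 7001
    PathTrim /weblogic
</Location>

# Section 3.3.1.1: the same parameters placed inside a <VirtualHost>, this
# time for a cluster. With WebLogicCluster, WebLogicHost/WebLogicPort are
# not used; the plug-in load-balances across the listed members.
<VirtualHost *:80>
    ServerName apps.example.com
    <Location /mywebapp>
        WLSRequest On
        WebLogicCluster wls1.example.com:7001,wls2.example.com:7002
    </Location>
</VirtualHost>
```

With this configuration a request for /weblogic/a.jsp is matched by the <Location> block and arrives at WebLogic as /a.jsp, whereas a request for /other/a.jsp is matched only by the MatchExpression rule and arrives with its path unchanged; keeping PathTrim inside the <Location> block is what makes that distinction hold.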

3.3.2 Including a weblogic.conf File in the httpd.conf File

If you want to keep several separate configuration files, you can define parameters in a separate configuration file called weblogic.conf, by using the Apache HTTP Server Include directive in an <IfModule> block in the httpd.conf file:

The syntax of weblogic.conf files is the same as that for the httpd.conf file.

This section describes how to create weblogic.conf files, and includes sample weblogic.conf files.

3.3.2.1 Creating weblogic.conf Files

Be aware of the following when constructing a weblogic.conf file:

  • Enter each parameter on a new line. Do not put '=' between a parameter and its value. For example:

  • If a request matches both a MIME type specified in a MatchExpression in an <IfModule> block and a path specified in a Location block, the behavior specified by the <Location> block takes precedence.

  • If you use an Apache HTTP Server <VirtualHost> block, you must include all configuration parameters (MatchExpression, for example) for the virtual host within the <VirtualHost> block (see Apache Virtual Host documentation at http://httpd.apache.org/docs/vhosts/).

  • Sample httpd.conf file:

  • All the requests that match /jurl/* will have the POST data files in c:\jurl and will reverse proxy the request to agarwalp01 and port 7001. All the requests that match /web/* will have the POST data files in c:\web and will reverse proxy the request to myhost and port 8001. All the requests that match /foo/* will have the POST data files written to c:\foo and will reverse proxy the request to myhost02 and port 8090.

  • You should use the MatchExpression statement instead of the <Files> block.

3.3.2.2 Sample weblogic.conf Configuration Files

The following examples of weblogic.conf files may be used as templates that you can modify to suit your environment and server. Lines beginning with # are comments.

In Example 3-2, the MatchExpression parameter syntax for expressing the filename pattern, the WebLogic Server host to which HTTP requests should be forwarded, and various other parameters is as follows:

The first MatchExpression parameter below specifies the filename pattern *.jsp, and then names the single WebLogicHost. The paramName=value combinations following the pipe symbol specify the port at which WebLogic Server is listening for connection requests, and also activate the Debug option. The second MatchExpression specifies the filename pattern *.html and identifies the WebLogic Cluster hosts and their ports. The paramName=value combination following the pipe symbol specifies the error page for the cluster.

Example 3-2 Example Using Multiple WebLogic Clusters

Example 3-3 shows an example without WebLogic clusters.

Example 3-4 shows an example of configuring multiple name-based virtual hosts.

Example 3-4 Example Configuring Multiple Name-Based Virtual Hosts

You must define a unique value for ServerName or some plug-in parameters will not work as expected.
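The rules in Section 3.3.2.1 and the multiple-virtual-host layout of Example 3-4 are illustrated by the following pair of files. This is an added example, not Oracle's own Examples 3-2 through 3-4; the file location conf/weblogic.conf, the host names sales.example.com, support.example.com and wls1 through wls4, and the ports are assumed values.

```apache
# --- httpd.conf (added example, not from the Oracle documentation) ---
# Pull the plug-in parameters in from a separate file; the Include only
# takes effect when the module is actually loaded.
<IfModule weblogic_module>
    Include conf/weblogic.conf
</IfModule>

# --- conf/weblogic.conf (assumed path, relative to ServerRoot) ---
# One parameter per line, no '=' between a parameter and its value.
# Name-based virtual hosts: each needs a unique ServerName, and every
# plug-in parameter for a host must live inside its own <VirtualHost>.
NameVirtualHost *:80

<VirtualHost *:80>
    ServerName sales.example.com
    # Cluster behind this host. After the pipe, paramName=value pairs apply
    # to the match; here a cluster-wide error page.
    MatchExpression *.jsp WebLogicCluster=wls1.example.com:7001,wls2.example.com:7001|ErrorPage=http://sales.example.com/error.html
    MatchExpression *.html WebLogicCluster=wls1.example.com:7001,wls2.example.com:7001
</VirtualHost>

<VirtualHost *:80>
    ServerName support.example.com
    # Single server for *.jsp; the port is given after the pipe.
    MatchExpression *.jsp WebLogicHost=wls3.example.com|WebLogicPort=8001
    # A request such as /api/report.jsp matches both this <Location> and
    # the MatchExpression above; the <Location> block takes precedence.
    <Location /api>
        WLSRequest On
        WebLogicHost wls4.example.com
        WebLogicPort 8090
        PathTrim /api
    </Location>
</VirtualHost>
```

NameVirtualHost is required for name-based hosts on Apache 2.2, which is the version this chapter targets; if the two ServerName values were identical, Apache would route both names to the first block and the second host's plug-in parameters would never be applied.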

3.3.2.3 Template for the Apache HTTP Server httpd.conf File

This section contains a sample httpd.conf file for Apache 2.2. You can use this sample as a template and modify it to suit your environment and server. Lines beginning with # are comments.

Note that Apache HTTP Server is not case sensitive.

3.4 Deprecated Directives for Apache HTTP Server

The WebLogic Server plug-in logs are now part of the Apache HTTP Server error log and are prefixed with weblogic: to make them easy to identify. Hence the directives WLLogFile and Debug are deprecated. If the configuration still uses either of these directives, the following note appears during startup:

To enable plug-in logs, set LogLevel to debug. The logs will be included in the file pointed to by ErrorLog.

Configure a reverse proxy - Apache

This section contains the procedures describing how to configure a reverse proxy using an Apache web server.

This section includes:

  • Reference - support for OMi application users.

  • Reference - support for OMi data collectors.

Configure Apache to work as a reverse proxy

  1. Configure Apache to work as a reverse proxy.

    Apache must be manually configured to function as a reverse proxy.

    For example:

    1. Open the Apache httpd.conf file in the following directory:

      <OMi_Home>/newconfig/WebServer/conf/httpd.conf

    2. Make sure the following modules are enabled:

    3. Add the following lines:

  2. Add support for application users and data collectors as seen in the following example. For more details, see Reference - support for OMi application users and Reference - support for OMi data collectors.

    In the following, the placeholder DATA refers to the Virtual Host for Data Collectors and USERS refers to the Virtual Host for Application Users.

    Data Collectors:

    Application Users:

    Note: If you are using IDM-SSO, you may need to add the following lines (replace siteminderagent in the syntax below with the name of your IDM-SSO vendor):

  3. Verify reverse proxy points to OMi:

    • Restart Apache.

    • Go to http://<RP>/omi and verify that you see the OMi log-in page. At this point, if you enter your credentials you would see an empty page because OMi is not yet configured to work with a reverse proxy.

Configure Apache reverse proxy to work with TLS

If not already done automatically by your Apache installation, you may need to manually configure Apache to work with TLS as described below.

  1. Convert the root CA certificate obtained earlier to base 64 format.

    Example for Windows:

    openssl> x509 -in c:\ca_64.cer -out c:\ca.pem

  2. Split certificate and private key.

    If the server certificate is in PFX format, split the certificate to generate both the certificate and private key in PEM format:

  3. Configure Apache to use the certificates.

    For example:

    1. Open the Apache httpd.conf file. OMi places the file in the following directory:

      <OMi_Home>/newconfig/WebServer/conf/httpd.conf

    2. Uncomment these lines (remove #):

    3. Open the Apache httpd-ssl.conf file. OMi places the file in the following directory:

      <OMi_Home>/newconfig/WebServer/conf/extra/httpd-ssl.conf

      • Update SSLCertificateFile with the path to <mycert.pem>.

      • Update SSLCertificateKeyFile with the path to <mykey.pem>.

      • Insert the following lines in the virtual host section in httpd-ssl.conf with the path to the certificate authority key in PEM format:

  4. Close port 80.

    Open the Apache httpd.conf file and comment out the Listen 80 line by adding # as a prefix.

  5. Verify that Apache runs using TLS:

    1. Restart Apache.

    2. Go to HTTPS://<Reverse Proxy FQDN>.

      Do not use localhost, use the full server name that matches the name on the certificate. You should see the message 'it works!'

    3. Go to HTTP://<Reverse Proxy FQDN>.

      It should not work.

Configure the secure reverse proxy to require client authentication - optional


Configuring a secure reverse proxy to require client authentication involves the following manual procedures:

  1. Make the following changes in the following file:

    <OMi_Home>/newconfig/WebServer/conf/extra/httpd-ssl.conf

    1. Uncomment (remove the #) the following lines:

    2. Search for SSLCACertificateFile, uncomment it, and update the path to the client CA root certificate for the authority that issued your client certificate.

      SSLCACertificateFile "C:\CA.pem"

    3. Locate the following line:

      #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire

      Add the following line right below it:

      SSLOptions +ExportCertData

    4. Add the following line before </VirtualHost>:

      RequestHeader set CLIENT_CERT_HEADER "%{SSL_CLIENT_CERT}s"

  2. Edit the <OMi_Home>/newconfig/WebServer/conf/httpd.conf file:

    Uncomment (remove the #) from the following lines:

  3. Restart Apache.

    Go to https://<Reverse Proxy FQDN>/omi

    Verify that you see a prompt for a client certificate.
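The TLS setup from the previous section and the client-authentication changes above, combined into one httpd-ssl.conf virtual host, look like the following. This is an added example, not the OMi product's shipped configuration; the ServerName rp.example.com, the certificate paths under C:/certs (forward slashes are accepted by Apache on Windows), the OMi gateway omi-gw.example.com, SSLVerifyDepth 2 and the use of SSLCertificateChainFile for the CA file are assumptions, as is the guess that the lines the text says to uncomment in httpd.conf are the mod_ssl, mod_headers and mod_proxy LoadModule lines.

```apache
# Added example (not from the OMi documentation). Assumed values:
#   ServerName rp.example.com, certificates under C:/certs,
#   OMi gateway omi-gw.example.com (reached over plain HTTP).

# httpd.conf: modules this setup needs (assumed to be the commented-out lines
# the procedure tells you to uncomment).
LoadModule ssl_module        modules/mod_ssl.so
LoadModule headers_module    modules/mod_headers.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# httpd.conf: with "Listen 80" commented out, clients get TLS or nothing.
# Listen 80

# httpd-ssl.conf
Listen 443

<VirtualHost _default_:443>
    ServerName rp.example.com
    SSLEngine on

    # Server identity: certificate and key split out of the PFX (step 2),
    # plus the root CA converted to PEM (step 1) as the chain file.
    SSLCertificateFile      "C:/certs/mycert.pem"
    SSLCertificateKeyFile   "C:/certs/mykey.pem"
    SSLCertificateChainFile "C:/certs/ca.pem"

    # Optional client authentication. A client that presents no certificate,
    # or one not issued by the CA in SSLCACertificateFile, fails the TLS
    # handshake and never reaches OMi.
    SSLCACertificateFile "C:/certs/CA.pem"
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Export the verified client certificate so it can be forwarded to OMi.
    # "set" overwrites any CLIENT_CERT_HEADER the client sent itself, so the
    # backend only ever sees the certificate established in the handshake.
    SSLOptions +ExportCertData
    RequestHeader set CLIENT_CERT_HEADER "%{SSL_CLIENT_CERT}s"

    # Proxy rules are the same as for the HTTP host; /omi is the path the
    # verification step opens.
    ProxyPass        /omi http://omi-gw.example.com/omi
    ProxyPassReverse /omi http://omi-gw.example.com/omi
</VirtualHost>
```

Two points matter from a hardening standpoint: RequestHeader set (rather than add or append) is what prevents a client from supplying its own CLIENT_CERT_HEADER value, and SSLVerifyClient require rejects unauthenticated clients during the handshake, before any HTTP request is forwarded.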

Configure BBC port 383 connection on reverse proxy

For the OM server, Operations Agents, and other integrations to be able to forward events to the OMi server in the reverse proxy environment, port 383 used by the BBC protocol must be configured on the reverse proxy.

The following general steps use Apache as an example:

  1. Make sure you have established the trust relationship between all the OM servers and the OMi servers as described in the Integrate section.

    If you add an additional trust relationship to OMi after performing the following procedure, you must issue the certificate for the ReverseProxy node and run this procedure again.

  2. Use the utility below to issue a certificate for the ReverseProxy node. This can be done from the OMi data processing server, but not from the OMi gateway server.

    Example:

    ovcm -issue -file <certificate_file> -name <FQDN of Reverse Proxy> [-pass <passphrase>]

  3. Use openssl to convert it for use by the Apache reverse proxy, as in the following:

    SSLCertificateFile:
    openssl pkcs12 -in <certificate_file> -out oprcl.crt

    SSLCertificateKeyFile:
    openssl rsa -in oprcl.crt -out oprcl.pem

    SSLProxyMachineCertificateFile:
    openssl pkcs12 -in <certificate_file> -out oprcl.p12 -nodes -clcerts

    SSLCACertificateFile:
    ovcert -exporttrusted -file trusts.cer

  4. Copy the files to the following directories:

    SSLCertificateFile:
    <Apache_Install_Dir>/Apache2.4/conf/oprcl.crt

    SSLCertificateKeyFile:
    <Apache_Install_Dir>/Apache2.4/conf/oprcl.pem

    SSLProxyMachineCertificateFile:
    <Apache_Install_Dir>/Apache2.4/conf/oprcl.p12


    SSLCACertificateFile:
    <Apache_Install_Dir>/Apache2.4/conf/trusts.cer

  5. Modify the <OMi_Home>/newconfig/WebServer/conf/extra/httpd-ssl.conf file:

    1. Add the following line before the line Listen 443:

      Listen 383

    2. Add a virtual host section for port 383 before the SSL Virtual Host Context section.
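The port 383 virtual host that step 5.2 asks for, using the four files produced in steps 3 and 4, could look like the following. This is an added example and not the OMi documentation's own virtual host section; the install directory C:/Apache/Apache2.4, the ServerName rp.example.com, the OMi gateway omi-gw.example.com listening on 383, SSLVerifyDepth 2, and the choice to require client certificates on the inbound leg are assumptions, not statements taken from the page.

```apache
# Added example (not from the OMi documentation). Assumed values:
#   <Apache_Install_Dir> = C:/Apache, OMi gateway omi-gw.example.com:383,
#   ServerName rp.example.com.
Listen 383

<VirtualHost _default_:383>
    ServerName rp.example.com
    SSLEngine on

    # Identity issued for the ReverseProxy node by ovcm (step 2) and
    # converted with openssl (step 3).
    SSLCertificateFile    "C:/Apache/Apache2.4/conf/oprcl.crt"
    SSLCertificateKeyFile "C:/Apache/Apache2.4/conf/oprcl.pem"

    # Trust anchors exported from OMi with ovcert -exporttrusted. Agents and
    # OM servers present certificates from this CA; anything else is refused
    # at the handshake (assumption about the BBC trust model).
    SSLCACertificateFile "C:/Apache/Apache2.4/conf/trusts.cer"
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Outbound leg to OMi: Apache authenticates itself with the same node
    # certificate (PEM certificate plus key, as produced by
    # "openssl pkcs12 ... -nodes -clcerts") and verifies OMi's certificate
    # against the same trust store.
    SSLProxyEngine on
    SSLProxyMachineCertificateFile "C:/Apache/Apache2.4/conf/oprcl.p12"
    SSLProxyCACertificateFile      "C:/Apache/Apache2.4/conf/trusts.cer"
    SSLProxyVerify require
    SSLProxyVerifyDepth 2

    # Forward the BBC traffic; no forward proxying.
    ProxyRequests Off
    ProxyPass        / https://omi-gw.example.com:383/
    ProxyPassReverse / https://omi-gw.example.com:383/
</VirtualHost>
```

SSLProxyVerify require on the outbound leg is the counterpart of SSLVerifyClient on the inbound one: without it Apache would accept any certificate from the OMi side, and a mis-pointed ProxyPass would go unnoticed. On Apache 2.4 the peer's certificate name is also checked against the ProxyPass host by default, so the OMi certificate must carry omi-gw.example.com.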

Reference - support for OMi application users

The following table can be used as a reference for application users to connect via the reverse proxy.

Requests for ... on the Reverse Proxy Server -> Proxy Request to be Served by:

/bsm/*
    http://[Virtual Host for Application Users]/bsm/*
    https://[Virtual Host for Application Users]/bsm/*

/hpbsm/*
    http://[Virtual Host for Application Users]/hpbsm/*
    https://[Virtual Host for Application Users]/hpbsm/*

/filters/*
    http://[Virtual Host for Application Users]/filters/*
    https://[Virtual Host for Application Users]/filters/*

/mam/*
    http://[Virtual Host for Application Users]/mam/*
    https://[Virtual Host for Application Users]/mam/*

/mam_images/*
    http://[Virtual Host for Application Users]/mam_images/*
    https://[Virtual Host for Application Users]/mam_images/*

/mcrs/*
    http://[Virtual Host for Application Users]/mcrs/*
    https://[Virtual Host for Application Users]/mcrs/*

/mercuryam/*
    http://[Virtual Host for Application Users]/mercuryam/*
    https://[Virtual Host for Application Users]/mercuryam/*

/odb/*
    http://[Virtual Host for Application Users]/odb/*
    https://[Virtual Host for Application Users]/odb/*

/omi/*
    http://[Virtual Host for Application Users]/omi/*
    https://[Virtual Host for Application Users]/omi/*

/opr-admin-server/messagebroker/amfpolling/*
    http://[Virtual Host for Application Users]/opr-admin-server/messagebroker/amfpolling/*
    https://[Virtual Host for Application Users]/opr-admin-server/messagebroker/amfpollingsecure/*
    Note: Append the word secure to each resource URL when using https.

/opr-admin-server/messagebroker/amf/*
    http://[Virtual Host for Application Users]/opr-admin-server/messagebroker/amf/*
    https://[Virtual Host for Application Users]/opr-admin-server/messagebroker/amfsecure/*
    Note: Append the word secure to each resource URL when using https.

/opr-console/messagebroker/amf/*
    http://[Virtual Host for Application Users]/opr-console/messagebroker/amf/*
    https://[Virtual Host for Application Users]/opr-console/messagebroker/amfsecure/*
    Note: Append the word secure to each resource URL when using https.

/opr-admin-server/*
    http://[Virtual Host for Application Users]/opr-admin-server/*
    https://[Virtual Host for Application Users]/opr-admin-server/*

/opr-config-server/*
    http://[Virtual Host for Application Users]/opr-config-server/*
    https://[Virtual Host for Application Users]/opr-config-server/*

/opr-console/*
    http://[Virtual Host for Application Users]/opr-console/*
    https://[Virtual Host for Application Users]/opr-console/*

/opr-gateway/*
    http://[Virtual Host for Application Users]/opr-gateway/*
    https://[Virtual Host for Application Users]/opr-gateway/*

/opr-web/*
    http://[Virtual Host for Application Users]/opr-web/*
    https://[Virtual Host for Application Users]/opr-web/*

/OVPM/*
    http://[Virtual Host for Application Users]/OVPM/*
    https://[Virtual Host for Application Users]/OVPM/*

/topaz/*
    http://[Virtual Host for Application Users]/topaz/*
    https://[Virtual Host for Application Users]/topaz/*

/TopazSettings/*
    http://[Virtual Host for Application Users]/TopazSettings/*
    https://[Virtual Host for Application Users]/TopazSettings/*

/ucmdb-api/*
    http://[Virtual Host for Application Users]/ucmdb-api/*
    https://[Virtual Host for Application Users]/ucmdb-api/*

/ucmdb-ui/*
    http://[Virtual Host for Application Users]/ucmdb-ui/*
    https://[Virtual Host for Application Users]/ucmdb-ui/*
    Note: If you are using a Reverse Proxy and you have an integration with UCMDB, make sure your reverse proxy timeout setting is at least 1000 seconds. For example, in your reverse proxy httpd.conf file, modify the line that starts with ProxyPass as follows:
    ProxyPass /ucmdb-ui http://<my OMi GW server>/ucmdb-ui connectiontimeout=1000 timeout=1000

/uim/*
    http://[Virtual Host for Application Users]/uim/*
    https://[Virtual Host for Application Users]/uim/*

/webinfra/*
    http://[Virtual Host for Application Users]/webinfra/*
    https://[Virtual Host for Application Users]/webinfra/*

Reference - support for OMi data collectors


The following table can be used as a reference for data collectors to connect via the reverse proxy.

Requests for ... on the Reverse Proxy Server -> Proxy Request to be Served by:

/topaz/topaz_api/*
    http://[Virtual Host for Data Collectors]/topaz/topaz_api/*
    https://[Virtual Host for Data Collectors]/topaz/topaz_api/*

/topaz/sitescope/*
    http://[Virtual Host for Data Collectors]/topaz/sitescope/*
    https://[Virtual Host for Data Collectors]/topaz/sitescope/*

/cm/*
    http://[Virtual Host for Data Collectors]/cm/*
    https://[Virtual Host for Data Collectors]/cm/*

/mam-collectors/*
    http://[Virtual Host for Data Collectors]/mam-collectors/*
    https://[Virtual Host for Data Collectors]/mam-collectors/*

/axis2/*
    http://[Virtual Host for Data Collectors]/axis2/*
    https://[Virtual Host for Data Collectors]/axis2/*
    Note: Required if the SOAP adapter is used with the embedded Run-time Service Model (RTSM) for replication into secure OMi via the reverse proxy.

Note:


  • Make sure your reverse proxy supports priority handling logic, which enables a specific expression to be handled before a more generic one, if required. For example, the /topaz/topaz_api/* expression must be handled before the /topaz/* expression.
  • For some reverse proxies, a reverse pass is also required. The reverse pass changes the HTTP or HTTPS headers returned from the server to relative headers. For an example of a reverse pass, see Configure Apache to work as a reverse proxy.
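The procedure in 'Configure Apache to work as a reverse proxy', the two reference tables, and the two notes just above (specific-before-generic ordering, and the reverse pass) are all exercised by the following httpd.conf fragment. It is an added example, not configuration from the OMi documentation; the host names omi-data.example.com (the virtual host the text calls DATA), omi-users.example.com (USERS) and rp.example.com are assumed, only a representative subset of the table rows is shown, and OMi is assumed to be reached over plain HTTP.

```apache
# Added example (not from the OMi documentation). Assumed names:
#   omi-data.example.com  = DATA  (virtual host for data collectors)
#   omi-users.example.com = USERS (virtual host for application users)
#   rp.example.com        = this reverse proxy

# Modules the reverse proxy needs (assumed to be the ones step 1.2 refers to).
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# Reverse proxy only. With ProxyRequests Off, Apache never acts as an open
# forward proxy; only the ProxyPass rules below are forwarded.
ProxyRequests Off

<VirtualHost *:80>
    ServerName rp.example.com

    # ProxyPass rules are checked in configuration order and the first match
    # wins, so the data-collector paths under /topaz/ must precede the
    # application-user rule for /topaz/* further down.
    # Data collectors (Reference - support for OMi data collectors):
    ProxyPass        /topaz/topaz_api http://omi-data.example.com/topaz/topaz_api
    ProxyPassReverse /topaz/topaz_api http://omi-data.example.com/topaz/topaz_api
    ProxyPass        /topaz/sitescope http://omi-data.example.com/topaz/sitescope
    ProxyPassReverse /topaz/sitescope http://omi-data.example.com/topaz/sitescope
    ProxyPass        /cm              http://omi-data.example.com/cm
    ProxyPassReverse /cm              http://omi-data.example.com/cm
    ProxyPass        /mam-collectors  http://omi-data.example.com/mam-collectors
    ProxyPassReverse /mam-collectors  http://omi-data.example.com/mam-collectors

    # Application users (Reference - support for OMi application users).
    # Each ProxyPassReverse is the "reverse pass": it rewrites Location and
    # other redirect headers returned by OMi so they point back at this proxy
    # instead of at the internal host name.
    ProxyPass        /topaz           http://omi-users.example.com/topaz
    ProxyPassReverse /topaz           http://omi-users.example.com/topaz
    ProxyPass        /omi             http://omi-users.example.com/omi
    ProxyPassReverse /omi             http://omi-users.example.com/omi
    ProxyPass        /opr-console     http://omi-users.example.com/opr-console
    ProxyPassReverse /opr-console     http://omi-users.example.com/opr-console
    ProxyPass        /opr-gateway     http://omi-users.example.com/opr-gateway
    ProxyPassReverse /opr-gateway     http://omi-users.example.com/opr-gateway

    # UCMDB integration: the proxy timeout must be at least 1000 seconds.
    ProxyPass        /ucmdb-ui        http://omi-users.example.com/ucmdb-ui connectiontimeout=1000 timeout=1000
    ProxyPassReverse /ucmdb-ui        http://omi-users.example.com/ucmdb-ui
</VirtualHost>
```

Paths not covered by a ProxyPass rule are not forwarded at all; Apache serves them from its own DocumentRoot, which is the behaviour you want for a proxy that should expose only the OMi paths in the tables. If OMi is instead reached over https, the same rules apply with https:// targets and SSLProxyEngine on in the virtual host.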