20150710 apache reverse proxy for openam - plembo/onemoretech GitHub Wiki
title: Apache reverse proxy for OpenAM link: https://onemoretech.wordpress.com/2015/07/10/apache-reverse-proxy-for-openam/ author: phil2nc description: post_id: 9904 created: 2015/07/10 23:35:48 created_gmt: 2015/07/11 03:35:48 comment_status: closed post_name: apache-reverse-proxy-for-openam status: publish post_type: post
It is fairly typical in most enterprises to front-end an OpenAM deployment with a reverse proxy. This article gives an example using Apache's HTTP server on a Red Hat host.
In setting up a proxy it's customary to hide the port the application actually listens on. For an identity application like OpenAM, forcing all operations over HTTPS is also important: the login form and the SSO session cookie must never travel in the clear. In this example OpenAM is running on an Apache Tomcat server named appserver1.example.com on port 8080, so the endpoint URI is http://appserver1.example.com:8080/openam. The URI we want to present to users is https://sso.example.com/openam.
In the OpenAM console navigate to Configuration... Servers and Sites.
Scroll down to Sites and add a new site with the name "sso" and the URI https://sso.example.com/openam. Save and then go to Servers.
Click on each server listed and use the drop-down menu under Site to select "sso" as the parent site, then save the configuration. This is what tells OpenAM the URL clients actually use: the traffic that reaches Tomcat is plain HTTP on port 8080, so without the site entry the redirects OpenAM issues would be built from the wrong host and scheme.
Next edit /etc/httpd/conf/httpd.conf to add a virtual host like this (mod_rewrite, mod_proxy and mod_proxy_http must be loaded; the stock Red Hat httpd package ships all three):
<VirtualHost *:80>
ServerAdmin [email protected]
DocumentRoot /var/www/html/login
ServerName sso.example.com
ErrorLog logs/sso.example.com-error_log
CustomLog logs/sso.example.com-access_log combined
# This forces all operations to use HTTPS: a 301 to the same host and
# path on https://, so nothing sent to port 80 is answered in the clear.
# Using the literal ServerName in place of %{HTTP_HOST} avoids reflecting
# an arbitrary Host header into the redirect.
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
# Reverse proxy for HTTP. If the rewrite above works this is never reached;
# it is included only as a fallback. Note that it is a plaintext path to the
# login page if mod_rewrite is ever disabled, so drop it to fail closed.
# localhost assumes httpd runs on the Tomcat host; otherwise use
# http://appserver1.example.com:8080/openam here and below.
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /openam http://localhost:8080/openam
ProxyPassReverse /openam http://localhost:8080/openam
</VirtualHost>
Then create a corresponding virtual host in /etc/httpd/conf.d/ssl.conf (name-based HTTPS virtual hosts work because Apache and all modern browsers support SNI):
<VirtualHost *:443>
DocumentRoot /var/www/html/sso
ServerName sso.example.com
ServerAdmin [email protected]
ErrorLog logs/sso.example.com-ssl_error_log
TransferLog logs/sso.example.com-ssl_access_log
SSLEngine on
# Disable the broken SSL versions. On a current build also drop TLS 1.0
# and 1.1: SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLProtocol all -SSLv3 -SSLv2
# MEDIUM still admits RC4 (and 3DES on OpenSSL 1.1+); HIGH alone is the
# safer choice today, ideally with SSLHonorCipherOrder on.
SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!EXPORT
SSLCertificateFile /etc/pki/tls/certs/example.com.crt
SSLCertificateKeyFile /etc/pki/tls/private/example.com.key
SSLCertificateChainFile /etc/pki/tls/certs/exampleCA.crt
CustomLog logs/ssl_request_log "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
# This is the reverse proxy directive. ProxyRequests Off keeps httpd from
# acting as an open forward proxy; ProxyPreserveHost On passes the
# sso.example.com Host header through so OpenAM matches it to the "sso"
# site; ProxyPassReverse rewrites Location headers that would otherwise
# point the browser at localhost:8080.
ProxyRequests Off
ProxyPreserveHost On
ProxyPass /openam http://localhost:8080/openam
ProxyPassReverse /openam http://localhost:8080/openam
</VirtualHost>
An index.html under /var/www/html/sso (the DocumentRoot of the HTTPS host) sends anyone who lands on the base URL, https://sso.example.com/, on to https://sso.example.com/openam. (A Redirect directive in the virtual host would do the same without serving a page.)
<!DOCTYPE html>
<html>
<head>
<meta http-equiv="refresh" content="0; url=https://sso.example.com/openam">
</head>
<body>
</body>
</html>
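A post-deployment check for the setup above, added here as an example; it is not part of the original post and not OpenAM's or Apache's own tooling. It assumes curl is installed on a host that can reach sso.example.com and that the host and path are the ones used in the article (override with SSO_HOST and SSO_PATH). The four checks are exactly what the two virtual hosts are supposed to guarantee: port 80 answers only with a 301 to https://, the proxied path answers on the public URL rather than leaking localhost:8080 in a Location header, cookies issued over HTTPS carry Secure, and HSTS is set. The --live mode issues two real requests; the checks themselves operate on captured header blocks, so they can be exercised against constructed responses (as in the self-test) without a server.

```shell
#!/bin/bash
# check_sso_proxy.sh: post-deployment checks for the sso.example.com proxy.
# Added example, not from the original post. Assumes curl is installed and
# that SSO_HOST / SSO_PATH match your deployment (defaults are the article's).
#
#   ./check_sso_proxy.sh --live      # probe the running proxy
#
# Every check works on a captured header block, exactly what
# "curl -sS -D - -o /dev/null URL" prints, so the logic can also be run
# offline against constructed responses.

SSO_HOST="${SSO_HOST:-sso.example.com}"
SSO_PATH="${SSO_PATH:-/openam/}"

# Status code from the first line of a header block ("HTTP/1.1 301 ..." -> 301).
http_status() {
  printf '%s\n' "$1" | tr -d '\r' |
    sed -n '1s/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p'
}

# Value of header $1 (case-insensitive) in header block $2; empty if absent.
http_header() {
  printf '%s\n' "$2" | tr -d '\r' |
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
      'tolower($0) ~ ("^" want ":") { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

# 1. Port 80 must answer with a 301 to the same path on https://, which is
#    what the RewriteRule in the :80 host produces. $1 headers, $2 host, $3 path
check_http_redirect() {
  [ "$(http_status "$1")" = "301" ] &&
    [ "$(http_header Location "$1")" = "https://$2$3" ]
}

# 2. The proxied path must reach OpenAM: either a 200, or a redirect that stays
#    on https://$SSO_HOST/openam. A Location of http://localhost:8080/... means
#    ProxyPassReverse is missing; one on http://sso.example.com means the Site
#    URL configured in OpenAM is wrong.
check_proxied() {
  _status=$(http_status "$1")
  case "$_status" in
    200) return 0 ;;
    30[1278])
      case "$(http_header Location "$1")" in
        "https://$SSO_HOST/openam"*) return 0 ;;
      esac ;;
  esac
  return 1
}

# 3. Every cookie set over HTTPS must carry the Secure attribute; otherwise the
#    browser also sends it to port 80 before the 301 happens. Apache cannot add
#    this for you; it is OpenAM's secure-cookie setting.
check_cookies_secure() {
  printf '%s\n' "$1" | tr -d '\r' |
    awk 'tolower($1) == "set-cookie:" && tolower($0) !~ /; *secure(;|$)/ { bad++ }
         END { exit (bad > 0) }'
}

# 4. HSTS on the HTTPS host so returning browsers never try port 80 at all
#    (needs mod_headers and "Header always set Strict-Transport-Security
#    max-age=31536000" in the :443 host, which the article's config omits).
check_hsts() {
  [ -n "$(http_header Strict-Transport-Security "$1")" ]
}

run_live() {
  http_hdrs=$(curl -sS -D - -o /dev/null "http://$SSO_HOST$SSO_PATH")
  https_hdrs=$(curl -sS -D - -o /dev/null "https://$SSO_HOST$SSO_PATH")
  rc=0
  report() { if "$@"; then echo "ok:   $1"; else echo "FAIL: $1"; rc=1; fi; }
  report check_http_redirect "$http_hdrs" "$SSO_HOST" "$SSO_PATH"
  report check_proxied "$https_hdrs"
  report check_cookies_secure "$https_hdrs"
  report check_hsts "$https_hdrs"
  return $rc
}

if [ "${1:-}" = "--live" ]; then run_live; fi
```

Two of the four checks will fail against the article's configuration exactly as written, and that is the point: the proxy does not make OpenAM's cookies Secure, and nothing in either virtual host emits Strict-Transport-Security. Both are one-line fixes, one on the OpenAM side and one on the Apache side, and the script tells you which one you forgot.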
Copyright 2004-2019 Phil Lembo