Configuring a Linux Apache Proxy Server for Use with iSupplier
James J. Morrow
NorCal OAUG Training Day
Santa Clara Convention Center
January 17, 2007

© 2007 Solution Beacon, LLC. All Rights Reserved.

Introduction

The following will be covered:
- References and Definition
- Purpose of a Proxy Server
- Reverse Proxy Options
- The Selected Reverse Proxy Option
- Metalink Note Author's Choice
- mod_rewrite/url firewall purpose
- Building the Reverse Proxy Server
- Configuring the URL Firewall
- Creating the External Webtier
- Adjusting Configuration Files
- Environment Diagram
- Updating the External Webtier Context File
- Updating All Webtier Context Files


References and Definition

Presentation Reference
- Metalink Note 287176.1 (DMZ Configuration with Oracle E-Business Suite 11i)
- Is the note still relevant? Several implementations

Reverse Proxy Server Definition
- A reverse proxy server is an intermediate server that sits between a client and the actual web server and makes requests to the web server on behalf of the client. The client is unaware of the presence of the reverse proxy.


Purpose of a Proxy Server

Why use a proxy server?
- Adds a level of isolation between the client and the actual server
- Allows using standard web port numbers (80 and 443) on the external interface while running the actual web server on higher numbered ports, thus avoiding having to start the actual web application server processes as root
- Allows certain rules (or filters) to limit the http requests that are presented to the actual web server
- Optionally allows for caching of contents


4 Reverse Proxy Options

Which reverse proxy option?
- Use Oracle 9i Application Server 1.0.2.2 as shipped with Oracle E-Business Suite
- Use Oracle Application Server Webcache
- Use apache httpd from http://httpd.apache.org
- Use any of a number of commercially available reverse proxies, which often provide some level of added security as well


The Selected Reverse Proxy Option

Option 3 – Apache httpd
After looking at the pros/cons presented in note 287176.1, option 3 was chosen due to its advantages and lack of a serious disadvantage.
Pros:
- Reputable provider of open source software
- Available on many platforms
- Can be configured and built to only include the required modules
- Widely used Web server
- Can directly use the URL Firewall, as the mod_rewrite module can be configured with this server
- Certified with Oracle E-Business Suite in DMZ configuration
- Well known, well documented


Metalink Note Author's Choice

The author of the metalink note chose option 3 also because it:
- can be built in a minimum configuration
- supports HTTP/1.1 for better performance
- is well known, and the configuration steps described for the apache based reverse proxy will be useful when configuring any other reverse proxy


mod_rewrite/url firewall purpose

mod_rewrite and url firewall were mentioned a few slides prior.
- mod_rewrite is used for rewriting a URL at the server level, giving the user output for that final page. So, for example, a user may ask for http://www.somesite.com/widgets/blue/, but will really be given http://www.somesite.com/widgets.php?colour=blue by the server.
- A URL Firewall ensures only URLs required for the externally exposed functionality can be accessed from the internet.
- Optimally a URL Firewall would be deployed on the reverse proxy server.


Building the Reverse Proxy Server

- Download apache (2.0.59) from http://httpd.apache.org/
- Untar the downloaded TAR balls: tar xzf <gz filename>
- Check the tar ball: md5sum -c httpd-2.0.59.tar.gz.md5
- Configure Apache
  - Put the command mentioned below in a file named runc.sh
  - I modified the configure command example in the note so the parms were on 1 continuous line:
    ./configure -prefix /dmz \ <see note for 19 required parms>
  - The configure command will produce several pages of output to the screen


Building the Reverse Proxy Server

- Adjust the source of mod_proxy.c to ensure that mod_proxy does not proxy a request to the external web tier before the URL firewall based on mod_rewrite has a chance to reject it:
    ap_hook_translate_name(proxy_trans, aszSucc, NULL, APR_HOOK_FIRST);
  aszSucc is a NULL-terminated array of strings that name modules whose hooks should succeed this one
- cd $HOME/src/httpd-2.0.59 and execute: make
- The results of ./httpd -l will differ from the metalink note


Building the Reverse Proxy Server

This is the list received for version 2.0.59:
    core.c mod_access.c mod_auth.c mod_log_config.c mod_headers.c mod_setenvif.c mod_proxy.c proxy_connect.c proxy_ftp.c proxy_http.c mod_ssl.c prefork.c http_core.c mod_mime.c mod_dir.c mod_rewrite.c mod_so.c
These 2 additional modules are delivered with 2.0.59: proxy_connect.c and proxy_ftp.c. They are not shown in the list in appendix D of the metalink document.


Building the Reverse Proxy Server

- Install apache to /dmz:
    $ umask 022
    $ make install
- Install mod_security; note that mod_security.c doesn't exist, so mod_security2.c was used:
    /dmz/bin/apxs -cia mod_security2.c
- Since this is being done as non-root, the unix sysadmin must do port translation in the firewall and you must use a port other than 80 (modify httpd.conf and apachectl)


Building the Reverse Proxy Server

Sysadmin port translation setup example:
    User Access Verification
    Password:
    Type help or '?' for a list of available commands.
    pixfirewall> enable
    Password: **********
    pixfirewall# config t
    pixfirewall(config)# clear xlate interface outside global 123.45.67.89 netmask 255.255.255.255


Building the Reverse Proxy Server

Sysadmin port translation setup example…
    pixfirewall(config)# static (inside,outside) tcp 123.45.67.89 80 192.168.100.1 4480 netmask 255.255.255.255 0 0
    pixfirewall(config)# access-list outside_access_in line 6 permit tcp any host 123.45.67.89 eq 80
    pixfirewall(config)# access-group outside_access_in in interface outside
    pixfirewall(config)# exit
    pixfirewall# exit
    Logoff
    Connection closed by foreign host.


Building the Reverse Proxy Server

- Start the server using apachectl (w/o ssl): /dmz/bin/apachectl start
- Verify it is running on port 4480: netstat -lntp | sort -t: +1n
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 :::4480 :::* LISTEN 22797/httpd
- Login via: http://<hostname:port>/index.html.en


Building the Reverse Proxy Server

- Stop apache: /dmz/bin/apachectl stop
- Set up a self signed certificate for testing purposes – these steps may have changed with the new version:
    $ cd /dmz/conf
    $ umask 022
    $ mkdir ssl.key
    $ mkdir ssl.crt
    $ mkdir ssl.crl


Building the Reverse Proxy Server

Set up a self signed certificate for testing purposes…
    $ openssl req -new -x509 -days 30 -keyout ssl.key/server.key -out ssl.crt/server.crt -subj '/CN=Test-Only Certificate'
    Generating a 1024 bit RSA private key
    ............++++++
    ...........++++++
    writing new private key to 'ssl.key/server.key'
    Enter PEM pass phrase:
    Verifying - Enter PEM pass phrase:
    -----
    $ chmod 600 ssl.key/server.key # private key


Building the Reverse Proxy Server

- Start apache with ssl: /dmz/bin/apachectl start
- Verify it is running on port 4438: netstat -lntp | sort -t: +1n
    Active Internet connections (only servers)
    Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
    tcp 0 0 :::4483 :::* LISTEN 1654/httpd
    tcp 0 0 :::4480 :::* LISTEN 1654/httpd
- Also verify via browser, specifying http and https in your url



Building the Reverse Proxy Server

Configure the runtime settings in the configuration files:
- Configure Apache httpd (on port 4480)
- Configure mod_ssl and certificate (on port 4438)
- Configure mod_proxy (pass entire URL space to external webtier)
- Configure mod_security


Configuring the URL Firewall

cp $IAS_ORACLE_HOME/Apache/Apache/conf/url_fw.conf /dmz/conf
Edit /dmz/conf/url_fw.conf:
- Double check to ensure the STATIC, COMMON and LOCAL blocks are uncommented; did not Configure Initial Page
- UNCOMMENT POS (since this is for iSupplier):
    #================================================
    # Include URLs for product POS (iSupplier Portal)
    #================================================
    RewriteRule ^/OA_HTML/jsp/pos/suppreg/SupplierRegister\.jsp$ - [L]
    RewriteRule ^/OA_HTML/jsp/pos/registration/RegistrationReply\.jsp$ - [L]
    RewriteRule ^/OA_HTML/AppsChangePassword\.jsp$ - [L]


Configuring the URL Firewall

Edit /dmz/conf/url_fw.conf…
- Uncomment HELP:
    #==========================================
    # Include PLS Help -
    RewriteRule ^/OA_HTML/jsp/fnd/fndhelp\.jsp$ - [L]
    RewriteRule ^/pls/[^/]*/fnd_help.search$ - [L]
    RewriteRule ^/pls/[^/]*/fnd_help.Advanced_Search_Page$ - [L]
    RewriteRule ^/pls/[^/]*/fndgfm/fnd_help.get/(.*) - [L]
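As an added example (not from the presentation, the metalink note or Oracle's own url_fw.conf), the following Python models two things the slides explain: the URL firewall as an allow-list built from exactly the POS and HELP RewriteRule patterns shown above, and the hook-ordering problem behind the mod_proxy.c change, where a request proxied before mod_rewrite runs is never rejected. The final catch-all deny, the two-module hook model, the sample request paths and the "VIS" DAD name are assumptions, not taken from the slides.

```python
import re
from urllib.parse import urlsplit

# Allow-list patterns copied from the url_fw.conf fragments shown on the slides
# (the uncommented POS and HELP blocks). In Apache each line is
# "RewriteRule <pattern> - [L]": a match passes the URL through unchanged and
# stops rule processing. The patterns are kept exactly as shipped.
ALLOW_PATTERNS = [
    r"^/OA_HTML/jsp/pos/suppreg/SupplierRegister\.jsp$",
    r"^/OA_HTML/jsp/pos/registration/RegistrationReply\.jsp$",
    r"^/OA_HTML/AppsChangePassword\.jsp$",
    r"^/OA_HTML/jsp/fnd/fndhelp\.jsp$",
    r"^/pls/[^/]*/fnd_help.search$",                # '.' unescaped: matches any character
    r"^/pls/[^/]*/fnd_help.Advanced_Search_Page$",
    r"^/pls/[^/]*/fndgfm/fnd_help.get/(.*)",        # no '$': any suffix is accepted
]
_RULES = [re.compile(p) for p in ALLOW_PATTERNS]


def url_firewall(request_uri):
    """Return 'PASS' if the path matches an allow rule, otherwise 'FORBIDDEN'.

    As in Apache, RewriteRule sees only the path: the query string is not
    part of the match. FORBIDDEN assumes the file ends with the usual
    catch-all "RewriteRule .* - [F]" (assumption: not reproduced on the slides).
    """
    path = urlsplit(request_uri).path
    for rule in _RULES:
        if rule.search(path):
            return "PASS"
    return "FORBIDDEN"


def translate_name_phase(request_uri, module_order):
    """Model the translate_name hook chain for one request (simplified model).

    module_order lists modules in the order their translate_name hooks run.
    'mod_proxy' hands the request to the external web tier as soon as it runs
    (the slides pass the entire URL space through mod_proxy); 'mod_rewrite'
    applies the URL firewall. This is why the slides patch mod_proxy.c: with
    mod_proxy first, a URL the firewall would reject has already been proxied.
    """
    for module in module_order:
        if module == "mod_rewrite" and url_firewall(request_uri) == "FORBIDDEN":
            return "forbidden"   # 403 answered on the DMZ box; extweb never sees it
        if module == "mod_proxy":
            return "proxied"     # forwarded to extweb.mycompany.net:8015
    return "unhandled"


if __name__ == "__main__":
    # Constructed sample requests: two from the allow-list and one internal
    # page that is not in url_fw.conf (the path and the VIS DAD name are made up).
    samples = [
        "/OA_HTML/jsp/pos/suppreg/SupplierRegister.jsp",
        "/pls/VIS/fnd_help.search?lang=US",
        "/OA_HTML/jsp/fnd/internalOnly.jsp",
    ]
    for order in (["mod_proxy", "mod_rewrite"], ["mod_rewrite", "mod_proxy"]):
        for uri in samples:
            print(" -> ".join(order), uri, "=>", translate_name_phase(uri, order))
```

Run it to see the same internal page come back "proxied" under the unpatched order and "forbidden" once mod_rewrite runs first; the fnd_help.search rule also shows why an unescaped dot widens a rule more than intended.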


Creating the External Webtier

Create external webtier
- Clone internal middle tier to external web-tier box
- Enable only web portion by adjusting tier tags in context file ($APPL_TOP/admin/<context file>)
- Named extweb.mycompany.net

"Connect the dots" (rp proxy server, ext tier)
- Per DMZ doc, update hierarchy type
- Update node trust level
- Update list of responsibilities
- Update home page node to frame work


Adjusting Configuration Files

The metalink note provides downloads of 2 files with appropriate configuration settings. They have to be modified to reflect your paths: you will have to modify the files to reflect your host and domain names and the location for /dmz. Once you have modified the above two configuration files and copied them to /dmz/conf/ it is time to test the proxy.


Adjusting Configuration Files

The assumptions made while creating these config files are:
- the reverse proxy will be accessed via the hostname reversep.mycompany.net
- the E-Business Suite external webtier is called extweb.mycompany.net
- the server admin is [email protected]
- the apache proxy was configured and installed to /dmz


Environment Diagram

Placement of RP Server (diagram; only the labels are recoverable from the slide):
    client --(https 4438, http 4480)--> Reverse proxy + url firewall + mod security (reversep.mycompany.net) --(http 8015)--> 11i external web tier (extweb.mycompany.net) --(Sqlnet 1523)--> database


Updating the External Webtier Context File

Update the Oracle E-Business Suite Context File (non-ssl example)
Use OAM or modify the file $APPL_TOP/admin/<sid>_<hostname>.xml (make sure you back it up before modifying):
    <webentryhost oa_var="s_webentryhost">reversep</webentryhost>
    <webentrydomain oa_var="s_webentrydomain">mycompany.net</webentrydomain>
    <activewebport oa_var="s_active_webport" oa_type="PORT">4480</activewebport>
    <webentryurlprotocol oa_var="s_webentryurlprotocol">http</webentryurlprotocol>
    <login_page oa_var="s_login_page">http://reversep.mycompany.net:4480/oa_servlets/AppsLogin</login_page>
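The context file edit above, as an added example (not from the presentation, and not an Oracle tool such as OAM or AutoConfig): a Python helper that locates each element by its oa_var attribute, moves the web entry point to the reverse proxy values the earlier slides assume, derives s_login_page from the other four values instead of editing it by hand, backs the file up first as the slide insists, and checks that the five values agree. The sample fragment, its oa_context root tag and the internal 8015 login URL are constructed; the real file is $APPL_TOP/admin/<sid>_<hostname>.xml.

```python
import shutil
import xml.etree.ElementTree as ET

# Web entry values assumed on the configuration slides (non-SSL case).
WEBENTRY = {
    "s_webentryhost": "reversep",
    "s_webentrydomain": "mycompany.net",
    "s_active_webport": "4480",
    "s_webentryurlprotocol": "http",
}

# Constructed fragment in the shape of the context file, still pointing at the
# internal entry point (extweb and port 8015 come from the slides; the root tag
# and the 8015 login URL are made up for the example).
SAMPLE_CONTEXT = """<oa_context>
  <webentryhost oa_var="s_webentryhost">extweb</webentryhost>
  <webentrydomain oa_var="s_webentrydomain">mycompany.net</webentrydomain>
  <activewebport oa_var="s_active_webport" oa_type="PORT">8015</activewebport>
  <webentryurlprotocol oa_var="s_webentryurlprotocol">http</webentryurlprotocol>
  <login_page oa_var="s_login_page">http://extweb.mycompany.net:8015/oa_servlets/AppsLogin</login_page>
</oa_context>"""


def expected_login_page(values):
    """s_login_page as the slide forms it: protocol://host.domain:port/oa_servlets/AppsLogin."""
    return ("{s_webentryurlprotocol}://{s_webentryhost}.{s_webentrydomain}:"
            "{s_active_webport}/oa_servlets/AppsLogin").format(**values)


def read_oa_vars(xml_text):
    """Map every oa_var name in the context file to its text value."""
    root = ET.fromstring(xml_text)
    return {el.get("oa_var"): (el.text or "").strip()
            for el in root.iter() if el.get("oa_var")}


def retarget_webentry(xml_text, values):
    """Return the context file with the web entry point moved to the reverse proxy.

    Elements are found by oa_var, so tag names and other attributes such as
    oa_type="PORT" are untouched. s_login_page is derived from the other four
    values, which keeps the five in agreement.
    """
    root = ET.fromstring(xml_text)
    wanted = dict(values, s_login_page=expected_login_page(values))
    for el in root.iter():
        if el.get("oa_var") in wanted:
            el.text = wanted[el.get("oa_var")]
    return ET.tostring(root, encoding="unicode")


def login_page_consistent(xml_text):
    """True when s_login_page agrees with protocol, host, domain and port."""
    found = read_oa_vars(xml_text)
    if not all(key in found for key in WEBENTRY):
        return False
    return found.get("s_login_page") == expected_login_page(found)


def retarget_file(path, values):
    """Back up the context file to <path>.bak, rewrite it in place, report consistency."""
    shutil.copy2(path, path + ".bak")
    with open(path, encoding="utf-8") as fh:
        updated = retarget_webentry(fh.read(), values)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(updated)
    return login_page_consistent(updated)
```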


Updating All Webtier Context Files

Update the Oracle E-Business Suite Context File
- Run autoconfig on each applications middle tier

Additional SYSADMIN tasks
- Set profile POS: External URL to http://reversep.mycompany.net:4480
- Set profile POS: Internal URL to http://appserver.mycompany.net:4015
- Exec: $POS_TOP/patch/115/sql/pos_upg_usr.sql

See metalink note 308271.1 for additional options. Note that no additional patches are required if you are at release 11.5.10 or 11.5.10.2.


Conclusion

In summary, recall that a reverse proxy server is an intermediate server that sits between a client and the actual web server and makes requests to the web server on behalf of the client. The client is unaware of the presence of the reverse proxy.

The above provides additional security to that portion of 11i E-Business Suite that is internet facing.


Thank you!

James J. [email protected]

www.solutionbeacon.com

Real Solutions for the Real World.

Questions and Answers

Watch for our new book:

Installing, Upgrading and Maintaining Oracle

E-Business Suite Applications 11.5.10.2

It’s coming THIS YEAR!

Sign Up For the Solution Beacon Newsletter at

www.solutionbeacon.com

so you’ll be notified when it’s available!