Using Web proxies  Chapter 13: Security Configuration Tasks

Chapter 12: Deploying Applications Around Proxies and Firewalls

Using reverse proxies

Reverse proxies typically act as a gateway for incoming connections to an organization’s network servers, preventing direct connections from clients outside the firewall to servers inside the firewall. The reverse proxy can enhance security, by restricting protocols and logging connection activity. Reverse proxies may also act as caches to respond to common requests. In some cases, multiple reverse proxies may be deployed to cache results from one server, as a form of load balancing. Figure 12-2 shows how clients connect through a reverse proxy.

Figure 12-2: Connecting through a reverse proxy

Clients connect to EAServer through a reverse proxy as follows:

  1. The client connects to the reverse proxy, and sends each IIOP packet tunnelled inside an HTTP or HTTPS packet. The destination server address is encoded in the HTTP packet header as:

    GET /host/port/HIOP/1.0/...
    

    Where host is the target EAServer host name, and port is the target EAServer port number.

  2. The reverse proxy uses its URL mapping configuration (shown as a database in the figure) to determine the destination server address.

  3. The reverse proxy opens a connection to the destination server, or reuses an existing connection, and forwards the request to the server, then forwards the response to the client.


Reverse-proxy configuration

For use with EAServer, you must configure your reverse proxy server’s URL mapping table to recognize the EAServer addresses embedded in the HTTP requests sent by the client runtime. For each EAServer that clients can connect to through the server, configure a mapping for the following URL prefix:

GET /host/port/HIOP/1.0/

Where host is the target EAServer listener host name, and port is the target EAServer listener port number. For each EAServer that you deploy behind the reverse proxy, add a mapping for each IIOP, IIOPS, and Message Service listener address. If you deploy an EAServer cluster behind a reverse proxy, add mappings for each server in the cluster.


Properties that affect reverse proxy use

To connect through a reverse-proxy server, you can set the properties in Table 12-2. You must set these properties in addition to any properties that you would set to connect directly to EAServer.

Table 12-2: Properties that affect reverse proxy use

C++/ActiveX/ PowerBuilder property

CORBA property

EJB property

To indicate

ORBProxyHost or environment variable JAG_PROXYHOST

com.sybase.CORBA. ProxyHost

com.sybase.ejb. ProxyHost

Specifies the machine name or the IP address of the reverse-proxy server.

ORBProxyPort or environment variable JAG_PROXYPORT

com.sybase.CORBA. ProxyPort

com.sybase.ejb. ProxyPort

Specifies the port number of the reverse-proxy server, typically 80 for HTTP-tunnelled connections or 443 for SSL (HTTPS-tunnelled) connections.

ORBHttp or environment variable JAG_HTTP

com.sybase.CORBA. http

com.sybase.ejb. http

Set this property to true if the reverse-proxy server requires HTTP-tunneled connections. If you do not set this property, connections still go through, but only after the client ORB first tries to open an IIOP connection. Setting the property eliminates the overhead that is incurred by trying plain IIOP each time a connection is made.

ORBforceSSL or environment variable JAG_FORCESSL

com.sybase.CORBA. forceSSL

com.sybase.ejb. forceSSL

Set this property to true if the connection to the reverse proxy must use SSL (HTTPS) tunnelling, but the connection from the proxy to the EAServer does not use SSL tunnelling.

ORBqop or environment variable JAG_QOP

com.sybase.CORBA. qop

com.sybase.ejb. qop

In applications that connect to a proxy using SSL (HTTPS) tunnelling, set the Quality Of Protection (QOP) to a security characteristic that matches the one supported by the reverse-proxy server. See “Configuring security profiles” for more information. If the connection to the proxy server requires SSL, but the connection from the proxy does not, do not set the QOP; instead, set the forceSSL property to true.

Do not set QOP in Java applets that use SSL. Instead, code the applet to connect to a listener that supports the required security level. See “Using SSL in Java applets” for more information.

N/A.

com.sybase.CORBA. autoProxy

com.sybase.ejb. autoProxy

In Java applets, set this property to true to enable connections to a reverse-proxy server. You must also configure your applet to download through the reverse-proxy server itself. The default is false. This property is ignored if the client is not a Java applet, or has not initialized the Java ORB with the ORB.init method that takes an Applet parameter.

When automatic proxy is enabled, the ORB uses the applet’s download address as the reverse-proxy server address. If the port number is 443, SSL (HTTPS tunnelling) is used; otherwise, HTTP tunnelling is used.





Copyright © 2005. Sybase Inc. All rights reserved. Chapter 13: Security Configuration Tasks