Apache Configuration for
J2EE Web Applications
About this document
This document explains and describes how to set up the Apache Web server for use with the SAP J2EE Engine. This example is based on a Red Hat Linux installation and is transferable to all other operating systems.
It will give you instructions how to configure the Apache with Proxy Mode
The backend used in the tests was a SAP J2EE Server running Enterprise Portal 6.0.
Recommended Landscape
In general the Apache Webserver should be located in the DMZ. The SAP J2EE Server itself is located in the Intranet (2.1) or in the DMZ-2 (2.2), which can be protected by an additional firewall. Further scaling-option like introducing a separate persistence-server can be done independently from the Apache Webserver.
Requirements
Software
First of all you need the software, which implements the Reverse Proxy functionality. In the scenario described in this documentation we have chosen the Apache Web-Server, which is first of all a Web-Server, but also offers the REVERSE-PROXY functionality.
In the scenario we want to set up, the Apache Web-Server has no other duty than forwarding the request from the client to the SAP J2EE Server and of course forwarding the response from the SAP J2EE Server to the client. The main advantage is, that the client doesn’t know anything about the translations and forwarding–mechanisms at all and the actual SAP J2EE Server is not exposed to the client directly.
The Apache-Web-Server is available on several platforms:
- • Windows 2000
- • Unix / Linux
- • Free BSD
- • and more (see http://httpd.apache.org for more information)
We assume, that if the Reverse Proxy is installed under Unix/Linux a higher security -level can be reached, because an attack would first be blocked by an Unix/Linux-environment and only those, who passed this hurdle can then try to attack the Windows 2000/IIS-based Internet Sales-Installation. At least the Knowledge of two operating Systems are necessary then.
Hardware
The Reverse Proxy should be installed on a separate physical machine. The one and only issue of the box is to run the Apache-Web-Server including the Reverse Proxy functionality. The Apache Web-server can also be used as a Web-server for your Catalog images.
Normally the requirements for this are not too high, but especially when SSL has to be enabled, the server needs more processor-power. Every single request has to be encrypted from the R everse Proxy, then the encrypted request has to be processed by the Reverse Proxy. After that, the new request has to be decrypted again and forwarded to the SAP J2EE Server. We can’t specify that more explicitly, for example by presenting concrete figures in this paper.
Recommended Apache Versions
In order to ensure proper stability using the described configurations we recommend the following Apache versions.
Apache 1.3 Use at least version 1.3.19. We recommend using version 1.3.27
Apache 2.0 Use at least version 2.0.40. We recommend using version 2.0.48
Apache Configuration using Reverse Proxy
What is a reverse proxy?
A reverse proxy (also called Proxy Gateway) is used to separate your local web from the outside world (Internet).
Placing a reverse proxy in the DMZ protects the SAP J2EE Server from malicious attacks as it provides an additional barrier in front of the SAP J2EE Server. As the proxy gateway does not contain any sensitive information, it has less exposure risk than the actual Web server.
Another advantage of this landscape is that no ports have to be opened beyond the inner firewall. All Java-based Application components are in the secured network and a proxy gateway can add a n-other security layer to the SAP J2EE Server.
Picture 1: Reverse Proxy Scenario
Reverse-Proxy settings
Perform these steps to configure the Reverse Proxy:
Stop the Apache Web-server
Open the configuration file “httpd.conf” from the Apache directory with an editor and apply the following changes:
Search for #LoadModule proxy_module modules/mod_proxy.so and remove the comment sign (#) at the beginning of the line.
Search for #AddModule mod_proxy.c and remove the comment sign (#) at the beginning of the line.
Note: if you don’t see these modules then you have to load these modules
Enabling Apache Proxy Modules
Those directly concerned with proxying include:
- mod_proxy: The core module deals with proxy infrastructure and configuration and managing a proxy request.
- mod_proxy_http: This handles fetching documents with HTTP and HTTPS.
- mod_proxy_ftp: This handles fetching documents with FTP.
- mod_proxy_connect: This handles the CONNECT method for secure (SSL) tunneling.
- mod_headers: This modifies HTTP request and response headers.
Building Apache for Proxying
The above are all included in the core Apache distribution. They can easily be enabled in the Apache build process. For example:
$ ./configure --enable-so --enable-mods-shared="proxy \
proxy_http proxy_ftp proxy_connect headers"
$ make
# make install
Of course, you may want other build options too, and you could just as well build the modules as static. If you are adding proxying to an existing installation, you should use apxs instead:
# apxs -c -i [module-name].c
noting that mod_proxy itself is in two source files
(mod_proxy.c and proxy_util.c).
Edit the httpd.conf. The VirtualHost section should be configured as follows:
For a non-SSL connection add the following lines to the end of the configuration file:
<VirtualHost 10.10.10.10:80>
ProxyPreserveHost On
ProxyPass /irj/ http://<your hostname>:50000/irj/
ProxyPassReverse /irj/ http://<your hostname>:50000/irj/
ErrorLog logs/<your hostname>.80.error.log
CustomLog logs/<your hostname>.80.custom.log common
</VirtualHost>
Restart Apache server Using apachectl start
|
