Configuring tomcat server to forward requests to other web server - security

I have one WebApp in a JBoss server on port 9944. I need one security layer above this layer, which accepts the request and then internally forwards (not redirects) the request to that JBoss server without any change in the URL on the client side. So I need a proxy kind of layer above my WebApp layer.
I need this for security reasons.
So any request that comes from the browser will first hit that proxy layer, which will then internally forward the request to my JBoss WebApp instance without any change in the browser address bar.
Any idea how I can proceed?

If the proxy is in the same web application then you can use RequestDispatcher.forward() in the Servlet API.
If the proxy is in a separate web application then you'll need to open an HTTP connection to the primary application and make the request. There are a bunch of different ways to do this, including Apache HTTPClient, Spring RestTemplate, Jersey Client, etc.

HTTP-Proxy-Servlet does what you need.
Please see Forward a servlet request to another server for details.
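
The "separate web application" case from the answers above, as an added example that is not part of the original posts: a servlet that opens its own HTTP connection to the backend, so the browser URL never changes. It assumes Java 11+ and the javax.servlet API; the class name, the backend address 127.0.0.1:9944 and deployment at the root context are assumptions.

```java
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.util.Collections;
import java.util.Locale;
import java.util.Set;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical proxy servlet, mapped to /* in a web app deployed at the root context.
public class ForwardingServlet extends HttpServlet {
    // Assumed backend address; fixed here so the client never chooses the target host.
    private static final String BACKEND = "http://127.0.0.1:9944";
    // Hop-by-hop headers, headers the HTTP client sets itself, and any
    // client-supplied X-Forwarded-For (replaced with the socket address below).
    private static final Set<String> SKIP = Set.of("connection", "keep-alive",
            "proxy-authenticate", "proxy-authorization", "te", "trailer", "transfer-encoding",
            "upgrade", "host", "content-length", "expect", "x-forwarded-for");
    private final HttpClient client = HttpClient.newBuilder()
            .version(HttpClient.Version.HTTP_1_1).build(); // redirects are not followed by default

    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp) throws IOException {
        String query = req.getQueryString();
        URI target = URI.create(BACKEND + req.getRequestURI() + (query == null ? "" : "?" + query));
        HttpRequest.Builder out = HttpRequest.newBuilder(target).method(req.getMethod(),
                HttpRequest.BodyPublishers.ofByteArray(req.getInputStream().readAllBytes()));
        for (String name : Collections.list(req.getHeaderNames())) {
            if (SKIP.contains(name.toLowerCase(Locale.ROOT))) continue;
            for (String value : Collections.list(req.getHeaders(name))) {
                try { out.header(name, value); }
                catch (IllegalArgumentException restricted) { /* header the client refuses: drop */ }
            }
        }
        out.header("X-Forwarded-For", req.getRemoteAddr()); // real client address for the backend
        try {
            HttpResponse<byte[]> in = client.send(out.build(), HttpResponse.BodyHandlers.ofByteArray());
            resp.setStatus(in.statusCode());
            in.headers().map().forEach((name, values) -> {
                if (!SKIP.contains(name.toLowerCase(Locale.ROOT))) values.forEach(v -> resp.addHeader(name, v));
            });
            resp.getOutputStream().write(in.body());
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            resp.sendError(HttpServletResponse.SC_BAD_GATEWAY);
        }
    }
}
```

The layer only adds security if the backend port is reachable from the proxy host alone, for example by binding JBoss to the loopback interface or firewalling port 9944.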

Related

How to use nginx 3rd party module when proxying connections to application servers

I developed an Nginx 3rd party dynamic module and did the required configuration in nginx.conf. I'm able to run that module and see it doing processing. This module reads the request header, cookies etc., does some business logic execution and modifies the response header, then sends the response back to the client.
Problem -: "How to use nginx module when proxying connections to application servers"
I'm using Nginx as the proxy server and Tomcat or Node as the application server, and my application is hosted on the app server. I'm able to route the request through both the web & app server and get the response back, but the module isn't getting invoked. I'm not sure how to link/configure it so that I'm able to intercept the request and modify the response header as per need.
Flow -: Browser <-> Web Server (module sits here) <-> Application Server
Has anybody explored this part? If yes then please help.

How to configure liferay to get correct ip address of user?

The password reset mail is currently sending the private IP. I want the
$REMOTE_ADDRESS$ variable of Liferay below to be set to the public IP in the password reset notification.
Internally Liferay uses request.getRemoteAddr(). How should I configure Liferay so that request.getRemoteAddr() gives the correct IP address?

I'm assuming that you're using mod_proxy_http to forward requests from your Apache httpd to Tomcat (or whatever appserver you use). This means that there's a separate HTTP request, originating from your webserver. I'm assuming that this is the address that you see, no matter what request you handle.
One way to tackle this is to use AJP as the forwarding protocol, instead of HTTP. You can do this by utilizing mod_proxy_ajp or mod_jk. This means that you can't encrypt the traffic between your web- and application server, however, it handles the remote host and other issues by default.
There might be other options, e.g. experimenting with adding the header X-Forwarded-For. I personally prefer AJP over HTTP as the forwarding protocol, that's why I never bothered to try the alternatives.
Basically, this does not involve Liferay at all: The remote host gets lost on the connection from Apache httpd to your appserver. Liferay just retrieves what the appserver tells it about the request.
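
For the X-Forwarded-For alternative mentioned in the answer above, an added example (not from the original posts) of how the application side can recover the client address without trusting a header that any client can forge. The class name and the proxy addresses are constructed assumptions.

```java
import java.util.Set;

// Hypothetical helper: pick the client address the application should log or mail out.
public final class ClientAddress {
    // Assumption: constructed addresses of the reverse proxies in front of the app server.
    static final Set<String> TRUSTED_PROXIES = Set.of("10.0.0.5", "10.0.0.6");

    // remoteAddr is what request.getRemoteAddr() returned; xff is the raw
    // X-Forwarded-For header value, or null when the header is absent.
    static String resolve(String remoteAddr, String xff) {
        // A peer that is not one of our proxies can put anything in the header: ignore it.
        if (xff == null || !TRUSTED_PROXIES.contains(remoteAddr)) {
            return remoteAddr;
        }
        String[] hops = xff.split(",");
        // Each proxy appends the address it saw, so walk from the right and
        // stop at the first hop that is not one of our own proxies.
        for (int i = hops.length - 1; i >= 0; i--) {
            String hop = hops[i].trim();
            if (!hop.isEmpty() && !TRUSTED_PROXIES.contains(hop)) {
                return hop;
            }
        }
        return remoteAddr;
    }

    public static void main(String[] args) {
        // Constructed inputs.
        // Request relayed by one trusted proxy.
        System.out.println(resolve("10.0.0.5", "203.0.113.7"));
        // Client forged a leading entry; two trusted proxies appended what they saw.
        System.out.println(resolve("10.0.0.5", "192.0.2.1, 203.0.113.7, 10.0.0.6"));
        // Request did not arrive through a trusted proxy, so the header is ignored.
        System.out.println(resolve("198.51.100.9", "127.0.0.1"));
    }
}
```

On Tomcat the same right-to-left logic is available as configuration through org.apache.catalina.valves.RemoteIpValve, which makes request.getRemoteAddr() itself return the resolved address.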

How to setup forward proxy on Windows server for outgoing HTTP and HTTPS requests?

I have a Windows Server 2012 VPS running a web app behind Cloudflare. The app needs to initiate outbound connections based on user actions (e.g. upload image from URL). The problem is that this 'leaks' my server's IP address and increases the risk of DDoS attacks.
So I would like to prevent my server's IP from being discovered by setting up a forward proxy. So far my research has shown that this is no simple task, and would involve setting up another VPS to act as a proxy.
Does this extra forward proxy VPS have to be running Windows? Are there any paid services that could act as a forward proxy for my server (like Cloudflare's reverse proxy system)?
Also, it seems that the suggested IIS forward proxy plugin, Application Request Routing, does not work for HTTPS.
Is there a solution for both types of outgoing (HTTPS + HTTP) requests?
I'm really lost here, so any help or suggestions would be appreciated.

You are correct in needing a "Forward Proxy". A good analogy for this is the proxy settings your browser has for outbound requests. In your case, the web application behaves like a desktop browser and can be configured to make the resource request through a proxy.
Often you can control this for individual requests at the application layer. An example of doing so with C#: C# Connecting Through Proxy
As far as the actual proxy server: No, it does not need to run Windows or IIS. Yes, you can use a proxy service. The vast majority of proxy services are targeted towards consumers and are used for personal privacy or to get around network restrictions. As such, I have no direct recommendations.
Cloudflare actually has recommendations regarding this: https://blog.cloudflare.com/ddos-prevention-protecting-the-origin/.
Features like "upload from URL" that allow the user to upload a photo from a given URL should be configured so that the server doing the download is not the website origin server.
This may be a more comfortable risk mitigator, as it wouldn't depend on a third party proxy service. A request for upload could be handled as a web service call to a dedicated "file downloader" server. Keep in mind that if you have a queued process for another server to do the work, and that server is hosted in the same infrastructure, both might be impacted by a DDoS, depending on the type of DDoS.
Your question implies that you may be comfortable using a non-Windows server. Many software packages exist that can operate as a proxy (most web servers), but suffer from the same problem as ARR - lack of support for the HTTP "CONNECT" verb, which is used by modern browsers to start an HTTPS connection before issuing a "GET". SQUID is very popular, open source, and supports everything to connect to.. anything. It's not trivial to set up. Apache also has support for this in "mod_proxy_connect", but I have no experience in that and the online documentation isn't very robust. It's Apache, though, so it may be worth the extra investigation.

Are these IBM XPages requests valid HTTP requests?

My errors are becoming more and more ridiculous every minute. I now have the ultimate problem with my reverse proxy.
An IIS8 reverse proxy should send all requests coming for
(.*)\.nsf(.*)
(.*)\.ibmxspres(.*)
to the IBM Domino http server - which it does, at least for basic requests that every third-grader deems valid.
But now, guess what happens when I open the following "URL" (a) on the IBM Domino HTTP directly and (b) via IIS8 Reverse proxy:
http://www.mydomain.com/xsp/.ibmxspres/.mini/css/2Ojcore.css&2Ojdojo.css&2OldefaultTheme.css&2OldojoTheme.css&#Da&#Ib&#Th&#Ti&2TgxspSF.css&Wdojoroot/dojo/resources/dojo.css&Wdojoroot/dojox/grid/enhanced/resources/claro/EnhancedGrid.css&Wdojoroot/dojox/grid/enhanced/resources/tundra/EnhancedGrid.css&Wdojoroot/dojox/grid/enhanced/resources/EnhancedGrid_rtl.css&Wdojoroot/dojox/grid/resources/tundraGrid.css&Wdojoroot/dojox/grid/resources/claroGrid.css&Wdojoroot/dojox/grid/resources/Grid.css.css
Is this a URL that every HTTP server should be able to handle?
If yes, why isn't IIS routing them through, although they match the rule?
If no, why is IBM using such non-standard HTTP requests, and can I change this behaviour somewhere?

when and why to have a HTTP server along with websphere application server?

Applications deployed on WebSphere application server can be accessed by the user through the HTTP URL and the context root for that particular application. Then when and why do people use an Apache / IBM HTTP server in between the user and WebSphere application server?
If an HTTP server is used in between the user and WebSphere application server, how does the URL redirection happen?

The benefits to using IBM HTTP Server are primarily performance and security. This developerWorks answer is the best I've seen in response to the same question.
Summary:
IBM HTTP Server (IHS) Plugin manages access to WAS defined contexts
IHS Plugin can manage loadbalancing over WAS servers
IHS manages A LOT better HTTP traffic
IHS can handle static content withdrawing load from WAS
IHS can handle RewriteRules, VirtualHosts, Authentication and much more!
