2.2 Managing Reverse Proxies and Authentication

A reverse proxy acts as the front end to your Web servers on your Internet or intranet and off-loads frequent requests, thereby freeing up bandwidth. The proxy also increases security because the IP addresses of your Web servers are hidden from the Internet.

To create a reverse proxy, you must create at least one proxy service with a protected resource. You must supply a name for each of these components. Reverse proxy names and proxy service names must be unique to the Access Gateway because they are configured for global services such as IP addresses and TCP ports. For example, if you have a reverse proxy named products and another reverse proxy named library, only one of these reverse proxies can have a proxy service named corporate.

Protected resource names need to be unique to the proxy service, but they don’t need to be unique to the Access Gateway because they are always accessed through their proxy service. For example, if you have a proxy service named account and a proxy service named sales, they both can have a protected resource named public.

The first reverse proxy and proxy service you create are automatically assigned to be the authenticating proxy.

  1. In the Administration Console, click Devices > Access Gateways > Edit

    The Edit link is either for a single Access Gateway or for a cluster of Access Gateways.

  2. Click Reverse Proxy / Authentication.

  3. Configure the authentication settings:

    Identity Server Cluster: Specifies the Identity Server you want the Access Gateway to trust for authentication. Select the configuration you have assigned to the Identity Server.

    Whenever an Identity Server is assigned to a new trust relationship, the Identity Server needs to be updated. This process is explained following the step that saves this configuration setting (see Step 5 and Step 6).

  4. (Conditional) If you have already created at least one reverse proxy, you can view the Embedded Service Provider options and configure some of them:

    Reverse Proxy: Specifies which proxy service is used for authentication. If you have configured only one proxy service, only one appears in the list and it is selected. If you change the reverse proxy that is used for authentication, certificates must be updated to match this new configuration. For more information on this process, see Section 6.3.2, Changing the Authentication Proxy Service.

    Metadata URL: Displays the location of the metadata.

    Health-Check URL: Displays the location of the health check.

    Logout URL: Displays the URL that you need to use for logging users out of protected resources. This value is empty until you have created at least one reverse proxy and it has been assigned to be used for authentication. If you create two or more reverse proxies, you can select which one is used for authentication, and the logout URL changes to match the assigned reverse proxy.

    If any of your protected resources have a logout page or button, you need to redirect the user’s logout request to the page specified by this URL. The Access Gateway can then clear the user’s session and log the user out of any other resources that have been enabled for single sign-on. If you do not redirect the user’s logout request, the user is logged out of one resource, but the user’s session remains active until inactivity closes the session. If the user accesses the resource again before the session is closed, single sign-on reauthenticates the user to the resource, and it appears that the logout did nothing.

    Auto-Import Identity Server Configuration Trusted Root: Allows you to import the public key from the Identity Server cluster into the trust store of the Embedded Service Provider. This sets up a trusted SSL relationship between the Embedded Service Provider and the Identity Server. This option is not available until you have selected an Identity Server Cluster and have configured the use of SSL on the Embedded Service Provider of the reverse proxy that is performing authentication (see the Enable SSL with Embedded Service Provider option on the Reverse Proxy page).

    If the Identity Server cluster is using a certificate created by the Novell Access Manager certificate authority (CA), the public key is automatically added to this trust store, so you do not need to use this option. If the Identity Server cluster is using a certificate created by an external CA, you need to use this option to import the public key into the trust store.

  5. (Optional) Configure the proxy settings:

    Behind Third Party SSL Terminator: Enable this option if you have installed an SSL terminator between the users and the Access Gateway. This allows the terminator to handle the SSL traffic between the browsers and the terminator. The terminator and the Access Gateway can use HTTP for their communication. For some configuration tips, see Using an SSL Terminator in the Novell Access Manager 3.1 SP5 Setup Guide.

    Enable Via Header: Enables the sending of the Via header to the Web server. The Via header contains the DNS name of the Access Gateway and a device ID. It has the following format:

    Via: 1.0 www.mylag.com (Access Gateway 3.1.1-72-D06FBFA8CF21AF45)

    Deselect this option when your Web server does not need this information or does not know what to do with it.

  6. (Optional) Configure the cookie settings:

    For more information and other options for securing Access Manager cookies, see Section 1.5, Enabling Secure Cookies.

    Enable Secure Cookies: Configures the Access Gateway to set the secure keyword for the proxy authentication cookie. This provides some additional security for the cookie stored in the browser and allows the browser to destroy the cookie when the SSL session closes.

    If you have enabled the Behind Third Party SSL Terminator option, enabling this option sets the secure keyword on HTTP requests.

    WARNING:Do not enable the Enable Secure Cookies option if you have both HTTP and HTTPS reverse proxies. The HTTP services become unavailable because authentication requests to the non-secure services fail.

    Force HTTP-Only Cookie: Forces the Access Gateway to set the HttpOnly keyword, which prevent scripts from accessing the cookie. This helps protect browsers from cross-site scripting vulnerabilities that allow malicious sites to grab cookies from a vulnerable site. The goal of such attacks might be to perform session fixation or to impersonate the valid user.

    IMPORTANT:The HttpOnly keyword can prevent applets from loading and can interfere with JavaScript. Do not enable this option if you are using the traditional SSL VPN server (which is configured as a protected resource of the Access Gateway) or if you have the Access Gateway protecting applications that download applets or use JavaScript.

  7. To create a proxy service, continue with Section 2.2.1, Creating a Proxy Service.

2.2.1 Creating a Proxy Service

  1. In the Administration Console, click Devices > Access Gateways > Edit > Reverse Proxy / Authentication.

  2. In the Reverse Proxy List, click New, specify a display name for the reverse proxy, then click OK.

    Configuring a reverse proxy
  3. Enable a listening address. Fill in the following fields:

    Cluster Member: (Available only if the Access Gateway is a member of a cluster.) Select the server you want to configure from the list of servers. The Listening Address(es) and TCP Listen Options modifications apply to the selected server. Modifications made to any other options on the page apply to all servers in the cluster.

    Listening Address(es): Displays a list of available IP addresses. If the server has only one IP address, only one is displayed and it is automatically selected. If the server has multiple addresses, you can select one or more IP addresses to enable. You must enable at least one address by selecting its check box.

    If the Access Gateway is in a cluster, you must select a listening address for each cluster member.

    TCP Listen Options: Provides options for configuring how requests are handled between the reverse proxy and the client browsers. You cannot set up the listening options until you create and configure a proxy service. For information about these options, see Section 2.7.1, Configuring TCP Listen Options for Clients.

  4. Configure the listening ports:

    Non-Secure Port: Specifies the port on which to listen for HTTP requests; the default port for HTTP is 80. Depending upon your configuration, this port might also handle other tasks. These tasks are listed to the right of the text box.

    Secure Port: Specifies the port on which to listen for HTTPS requests; the default port for HTTPS is 443.

    For information about the SSL options, see Section 1.0, Configuring the Access Gateway for SSL and Other Security Features.

  5. In the Proxy Service List section, click New.

    The first proxy service of a reverse proxy is considered the master (or parent) proxy. Subsequent proxy services can use domain-based, path-based, or virtual multi-homing, relative to the published DNS name of the master proxy service. If you are creating a second proxy service for a reverse proxy, see Section 6.2, Using Multi-Homing to Access Multiple Resources.

  6. Fill in the fields:

    Proxy Service Name: Specify a display name for the proxy service, which the Administration Console uses for its interfaces.

    Published DNS Name: Specify the DNS name you want the public to use to access your site. This DNS name must resolve to the IP address you set up as the listening address.

    Web Server IP Address: Specify the IP address of the Web server you want this proxy service to manage. You can specify additional Web server IP addresses by clicking the Web Server Addresses link when you have finished creating the proxy service.

    Host Header: Specify whether the HTTP header should contain the name of the back-end Web server (Web Server Host Name option) or whether the HTTP header should contain the published DNS name (the Forward Received Host Name option).

    Web Server Host Name: Specify the DNS name of the Web server that the Access Gateway should forward to the Web server. If you have set up a DNS name for the Web server and it requires its DNS name in the HTTP header, specify that name in this field. If the Web server has absolute links referencing its DNS name, include this name in this field. If you selected Forward Received Host Name, this option is not available.

    NOTE:For iChain administrators, the Web Server Host Name is the alternate hostname when configuring a Web Server Accelerator.

  7. Click OK.

  8. Continue with Section 2.2.2, Configuring a Proxy Service or select one of the following tasks:

2.2.2 Configuring a Proxy Service

A reverse proxy can have multiple proxy services, and each proxy service can protect multiple resources. You can modify the following features of the proxy service:

  • Web servers

  • HTML rewriting

  • Logging

  • Protected resources

  • Caching

  1. To configure a proxy service, click Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service].

    Configuring a proxy service
  2. Fill in the following fields:

    Published DNS Name: Displays the value that users are currently using to access this proxy service. This DNS name must resolve to the IP address you set up as a listening address on the Access Gateway. You should modify this field only if you have modified the DNS name you want users to use to access this resource.

    This name determines the possible values of the Cookie Domain.

    Description: (Optional). Provides a field where you can describe the purpose of this proxy service or specify any other pertinent information.

    Cookie Domain: Specifies the domain for which the cookie is valid.

    If one proxy service has a DNS name of www.support.novell.com and the second proxy service has a DNS name of www.developernet.novell.com, the cookie domains are support.novell.com for the first proxy service and developernet.novell.com for the second proxy service. You can configure them to share the same cookie domain by selecting novell.com for each proxy service. Single sign-on between the proxy services is simplified when the proxy services share the same cookie domain.

    HTTP Options: Allows you to set up custom caching options for this proxy service. See the following:

    Advanced Options: (Access Gateway Service) Specifies how the proxy service handles specific conditions, such as Web server error pages. If similar options are configured globally, the proxy service configuration overwrites the global setting. For configuration information on the proxy service options, see Section 2.2.3, Configuring Advanced Options for a Domain-Based Proxy Service.

  3. Click OK to save your changes to browser cache.

  4. Click Devices > Access Gateways.

  5. To apply your changes, click Update > OK.

    Until this step, nothing has been permanently saved or applied. The Update status pushes the configuration to the server and writes the configuration to the configuration data store. When the update has completed successfully, the server returns the status of Current.

    To save the changes to the configuration store without applying them, do not click Update. Instead, click Edit. On the Configuration page, click OK. The OK button on this pages saves the cached changes to the configuration store. The changes are not applied until you click Update on the Access Gateways page.

  6. Update the Identity Server to accept the new trusted relationship. Click Identity Servers > Update.

  7. Continue with one of the following.

2.2.3 Configuring Advanced Options for a Domain-Based Proxy Service

The following advanced options are available only for a domain-based proxy service of an Access Gateway Service. For a path-based proxy service, see Section 6.2.6, Configuring Advanced Options for Path-Based Multi-Homing.

  1. In the Administration Console, click Access Gateways > Edit > [Name of Reverse Proxy] > [Name of Proxy Service] > Advanced Options.

  2. To activate these options, remove the # symbol, configure the value, save your changes, then update the Access Gateway Service.

    #FlushUserCache=on: Specifies whether cached credential data of the user is updated when the session expires or the user changes an expiring password.

    • When this option is on, which is the default setting, the credentials and the Identity Injection data are refreshed.

    • When this option is turned off, the cached user data can become stale.

      For example, if your password management service is a protected resource of the Access Gateway and this option is turned off, every time a user changes an expiring password, the user’s data is not flushed and the Access Gateway continues to use stale data for that user.

    #SSLProxyVerifyDepth=3: Specifies how many certificates are in a Web server certificate chain. When you activate the verification of the Web server certificate with the Any in Reverse Proxy Trust Store and the public certificate is part of a chain, you need to specify the number of certificates that are in the certificate chain. For more information on configuring Web servers for SSL, see Section 1.4, Configuring SSL between the Proxy Service and the Web Servers.

    • The default search level that is when the attribute SSLProxyVerifyDepth is commented to1, if the number of certificates in the Web server certificate chain is greater than 1, then the SSLProxyVerifyDepth option should be enabled and should be assigned to the respective value (equal to the numberof certificates in the chain).

    #ProxyErrorOverride: Allows you to specify which errors you want returned to the browser unchanged by the Gateway Service. The default behavior of the Gateway Service is to replace Web server errors with Gateway Service errors.

    However, some applications put more information, such as keys and JavaScript in the message. If this information is critical, specify an override and allow the error message to be returned to the browser without any modifications.

    For example, NetStorage requires an override for the 401 error because it includes a key in the 401 error. The portal page for the Novell Open Enterprise Server requires an override for error 403 because it includes JavaScript.

    You can use the following syntax to set this option:



    ProxyErrorOverride on -401 -403

    Allows all errors to be changed to Gateway Service errors except errors 401 and 403, which are sent unchanged.

    This syntax allows you to list the few errors you want to forward without change while allowing all the others to be changed to Gateway Service errors.

    NOTE:This option is applicable only for Multiple Access Gateway and not for the Linux Access Gateway Appliance.

    ProxyErrorOverride off +401 +403

    Disables the changing of Web server errors to Gateway Service errors except for errors 401 and 403, which are changed to Gateway Service errors.

    Use this option when you have only a few errors that you want changed to Gateway Service errors.

    NOTE:This option is applicable only for Multiple Access Gateway and not for the Linux Access Gateway Appliance.

    NOTE:Enable the error codes 401 and 403 for override if you are using Identity Manager 4.0 with Role Mapping Administrator.

    CacheIgnoreHeaders: Prevents the Access Gateway from writing any Authorization headers to disk. This option is enabled by default, because writing Authorization headers to disk is a potential security risk. You can allow Authorization headers to be written to disk by placing a pound (#) symbol in front of the option or by setting it to None. For more information about this Apache option, see “CacheIgnoreHeaders Directive”.

    NAGErrorOnDNSMismatch: If SSL is not enabled in reverse proxy, an error message stating Host Name Does Not Match is displayed.

    NAGErrorOnIPMismatch: You will see this error when the incoming user's ip address is changed during the course of the user's session. This is to avoid session hijacking.

    NAGFilteroutUrlForAudit: You can add this option to proxy path service that filters out specific URLs from auditing (URL Accessed). For example, NAGFilteroutUrlForAudit ".*.jpg", and NAGFilteroutUrlForAudit ".*.gif".

  3. To disable an option, add the # symbol in front of the option, save your changes, then update the Access Gateway Service.