Apache Http Server Reverse Proxy

Posted on  by admin
  1. Apache Proxy Server
  2. Apache Http Server Reverse Proxy Example
  3. Apache Http Server Reverse Proxy Lookup
  4. Apache Http Server Windows

This section contains examples of how the Apache Web Server (version 2.2.20) can be used as a proxy in front of SignServer. The guide is only informative, please consult the current Apache documentation for the modules used.

Apache HTTP Server as Reverse Proxy Apache HTTP Server as Reverse Proxy This section contains examples of how the Apache Web Server (version 2.2.20) can be used as a proxy in front of SignServer. The guide is only informative, please consult the current Apache documentation for the modules used. Configure Apache Web Server for Websockets using Reverse Proxy This article provides basic steps to configure Apache Web Server to work with Websockets. We recently created a Spring based web application that uses web sockets for live streaming of data from the Tomcat 8.x server. This is essential when Apache is used as a reverse proxy to avoid by-passing the reverse proxy because of HTTP redirects on the backend servers which stay behind the reverse proxy. Path is the name of a local virtual path. Url is a partial URL for the remote server - the same way they are used for the ProxyPass directive. After these changes are made to the virtual hosts file, run the apache configuration test to ensure syntax is correct. 4 - Restart the Apache web server. Restart the Apache web server to put the changes into place. For information on how to set up a reverse proxy on AWS (Amazon Web Services), see this article.


The proxy can for example be used to:

Apache Proxy Server

  • Use standard ports (80, 443) instead of unprivileged ports used by the application server.
  • Make workers accessible through more nice looking URLs. For example, 'http://tsa.example.com' instead of 'http://example.com:8080/signserver/tsa?workerName=TimeStampSigner1'.
  • Usie any of the access control and authentication mechanism available in Apache.
  • Redirect HTTP traffic to HTTPS.
  • Only accept requests to specified locations.

Since the requests should go through the proxy, it is recommended to configure the application server to only listen to localhost, and/or use a firewall blocking the application server ports from external requests. To configure JBoss to only listen to localhost, set the following properties in signserver_deploy.properties:

Install the Apache web server and enable required modules (the following commands are for Ubuntu but should be similar in other distributions as well):

Example: Rewrite URLs for TSA (using mod_proxy and mod_rewrite)

The following sample configuration allows rendering nice URLs for time-stamping so that you can point your TSA clients to http://tsa.example.com/ instead of http://tsa.example.com:8080/signserver/process?workerName=TimeStampSigner1.

This configuration combines mod_proxy with mod_rewrite to enable setting the workerName or workerId, allowing different TSAs available on different URLs.

Example: Rewrite URLs and redirect to HTTPS (using AJP)

The following example configures three virtual hosts.

The first signserver.example.com:80 redirects all requests to use HTTPS and thus the virtual host signserver.example.com:443.

Netscape enterprise server

The second virtual host is configured to proxy requests to the /signserver path on the application server using the AJP protocol. It is also configured to use HTTPS with a server certificate.

The last virtual hosts auth.signserver.example.com using an additional IP address is configured to require client certificate authentication.

Some application servers (for example, JBoss 4) might have problems writing the correct port number in the endpoint URL in the web services WSDL file when using a proxy (that is, writing 8443 instead of 443).

Example: Granting access to specific workers only

This example shows how to limit access to specified resources only.

If you are going to grant different users access to different workers, always remember to first deny access from the root location since there are other ways to access a worker than the '/worker/*' or '/sodworker/*' pattern. For instance, /process, /tsa, /pdf and /sod etc, as well as using the web services interfaces /signserverws, /SignServerWSService, /validationws, /ValidationWSService, and /ClientWSService, all can be used to invoke any worker.


Apache Http Server Reverse Proxy Example

If you instead relay on SignServer to do the authentication/authorization, it is recommended to only grant access to the locations you intend to use. In that case you will probably want to also give access to the web services interfaces, /worker and /process etc.

Also remember that if you are proxying from multiple virtual hosts (for example, if you have one with and one without client authentication as in the example above), you might want to add the access restrictions to all of them.

Additional Configuration

Custom Private HTTPS port

For example, if a reverse proxy is used to change the ports used by SignServer, the links in the Administration Web interface might not be correct (for example, if the standard port 443 is used instead of 8443). In that case, configure the following in conf/signserver_deploy.properties:

Apache httpd reverse proxy

Apache Http Server Reverse Proxy Lookup

Custom Context Root

With a reverse proxy, it is also possible to use a different beginning of the URL for accessing SignServer than the default '/signserver'. If for example the reverse proxy instead serves SignServer under '/myservice/signserver' this might have to be configured in conf/signserver_deploy.properties so that the URLs in the Administration Web interface, as well as the Web Services endpoints, work as expected:

Apache Http Server Windows