Overview
Accessing products based in the PhenixID Platform externally, e.g. internet, you probably do not like to make all URI´s available. There are several web application that can be activated. For example, Configuration (/config), MFA Admin (/mfaadmin), Self Service (/selfservice).
Using a reverse proxy infront of the PhenixID Platform application you can decide what URI´s to make available to end users and also make sure there are no direct access to the server. All client communication goes through the Reverse Proxy.
This document is our, PhenixID, best practice to using Reverse Proxy.
For our products PhenixID Identity Manager and PhenixID Password Self Service we recommend using AJP instead.
Link using AJP and Apache HTTP Server, PSD1077
Link using AJP and Microsoft Web Server, PSD1079
Technical Overview
On the Apache HTTP Server you enable some module, for example the Proxy and SSL module.
The SSL module terminates the SSL session and then the Proxy module forwards all traffic to the PhenixID service.
The PhenixID service holds all program logic except for the SSL negotiation.
It is recommended that the Apache HTTP Server and the PhenixID services are installed on separate servers for security reasons.
Appropriate firewall openings made (for example below):
Internet -> Apache HTTP Server, TCP port 443 (HTTPS)
Apache HTTP Server -> PhenixID service, TCP port 8080 (HTTP)
Linux or Windows
This document consist of to main section.
- Configure on Linux
- Configure on Windows
1. Configure on Linux
Apache modules
The (most common) modules used in Apache reverse proxy is:
proxy
proxy_http
So these modules should be copied or linked into the folder /mods-enabled.
If other modules are required, please add them as well.
Apache configuration
The configuration for the URL:s that should be proxied is done in the configuration file used for http/https, normally located (or linked) in the folder /sites-enabled.
We will add our configuration into the section “VirtualHost”, like this example:
ProxyPreserveHost On
ProxyPass “/ppss” “http://192.168.0.19:8080/ppss”
ProxyPassReverse “/ppss” “http://192.168.0.19:8080/ppss”
So in the example above we have added the configuration into the SSL configuration file (default-ssl.conf), meaning that we will terminate SSL on the Apache server.
And then use HTTP for the internal communication to backend.
The configuration will react on incoming request to /ppss and redirect to backend server with ip 192.168.0.19 on port 8080.
The Apache service needs to be restarted after the changes.
*************** END of section “Configure on Linux” ***************
2. Configure on Windows
Server version used for this instruction was Windows Server 2016.
Download and install Apache HTTP server on Windows
******************** Important! ********************
There are several sites where you can download an installer for Apache HTTP server, www.apachelounge.com is one of them and well known. After you have downloaded and before you attempt to install, you should make sure that the installer is is intact and has not been tampered with. Use the PGP Signature and/or the SHA Checksums to verify the integrity. PhenixID is not accountable for the content or availability of these websites or sources where you can download Apache software. PhenixID gives no guarantee, nor does it accept any responsibility for the content, data, advices, announcements, software, products or other material on these websites or sources.
*****************************************************
- Download the latest stable version of Apache HTTP server for Windows.
For this document we used version 2.4.25- Go to https://www.apachelounge.com/download/
- Download Apache HTTP server for Windows
- Download Microsoft prerequisite for above Apache HTTP server version
- Download “Microsoft Visual C++ 2015 Redistributable Update 3”
- https://www.microsoft.com/en-us/download/confirmation.aspx?id=53840
- Install Apache HTTP server and Microsoft prereq on Windows
- Install “Microsoft Visual C++ 2015 Redistributable Update 3”
- Run vc_redist.x64.exe
- Run through and complete installation wizard
- Unzip httpd-2.4.25-win64-VC14.zip
- Open the folder and copy the folder /Apache24 to c:/ (or other preferred drive)
- C:\Apache24
- Install “Microsoft Visual C++ 2015 Redistributable Update 3”
- Install Apache HTTP Server as a service
- Open Command Prompt
- Type “cd Apache24/bin” and press Enter
- Type “httpd.exe -k install” and press Enter
- Verify that Apache HTTP Server was installed succesfully
- Open Services (services.msc)
- Look for service named Apache2.4
- Start service
Disable HTTPS for URI´s on PhenixID server
- On your PhenixID server installation, open boot.json (in Server/config folder)
- Find and configure as below (note: two different places in boot.json)
“name”: “com.phenixidentity~phenix-prism”,
“enabled”: “true”,
“config”: {
“_auth_redirect_url”: “/config/authenticate/config”,
“base_url”: “/config”,
“ssl”: “false”,
“port”: “8080”, “name”: “com.phenixidentity~auth-http”,
“enabled”: “true”,
“config”: {
“ssl”: “false”,
“port”: “8080”
} - Save boot.json and restart PhenixID service
Load appropriate modules in httpd.conf
- Open httpd.conf
- C:\Apache24\conf
- Enable following modules by removing the #
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so - Save file httpd.conf
- Restart Apache HTTP server and verify
Include httpd-ssl.conf in httpd.conf
- Open file httpd.conf
- Locate following lines and make sure include line is NOT disable.
Correct configuration should look like follows:
# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf - Save file httpd.conf
- Restart Apache HTTP server and verify
Enable proxy in httpd-ssl.conf
- Open file httpd.conf
- Go to bottom of file and add:
# Enable Proxy
ProxyPreserveHost On
# Incoming. Example host and port, http://PAS_SERVER:8080/
# Only enable below what you like to be accessed from outside
ProxyPass “/config” “http://PAS_SERVER:8080/config”
ProxyPassReverse “/config” “http://PAS_SERVER:8080/config”
ProxyPass “/mfaadmin” “http://PAS_SERVER:8080/mfaadmin”
ProxyPassReverse “/mfaadmin” “http://PAS_SERVER:8080/mfaadmin”
ProxyPass “/selfservice” “http://PAS_SERVER:8080/selfservice”
ProxyPassReverse “/selfservice” “http://PAS_SERVER:8080/selfservice”
ProxyPass “/authenticate” “http://PAS_SERVER:8080/authenticate”
ProxyPassReverse “/authenticate” “http://PAS_SERVER:8080/authenticate”
# The two below are for PhenixID One Touch activation
ProxyPass “/pki” “http://PAS_SERVER:8080/pki”
ProxyPassReverse “/pki” “http://PAS_SERVER:8080/pki”
ProxyPass “/push” “http://PAS_SERVER:8080/push”
ProxyPassReverse “/push” “http://PAS_SERVER:8080/push”
ProxyPass “/saml” “http://PAS_SERVER:8080/saml”
ProxyPassReverse “/saml” “http://PAS_SERVER:8080/saml” - Save file httpd.conf
- Restart Apache HTTP server and verify
Disable port 80 on Apache HTTP server
For security reasons you might like to disable http or port 80 or maybe you disable this access is configured in your firewall.
To disable port 80 on Apache HTTP server:
- Open file httpd.conf
- Find “Listen 80”
- Remove line or add a # in start of line
# Listen 80 - Save file httpd.conf
- Restart Apache HTTP server and verify
Add SSL certificate to your installation
Please visit PSD1078
Verify configuration
Open a browser and go to your FQDN and verify your configuration
e.g. https://server_name.phenixid.local/config/
DISCLAIMER
Information provided in this document is for your information only. PhenixID makes no explicit or implied claims to the validity of this information. Any trademarks referenced in this document are the property of their respective owners.The origin of this information may be internal or external to PhenixID. PhenixID makes all reasonable efforts to verify this information.
PhenixID - support.phenixid.se