Tomcat v Reverse Proxy pros and cons

Contains tips for configurators working with Aware IM
hpl123
Posts: 2644
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Re: Use Sub Domains instead of Login.html - Proxy Pro

Post by hpl123 »

PointsWell wrote: Wed Feb 17, 2021 11:35 pm Currently I am working with client subdomains to connect to their personalised login pages, which makes for a cleaner url

Code: Select all

client.yourwebservice.com 
instead of

Code: Select all

yourwebserice.com:8080/AwareIM/LoginClientName.html
The proxy route converts client.yourwebservice.com to the full URL internally, though you could use a directory instead of a subdomain.

Personally I feel like the subdomain is more personalised, but it is a "feels" and an opinion.
How is this setup? Do you have specific rewrite rules then, 1 for each client? My reverse proxy setup for example connects "https://yourwebservice.com/app/" to "localhost:8080" so if I want to login I would use "https://yourwebservice.com/app/logonAdmin.html" and the reverse proxy cannot in it´s core configuration it seems be configured to a specific file so additional rewrite rules (or something) needs to ne configured for that to work.
Henrik (V8 Developer Ed. - Windows)
hpl123
Posts: 2644
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Re: SSL and Certificate Renewal - Proxy Pro

Post by hpl123 »

PointsWell wrote: Wed Feb 17, 2021 3:15 am Lets Encrypt and certbot are easily set up and allow for automatic certificate renewal without having to take the server down for updates
Letsencrypt is great and fully integrated with IIS reverse proxy via the ACME tool, how is this configured in NGINX?
Henrik (V8 Developer Ed. - Windows)
hpl123
Posts: 2644
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Hiding or blocking Tomcat?

Post by hpl123 »

If a reverse proxy is configured, Tomcat can be hidden or blocked from the web, how is this done?
Henrik (V8 Developer Ed. - Windows)
PointsWell
Posts: 1476
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Re: Use Sub Domains instead of Login.html - Proxy Pro

Post by PointsWell »

hpl123 wrote: Wed Feb 24, 2021 12:35 pm
PointsWell wrote: Wed Feb 17, 2021 11:35 pm Currently I am working with client subdomains to connect to their personalised login pages, which makes for a cleaner url

Code: Select all

client.yourwebservice.com 
instead of

Code: Select all

yourwebserice.com:8080/AwareIM/LoginClientName.html
The proxy route converts client.yourwebservice.com to the full URL internally, though you could use a directory instead of a subdomain.

Personally I feel like the subdomain is more personalised, but it is a "feels" and an opinion.
How is this setup? Do you have specific rewrite rules then, 1 for each client? My reverse proxy setup for example connects "https://yourwebservice.com/app/" to "localhost:8080" so if I want to login I would use "https://yourwebservice.com/app/logonAdmin.html" and the reverse proxy cannot in it´s core configuration it seems be configured to a specific file so additional rewrite rules (or something) needs to ne configured for that to work.
This was all with the assistance of Intra on here.

You create an NGINX directive for each sub domain. You obviously have to add a route to this for your internet domain. The start of the directive contains your server name i.e. the sub.yourdomain.com and then you create locations.

The default location within the directive goes to the logon page that you want to use for that specific client. I use one that has the Domain prepopulated. So the default path is to proxy pass to the internal IP address/AwareIM/logonPage.html

The result is that customerName.yourdomain.com redirects to 123.45.67.89:8080/AwareIM/logonCustomerName.html

The end user only sees the customerName.yourdomain.com in the URL at login. It does however then start to show the full URL after login but there are ways to limit that. I haven't worked out how to mask it all yet (this translates to I haven't bothered intra enough to help me figure it out)

In the directive you include another directive to the generic error pages, I am guessing you could probably create custom error pages for each customer if you were so inclined.

Cerbot manages the SSL keys and will add all the required lines into the directive.
PointsWell
Posts: 1476
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Re: Hiding or blocking Tomcat?

Post by PointsWell »

hpl123 wrote: Wed Feb 24, 2021 12:40 pm If a reverse proxy is configured, Tomcat can be hidden or blocked from the web, how is this done?
The directive uses proxy_pass command to rewrite

customerName.yourDomain.com to internalIP:8080/AwareIM/...

CURL to the URL shows NGINX as the responder.
PointsWell
Posts: 1476
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Re: SSL and Certificate Renewal - Proxy Pro

Post by PointsWell »

hpl123 wrote: Wed Feb 24, 2021 12:38 pm
PointsWell wrote: Wed Feb 17, 2021 3:15 am Lets Encrypt and certbot are easily set up and allow for automatic certificate renewal without having to take the server down for updates
Letsencrypt is great and fully integrated with IIS reverse proxy via the ACME tool, how is this configured in NGINX?
certbot integrates SSL into NGINX
PointsWell
Posts: 1476
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Re: Reverse proxy issues with resources?

Post by PointsWell »

hpl123 wrote: Wed Feb 24, 2021 12:27 pm If you configure a reverse proxy, the URL may need rewriting in some cases as the public URL is different from the private URL. Have anyone experienced problems with this when using a reverse proxy with Aware?
The URL is rewritten from the public URL to an internal private IP address.

You would run two servers
One with NGINX (or whatever) and that would be exposed to the internet.
Second one with Aware that is shielded from the internet and running on a private IP address. There is no URL for this server as it is not publicly accessible.
PointsWell
Posts: 1476
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Re: Extra Server Required - Proxy Con

Post by PointsWell »

hpl123 wrote: Wed Feb 24, 2021 12:29 pm
PointsWell wrote: Wed Feb 17, 2021 3:36 am To run a reverse proxy you have to set up another server, so one more to manage.

The server doesn't have to be particularly hefty though as it is just managing connections and traffic.
One thing I am wondering about is how much a revere proxy actually toll a system. I am using IIS as a reverse proxy and I know others are using NGINX and it is ONLY used for that so I would think it does´nt take much but I don´t know.
I am not in production at the moment, so am not putting much load on my proxy server. I am able to run it on a micro AWS device with minimal resources.

Mark is also using this setup and can probably give you more details on his server setup in production.
hpl123
Posts: 2644
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Re: Use Sub Domains instead of Login.html - Proxy Pro

Post by hpl123 »

PointsWell wrote: Thu Feb 25, 2021 12:08 am
hpl123 wrote: Wed Feb 24, 2021 12:35 pm
PointsWell wrote: Wed Feb 17, 2021 11:35 pm Currently I am working with client subdomains to connect to their personalised login pages, which makes for a cleaner url

Code: Select all

client.yourwebservice.com 
instead of

Code: Select all

yourwebserice.com:8080/AwareIM/LoginClientName.html
The proxy route converts client.yourwebservice.com to the full URL internally, though you could use a directory instead of a subdomain.

Personally I feel like the subdomain is more personalised, but it is a "feels" and an opinion.
How is this setup? Do you have specific rewrite rules then, 1 for each client? My reverse proxy setup for example connects "https://yourwebservice.com/app/" to "localhost:8080" so if I want to login I would use "https://yourwebservice.com/app/logonAdmin.html" and the reverse proxy cannot in it´s core configuration it seems be configured to a specific file so additional rewrite rules (or something) needs to ne configured for that to work.
This was all with the assistance of Intra on here.

You create an NGINX directive for each sub domain. You obviously have to add a route to this for your internet domain. The start of the directive contains your server name i.e. the sub.yourdomain.com and then you create locations.

The default location within the directive goes to the logon page that you want to use for that specific client. I use one that has the Domain prepopulated. So the default path is to proxy pass to the internal IP address/AwareIM/logonPage.html

The result is that customerName.yourdomain.com redirects to 123.45.67.89:8080/AwareIM/logonCustomerName.html

The end user only sees the customerName.yourdomain.com in the URL at login. It does however then start to show the full URL after login but there are ways to limit that. I haven't worked out how to mask it all yet (this translates to I haven't bothered intra enough to help me figure it out)

In the directive you include another directive to the generic error pages, I am guessing you could probably create custom error pages for each customer if you were so inclined.

Cerbot manages the SSL keys and will add all the required lines into the directive.
Probably works on the same way in IIS and I haven´t gotten to doing this yet and this is a more complex things. Setting up a reverse proxy at least in IIS is easy, if you then want custom stuff like custom URL´s, error pages etc. you have to dig into complex rewrite rules and things and it´s easy to mess things up if you don´t know what you are doing.

I also get the problem with IIS showing entire URL and also Aware showing strange and irrelevant URL things that have no function for the user (just confusing) and have tried to mask it but in my trials, I messed some part of the functionality up i.e it broke the reverse proxy or parts of it. Still working on this.
Henrik (V8 Developer Ed. - Windows)
hpl123
Posts: 2644
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Re: Hiding or blocking Tomcat?

Post by hpl123 »

PointsWell wrote: Thu Feb 25, 2021 12:15 am
hpl123 wrote: Wed Feb 24, 2021 12:40 pm If a reverse proxy is configured, Tomcat can be hidden or blocked from the web, how is this done?
The directive uses proxy_pass command to rewrite

customerName.yourDomain.com to internalIP:8080/AwareIM/...

CURL to the URL shows NGINX as the responder.
Yeah but Tomcat can still be accessed from the web? You are blocking it in the firewall or how?
Henrik (V8 Developer Ed. - Windows)
hpl123
Posts: 2644
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Re: Reverse proxy issues with resources?

Post by hpl123 »

PointsWell wrote: Thu Feb 25, 2021 12:18 am
hpl123 wrote: Wed Feb 24, 2021 12:27 pm If you configure a reverse proxy, the URL may need rewriting in some cases as the public URL is different from the private URL. Have anyone experienced problems with this when using a reverse proxy with Aware?
The URL is rewritten from the public URL to an internal private IP address.

You would run two servers
One with NGINX (or whatever) and that would be exposed to the internet.
Second one with Aware that is shielded from the internet and running on a private IP address. There is no URL for this server as it is not publicly accessible.
The problems I was referring to are mainly resource access problems so say I have a resource (image, file whatever) on the server and it is opened up by Aware, in that case the file would be accessed using the private URL BUT when the proxy rewrites the URL in the for the user, the file is not correctly opened as there exists no file at that URL. Not sure I am explaining this correctly and I had some issues with this initially when setting up IIS but don´t any more and/so I am not sure in what circumstances this actually happened but I know it can happen. Complex stuff.
Henrik (V8 Developer Ed. - Windows)
hpl123
Posts: 2644
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Re: Extra Server Required - Proxy Con

Post by hpl123 »

PointsWell wrote: Thu Feb 25, 2021 12:21 am
hpl123 wrote: Wed Feb 24, 2021 12:29 pm
PointsWell wrote: Wed Feb 17, 2021 3:36 am To run a reverse proxy you have to set up another server, so one more to manage.

The server doesn't have to be particularly hefty though as it is just managing connections and traffic.
One thing I am wondering about is how much a revere proxy actually toll a system. I am using IIS as a reverse proxy and I know others are using NGINX and it is ONLY used for that so I would think it does´nt take much but I don´t know.
I am not in production at the moment, so am not putting much load on my proxy server. I am able to run it on a micro AWS device with minimal resources.

Mark is also using this setup and can probably give you more details on his server setup in production.
It probably doesn´t take much, I am using it on a small scale only and in my situation, the toll is almost unnoticeable. How it looks as usage grows is the interesting part for me as it´s another factor when thinking about scaling and/but if you are also using the reverse proxy as a load balancer, I guess it can be an advantage instead of a flaw.
Henrik (V8 Developer Ed. - Windows)
hpl123
Posts: 2644
Joined: Fri Feb 01, 2013 1:13 pm
Location: Scandinavia

Reverse proxy as load balancer?

Post by hpl123 »

Is anyone using a reverse proxy as a load balancer?
Henrik (V8 Developer Ed. - Windows)
PointsWell
Posts: 1476
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Re: Reverse proxy issues with resources?

Post by PointsWell »

hpl123 wrote: Thu Feb 25, 2021 1:18 pm
PointsWell wrote: Thu Feb 25, 2021 12:18 am
hpl123 wrote: Wed Feb 24, 2021 12:27 pm If you configure a reverse proxy, the URL may need rewriting in some cases as the public URL is different from the private URL. Have anyone experienced problems with this when using a reverse proxy with Aware?
The URL is rewritten from the public URL to an internal private IP address.

You would run two servers
One with NGINX (or whatever) and that would be exposed to the internet.
Second one with Aware that is shielded from the internet and running on a private IP address. There is no URL for this server as it is not publicly accessible.
The problems I was referring to are mainly resource access problems so say I have a resource (image, file whatever) on the server and it is opened up by Aware, in that case the file would be accessed using the private URL BUT when the proxy rewrites the URL in the for the user, the file is not correctly opened as there exists no file at that URL. Not sure I am explaining this correctly and I had some issues with this initially when setting up IIS but don´t any more and/so I am not sure in what circumstances this actually happened but I know it can happen. Complex stuff.
The directive includes subdirectories within it.
If you rewrite

Code: Select all

cust.yourDomain.com to 10.20.30.40:8080/AwareIM/ 
then everything within AwareIM is included. So if you made a call to a file in AwareIM/Documents then you could access that via cust.yourDomain.com/Documents or you could redirect cust.yourDomain.com/somethingElse to 10.20.30.40:8080/AwareIM/Documents/

Similarly you can exclude access via the proxy as well.

I may not have understood the question.
PointsWell
Posts: 1476
Joined: Tue Jan 24, 2017 5:51 am
Location: 'Stralya

Re: Hiding or blocking Tomcat?

Post by PointsWell »

hpl123 wrote: Thu Feb 25, 2021 1:13 pm
PointsWell wrote: Thu Feb 25, 2021 12:15 am
hpl123 wrote: Wed Feb 24, 2021 12:40 pm If a reverse proxy is configured, Tomcat can be hidden or blocked from the web, how is this done?
The directive uses proxy_pass command to rewrite

customerName.yourDomain.com to internalIP:8080/AwareIM/...

CURL to the URL shows NGINX as the responder.
Yeah but Tomcat can still be accessed from the web? You are blocking it in the firewall or how?
You block access to the AIM server in your firewall. Create access only between reverse proxy and AIM server. The internal IP address should not be accessible from the outside world as this defeats the purpose of the reverse proxy.

The firewall would want to allow
80 and 443 access to the reverse proxy from external
8080 access between the reverse proxy and AIM
3306 access between AIM and the Database.

You probably also want
22 to the AIM server so that you can tunnel with SSH for access to the AIM desktop (unless you are operating headless in which case you'd use SSH for terminal access) and to connect remotely to the database. Though you may want to set up a separate server that is spun up only when you want to use SSH access to ensure that you have adequately isolated the AIM server from everything but the proxy
Post Reply