VMware Horizon Community
AGMONTES
Contributor

Using Apache as a reverse proxy for View Security Server, is it possible?

Hi,

We're trying to use an Apache web server (Apache 2.0.63) to act as a reverse proxy for the internet clients to connect to our View Security Server.

It seems to work fine until it tries to set up the ssh tunnel, then it times out. Here are my directives in the apache conf file:

revprox.domain.com is the apache server, and srvviewsec is our View Security Server.

ExtFilterDefine fixtext mode=output intype=text/html cmd="/bin/sed s-SRVVVIEWSEC-revprox.domain.com-g"

<Location />

ProxyPass

SetOutputFilter fixtext

</Location>

RewriteRule /(.*)

ProxyPassReverse /

The question is whether anyone has been able to set up this kind of configuration with Apache as a reverse proxy for the Security View server.

Thanks in advance.

0 Kudos
6 Replies
mpryor
Commander

Most reverse proxies will by default attempt to receive the full contents of an HTTP POST request before forwarding it on to the backend server. This won't work for the secure tunnel (as it won't for any VPN solution also using HTTPS encapsulation) as there is two way traffic involved. You should exclude the tunnel requests from any request caching (/ice/*).

0 Kudos
AGMONTES
Contributor

Hi, thanks for the answer but I don't get it.

Do you mean that I should exclude the URL /ice/* from the reverse proxy or just set up the proxy to not cache that URL?

Do you know anyone with this kind of configuration with Apache?

Thanks again.

0 Kudos
mpryor
Commander

Ideally you should exclude the URL altogether. I'm not familiar with the mod_proxy plugin but it's important that it passes the tunnel stream through as-is without waiting - waiting for the client to send all its data before forwarding to the backend server will cause the tunnel to fail. If simply disabling caching for that URL pattern is sufficient for this behaviour then that should be fine too. If you can't configure it that way, you may need to avoid proxying requests to the server completely. I've not yet come across anybody successfully using View behind an Apache reverse proxy but have seen one other question on the topic.

AGMONTES
Contributor

Well, if I have any success with this I'll post it here.

Thanks for the answers.

0 Kudos
StylusEater
Contributor

I set up a reverse proxy for my internal View connection servers. It works like a charm. You can find the configuration on my Bitbucket account at https://bitbucket.org/StylusEater/random/src/18cc72e7e74ac15e961713da1819a2eaca1554ba/vdi/loadbalanc.... This configuration DOES NOT (currently) seem to work with external security servers. I'm working with VMware on that right now. I'll try to remember to update this page when I've solved the issue.

UPDATE: I no longer administer VDI at my workplace and VMware never responded to my request for help with the security server.

0 Kudos
SaturnoTech
Contributor

The solution is to also create a virtualhost for port 22443, in the path /d, and point it to wss://{ipbackend}, together with the configuration of the certificates, as in the case of the virtualhost for port 443. 
This way the connection with the secure websocket will work, on port 22443, and will open the published application or desktop, without problems.
I leave the example of the complete configuration, tested and in production:

<VirtualHost *:80>
    ServerName exampledomain.com
    Redirect permanent / https://exampledomain.com
</VirtualHost>

<VirtualHost *:443>
    ServerName exampledomain.com
    ProxyPreserveHost on
    ProxyPass / https://{ip-backserver}/
    ProxyPassReverse / https://{ip-backserver}/

    SSLEngine on
    # certificates
    SSLCertificateFile /cert/ssl-cert.crt
    SSLCertificateKeyFile /cert/ssl-cert.key
    SSLCertificateChainFile /cert/ssl-cert-intermediate.crt

    ProxyRequests off
    SSLProxyEngine on
    # the next four directives disable verification of the backend certificate
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
</VirtualHost>

<VirtualHost *:22443>
    ServerName exampledomain.com
    ProxyPreserveHost off
    ProxyPass /d wss://{ip-backserver}:22443/d/$1
    ProxyPassReverse /d wss://{ip-backserver}:22443/d/$1

    SSLEngine on
    # certificates
    SSLCertificateFile /cert/ssl-cert.crt
    SSLCertificateKeyFile /cert/ssl-cert.key
    SSLCertificateChainFile /cert/ssl-cert-intermediate.crt

    ProxyRequests off
    SSLProxyEngine on
    # the next four directives disable verification of the backend certificate
    SSLProxyVerify none
    SSLProxyCheckPeerCN off
    SSLProxyCheckPeerName off
    SSLProxyCheckPeerExpire off
</VirtualHost>

0 Kudos
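
Added example, not part of the post above and not VMware's configuration: both posted virtual hosts set `SSLProxyVerify none` and switch off the three `SSLProxyCheckPeer*` checks, so Apache accepts any certificate the backend presents. The fragment below is a drop-in for those four lines that verifies the backend instead; the CA bundle path `/cert/backend-ca.crt` and the verify depth of 2 are assumptions.

```apache
# Added example: verify the backend's TLS certificate.
# Use in place of the "SSLProxyVerify none" / "SSLProxyCheckPeer* off" lines
# in the :443 and :22443 virtual hosts.

SSLProxyEngine on

# Require a backend certificate that chains to a CA you trust.
# Assumed path: a PEM file holding the CA (or the self-signed certificate)
# that issued the backend server's certificate.
SSLProxyVerify require
SSLProxyVerifyDepth 2
SSLProxyCACertificateFile /cert/backend-ca.crt

# Reject expired certificates and certificates issued for another name.
# Name checking only passes when the backend certificate carries the name
# Apache uses for the backend, so the certificate has to be issued to match.
SSLProxyCheckPeerExpire on
SSLProxyCheckPeerName on
SSLProxyCheckPeerCN on
```

With these settings a failed handshake to the backend is reported by mod_ssl in the Apache error log, which makes a certificate mismatch visible instead of silently accepted.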