Configure Reverse Proxy and Audit Logging
A reverse proxy is a type of proxy server that typically sits behind the firewall in a private network and directs client requests to the appropriate backend server. A typical deployment of SuperWEB2 would use a reverse proxy to direct requests to the Tomcat instance where SuperWEB2 is installed. Using a reverse proxy allows you to implement SSL encryption so that your SuperWEB2 instance is served over a secure HTTPS connection.
This page provides some guidance on configuration of your reverse proxy with SuperWEB2. It is important to ensure that the reverse proxy is configured correctly so that:
- User registration can correctly generate full external links (scheme and host) without anything having to be configured or hard-coded separately.
- Audit logging will correctly record end-user IP addresses in logs. If this is not set up then the audit logs will record the IP address of the gateway or reverse proxy instead.
Prerequisites
To configure a reverse proxy for SuperWEB2 you will need:
- NGINX installed on an internet-facing machine that has a public IP address. This can be your SuperWEB2 machine, but we recommend using an independent VM. Your DNS server should point to this machine.
- An SSL certificate and the relevant key files.
Configure Reverse Proxy
Configure NGINX
- In a text editor, open <nginx_home>\conf\nginx.conf.
- Add or edit the following lines of text in the http {} block.

  Example:

      http {
          server {
              server_name public.server.name.com;
              listen 443 ssl http2;
              ssl_certificate /etc/ssl_certs/public.server.name.com/fullchain.pem;
              ssl_certificate_key /etc/ssl_certs/public.server.name.com/privkey.pem;
              proxy_http_version 1.1;
              proxy_read_timeout 20m;

              location / {
                  # Forward requests to the Tomcat instance hosting SuperWEB2
                  proxy_pass http://internal.superweb2.address:8080;
                  proxy_set_header Host $http_host;
                  # Pass the end user's address on to Tomcat for audit logging
                  proxy_set_header X-Real-IP $remote_addr;
                  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
              }
          }
      }
- Update server and file entries with details of your configuration.

  | Entry | Description |
  |---|---|
  | server_name | Host name of your NGINX server. |
  | ssl_certificate, ssl_certificate_key | Path to the locations of your key and certificate files. |
  | proxy_pass | Path to your SuperWEB2 instance. This could be http://localhost:8080/webapi if hosted on the same machine, or http://10.1.1.123:8080/webapi if hosted elsewhere (http://<host>:<port>). |
- Save your changes and restart NGINX.
Configure Tomcat
- In a text editor, open <tomcat_home>\conf\server.xml.
- Add the following lines of text.

      <Connector port="8080"
                 connectionTimeout="20000"
                 redirectPort="8443"
                 maxThreads="48"
                 minSpareThreads="10"
                 enableLookups="false"
                 acceptCount="10"
                 debug="0"
                 URIEncoding="UTF-8"
                 protocol="org.apache.coyote.http11.Http11NioProtocol"
                 scheme="https"
                 secure="true"
                 proxyName="public.server.name.com"
                 proxyPort="443"/>
- At proxyName, enter the domain name of the URL that SuperWEB2 will be accessed from.
- Save your changes and restart the Tomcat service.
Configure Audit Logging
When configuring audit logging, complete this step so that Tomcat uses its built-in Remote IP Valve feature to replace the remote host, address and scheme values.
This step ensures that your audit logs will record the end user's IP address. Without this configuration, your audit logs will record the IP address of the reverse proxy instead.
- In a text editor, open <tomcat_home>\conf\server.xml.
- Locate the block beginning with <Engine name="Catalina" defaultHost="localhost">. Add the following lines of text to this block.

      <Valve className="org.apache.catalina.valves.RemoteIpValve"
             internalProxies="127\.0\.[0-1]\.1"
             remoteIpHeader="x-forwarded-for"
             requestAttributesEnabled="true"
             protocolHeader="x-forwarded-proto"
             protocolHeaderHttpsValue="https"/>
- Save your changes and restart the Tomcat service.
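
The following is an added example, not code from SuperWEB2 or Tomcat: a simplified Python model of how the Remote IP Valve chooses the address that ends up in the audit log, which you can use to check an internalProxies value against your own topology. The addresses 10.1.1.50, 203.0.113.7 and 198.51.100.9 are constructed, and trustedProxies is assumed to be unset, as in the Valve element above.

```python
import re

# internalProxies value from the <Valve> element on this page
PAGE_INTERNAL_PROXIES = r"127\.0\.[0-1]\.1"
# Assumption: NGINX runs on its own VM at 10.1.1.50 (constructed address)
EXTENDED_INTERNAL_PROXIES = PAGE_INTERNAL_PROXIES + r"|10\.1\.1\.50"


def resolve_remote_addr(peer_addr, xff_header, internal_proxies):
    """Return the address a RemoteIpValve-style resolver reports as the client.

    peer_addr  -- address of the TCP peer Tomcat sees (normally the proxy)
    xff_header -- value of the X-Forwarded-For header, or None
    """
    pattern = re.compile(internal_proxies)
    # The header is honoured only when the peer itself is a known proxy.
    # Otherwise any client could forge the address written to the audit log.
    if not pattern.fullmatch(peer_addr):
        return peer_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    remote_ip = None
    # Walk right to left: skip hops that are known proxies and stop at the
    # first address that is not, because only that hop was added by
    # infrastructure you control.
    for hop in reversed(hops):
        remote_ip = hop
        if not pattern.fullmatch(hop):
            break
    return remote_ip or peer_addr


if __name__ == "__main__":
    scenarios = [  # constructed requests: (label, peer, X-Forwarded-For, pattern)
        ("NGINX on the Tomcat host", "127.0.0.1", "203.0.113.7",
         PAGE_INTERNAL_PROXIES),
        ("NGINX on a separate VM, page value", "10.1.1.50", "203.0.113.7",
         PAGE_INTERNAL_PROXIES),
        ("NGINX on a separate VM, extended value", "10.1.1.50", "203.0.113.7",
         EXTENDED_INTERNAL_PROXIES),
        # The client sent its own X-Forwarded-For; NGINX appended the real
        # address via $proxy_add_x_forwarded_for.
        ("Client-supplied header", "127.0.0.1", "198.51.100.9, 203.0.113.7",
         PAGE_INTERNAL_PROXIES),
    ]
    for label, peer, xff, pattern in scenarios:
        print(f"{label}: logged as {resolve_remote_addr(peer, xff, pattern)}")
```

If NGINX runs on an independent VM, as the prerequisites recommend, internalProxies must also match that VM's address as Tomcat sees it; otherwise the X-Forwarded-For header is ignored and the audit log records the proxy's address.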