Symantec Access Management

  • 1.  Access Gateway - how to implement correctly RewriteRule

    Posted Jun 27, 2017 09:41 AM

    Hi guys,

    The customer wants to move the proxying of his application from a reverse proxy on Apache Web Server to CA Access Gateway (12.52 SP1).

    Current working rules on Apache WS are:

        RewriteRule ^/sigedes/(.*) ajp://backend.server.es:8009/sigedes/$1 [P]

        ProxyPassReverse /sigedes ajp://backend.server.es:8009/sigedes

    I tried the following proxy rules:

    <!-- Proxy Rules-->
    <nete:proxyrules xmlns:nete="Test">
      <nete:cond type="host">
        <nete:case value="customers.virtual.host.es">
          <nete:cond type="uri" criteria="beginswith">
            <nete:case value="/sigedes">
              <nete:forward>ajp://backend.server.es:8009/sigedes$1</nete:forward>
            </nete:case>
            <nete:default>
               <nete:forward>https://www.customer.site.com/</nete:forward>
            </nete:default>
          </nete:cond>
        </nete:case>
        <nete:default>
          <nete:forward>https://www.customer.site.com/</nete:forward>
        </nete:default>
      </nete:cond>
    </nete:proxyrules>

    But the result is a page without images, styles and so on - see attachments.

    Can someone help with this use case?

    Thank you!

    Camil


  • 2.  Re: Access Gateway - how to implement correctly RewriteRule

    Broadcom Employee
    Posted Jun 27, 2017 03:06 PM

    Camil,

    I wonder where their original images, styles and so on are being served from. Some clients provide them from Apache, not from the back-end server. Check if they have any local Apache static deployment.

    If everything is from the backend, it depends on how they organized their application too.

    For example, this is one SPS proxy rule for the Admin UI, which proxies both content and styles separately.

    It is also interesting that you use the AJP protocol instead of HTTP; not sure what that entails or if it makes a difference in the outcome.

    Protect the Administrative UI with CA Single Sign-On - CA Single Sign-On - 12.52 SP1 - CA Technologies Documentation

    <!-- Proxy Rules-->
    <nete:proxyrules xmlns:nete="http://<Administrative UI hostname:port>/">
      <nete:cond criteria="beginswith" type="uri">
        <nete:case value="/iam/siteminder/">
          <nete:forward>http(s)://<Administrative UI hostname:port>$0</nete:forward>
        </nete:case>
        <nete:case value="/castylesr5.1.1/">
          <nete:forward>http(s)://<Administrative UI hostname:port>$0</nete:forward>
        </nete:case>
        <nete:default>
          <nete:forward>http://www.example.com$0</nete:forward>
        </nete:default>
      </nete:cond>
    </nete:proxyrules>

    Regards,

    Hongxu



  • 3.  Re: Access Gateway - how to implement correctly RewriteRule

    Posted Jul 02, 2017 03:21 PM

    Thank you Hongxu,

    Basically, the AJP protocol is not supported by Access Gateway.

    However, the same content is reachable via HTTP(S), typically on ports 8080 or 8443.

    The content I had wrongly seen was the default content defined in the proxy rules.

    Thank you

    Camil



  • 4.  Re: Access Gateway - how to implement correctly RewriteRule

    Broadcom Employee
    Posted Aug 13, 2018 08:01 PM

    Though AJP is not supported by CA Access Gateway directly, there is a workaround for this.

    You can use the HTTP server configuration for AJP-based communication. Update the httpd.conf file as follows for this communication.

    # The 5 lines below are added to post requests to the appB portal on the AJP port
    LoadModule proxy_module modules/mod_proxy.so
    LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
    LoadModule rewrite_module modules/mod_rewrite.so
    RewriteEngine On
    RewriteRule ^/appA/(.*) ajp://127.0.0.1:8010/appB/$1 [P]



  • 5.  Re: Access Gateway - how to implement correctly RewriteRule

    Broadcom Employee
    Posted Aug 13, 2018 08:16 PM

    A side effect of this is that the request bypasses the webagent and goes directly to the backend.

    It's possible to do something like pass the request to tomcat on the first go; once passed, then forward it to localhost:80 so that it goes back through apache, and then pass that on to the backend. But you want to pick something (like localhost) that can be used to match the 2nd request in a RewriteCond so it only forwards the 2nd request, not the first request, via ajp://

    That then kind of goes like:

        client ---> (SPS: httpd -> {tomcat [webagent/proxyrule fwd to localhost]} -> httpd ) -- ajp:// --> backend

    But it's not as straightforward as one would like.

    Cheers - Mark
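    To make the two-pass arrangement Mark describes concrete, and to close the webagent bypass that the plain RewriteRule in reply 4 leaves open, here is an added httpd.conf fragment (not from this thread or from any Broadcom documentation). It assumes the SPS proxy rule for /sigedes forwards the already-authenticated request to http://localhost:80$0, so that only requests re-entering httpd from the loopback address are relayed to the AJP backend; the backend hostname, port and path are the ones from the original post.

```apache
# Added example, not from the thread: relay to AJP only on the second
# pass, after the request has been through the SPS web agent.
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule rewrite_module modules/mod_rewrite.so

# Never act as an open forward proxy; RewriteRule [P] still works.
ProxyRequests Off
RewriteEngine On

# Pass 1: a request from a real client has a non-loopback REMOTE_ADDR,
# so the condition below fails and the request takes the normal SPS
# path (httpd -> tomcat/web agent -> proxy rule).
# Pass 2: the proxy rule (assumed) forwards the authenticated request to
# http://localhost:80$0, so it re-enters httpd from 127.0.0.1. Only that
# loopback-sourced request is relayed over AJP. REMOTE_ADDR is used
# rather than the Host header because a client cannot forge the source
# address of a loopback connection, while it can set any Host it likes.
RewriteCond %{REMOTE_ADDR} ^127\.0\.0\.1$
# Match /sigedes and /sigedes/... so a bare /sigedes cannot fall through
# and loop back into tomcat.
RewriteRule ^/sigedes(/.*)?$ ajp://backend.server.es:8009/sigedes$1 [P,L]

# Rewrite Location headers from the backend so redirects stay on the
# path the client requested instead of exposing the AJP backend.
ProxyPassReverse /sigedes ajp://backend.server.es:8009/sigedes
```

    The loopback check is the part that matters for security: without it, the relay fires on the first pass as well and the webagent is bypassed exactly as described above.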



  • 6.  Re: Access Gateway - how to implement correctly RewriteRule

    Broadcom Employee
    Posted Aug 13, 2018 08:26 PM

    You are correct Mark.

    For this situation, as an alternative, I have created a dummy application and protected it with CA SSO; then from this dummy application I was forwarding the traffic to the AJP port.

    AJP traffic will not be triggered if the user is not authenticated on the dummy application.