cancel
Showing results for 
Search instead for 
Did you mean: 

Basic Authentication with IISProxy?

achim_hauck2
Active Contributor
0 Kudos
87

hi,

is the IISProxy the appropriate tool for tunneling http-requests to http-servers behind a firewall (reverse proxy)?

i made it work with ep60. but accessing other http-servers with own mappings (for example <i>/tomcat/</i> directs to a tomcat server) fails.

problems I'm facing:

1. basic authentication is not transmitted to the http-server (e.g. tomcat). the logon-box pops up, but the data doesn't seem to be transmitted through IIsProxy.

2. URLs created from other servers don't know that the IISProxy requires a special filter-string (again <i>/tomcat/</i>) when they create absolute links.

are there other / better reverse proxys (apache?) that can handle these things?

kr, achim

ps: what about the filter-element attributes <i>authentication="normal" remote-address="skip"</i>?

i haven't found any documentation about them, but they look like to be configured...

Message was edited by: Achim Hauck

Accepted Solutions (0)

Answers (2)

Answers (2)

Former Member
0 Kudos

1. It doesn't authenticat your user against the target system, it mearly sends the username in a http header and expect the target system to trust that it has done the appropriate authentication. So you need some custom code in tomcat saying that it should read the username from the http header if the request came from the proxy (and not otherwise as this would ruin security totally)

If you need reverse proxy outside EP , then I would much rather prefer apaches mod_proxy (see http://www.apacheweek.com/features/reverseproxies for example)

achim_hauck2
Active Contributor
0 Kudos

Hi Dagfinn,

i just did a test installation of apache and played around with the mod_proxy module. and... it worked indeed.

coincidentally, i read your mentionted article some minutes ago and i've experienced, that i'll need the mod_proxy_html module, too because of absolute urls in html-code.

but now, i'm stucked again. i can't find a binary of the mod_proxy_html for <i>windows</i>...

and i'm not able to compile it due to lack of compiler.

just to be sure: if i replace my iis / iisproxy installation with apache / mod_proxy / mod_proxy_html i'm able to serve EP as well as any other http-server (tomcat, http-WAS-ABAP, etc...)?

with this, a basic auth. request (401) for example is tunneled through the apache to the client and back again?

kr, achim

Former Member
0 Kudos

Hi,

There is an IISproxy plugin available for apache somewhere, but otherwise mod_proxy is not really compatible with EP (EP requires the username to be sent in the HTTP header (you might make some fancy rewrite rule to do this) )

I am not sure that it passes basic auth to the target system.

My point is that apache's mod_proxy is a much more proven solution than IISProxy (and much more expressive) when it comes to non-SAP applications

achim_hauck2
Active Contributor
0 Kudos

IISproxy plugin for Apache??? I suppose it's a module that puts the user in the http-header. by SAP? by third party? free? commercial? i'll check the rewrite-thing.

To put some light on this topic, I fear to do a test installation with each host equipped with a sniffer.

(huh, that'll be a huge weblog, wouldn't it?)

thanks, achim

Former Member
0 Kudos

After checking some more I was wrong (I got it confused with a Sap logon ticket plugin)

But in note 480520 it is described how to setup reverse proxy with apache. There is an attached document to the note which explains it.

Text of the note:

Symptom

How to integrate SAP J2EE Engine 6.20 with Apache Webserver

Reason and Prerequisites

SAP J2EE Engine 6.20 can be integrated with Apache Web Server,no plugin is needed. The same is valid for SAPJ2EE 610 or In-Q-My 427.

Solution

General Information on how to use the Apache Webserver in combination with the SAP J2EE Web Application Server :

1. You are permitted to use the Apache Webserver together with the SAP J2EE Web Application Server. In this way SAP guarantees continued support for the SAP Application.

2. Due to the high number of possible configurations and versions available, SAP can only provide some examples of possible configurations. These normally suffice to use the SAP Application.

3. You might need to contact consultants specialized in this area for error analysis and further configurations.

This consultation is not provided by SAP Support.SAP J2EE Engine (and its predecessor In-Q-My Application Server) can be integrated with Apache web server, no plugin is needed.

Please review the attached Configuration Guide in order to get some configuration examples using Reverse Proxy and/or URL Rewriting.

Btw, the major benefit of using IIS and IISproxy is that Integrated windows authentication is possible (SSO from OS)

Great idea to make a blog out of this.

Former Member
0 Kudos

Hello Achim,

Does't know if it resolves your problem, but my parameter authentication="forward". It is working with me, but i'm using MS-IIS 5.

Good Luck,

Bruno Duque