Set up a reverse proxy in Windows

Setting up an Apache HTTP reverse proxy server in Windows requires the Apache 2.4 software and edits to some configuration file.

These instructions are only one example of how to set up a reverse proxy in Windows. You should consult your IT security department about the required protocols and security settings.

  1. Make sure you have set the REVERSE_PROXY_SETUP parameter as true in the properties.txt file when installing IXIASOFT CCMS Web.
  2. Edit the configuration file for the Tomcat server C:\Ixiasoft\ccms\apache-tomcat-9.0.60\conf\catalina.properties.
  3. Add the following line at the end of the file if it does not exist already:
    org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH=true
  4. Edit the server configuration file C:\Ixiasoft\ccms\apache-tomcat-9.0.60\conf\server.xml.
  5. Make sure <Connector> sections are set to listen only on the localhost (127.0.0.1) interface:
    <Connector port="8080" protocol="HTTP/1.1"
    address="127.0.0.1"
    ......other settings......
    connectionTimeout="20000"
    redirectPort="8443" />
  6. Restart the Tomcat service to apply the changes.
  7. Download the latest Apache 2.4 httpd binary release from Apache Lounge:
    1. Go to the Apache Lounge at https://www.apachelounge.com/download/
    2. Download the latest Apache 2.4 httpd, and extract it to a convenient location, such as C:\Ixiasoft\Apache24.
    3. Download and install the necessary VC runtime libraries.
  8. In the conf folder, edit the httpd.conf file and make the following changes:
    1. Correct all absolute paths of ServerRoot, DocumentRoot, Directory, and ScriptAlias properties throughout the file.
      You can use a text editor to search and replace the string C:\Apache24 with the path you need.
    2. Uncomment the following lines:
      LoadModule proxy_module modules/mod_proxy.so
      LoadModule proxy_http_module modules/mod_proxy_http.so
      LoadModule headers_module modules/mod_headers.so
      LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
      LoadModule ssl_module modules/mod_ssl.so
      LoadModule rewrite_module modules/mod_rewrite.so
      Include conf/extra/httpd-ssl.conf
  9. Create a new file in the conf/extra/ folder called reverse-proxy.conf with the following content:
    Note: In the following content, replace webserver.acme.com with your server's FQDN address.
    RedirectMatch ^/$ https://webserver.acme.com/ixiasoft-ccms
    ProxyRequests Off
    ProxyPreserveHost On
    RewriteEngine On
    RewriteRule "^/oxygen-webapp/app/admin.html" - [R=403]
    ProxyPass "/ixiasoft-ccms" "http://127.0.0.1:8080/ixiasoft-ccms"
    ProxyPassReverse "/ixiasoft-ccms" "https://webserver.acme.com/ixiasoft-ccms"
    ProxyPass "/oxygen-webapp" "http://127.0.0.1:8080/oxygen-webapp"
    ProxyPassReverse "/oxygen-webapp" "https://webserver.acme.com/oxygen-webapp"
  10. Copy your server's SSL certificate files to the appropriate location on the server.
    For example, copy the files to C:\Ixiasoft\ccms\Apache24\conf\cert.
  11. In the conf/extra folder, edit the https-ssl.conf configuration file and make the following changes:
    1. Correct the absolute paths of DocumentRoot, Directory, ScriptAlias, and Log files properties throughout the config file.
    2. Set the ServerName in the section VirtualHost according to the server FQDN that you specified earlier, such as webserver.acme.com.
    3. Configure paths for your SSL certificates in the properties: SSLCertificateFile, SSLCertificateKeyFile, and SSLCertificateChainFile, if applicable.
    4. Replace the lines (near line #52 and #83) beginning with SSLCipherSuite, SSLProxyCipherSuite, SSLProtocol, and SSLProxyProtocol with the following:
      SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
      SSLProxyCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256
      
      SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
      SSLProxyProtocol all -SSLv3 -TLSv1 -TLSv1.1
      
    5. Add the following lines somewhere after line #55:
      SSLCompression off 
      SSLSessionTickets off
    6. Uncomment the following lines:
      SSLUseStapling On
      SSLStaplingCache "shmcb:C:/Ixiasoft/ccms/Apache24/logs/ssl_stapling(32768)"
      In a large deployments, the 32868 value might need to be higher. Contact IXIASOFT for more information.
    7. Add the following line in the end of the file just before the </VirtualHost> line:
      Include conf/extra/reverse-proxy.conf
  12. If you want Apache to run as a system service, do the following:
    1. Navigate to the apache bin folder, open a command window as an administrator, and enter the following command:
      httpd.exe -k install
    2. Start the Apache 2.4 service either from the Services console or by running a command line as an administrator and entering the following command:
      httpd.exe -k start