reversed proxy-ing the C series management interface

steven_geerts · ‎05-14-2008

Hello citizens,

I was just wondering if anyone is having some experience with reverse proxy-ing the Ironport management interface.

We have a few C series machines and a management host (just an ordinary UNIX host) that we use as central point for SSH connections to the C-series and a few other functions.

With the apache mod_proxy module I like to create a centralized point of https access too.
So: if I connect to https://managementhost/ironport1, I like to get access to the management interface of Ironport1, if I connect to https://managementhost/ironport2 I like to get access to the management interface of Ironport 2 etc. This would be a great gain in our security because I can remove all the admin workstations from the firewall access list if this is functional.

I'm not an Apache specialist so any help, how to configure the mod_proxy configuration would be appreciated. (Apache is running without any problems and the mod_proxy modules are loaded correctly)

Thanks, Steven

andrea.murari · ‎05-15-2008

I never tried to reverse-proxy an ironport management interface, and I don't know if it is possible; it basically depends on how links are built: if they are built using protocol and hostname (e.g. http://ironport1/link.html) just forget about it, but if they contain only relative urls (e.g. /panel1/link.html) it should work.
If you are connecting to your ironport through https, you will need at least apache 2.0 along with mod_ssl and mod_proxy_http, while if you are using http then apache 1.3 should be enough.
Said that, your configuration should be something like this:

ProxyPass /ironport1 http://ironport1
ProxyPassReverse /ironport1 http://ironport1
ProxyPass /ironport2 http://ironport2
ProxyPassReverse /ironport2 http://ironport2

change the http://ironportN with your addresses.
If you are connecting to your ironport through https, you will need to change http into https and add also this directive:
SSLProxyEngine on

good luck

Donald Nash · ‎05-18-2008

if they are built using protocol and hostname (e.g. http://ironport1/link.html) just forget about it

A quick look says that they do indeed use absolute URLs rather than relative ones.

Bart_ironport · ‎05-20-2008

We usually use SSL VPN devices for remote management. They can rewrite all URLs, relative or absolute.

Some reverse proxies can rewrite the response that comes back from the server - you'll have the define the rules manually but it should also work. I don't know if Apache can do that though..

Donald Nash · ‎05-20-2008

I don't know if Apache can do that though..

I'm no Apache expert, but I know enough to know that mod_rewrite is really potent mojo. It should be able to handle something like this.

Bart_ironport · ‎05-20-2008

I'm no Apache expert, but I know enough to know that mod_rewrite is really potent mojo. It should be able to handle something like this.

As far as I know, thats only for request-rewriting. However, someone told me there is something called mod_substitute in recent versions that can be used to rewrite response bodies. I have no experience with it, but in looks like "simple" regular expressions to me.

Donald Nash · ‎05-20-2008

As far as I know, thats only for request-rewriting.

The documentation for mod_rewrite specifically mentions using it in conjunction with mod_proxy. That documentation says that mod_rewrite can be used in conjunction with mod_proxy "to map remote content into the namespace of the local server." Sounds like exactly what Steven is after.

The ProxyPass directive of mod_proxy can do the same thing more easily but with less flexibility.

andrea.murari · ‎05-21-2008

The documentation for mod_rewrite specifically mentions using it in conjunction with mod_proxy. That documentation says that mod_rewrite can be used in conjunction with mod_proxy "to map remote content into the namespace of the local server." Sounds like exactly what Steven is after. 

The ProxyPass directive of mod_proxy can do the same thing more easily but with less flexibility.

I think Bart is right twice; mod_rewrite can be used to rewrite a requested URL into something else and then can pass it to mod_proxy for getting the actual content. Mapping remote content into the namespace of the local server is mod_proxy's job: you can build your own tree of directories for an http host and pick each of them on different web servers (eg. my.domain.com/products/ picks the actual content on products.domain.com/, while my.domain.com/support/ picks its content from support.domain.com/en/.
I didn't know anything about mod_substitute, which seems what is required to get rid of absolute URLs in responses.

Donald Nash · ‎05-21-2008

I didn't know anything about mod_substitute, which seems what is required to get rid of absolute URLs in responses.

Ah, that's the part I wasn't picking up on. The absolute URLs in the responses would hurt you if you didn't fix them up, and mod_substitute will do that. I hadn't heard of it either until now.

So mod_proxy, possibly with help from mod_rewrite, will handle the requests; and mod_substitute will handle the responses. Looks like it is reasonably straightforward to anyone familiar with Apache.

steven_geerts · ‎06-02-2008

Hello Guy's,

Thank you for thinking with me!
Unfortunately I'm not an apache specialist and do not have one nearby that can help me with the rewriting stuff.

I'm currently experimenting with a less friendly form of reversed proxy-ing, I will create an DNS Alias for each of my Ironports on the DNS record of my management server. This way I can create a simple reversed proxy config just like an ISP uses to host more that one website on a single web server.
When I have my config ready I will post it for those who are interested.

Best regards, Steven