I was just wondering if anyone has some experience with reverse proxy-ing the Ironport management interface.
We have a few C-series machines and a management host (just an ordinary UNIX host) that we use as a central point for SSH connections to the C-series and a few other functions.
With the Apache mod_proxy module I would like to create a centralized point of https access too.
So: if I connect to https://managementhost/ironport1, I would like to get access to the management interface of Ironport1; if I connect to https://managementhost/ironport2, I would like to get access to the management interface of Ironport 2, etc. This would be a great gain in our security because I can remove all the admin workstations from the firewall access list if this is functional.
I'm not an Apache specialist, so any help on how to configure mod_proxy would be appreciated. (Apache is running without any problems and the mod_proxy modules are loaded correctly.)
I never tried to reverse-proxy an Ironport management interface, and I don't know if it is possible; it basically depends on how links are built: if they are built using protocol and hostname (e.g. http://ironport1/link.html) just forget about it, but if they contain only relative URLs (e.g. /panel1/link.html) it should work.
If you are connecting to your Ironport through https, you will need at least Apache 2.0 along with mod_ssl and mod_proxy_http, while if you are using http then Apache 1.3 should be enough.
That said, your configuration should be something like this:
ProxyPass /ironport1 http://ironport1
ProxyPassReverse /ironport1 http://ironport1
ProxyPass /ironport2 http://ironport2
ProxyPassReverse /ironport2 http://ironport2
Change http://ironportN to your addresses.
If you are connecting to your Ironport through https, you will need to change http into https and also add this directive:
> if they are built using protocol and hostname (e.g. http://ironport1/link.html) just forget about it
We usually use SSL VPN devices for remote management. They can rewrite all URLs, relative or absolute.
Some reverse proxies can rewrite the response that comes back from the server - you'll have to define the rules manually but it should also work. I don't know if Apache can do that though..
> I don't know if Apache can do that though..
I'm no Apache expert, but I know enough to know that mod_rewrite is really potent mojo. It should be able to handle something like this.
As far as I know, that's only for request-rewriting.
The documentation for mod_rewrite specifically mentions using it in conjunction with mod_proxy. That documentation says that mod_rewrite can be used in conjunction with mod_proxy "to map remote content into the namespace of the local server." Sounds like exactly what Steven is after.
The ProxyPass directive of mod_proxy can do the same thing more easily but with less flexibility.
I didn't know anything about mod_substitute, which seems to be what is required to get rid of absolute URLs in responses.
Thank you for thinking with me!
Unfortunately I'm not an Apache specialist and do not have one nearby who can help me with the rewriting stuff.
I'm currently experimenting with a less friendly form of reverse proxy-ing: I will create a DNS alias for each of my Ironports on the DNS record of my management server. This way I can create a simple reverse proxy config just like an ISP uses to host more than one website on a single web server.
When I have my config ready I will post it for those who are interested.
Best regards, Steven
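The DNS-alias approach described in the last post, sketched as an added example (not Steven's configuration and not part of the original thread). It assumes Apache 2.4 with mod_ssl, mod_proxy and mod_proxy_http; all hostnames, addresses and file paths are placeholders.

```apache
# Added example; every hostname, address and path below is an assumption.

# Act only as a reverse proxy, never as an open forward proxy.
ProxyRequests Off

# One virtual host per appliance, selected by the DNS alias the browser used.
<VirtualHost *:443>
    ServerName ironport1.mgmt.example.com

    # TLS towards the admin's browser (certificate must cover this alias).
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/mgmt.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/mgmt.example.com.key

    # TLS towards the appliance, with the backend certificate verified
    # so the proxy does not forward admin credentials to an impostor.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/apache2/ssl/appliance-ca.crt
    SSLProxyCheckPeerName on

    # Mapped at the root, so links such as /panel1/link.html resolve
    # on the same alias without response rewriting.
    ProxyPass        / https://ironport1.internal.example.com/
    ProxyPassReverse / https://ironport1.internal.example.com/

    # Only the admin network may reach the proxied interface.
    <Location "/">
        Require ip 192.0.2.0/24
    </Location>
</VirtualHost>

<VirtualHost *:443>
    ServerName ironport2.mgmt.example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/mgmt.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/mgmt.example.com.key
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/apache2/ssl/appliance-ca.crt
    SSLProxyCheckPeerName on
    ProxyPass        / https://ironport2.internal.example.com/
    ProxyPassReverse / https://ironport2.internal.example.com/
    <Location "/">
        Require ip 192.0.2.0/24
    </Location>
</VirtualHost>
```

With this layout the firewall only needs to allow the management host to reach the appliances, and the `Require ip` rule keeps the proxy itself from becoming a new open path to them.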