Configuring IBM HTTP Server as a reverse proxy for WebSphere Application Server
This topic describes how to configure IBM® HTTP Server as a reverse proxy for WebSphere® Application Server. A reverse proxy server provides an additional layer of security, protects HTTP servers further up the chain, and improves the performance of Secure Sockets Layer (SSL) requests. Also allows you to change your deployment topology at a later time.
A reverse proxy server is a special HTTP server that prevents direct access to the content HTTP server. All request for the content HTTP server go through the reverse proxy server. For more information about reverse proxies, see Reverse proxy servers in topologies.
These are some of the main advantages of using a reverse proxy server:
- Future deployment topology changes: When using a reverse
proxy in your deployment, you can provide a single host name in your
public URL regardless of the machines and port numbers that the applications
are deployed on. This enables you to change your deployment topology
at a later time.Note: The context root used for the public URL must be the same as the context root used for installing the application and deploying the application to its application server, even when a reverse proxy server is used in the topology. To choose a different context root for your installation, see Choosing a different context root than default.
- Security: The reverse proxy server provides an additional layer of security and can protect HTTP servers further up the chain. If you are using a firewall between the reverse proxy server and the content HTTP server, you can configure the firewall to allow only HTTP requests from the reverse proxy server.
- Performance: A reverse proxy server can increase the performance of the WebSphere Application
Server in several ways:
- Encryption and SSL acceleration: You can equip the reverse proxy server with SSL acceleration hardware that can improve the performance of SSL requests.
Configuring WebSphere Application Server web server plug-in
To install and configure IBM HTTP Server and the Web server plug-ins, refer to the following resources:
Optional: Additional configuration for application ETL data collection jobs
If your application reporting ETL jobs are configured to use Jazz® Team Server (oAuth) authentication and there is an HTTP fronting server in the application topology, you must add an additional entry to the httpd.conf file.
- Navigate to the installation directory for your IBM HTTP Server.
- Open conf\httpd.conf in an editor.
- In the Global section (Section 1) of the file, add this entry:
SetEnv websphere-nocanon 1
- Restart your web server.
Optional: Changing the port number of the web server
By default, the web server uses port 443 for secure communications over HTTPS. This means that the port number is not displayed in the URL. For example, https://clm.example.org/jts/. You can use the default port 443 for new deployments, however, if you are using the reverse proxy to change your deployment from a departmental (all-in-one) topology to a distributed topology, then you must configure the web server to use the existing port number from your original deployment. The default port number for deployments not using a reverse proxy is 9443.
- From the Integrated Solutions Console click .
- Click your defined web server link to open its Configuration page.
- To change the non-SSL port number, enter the new port number in the Port field.
- To change the SSL port number, under Configuration settings click Web Server Virtual Hosts.
- Click the virtual host link that you want to change the port number for to open its Configuration page.
- Enter the new port number in the Port field.
- Click Apply and Save directly to the master configuration.
- Restart your web server.