4 Replies Latest reply on Jan 10, 2012 8:47 AM by eelsasser

    Reverse Proxy - Webserver using virtual Hosts (virtual Host Name)

    Troja

      Hi all,

      Does anyone have an idea how this can work with MWG 7.1.6? I'm using MWG as an HA Reverse Proxy Cluster. SSL terminates on MWG. This traffic is redirected to a Webserver where virtual Hosts are used.

       

      There is no setting to define the virtual host name which MWG should use. MWG always connects with the url.host Value to the Webserver. 

       

      I compared the functionality with a Microsoft ISA Server. There you have the choice to use the original url.host or the virtual host name.

       

      Anyone any idea?

       

       

      Best, Thorsten

        • 1. Re: Reverse Proxy - Webserver using virtual Hosts (virtual Host Name)
          asabban

          Hi Thorsten,

           

          can you give an example of what is happening and what would be expected?

           

          With an Event you can set the URL.Host property to whatever value you like, so maybe it is possible to change this behaviour by manually rewriting the property to the desired host?

           

          Best,

          Andre

          • 2. Re: Reverse Proxy - Webserver using virtual Hosts (virtual Host Name)
            Troja

            Hi Andre,

            today MWG is not able to use Host Headers on a web server.

             

            Webserver configuration. It's called virtual host with Apache and Host Headers with Windows IIS Servers. The goal is not using physical IP addresses to connect to different webservers/webservices.

            Take a look at the screenshots. There are different virtual Websites using one IP address.

            webserver1.company.local: 192.168.1.120 with different websites using the same IP address. Therefore the webserver takes a look into the host header to connect the client to the right website.

            - WebsiteA.company.local with IP 192.168.1.120

            - WebsiteB.company.local with IP 192.168.1.120

            - WebsiteC.company.local with IP 192.168.1.120

             

             

            MWG configuration:

            Redirect Ruleset - Next Hop Proxy to WebsiteA.company.local.

             

            Access to the resources:

            - Client connects to reverse.company.com (HTTP/HTTPS)

            - SSL terminates on MWG reverse proxy.

            - In the Host Header always reverse.company.com is shown. I checked this with a packet trace.

             

             

            The question is, how to set the host header field in the right way.

             

            Best,

            Thorsten

             

            image001.jpg

            image002.jpg

            • 3. Re: Reverse Proxy - Webserver using virtual Hosts (virtual Host Name)
              asabban

              Hi Thorsten,

               

              are all the three sites WebsiteA, WebsiteB and WebsiteC made available externally via reverse.company.com?

               

              I believe when you call reverse.company.com in your browser, the GET request will look similar to this:

               

              GET / HTTP/1.1
              Host: reverse.company.com
              ...

               

              So the client already inserts the Host header, which contains the requested URL from the address bar as a value (at least I think this is the case). So MWG by default will keep this value.

               

              Which information are you using to decide if a request which goes to reverse.company.com is for WebsiteA, B or C? If there is information we can grab from the request to decide, it should be possible to rewrite the host header to allow virtual hosts.

               

              Assuming we use the port, it could look like this:

               

              reverse.company.com:81 -> WebsiteA

              reverse.company.com:82 -> WebsiteB

              reverse.company.com:83 -> WebsiteC

               

              In this case I would try a rule on Web Gateway which does the following:

               

              If URL.Port = 81, then call Event: Set Property Value(URL.Host) to WebsiteA

              If URL.Port = 82, then call Event: Set Property Value(URL.Host) to WebsiteB

              If URL.Port = 83, then call Event: Set Property Value(URL.Host) to WebsiteC

               

              Before the request leaves the proxy, MWG should rewrite the request which is sent to the Web Server:

               

              GET / HTTP/1.1
              Host: WebsiteA

               

              If the request arrives at the Web Server with the correct host header, the Web Server should be able to determine which site should be displayed.

              • 4. Re: Reverse Proxy - Webserver using virtual Hosts (virtual Host Name)

                Here's an example of my reverse proxy setup.

                 

                Reverse Proxy
                Enabled
                Applies to Requests: True / Responses: False / Embedded Objects: False
                Always

                Enabled | Rule | Criteria | Action | Events | Comments
                Enabled | https://*.lordchariot.com | Command.Name equals "CONNECT" | Continue | SSL Client Context without CA<*.lordchariot.com> |
                Enabled | lordchariot.com | URL.Host equals "lordchariot.com" | Stop Rule Set | Set URL.Host = "www.lordchariot.local" |
                Enabled | www.lordchariot.com | URL.Host equals "www.lordchariot.com" | Stop Rule Set | Set URL.Host = "www.lordchariot.local" |
                Enabled | torment.lordchariot.com | URL.Host equals "torment.lordchariot.com" | Stop Rule Set | Set URL.Host = "torment.lordchariot.local" |
                Enabled | remote.lordchariot.com | URL.Host equals "remote.lordchariot.com" | Stop Rule Set | Set URL.Host = "remote.lordchariot.com" |
                Enabled | sheogorath.lordchariot.com | URL.Host equals "sheogorath.lordchariot.com" | Stop Rule Set | Set URL.Host = "sheogorath.lordchariot.local" |
                Enabled | scan.lordchariot.com | URL.Host equals "scan.lordchariot.com" | Stop Rule Set | Set URL.Host = "scan.lordchariot.com" |
                Enabled | https://epo.lordchariot.com | URL.Protocol equals "https" AND URL.Host equals "epo.lordchariot.com" | Stop Rule Set | Set URL.Port = 8443; Set URL.Host = "epo.lordchariot.local" |
                Enabled | http://mwg7.lordchariot.com | URL.Protocol equals "http" AND URL.Host equals "mwg7.lordchariot.com" | Stop Rule Set | Set URL.Port = 4711; Set URL.Host = "mwg7.lordchariot.local" |
                Enabled | https://mwg7.lordchariot.com | URL.Protocol equals "https" AND URL.Host equals "mwg7.lordchariot.com" | Stop Rule Set | Set URL.Port = 4712; Set URL.Host = "mwg7.lordchariot.local" |
                Enabled | http://webreporter.lordchariot.com | URL.Protocol equals "http" AND URL.Host equals "webreporter.lordchariot.com" | Stop Rule Set | Set URL.Port = 9111; Set URL.Host = "sheogorath.lordchariot.local" |
                Enabled | https://webreporter.lordchariot.com | URL.Protocol equals "https" AND URL.Host equals "webreporter.lordchariot.com" | Stop Rule Set | Set URL.Port = 9112; Set URL.Host = "sheogorath.lordchariot.local" |
                Enabled | Block All | Always | Block<(Default)> | |

                 

                All incoming connections on 80 and 443 go to reverse proxy.

                 

                "sheogorath" and "scan" both go to an Apache server using Apache host headers.

                "webreporter" goes to a different service and port on "sheogorath".

                 

                "torment" and "remote" both go to the same instance of IIS server using its host headers.

                 

                What else are you trying to do?
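
The host-rewrite pattern from the last two replies, modelled as an added Python example (not MWG's rule engine and not code from any poster): the public Host header is matched against an explicit rule list, rewritten to the backend virtual host, and anything unmatched is blocked like the final "Block All" rule. The names `RULES` and `rewrite_request` are hypothetical; blocking duplicate Host headers and writing `backend:port` into the rewritten header are assumptions of this sketch.

```python
from typing import Optional, Tuple

# A few rules copied from the rule set in the last reply:
# (required scheme or None, public host) -> (backend host, backend port or None)
RULES = [
    ((None, "www.lordchariot.com"), ("www.lordchariot.local", None)),
    ((None, "torment.lordchariot.com"), ("torment.lordchariot.local", None)),
    (("https", "epo.lordchariot.com"), ("epo.lordchariot.local", 8443)),
    (("http", "mwg7.lordchariot.com"), ("mwg7.lordchariot.local", 4711)),
    (("https", "mwg7.lordchariot.com"), ("mwg7.lordchariot.local", 4712)),
]

def rewrite_request(raw: bytes, scheme: str) -> Optional[Tuple[str, int, bytes]]:
    """Return (backend host, backend port, rewritten request), or None to block."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    idx = [i for i, l in enumerate(lines) if i > 0 and l.lower().startswith("host:")]
    if len(idx) != 1:
        return None  # missing or duplicated Host header is ambiguous: block
    value = lines[idx[0]].split(":", 1)[1].strip()
    # Normalise before matching: drop any port, lower-case, strip a trailing dot
    name = value.partition(":")[0].lower().rstrip(".")
    for (want_scheme, public), (backend, port) in RULES:  # first match wins
        if public == name and want_scheme in (None, scheme):
            out_port = port or (443 if scheme == "https" else 80)
            host_value = backend if port is None else f"{backend}:{port}"
            lines[idx[0]] = f"Host: {host_value}"
            new_head = "\r\n".join(lines).encode("iso-8859-1")
            return backend, out_port, new_head + sep + body
    return None  # no rule matched: equivalent of the final "Block All" rule

# Constructed sample requests (not captured traffic)
SAMPLE_OK = b"GET / HTTP/1.1\r\nHost: EPO.lordchariot.com\r\nAccept: */*\r\n\r\n"
SAMPLE_UNKNOWN = b"GET / HTTP/1.1\r\nHost: other.example\r\n\r\n"
SAMPLE_DUP = (b"GET / HTTP/1.1\r\nHost: www.lordchariot.com\r\n"
              b"Host: epo.lordchariot.com\r\n\r\n")

if __name__ == "__main__":
    for req in (SAMPLE_OK, SAMPLE_UNKNOWN, SAMPLE_DUP):
        print(rewrite_request(req, "https"))
```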