Configure Apache HTTP Server as a Reverse Proxy to Archibus Web Central

Follow these steps to configure Apache HTTP Server as a reverse proxy to Archibus Web Central running on Apache Tomcat for Microsoft Windows.

Configure Apache in Reverse Proxy Mode for Web Central

After installing Apache HTTP Server from http://httpd.apache.org/download.cgi or from https://www.apachelounge.com/download/win64/, edit the file apache\apache-http\conf\httpd.conf as follows:

  1. Uncomment the following modules by removing their preceding hash (#):
    • LoadModule headers_module modules/mod_headers.so
    • LoadModule proxy_module modules/mod_proxy.so
    • LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
    • LoadModule proxy_http_module modules/mod_proxy_http.so
    • LoadModule rewrite_module modules/mod_rewrite.so
    • LoadModule ssl_module modules/mod_ssl.so
  2. Configure the ServerName to match the name of the machine running Apache HTTP.
  3. Configure the Listen port to match the desired port for Apache to listen on.
  4. Add the ProxyPass and ProxyPassReverse directives to match the desired behavior.
  5. Save the file and start the Apache server.

For example:

ProxyPass /archibus/ http://web-central-srv:8080/archibus/
ProxyPassReverse /archibus/ http://web-central-srv:8080/archibus/

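The above configuration tells Apache to forward any request whose URL path begins with “/archibus/” to http://web-central-srv:8080/archibus/, where, presumably, your Web Central server is listening for requests. ProxyPassReverse rewrites the Location headers in the backend's redirect responses so that they point back at the proxy rather than at the Tomcat host.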

Test your configuration by launching the URL to your Apache server; the Web Central logon page will appear.

For more information on Apache Reverse Proxy configuration, review the following: http://httpd.apache.org/docs/2.2/mod/mod_proxy.html
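
One way to check the edited httpd.conf before starting Apache, as an added example that is not part of the original Archibus documentation. The function name check_httpd_conf and the sample text are constructed here, and only the top-level two-argument ProxyPass form shown above is handled.

```python
# Added example: checks httpd.conf text against the steps above.
REQUIRED_MODULES = ("headers_module", "proxy_module", "proxy_ajp_module",
                    "proxy_http_module", "rewrite_module", "ssl_module")

def check_httpd_conf(text):
    """Return a list of problems found in the text of an httpd.conf file."""
    loaded, passes, reverses, problems = set(), {}, {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # commented-out directives do not count
            continue
        parts = [p.strip('"') for p in line.split()]
        name = parts[0].lower()  # directive names are case-insensitive
        if name == "loadmodule" and len(parts) >= 3:
            loaded.add(parts[1])
        elif name == "proxypass" and len(parts) >= 3:
            passes[parts[1]] = parts[2]
        elif name == "proxypassreverse" and len(parts) >= 3:
            reverses[parts[1]] = parts[2]
        elif name == "proxyrequests" and parts[1:2] and parts[1].lower() == "on":
            problems.append("ProxyRequests On enables forward proxying; "
                            "a reverse proxy should leave it Off")
    for mod in REQUIRED_MODULES:
        if mod not in loaded:
            problems.append(f"LoadModule {mod} is missing or still commented out")
    if not passes:
        problems.append("no ProxyPass directive found")
    for path, url in passes.items():
        # mod_proxy expects path and backend URL to agree on the trailing slash
        if path.endswith("/") != url.endswith("/"):
            problems.append(f"ProxyPass {path} {url}: trailing slash mismatch")
        if reverses.get(path) != url:
            problems.append(f"ProxyPass {path} has no ProxyPassReverse to the same URL")
    return problems

# Constructed sample: rewrite_module left commented, ProxyPassReverse URL lacks the slash.
SAMPLE = """\
LoadModule headers_module modules/mod_headers.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_http_module modules/mod_proxy_http.so
#LoadModule rewrite_module modules/mod_rewrite.so
LoadModule ssl_module modules/mod_ssl.so
ProxyPass /archibus/ http://web-central-srv:8080/archibus/
ProxyPassReverse /archibus/ http://web-central-srv:8080/archibus
"""

if __name__ == "__main__":
    for problem in check_httpd_conf(SAMPLE):
        print(problem)
```

An empty list means the module, ProxyPass and ProxyPassReverse lines agree with the steps; it does not replace Apache's own syntax check.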

Configure the Reverse Proxy for SSL

First, create a self-signed certificate for testing purposes only. For production, this would typically be replaced by a certificate generated by a legitimate Certificate Authority (CA) such as Comodo, Verisign, GoDaddy, etc.

  1. Open a DOS Command window using Start -> cmd.
  2. Create an environment variable that points to the openssl.cnf file in your Apache installation’s /conf folder. For example:

C:\apache\apache-http\bin>set OPENSSL_CONF=C:\apache\apache-http\conf\openssl.cnf

  3. Enter the following command; replace “artemis” with your server name:

C:\apache\apache-http\bin>openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout artemis.key -out artemis.crt

  4. Enter the requested information as follows:

Loading 'screen' into random state - done
Generating a 2048 bit RSA private key
...............................................................+++
.....+++
writing new private key to 'artemis.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:MASSACHUSETTS
Locality Name (eg, city) []:BOSTON
Organization Name (eg, company) [Internet Widgits Pty Ltd]:Archibus, Inc.
Organizational Unit Name (eg, section) []:Archibus
Common Name (e.g. server FQDN or YOUR name) []:artemis.boston.archibus.com
Email Address []:

  5. Check the /bin folder for the .key and .crt files.
  6. Edit the Apache httpd.conf file: near the end of the file, remove the comment (#) in front of the Include for httpd-ssl.conf and save. It should look like the following when you finish:

# Secure (SSL/TLS) connections
Include conf/extra/httpd-ssl.conf

  7. Edit the httpd-ssl.conf file in the \conf\extra sub folder. Edit the following two lines to match the path and file names of the .key and .crt files generated in steps 1 through 4:

SSLCertificateFile "C:/apache/apache-http/bin/artemis.crt"
SSLCertificateKeyFile "C:/apache/apache-http/bin/artemis.key"

  8. Save and restart your Apache server.
  9. Test your configuration by entering the fully qualified server URL into a browser:

https://artemis.boston.archibus.com/archibus/

  10. The browser will tell you the connection is untrusted because it is self-signed and not issued by a CA. Choose to continue to this website (or the equivalent step if using Chrome or Firefox).
  11. Follow the steps outlined in the following topic before connecting with the Smart Client: