• Setting Up an OS/400 HTTP Firewall Using Reverse Proxy

    February 4, 2004 Shannon O'Donnell

    If you are a regular reader of our technical articles, you should already be familiar with how to configure an HTTP Server on your AS/400 and how to serve Web pages. Of course, by exposing your AS/400 to the Internet, you are also increasing the odds that someone will attempt to hack it. One method you can use to secure your OS/400 from hackers is to set up an HTTP reverse proxy server on another AS/400. This article will show you how.

    If you don’t remember how to set up an OS/400 HTTP Server, or how to store and serve Web pages, I encourage you to read these Midrange Programmer articles: “Displaying Static HTML Pages from the iSeries” and “iSeries Access for Web.”

    The first article explains how to serve static Web pages from an iSeries and how to configure the HTTP Server. The second article is a little bit more up to date on configuring the HTTP Server for iSeries, using OS/400 V5R2 examples. Either article will give you the information you need to configure a new HTTP Server instance, which you can use to build on for this article.

    REVERSE PROXY SERVING

    The goal of this article is to put up an impenetrable wall between your production HTTP Server and the outside world. While there are many ways to do so, this method uses a second AS/400 as that wall. We’ll configure a second HTTP Server instance on the outside AS/400–the AS/400 that will interface with the Internet and the rest of the world–which will take all of the Web URL requests and pass them to the AS/400 HTTP server behind the wall. And we’ll achieve this through the use of some magic known as reverse proxy serving.

    Reverse proxy serving, available only on Apache powered HTTP Servers, is a simple concept. Basically, it maps the server space of the server you are protecting into the server that is exposed to the Internet. When a user enters a URL to a Web page on your production AS/400, the one that sits behind your firewall, that URL first hits the external AS/400’s HTTP Server, which is configured as a reverse proxy server. The reverse proxy server passes that URL to the AS/400 HTTP server behind the firewall. The reverse proxy server knows which AS/400 HTTP server to pass the request onto because you tell it how to get there through a ProxyPass directive.

    CONFIGURING REVERSE PROXY

    A ProxyPass directive defines what URL requests you want to pass on, and where you want to pass them. After configuring a new HTTP Server powered by Apache on the outside AS/400 (the one that will interface with the Internet), I clicked the Proxy link in the left hand pane. Clicking this link brought up the Proxy configuration panel shown in Figure 1. As you can see, there lots of things you can do with proxy serving: everything from reverse proxy to forward proxy. Forward proxy, by the way, lets you control outgoing URL requests through your AS/400. Clicking the Reverse Proxy tab brings up the panel shown in the figure.

    Figure 1

    Figure 1: Configuring reverse proxy serving is simple

    The first thing to do is configure reverse proxy for this HTTP Server instance by selecting the Enabled option in the “Reverse proxy capabilities” drop-down box, shown in the figure. Next, define the path that the incoming URL requests will take to the AS/400 behind the firewall. Note that this is used internally by the HTTP server. It is not the URL the user would type into their browser. In this example, I am allowing all incoming URL requests by entering a slash (/) in the “Local virtual path” field. If you wanted to limit incoming URL requests, you could qualify this field with the full or partial URL path you want to limit it to.

    Next, I am directing URL requests to an HTTP Server running on an AS/400 at IP address http://192.168.254.106/. Notice the slash (/) on the end of this path. It tells the reverse proxy server that any directory on that HTTP Server can be forwarded to. If you wanted to limit directories, you could name the directory on the URL path. When you click on the OK button, the configuration tool will add the following statements to your HTTP configuration file: 

    LoadModule proxy_module /QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM

LoadModule proxy_http_module /QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM

LoadModule proxy_connect_module /QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM

LoadModule proxy_ftp_module /QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM

ProxyPass /  http://192.168.254.106/

    There are additional proxy directives you may want to explore and use. For a complete list of these directives, click the “Directive Index” link on the left hand pane of the HTTP configuration panel.

    HAPPINESS IS SECURITY

    That’s all you need to do to secure one AS/400 HTTP server by using another as a firewall. You don’t need to do anything on the internal AS/400 beyond what you would normally do already to serve Web pages via that AS/400’s HTTP Server.

    Reverse proxy, available to HTTP Servers powered by Apache, is a quick and easy way to enable a level of security previously only available through the use of expensive routers. Of course, using an AS/400 as a firewall is also an expensive solution, but if you happen to have a second, small AS/400 sitting around gathering dust, or if you have an LPAR-capable AS/400, and you have no plans for that extra partition, this might be a firewall solution you want to pursue. In any event, you are now armed with the knowledge you need to use reverse proxy to secure your AS/400 from the outside world.

    Tags:

    Sponsored by
    DRV Tech

    Get More Out of Your IBM i

    With soaring costs, operational data is more critical than ever. IBM shops need faster, easier ways to distribute IBM applications-based data to users more efficiently, no matter where they are.

    The Problem:

    For Users, IBM Data Can Be Difficult to Get To

    IBM Applications generate reports as spooled files, originally designed to be printed. Often those reports are packed together with so much data it makes them difficult to read. Add to that hardcopy is a pain to distribute. User-friendly formats like Excel and PDF are better, offering sorting, searching, and easy portability but getting IBM reports into these formats can be tricky without the right tools.

    The Solution:

    IBM i Reports can easily be converted to easy to read and share formats like Excel and PDF and Delivered by Email

    Converting IBM i, iSeries, and AS400 reports into Excel and PDF is now a lot easier with SpoolFlex software by DRV Tech.  If you or your users are still doing this manually, think how much time is wasted dragging and reformatting to make a report readable. How much time would be saved if they were automatically formatted correctly and delivered to one or multiple recipients.

    SpoolFlex converts spooled files to Excel and PDF, automatically emailing them, and saving copies to network shared folders. SpoolFlex converts complex reports to Excel, removing unwanted headers, splitting large reports out for individual recipients, and delivering to users whether they are at the office or working from home.

    Watch our 2-minute video and see DRV’s powerful SpoolFlex software can solve your file conversion challenges.

    Watch Video

    DRV Tech

    www.drvtech.com

    866.378.3366

    Leave a Reply

Content archive