Setting Up an OS/400 HTTP Firewall Using Reverse Proxy
February 4, 2004 Shannon O'Donnell
If you are a regular reader of our technical articles, you should already be familiar with how to configure an HTTP Server on your AS/400 and how to serve Web pages. Of course, by exposing your AS/400 to the Internet, you are also increasing the odds that someone will attempt to hack it. One method you can use to secure your OS/400 from hackers is to set up an HTTP reverse proxy server on another AS/400. This article will show you how.
If you don’t remember how to set up an OS/400 HTTP Server, or how to store and serve Web pages, I encourage you to read these Midrange Programmer articles: “Displaying Static HTML Pages from the iSeries” and “iSeries Access for Web.”
The first article explains how to serve static Web pages from an iSeries and how to configure the HTTP Server. The second article is a little bit more up to date on configuring the HTTP Server for iSeries, using OS/400 V5R2 examples. Either article will give you the information you need to configure a new HTTP Server instance, which you can use to build on for this article.
REVERSE PROXY SERVING
The goal of this article is to put up an impenetrable wall between your production HTTP Server and the outside world. While there are many ways to do so, this method uses a second AS/400 as that wall. We’ll configure a second HTTP Server instance on the outside AS/400–the AS/400 that will interface with the Internet and the rest of the world–which will take all of the Web URL requests and pass them to the AS/400 HTTP server behind the wall. And we’ll achieve this through the use of some magic known as reverse proxy serving.
Reverse proxy serving, available only on Apache powered HTTP Servers, is a simple concept. Basically, it maps the server space of the server you are protecting into the server that is exposed to the Internet. When a user enters a URL to a Web page on your production AS/400, the one that sits behind your firewall, that URL first hits the external AS/400’s HTTP Server, which is configured as a reverse proxy server. The reverse proxy server passes that URL to the AS/400 HTTP server behind the firewall. The reverse proxy server knows which AS/400 HTTP server to pass the request onto because you tell it how to get there through a ProxyPass directive.
CONFIGURING REVERSE PROXY
A ProxyPass directive defines what URL requests you want to pass on, and where you want to pass them. After configuring a new HTTP Server powered by Apache on the outside AS/400 (the one that will interface with the Internet), I clicked the Proxy link in the left hand pane. Clicking this link brought up the Proxy configuration panel shown in Figure 1. As you can see, there lots of things you can do with proxy serving: everything from reverse proxy to forward proxy. Forward proxy, by the way, lets you control outgoing URL requests through your AS/400. Clicking the Reverse Proxy tab brings up the panel shown in the figure.
Figure 1: Configuring reverse proxy serving is simple
The first thing to do is configure reverse proxy for this HTTP Server instance by selecting the Enabled option in the “Reverse proxy capabilities” drop-down box, shown in the figure. Next, define the path that the incoming URL requests will take to the AS/400 behind the firewall. Note that this is used internally by the HTTP server. It is not the URL the user would type into their browser. In this example, I am allowing all incoming URL requests by entering a slash (/) in the “Local virtual path” field. If you wanted to limit incoming URL requests, you could qualify this field with the full or partial URL path you want to limit it to.
Next, I am directing URL requests to an HTTP Server running on an AS/400 at IP address http://192.168.254.106/. Notice the slash (/) on the end of this path. It tells the reverse proxy server that any directory on that HTTP Server can be forwarded to. If you wanted to limit directories, you could name the directory on the URL path. When you click on the OK button, the configuration tool will add the following statements to your HTTP configuration file:
LoadModule proxy_module /QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM LoadModule proxy_http_module /QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM LoadModule proxy_connect_module /QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM LoadModule proxy_ftp_module /QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM ProxyPass / http://192.168.254.106/
There are additional proxy directives you may want to explore and use. For a complete list of these directives, click the “Directive Index” link on the left hand pane of the HTTP configuration panel.
HAPPINESS IS SECURITY
That’s all you need to do to secure one AS/400 HTTP server by using another as a firewall. You don’t need to do anything on the internal AS/400 beyond what you would normally do already to serve Web pages via that AS/400’s HTTP Server.
Reverse proxy, available to HTTP Servers powered by Apache, is a quick and easy way to enable a level of security previously only available through the use of expensive routers. Of course, using an AS/400 as a firewall is also an expensive solution, but if you happen to have a second, small AS/400 sitting around gathering dust, or if you have an LPAR-capable AS/400, and you have no plans for that extra partition, this might be a firewall solution you want to pursue. In any event, you are now armed with the knowledge you need to use reverse proxy to secure your AS/400 from the outside world.