Guru: Serve Web Pages Safely Using A Reverse Proxy
July 23, 2018 Alan Seiden
If you are hosting a website or API from your IBM i server, but wish to reduce your worry about allowing access from the Internet, we often recommend a reverse proxy (or “gateway”) server. An industry-standard solution, a reverse proxy server acts as a layer of safety between your production server and your firewall. On IBM i, the IBM HTTP Server (powered by Apache) for i can act as a reverse proxy server, so there’s nothing additional to install.
While there are several ways to set it up, one approach is to put the reverse proxy or gateway in a special IBM i partition situated in your network’s “demilitarized zone” (DMZ), open to the Internet, while your production server sits safely behind it in your private intranet. The reverse proxy pulls appropriate content from your production web server and displays the content to users.
Alternatives include appliances such as Symantec’s Blue Coat proxy and cloud-based gateways such as cloudflare.com.
To configure a reverse proxy server under IBM i, follow these steps:
- Ask your administrators to set up (or make available to you, if one exists already) an IBM i logical partition in your network’s DMZ. The partition won’t need much in the way of resources.
Also ask for the internal IP address of your server that will be protected. For our example, say it’s 192.168.0.200.
- Create an Apache instance in your DMZ partition. Name it something like GATEWAY. Instructions for creating the instance are on this page: https://www.ibm.com/support/knowledgecenter/en/SSAW57_8.5.5/com.ibm.websphere.installation.nd.iseries.doc/ae/tins_is_ihsnew.html
You may wish to add additional features, such as SSL support, to your instance. SSL instructions: http://www-01.ibm.com/support/docview.wss?uid=nas8N1018776
- Edit this gateway instance so that it functions as a reverse proxy server. You’ll need to edit the appropriate Apache instance configuration file. Its location will depend on your web server instance name. For example, if your Apache instance is named GATEWAY, then the file is likely to be located at /www/gateway/conf/httpd.conf. This is a simple text file, so you may choose from several editors: IBM’s HTTP Server Admin GUI at port 2001 (if *ADMIN is started), the WRKLNK/EDTF command, or your favorite text editor.
Add the following directives to httpd.conf’s main section (lines beginning with a pound sign are comments):

    LoadModule proxy_module /QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM
    LoadModule proxy_http_module /QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM
    LoadModule proxy_connect_module /QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM
    # URL path / will pull content from server 192.168.0.200.
    ProxyPass / http://192.168.0.200/
    ProxyPassReverse / http://192.168.0.200/
- Use the Start TCP/IP Server (STRTCPSVR) CL command to restart your Apache instance (in this case, “GATEWAY”).

    STRTCPSVR SERVER(*HTTP) RESTART(*HTTP) HTTPSVR(GATEWAY)
- Now your website should be accessible to the public through the gateway server’s address.
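Before restarting the instance, the proxy directives from the httpd.conf step can be sanity-checked with a short script. This is an added example, not code from the original article; `audit_proxy_conf` and the two sample configurations are constructed for illustration. It only understands the main-section, two-argument form of ProxyPass used in this article.

```python
# Added example: audit main-section proxy directives in an httpd.conf.
# audit_proxy_conf, GOOD and BAD are constructed for illustration.

GOOD = """\
# URL path / will pull content from server 192.168.0.200.
ProxyPass / http://192.168.0.200/
ProxyPassReverse / http://192.168.0.200/
"""

BAD = """\
ProxyRequests On
ProxyPass http://192.168.0.200/
ProxyPass /api/ http://192.168.0.200/api/
"""


def audit_proxy_conf(text):
    """Return (line number, message) findings for the proxy directives."""
    findings = []
    passes, reverses = {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, *args = line.split()
        key = name.lower()
        if key == "proxyrequests" and args and args[0].lower() == "on":
            # Forward proxying is not needed for ProxyPass and lets
            # clients relay requests through the gateway.
            findings.append((lineno, "ProxyRequests On enables a forward proxy"))
        elif key in ("proxypass", "proxypassreverse"):
            if len(args) < 2 or not args[0].startswith("/"):
                findings.append((lineno, f"{name} needs a URL path and a backend URL"))
            elif args[1] != "!":  # "!" only excludes a path from proxying
                target = passes if key == "proxypass" else reverses
                target[args[0]] = (lineno, args[1])
    # Without a matching ProxyPassReverse, backend redirects reach the
    # client with the internal address in the Location header.
    for path, (lineno, backend) in passes.items():
        if reverses.get(path, (0, None))[1] != backend:
            findings.append((lineno, f"ProxyPass {path} has no matching ProxyPassReverse"))
    return findings


if __name__ == "__main__":
    for label, conf in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit_proxy_conf(conf) or "no findings")
```

To check a real instance, pass the contents of its configuration file (for example /www/gateway/conf/httpd.conf) to `audit_proxy_conf`.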
An IBM Champion and founder of Seiden Group, Alan Seiden leads a team that mentors clients in building APIs and web/mobile applications using open source, PHP, Python and IBM i business logic. Alan’s passion for the IBM i community inspires him to host the bi-annual CIO Summit and offer a free monthly tips newsletter.