
The following will guide the buildout of an OpenAM server which utilizes an Apache Reverse Proxy, OWF (Ozone Widget Framework), and 2-way SSL authentication.  The backend OWF and OpenAM server names will not be displayed in the URL after configuration (this is expected in a reverse proxy environment).  This environment was built on CentOS 6.x 64-bit.  This guide will go into detail where needed, but basic understanding of the Apache web server is expected.

As-Built Requirements

The following list contains the packages that were utilized to build the environment.
As-Built Packages
  • OpenAM
  • OWF
  • CentOS 6.x x86_64
  • httpd.2.2.15-29.el6.centos.x86_64
  • httpd-tools.2.2.15-29.el6.centos.x86_64
  • mod_proxy_html.3.1.2-6.el6.x86_64
  • mod_ssl.1:2.2.15-29.el6.centos.x86_64
  • openssl.1.0.0-27.el6_4.2.x86_64
  • apr-1.3.9-5.el6_2.x86_64
  • Other packages as needed to satisfy dependencies
Red Hat Enterprise Linux 6.x

Standard build, including the firewall, SELinux and similar exceptions needed by the Apache services.  DNS and/or hosts files must be complete and functional for this configuration to operate correctly.

Proxying Web Server

NOTE:  Additional supporting dependencies must be installed to accommodate the full functionality of the proxy and associated packages.

The OpenAM Server

OpenAM must be configured to accept user certificates from the proxy.

The OWF Server

It is assumed the OWF server already allows OpenAM to manage certificate-based authentication for its services.

Apache Configuration

**Note: To ensure functionality, all of the backend servers must trust each other's certificates and the end user's client certificate.


https://www1.domain.external  – The externally facing web server which houses the reverse proxy

https://www2.domain.internal – The internally facing web server (same server as above)

https://owf.domain.internal – The internal OWF server (configured to allow OpenAM to manage authentication)

  • Assumes OWF is available internally on https://owf.domain.internal:8443/owf and requires certificate-based authentication

https://openam.domain.internal – The internal OpenAM server

  • Assumes OpenAM is available internally on https://openam.domain.internal:8443/openam and requires certificate-based authentication
Changes To ssl.conf (typically found at /etc/httpd/conf.d/ssl.conf)

The following changes were made to the ssl.conf configuration to enable the correct rewriting and redirection via the reverse proxy.

Outside The Virtual Host Container

  • Listen 8443
  • ##Clear both forwarded headers first; because "RequestHeader set" overwrites whatever the client sent, a user cannot supply their own X-Forwarded-Client-Cert value
  • RequestHeader set X-Forwarded-Client-Cert ""
  • RequestHeader set X-Forwarded-Client-DN-CN ""
  • ##Set X-Forwarded-Client-Cert to the external client's certificate (SSL_CLIENT_CERT is only populated when the virtual host verifies client certificates and has SSLOptions +ExportCertData)
  • RequestHeader set X-Forwarded-Client-Cert "%{SSL_CLIENT_CERT}s"
  • ##Set X-Forwarded-Client-DN-CN to the CN of the external client's subject DN -- their name, i.e. John Doe
  • RequestHeader set X-Forwarded-Client-DN-CN "%{SSL_CLIENT_S_DN_CN}s"
  • ##Enable SSL/TLS for the proxy
  • SSLProxyEngine On
  • ##Enable mod rewrite, some buffering (should work fine, but may need modifying), etc
  • RewriteEngine On
  • SetOutputFilter proxy-html
  • ProxyHTMLDocType HTML
    • *****If JavaScript (or possibly other data) is being truncated or not displaying properly, change this line to ProxyHTMLDocType "<!DOCTYPE html>" XML, restart the proxy, and retry
  • ProxyHTMLEnable On
  • ProxyHTMLExtended On
  • ProxyHTMLInterp On
  • ProxyHTMLMeta On
  • ProxyHTMLBufSize 32768
  • ##Enable mod_filter's output filter SUBSTITUTE for text/html
  • AddOutputFilterByType SUBSTITUTE text/html
    • *****Other JavaScript option is to modify to "AddOutputFilterByType DEFLATE text/javascript"
  • Header Edits:
    • It will likely be necessary to rewrite the Location response header.  A browser console, such as Firebug within Firefox, will assist in configuring the rewrites correctly: the "Net" panel with the "All" tab selected lists every "GET", and none of them should contain internal addresses, in the "Location" field or elsewhere.
    • ##The following two examples (first) rewrite a response that points to the internal OpenAM server or the internal OWF server so that it points to the external addresses, and (second) rewrite a response where the external OpenAM address is already specified but the OWF address it carries still needs to be rewritten to the external OWF address
    • ##These are examples, but should provide a good starting point for the rewrites.  A "(.*)" group just tells the rewrite to store that portion of the string, in this case "?goto=https", and insert it into the replacement via the "$1" back reference.
    • ##Make sure header redirects are pointing to the correct proxied locations
    • Header edit Location ^https://openam.domain.internal:8443/openam https://www1.domain.external:8443/openam
    • Header edit Location ^https://owf.domain.internal:8443/owf https://www1.domain.external:8443/owf
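As an added example (not part of the original page), the following POSIX shell script dry-runs the Location rewrites with sed so they can be checked offline before editing ssl.conf, and greps a response header dump for internal hostnames that still leak, which is the same check described above for the browser console. The internal and external hostnames are the page's; the third rule, which rewrites an internal OWF address carried in a ?goto= parameter, is this example's own assumed form of the second rewrite the text describes, and the header dump is constructed.

```shell
#!/bin/sh
# Added example, not from the original page: dry-run the "Header edit Location"
# rules with sed and check a header dump for leaked internal hostnames.

EXTERNAL='https://www1.domain.external:8443'
# Same value with regex metacharacters escaped, for use inside a pattern.
EXTERNAL_RE='https://www1\.domain\.external:8443'

# Apply the rewrites to one Location value, in the order Apache would evaluate
# the Header edit lines. Rules 1 and 2 are the page's; rule 3 is an assumed
# form of the second case described in the text: the external OpenAM address is
# already correct, but the ?goto= parameter still names the internal OWF server.
rewrite_location() {
  printf '%s\n' "$1" | sed -E \
    -e "s#^https://openam\.domain\.internal:8443/openam#${EXTERNAL}/openam#" \
    -e "s#^https://owf\.domain\.internal:8443/owf#${EXTERNAL}/owf#" \
    -e "s#^(${EXTERNAL_RE}/openam.*[?]goto=)https://owf\.domain\.internal:8443/owf#\\1${EXTERNAL}/owf#"
}

# Print any Location or Set-Cookie header in a response dump (stdin) that still
# exposes an internal hostname; nothing printed means the rewrites are complete.
# Against the live proxy, feed it the headers of an authenticated request, e.g.:
#   curl -skI --cert user.crt --key user.key "${EXTERNAL}/openam/" | internal_leaks
internal_leaks() {
  grep -Ei '^(Location|Set-Cookie):.*domain\.internal'
}

# Number of leaking header lines, as a plain integer.
count_internal_leaks() {
  internal_leaks | wc -l | tr -d ' '
}

# Constructed sample: what a backend redirect looks like before any rewriting.
SAMPLE_HEADERS='HTTP/1.1 302 Found
Location: https://openam.domain.internal:8443/openam/UI/Login?goto=https://owf.domain.internal:8443/owf
Set-Cookie: JSESSIONID=constructedvalue; Domain=domain.internal; Path=/owf'

printf 'Leaks before rewrite: %s\n' "$(printf '%s\n' "$SAMPLE_HEADERS" | count_internal_leaks)"
printf 'Rewritten Location: %s\n' "$(rewrite_location 'https://openam.domain.internal:8443/openam/UI/Login?goto=https://owf.domain.internal:8443/owf')"
```

The Set-Cookie line in the sample is caught on purpose: a cookie still scoped to domain.internal is the symptom that ProxyPassReverseCookieDomain (see the virtual host section) is missing or has the wrong domain names.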

Inside The Virtual Host Container

  • <VirtualHost _default_:8443> (this is from the default of 443)
  • ##Address Compression Issues With OWF JavaScript -- INFLATES output
  • SetOutputFilter INFLATE
    • *****Another option, if rendering issues occur, is to add "AddOutputFilterByType INFLATE;DEFLATE text/javascript application/javascript text/css", restart the server, and retry.  You may also try moving this to a global option
  • ##Do not keep the originator's address
  • ProxyPreserveHost Off
  • ##Make sure cookies can be translated between the two domains (It may be necessary to prefix the leading dot to the domain names ie: .domain.internal )
  • ProxyPassReverseCookieDomain domain.internal domain.external
  • ##This is used to set up the backend server-to-server SSL from the proxy to OWF/OpenAM
  • ##This file is a concatenation of the server certificate and key (just cat the server's key and certificate into one file!!)
  • SSLProxyMachineCertificateFile /etc/pki/tls/private/sslproxymach.crt
  • ##Proxy’s CA file -- this is sent to ask for client certs
  • SSLProxyCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
  • ##Proxy OWF to backend
  • <Location /owf>
  • ProxyPass  https://owf.domain.internal:8443/owf
  • ProxyPassReverse  https://owf.domain.internal:8443/owf
  • </Location>
  • ##Proxy OpenAM to backend
  • <Location /openam>
  • ProxyPass https://openam.domain.internal:8443/openam
  • ProxyPassReverse https://openam.domain.internal:8443/openam
  • </Location>
Changes To httpd.conf (typically found at /etc/httpd/conf/httpd.conf)

Module Loading

  • LoadModule deflate_module modules/
  • LoadModule headers_module modules/
  • LoadModule substitute_module modules/
  • LoadModule rewrite_module modules/
  • LoadModule proxy_module modules/
  • LoadModule proxy_http_module modules/
  • LoadModule proxy_ajp_module modules/
  • LoadModule proxy_connect_module modules/
  • LoadModule ssl_module modules/
  • LoadModule proxy_html_module modules/

Changes To proxy_html.conf (typically found at /etc/httpd/conf.d/proxy_html.conf)

Add the following to proxy_html.conf

  • ProxyHTMLLinks  td  style
  • ProxyHTMLLinks  tr  style
  • ProxyHTMLLinks  table  background

OpenAM Configuration

This configuration assumes an already working and configured PKI instance protecting the OWF server.

  • Within the OpenAM console, go to “Access Control > <REALM> > Authentication > <PKIAuthModule>”.

  • Under “Trusted Remote Hosts > Current Values”, add the address of the proxy host (the value shown is an example):
  • ***NOTE: It must be an IP address, not a hostname
    • i.e. the IP address of https://www2.domain.internal
  • Under “HTTP Header Name for Client Certificate:”, add the following (the actual header name is arbitrary, but it must be the same header created by Apache in the ssl.conf configuration file; this name was used for convention’s sake):
    • X-Forwarded-Client-Cert

OWF Configuration

The Ozone Widget Framework configuration should not need to change, since it is assumed to be protected via OpenAM.

**Other Applications Of This Configuration

This configuration has also been used in other builds which utilized a standard Tomcat6 server that required certificate-based authentication.
