Apache reverse proxy for OpenAM

It is fairly typical in most enterprises to front-end an OpenAM deployment with a reverse proxy. This article gives an example using Apache's HTTP server on a Red Hat host.

In setting up a proxy it's customary to hide the specific endpoint port the application is running on. For an identity app like OpenAM, forcing all operations over HTTPS is also important.

In this example OpenAM is running on an Apache Tomcat server named appserver1.example.com using port 8080. The endpoint uri is http://appserver1.example.com:8080/openam.

The uri that we want to present to users is https://sso.example.com/openam.

In the OpenAM console navigate to Configuration… Servers and Sites. Scroll down to Sites and add a new site with the name “sso” and the uri https://sso.example.com/openam. Save and then go to Servers. Click on each server listed and use the drop-down menu under Site to select “sso” as the parent site. Save the configuration.

Next edit /etc/httpd/conf/httpd.conf to add a virtual host like this:

<VirtualHost *:80>
    ServerAdmin hostmaster@example.com
    DocumentRoot /var/www/html/login
    ServerName  sso.example.com
    ErrorLog logs/sso.example.com-error_log
    CustomLog logs/sso.example.com-access_log combined

    # This forces all operations to use HTTPS
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

    # Reverse Proxy for HTTP (if the above rewrite works this
    # should never be reached -- it is included as a fallback).
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass /openam http://localhost:8080/openam
    ProxyPassReverse /openam http://localhost:8080/openam
</VirtualHost>

Then create a corresponding virtual host in /etc/httpd/conf.d/ssl.conf (note that Apache can now serve, and all modern browsers can handle, name-based HTTPS virtual hosts):

<VirtualHost *:443>
    DocumentRoot /var/www/html/sso
    ServerName sso.example.com
    ServerAdmin hostmaster@example.com
    ErrorLog  logs/sso.example.com-ssl_error_log
    TransferLog  logs/sso.example.com-ssl_access_log
    SSLEngine on
    SSLProtocol all -SSLv3 -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!EXPORT
    SSLCertificateFile /etc/pki/tls/certs/example.com.crt
    SSLCertificateKeyFile /etc/pki/tls/private/example.com.key
    SSLCertificateChainFile /etc/pki/tls/certs/exampleCA.crt
    CustomLog logs/ssl_request_log \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"

    # This is the reverse proxy directive
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass /openam http://localhost:8080/openam
    ProxyPassReverse /openam http://localhost:8080/openam
</VirtualHost>
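
The following Python script is an added example, not code from the original post: it parses the two virtual host blocks above (a constructed, condensed copy is embedded) and reports any security-relevant setting that is missing or weak: the HTTP-to-HTTPS redirect, the SSLv2/SSLv3 exclusion, the !aNULL cipher exclusion, ProxyRequests Off, and a ProxyPassReverse for every ProxyPass. The function names are my own.

```python
import re

# Constructed sample: the article's two virtual hosts, condensed to the directives checked here.
SAMPLE_CONF = """
<VirtualHost *:80>
    RewriteRule .* https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    ProxyRequests Off
    ProxyPass /openam http://localhost:8080/openam
    ProxyPassReverse /openam http://localhost:8080/openam
</VirtualHost>
<VirtualHost *:443>
    SSLProtocol all -SSLv3 -SSLv2
    SSLCipherSuite HIGH:MEDIUM:!aNULL:!MD5:!EXPORT
    ProxyRequests Off
    ProxyPass /openam http://localhost:8080/openam
    ProxyPassReverse /openam http://localhost:8080/openam
</VirtualHost>
"""

def parse_vhosts(conf):
    """Map each <VirtualHost *:PORT> block to {directive: [argument strings]}."""
    vhosts = {}
    for m in re.finditer(r"<VirtualHost\s+\*:(\d+)>(.*?)</VirtualHost>", conf, re.S):
        directives = {}
        for line in m.group(2).splitlines():
            line = line.split("#", 1)[0].strip()  # drop comments; assumes no '#' in quoted args
            if line:
                name, _, args = line.partition(" ")
                directives.setdefault(name, []).append(args.strip())
        vhosts[int(m.group(1))] = directives
    return vhosts

def check_vhosts(vhosts):
    """Return findings for the security-relevant directives; [] means every check passed."""
    findings, http, https = [], vhosts.get(80, {}), vhosts.get(443, {})
    if not any(r.split()[1].startswith("https://") for r in http.get("RewriteRule", []) if " " in r):
        findings.append("port 80: no RewriteRule sending plain HTTP to https://")
    proto = set(" ".join(https.get("SSLProtocol", ["all"])).split())  # absent => treated as 'all'
    if ("all" in proto and not {"-SSLv2", "-SSLv3"} <= proto) or proto & {"SSLv2", "SSLv3"}:
        findings.append("port 443: SSLProtocol still allows SSLv2/SSLv3")
    if "!aNULL" not in https.get("SSLCipherSuite", [""])[0]:
        findings.append("port 443: SSLCipherSuite does not exclude anonymous (aNULL) ciphers")
    for port, d in vhosts.items():
        if d.get("ProxyRequests", [""])[0].lower() != "off":
            findings.append(f"port {port}: ProxyRequests must be Off (otherwise an open forward proxy)")
        # Every ProxyPass needs a ProxyPassReverse so backend Location headers are rewritten
        missing = {p.split()[0] for p in d.get("ProxyPass", [])} - {r.split()[0] for r in d.get("ProxyPassReverse", [])}
        findings += [f"port {port}: ProxyPass {p} has no matching ProxyPassReverse" for p in sorted(missing)]
    return findings
```

Run it against your real httpd.conf and ssl.conf contents before reloading Apache; an empty list means the settings shown in this article are all present.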

I added an index.html under /var/www/html/sso to force anyone accessing the base url, https://sso.example.com/, to https://sso.example.com/openam.

<!DOCTYPE html>
<html>
<head>
<meta http-equiv="refresh" content="0; url=https://sso.example.com/openam">
</head>
<body></body>
</html>

About phil

My name is Phil Lembo. In my day job I’m an enterprise IT architect for a leading distribution and services company. The rest of my time I try to maintain a semi-normal family life in the suburbs of Raleigh, NC. E-mail me at philipATlembobrothersDOTcom. The opinions expressed here are entirely my own and not those of my employers, past, present or future (except where I quote others, who will need to accept responsibility for their own rants).