Reverse Proxy Apache front OpenAM with web Policy Agent on it

This topic has 2 replies, 2 voices, and was last updated 5 years, 10 months ago by [email protected].

  • #2465

    Hi everyone,

    Has any of you ever tried to install an Apache in front of OpenAM with a Web Policy Agent at the same time? My goal in doing this is to have only one web server to protect an application and front my OpenAM.

    
      __________              ________________________   
    |  Browser   | -------> | Reverse Proxy w/agent    |                  ______________
    |  Client    |          | VHost IP1 openam.foo.bar | -------------> | Openam Server  |
                            |                          |      _____________________
                            | VHost IP2 toto.foo.bar   | -> | Protected Application |
    

    So my OpenAM is configured with cookie .foo.bar. I set the agent with com.sun.identity.agents.config.notenforced.url[0] = http://openam.foo.bar/openan/*

    The problem is that when I start my Apache, nothing is logged in Debug/amAgent even if debug is set to all:5. Also, when I try to access a resource of the web server with a browser, nothing happens, it keeps loading. If I do the same with NetCat and send:

    GET /myressources HTTP/1.1
    Host: toto

    No answer ….

    So I think there is a loop in Apache, something like: the web agent tries to authenticate against the OpenAM URL, but this URL is served by the same Apache, which doesn't want to let the request pass because it is not authenticated, like an infinite loop :-(

    Do you have any suggestions?

    Excuse my bad English.

    • This topic was modified 5 years, 9 months ago by Peter Major. Reason: Moving topic under OpenAM forum
    #2635
     Pawel Pietrzynski
    Participant

    Hi There,

    You should not protect OpenAM reverse proxy with an agent. You should either have another Apache instance without an agent for OpenAM or limit access in a different way, but OpenAM should be accessible from the browser without an agent. Also OpenAM should be accessible by the agents without going through an agent.

    Cheers,

    Pawel
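
    Added example, not part of the original posts and not ForgeRock's own configuration: one way to lay out the two Apache instances described in the answer above, so that the agent never sits in front of OpenAM. The 192.0.2.x addresses stand in for IP1 and IP2, and the backend host names, ports and file names are hypothetical.

```apache
# ---- Instance A: httpd-openam.conf (NO policy agent loaded) ----
# Fronts OpenAM only. Browsers and the agent itself reach OpenAM through
# this instance, so no request to OpenAM is ever intercepted by an agent.
# Start it separately, e.g. httpd -f /path/to/httpd-openam.conf
PidFile logs/httpd-openam.pid
Listen 192.0.2.10:80                      # constructed stand-in for "IP1"

LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

<VirtualHost 192.0.2.10:80>
    ServerName openam.foo.bar
    ProxyRequests Off                     # reverse proxy only, never a forward proxy
    ProxyPreserveHost On                  # OpenAM sees Host: openam.foo.bar
    # openam-backend.internal:8080 is a hypothetical backend address
    ProxyPass        /openam http://openam-backend.internal:8080/openam
    ProxyPassReverse /openam http://openam-backend.internal:8080/openam
</VirtualHost>

# ---- Instance B: httpd-app.conf (policy agent loaded HERE only) ----
# Start it separately, e.g. httpd -f /path/to/httpd-app.conf
PidFile logs/httpd-app.pid
Listen 192.0.2.20:80                      # constructed stand-in for "IP2"

LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

# The agent's LoadModule and configuration lines, as written by the agent
# installer, belong in this file and nowhere else (not reproduced here).

<VirtualHost 192.0.2.20:80>
    ServerName toto.foo.bar
    ProxyRequests Off
    ProxyPreserveHost On
    # app-backend.internal:8080 is a hypothetical backend address
    ProxyPass        / http://app-backend.internal:8080/
    ProxyPassReverse / http://app-backend.internal:8080/
</VirtualHost>
```

    Only the directives relevant to the split are shown; each instance still needs the rest of its normal server configuration (ServerRoot, MPM and logging settings).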

    #2636

    Hi,

    Thank you for the answer and your time, I had some doubts about that.

    Cheers,

    Jonathan
