An InAcademia node provides various services which internally live on different ports.

For a production node, we do not want external services to connect to 'weird' ports. Therefore we want all traffic to terminate at a regular https port. To reach the internal applications, we redirect subdirectories to specific ports on the localhost web server. In addition, internal interfaces do not support https, whereas we only use https externally.

We use POUND to handle SSL termination, and a web server (currently Apache with mod_proxy) to redirect specific URLs to ports on the internal (localhost) server.

Source: HTTP(s) flows

An example for the URL is: https://t01.t.inacademia.org/svs

POUND configuration (partial)
ListenHTTPS
    Address 0.0.0.0 
    Port 443
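    # Tell the backend the original request arrived over https
    AddHeader "X-Forwarded-Proto: https"
    # Drop client-supplied copies of these headers before forwarding
    HeadRemove "X-Forwarded-Proto"
    HeadRemove "X-Forwarded-For"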
    Cert "/etc/ssl/localcerts/pound.pem"
    Service
        BackEnd
            Address 127.0.0.1
            Port 80
            Priority 1
        End
    End
End

Apache needs mod_proxy and mod_proxy_http installed.

Apache Config (partial)
        ProxyRequests Off
        <Proxy *>
            Order deny,allow
            Deny from all
            Allow from 127.0.0.1
        </Proxy>
        #SSLProxyEngine on

        # SvS core application
        ProxyPass /svs http://localhost:8087
        ProxyPassReverse /svs http://localhost:8087

        # MDX - Metadata handling
        ProxyPass /mdx http://localhost:8088
        ProxyPassReverse /mdx http://localhost:8088

        # DS - Discovery Service
        ProxyPass /ds http://localhost:8100
        ProxyPassReverse /ds http://localhost:8100
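
A check for the two properties this setup relies on, as an added example (not part of the InAcademia configuration or tooling): plaintext backends must stay on loopback, and client-supplied X-Forwarded-* headers must be stripped at the TLS terminator. The function names are hypothetical, the sample input is constructed from the fragments above, and HeadRemove patterns are assumed to be literal header names.

```python
import ipaddress
import re

# Constructed sample input, copied from the partial configs on this page.
APACHE_CONF = """\
ProxyRequests Off
ProxyPass /svs http://localhost:8087
ProxyPassReverse /svs http://localhost:8087
ProxyPass /mdx http://localhost:8088
ProxyPassReverse /mdx http://localhost:8088
ProxyPass /ds http://localhost:8100
ProxyPassReverse /ds http://localhost:8100
"""
POUND_CONF = """\
AddHeader "X-Forwarded-Proto: https"
HeadRemove "X-Forwarded-Proto"
HeadRemove "X-Forwarded-For"
"""

def is_loopback(host):
    if host.lower() == "localhost":
        return True
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return False  # any other hostname could resolve off-box

def audit_apache(conf):
    findings, fwd, rev = [], {}, {}
    for line in conf.splitlines():
        m = re.match(r"\s*(ProxyPass|ProxyPassReverse)\s+(\S+)\s+(\S+)", line)
        if m:
            (fwd if m.group(1) == "ProxyPass" else rev)[m.group(2)] = m.group(3)
    if not re.search(r"^\s*ProxyRequests\s+Off\b", conf, re.M | re.I):
        findings.append("ProxyRequests is not Off (forward proxy enabled)")
    for path, url in fwd.items():
        host = re.match(r"\w+://(\[[^\]]+\]|[^:/]+)", url)
        if not host or not is_loopback(host.group(1)):
            findings.append(f"{path}: plaintext backend {url} is not loopback")
        if rev.get(path) != url:
            findings.append(f"{path}: ProxyPassReverse missing or mismatched")
    return findings

def audit_pound(conf):
    # Assumption: HeadRemove patterns are compared as literal header names.
    removed = {h.lower() for h in re.findall(r'HeadRemove\s+"([^"]+)"', conf)}
    return [f"client-supplied {h} is not stripped"
            for h in ("X-Forwarded-Proto", "X-Forwarded-For")
            if h.lower() not in removed]
```

Both functions return an empty list for the configuration shown on this page; each returned string names one directive to review.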

 

 

 

 
