There are use cases where LiveCycle administrators want to expose only a subset of its functionality to users and programs outside of the machine LiveCycle is hosted on. Firewalls can be used to block certain ports. Apache Web Server can be used as a reverse proxy so that only certain URLs are “visible” to external callers.
1) Download and install Apache Web Server 2.2 from here.
JBOSS CONFIGURATION
——————————
2) Assuming that the DNS name of the machine hosting the Apache Web Server is apache.company.com, edit the Tomcat configuration file ($JBOSS_HOME/jboss-4.2.0_mssql2005/server/all/deploy/jboss-web.deployer/server.xml) of the JBoss instance hosting LiveCycle so that the HTTP Connector configuration looks similar to this:
<Connector port="8080" address="${jboss.bind.address}"
proxyName="apache.company.com" proxyPort="80"
maxThreads="250" maxHttpHeaderSize="8192"
emptySessionPath="true" protocol="HTTP/1.1"
enableLookups="false" redirectPort="8443" acceptCount="100"
connectionTimeout="20000" disableUploadTimeout="true" />
APACHE WEB SERVER CONFIGURATION
————————————————-
3) Edit the configuration file of Apache Web Server (httpd.conf) and enable proxying by uncommenting the following lines:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
4) Also add the folowing lines for additional configuration
# Prevent Apache from acting like a forward proxy
ProxyRequests Off
# Control Client Access
<Proxy http://jboss.company.com:8080/>
Order Deny,Allow
Allow from all
</Proxy>
# Set TCP/IP network buffer size for better throughput (bytes)
ProxyReceiveBufferSize 4096
5) Assuming that the DNS name of the machine hosting the JBoss AS is jboss.company.com, add Reverse Proxy configuration
The following is a simplistic configuration where every request (/) is allowed:
ProxyPass / http://jboss.company.com:8080/
ProxyPassReverse / http://jboss.company.com:8080/
Here’s a more restrictive configuration, allowing access only to the web UI of Rights Management and nothing else:
ProxyPass /edc http://jboss.company.com:8080/edc
ProxyPassReverse /edc http://jboss.company.com:8080/edc
ProxyPass /um http://jboss.company.com:8080/um
ProxyPassReverse /um http://jboss.company.com:8080/um
ProxyPass /rightsmgmt_help_en http://jboss.company.com:8080/rightsmgmt_help_en
ProxyPassReverse /rightsmgmt_help_en http://jboss.company.com:8080/rightsmgmt_help_en
More details are available here.
6) Re-start the Apache Web Server.
7) Re-start the JBoss instance that hosts LiveCycle ES
8) Verify by pointing your browser at the Apache machine:
http://apache.company.com/edc/Main.do
To configure HTTPS, see Carlos Guerrero’s blong entry here.
Any known issues with using the AJP13 connector instead of Mod_proxy?I currently have this working and it seems to be doing a fine job, but I want to ensure I do not run into any unforeseeable issues down the road.Thanks,Batch
No, I’m not aware of any issues. In fact, if you could post the steps you took to make it work with AJP, it would be great. Thanks.
Can a reverse proxy work for LiveCycle users, i.e. PDF forms within their workspaces?
Yes.
But please make sure you configure the following context roots:
/workspace
/um
/workspace-server
For additional debugging, you can use a tool like Charles. See here for more details.
Jayan
Do you have an update to this for ES2? I’m having trouble with the workspace attachments when there is a space in them. It appears mod_proxy is removing the spaces from the request URL. Thanks.
Nicholas:
It looks like you’d need to use mod_rewrite to handle situations where the attachment names have spaces in them. I am not familiar with that Apache module.