Annotation of loncom/html/adm/help/tex/Domain_Configuration_WAF_Proxy.tex, revision 1.1 (annotated author: raeburn)

\label{Domain_Configuration_WAF_Proxy}
A LON-CAPA server requires a static IP address, and the hostname in the server's
hosts.tab entry should resolve to that IP address.  If the server is part of the
LON-CAPA network, it must accept connections from other servers, both for
``internal'' communication via the dedicated LON-CAPA port and for requests to the
standard web ports when replicating content.

Consequently, the hostname recorded in /home/httpd/lonTabs/hosts.tab must keep
resolving to the server itself for that server-to-server traffic, so it cannot be
pointed at a WAF.  To run LON-CAPA server(s) behind a Web Application Firewall (WAF)
or reverse proxy, users' web browsers must therefore request a different hostname,
an alias of the default hostname, which resolves to the WAF, when accessing LON-CAPA
pages on a domain's server(s).
        !            12: 
\begin{enumerate}

\item\textbf{Alias for WAF/Reverse Proxy}

The ``Web Application Firewall/Reverse Proxy'' domain configuration is used to indicate
whether a WAF is in use and, if so, to provide the alias assigned to each LON-CAPA
server which will use the WAF.
        !            20: 
\item\textbf{Determining a user's remote IP address}

When requests arrive via a WAF, the TCP peer that Apache sees is the WAF, not the user.
In order for LON-CAPA to reliably determine a remote user's IP address for inclusion
in the record of the user's LON-CAPA transactions, two pieces of information are
needed: the IP address range(s) from which the WAF connects to a domain's servers
(the WAF's Trusted IP range(s)), and the name of the request header, added by the
WAF when forwarding a request, which contains the user's remote IP address.  Both
are needed because a forwarding header such as X-Forwarded-For can be supplied by
any client; its value is only meaningful on connections that come from the trusted
range(s).

For the item: ``Method for determining user's IP'', select one of:

\begin{itemize}
\item Use Apache mod\_remoteip
\item Use headers parsed by LON-CAPA
\item Not in use
\end{itemize}

If mod\_remoteip is in use then the Apache configuration must be modified on each
of the domain's LON-CAPA servers to include the following:

\begin{itemize}

\item RemoteIPHeader
\item RemoteIPTrustedProxy

\end{itemize}

where RemoteIPHeader is the name of the header sent by the WAF which holds the
user's remote IP address, and RemoteIPTrustedProxy is a space-separated list of
IP addresses or CIDR ranges from which the WAF's servers connect to LON-CAPA.
mod\_remoteip honours the header only on connections from those ranges, and it
discards trusted proxy addresses from the right of the header's comma-separated
list until it reaches the first untrusted address, which becomes the client
address.  Note that RemoteIPTrustedProxy never accepts a private or reserved
address (e.g., 10/8, 172.16/12, 192.168/16, 127/8) from the header as the client
address; if the WAF legitimately reports such addresses (for example for VPN
users routed through the WAF), RemoteIPInternalProxy must be used for that proxy
instead.

If mod\_remoteip will not be used then the Apache configurations can be left unchanged,
but the same information will need to be provided via the ``Request header remote IP''
textbox and the ``Trusted IP range(s)'' text area in the WAF/Reverse Proxy domain
configuration, so that LON-CAPA itself can apply those checks.  If ``Not in use'' is
chosen (not recommended), that information is not required, but the IP address
logged will be the address used by the WAF itself when forwarding the user's request
to LON-CAPA, so all users arriving through the same WAF become indistinguishable in
the transaction record.
        !            57: 
\item\textbf{Apache log file format}

In order for Apache log files to log a user's remote IP address a modification is needed
to the LogFormat entry in the appropriate Apache config file(s).  If using mod\_remoteip,
prepend \%a (or replace \%h with \%a); \%a is the client address derived by mod\_remoteip.
Otherwise prepend \%\{X-Forwarded-For\}i (or replace \%h with that string), substituting
the header name your WAF actually sends; this logs the header's raw value, i.e., the whole
comma-separated hop list as received, including any entries a client prepended itself.
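Putting items 2 and 3 together, the following is an illustrative Apache configuration
fragment added to this help page; it is not shipped by LON-CAPA.  It assumes the WAF
places the client address in \texttt{X-Forwarded-For} and connects to the server from
\texttt{203.0.113.0/24}; substitute the header name and range(s) your WAF actually uses.

```apache
# Illustrative Apache configuration for a LON-CAPA server behind a WAF.
# Assumed values: the WAF sends the client address in X-Forwarded-For and
# connects to this server from 203.0.113.0/24. Adjust both to your WAF.

# --- "Use Apache mod_remoteip" ---
# Module path varies by distribution; on RHEL-style systems the module is
# normally enabled from conf.modules.d rather than here.
LoadModule remoteip_module modules/mod_remoteip.so

# Header whose value mod_remoteip parses for the client address.
RemoteIPHeader X-Forwarded-For
# Only connections from these ranges may set that header. mod_remoteip walks
# the comma-separated value from the right, dropping trusted proxy addresses;
# the first untrusted address becomes the client address reported as %a.
RemoteIPTrustedProxy 203.0.113.0/24

# %a is the client address mod_remoteip derived; %{c}a is always the TCP peer
# (the WAF). Prepending %a to the default "combined" format keeps the rest of
# the line unchanged for existing log parsers:
LogFormat "%a %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
CustomLog logs/access_log combined

# --- "Use headers parsed by LON-CAPA" (mod_remoteip not loaded) ---
# Apache does not rewrite the client address, so log the raw header instead.
# It is the whole hop list as received, including anything the client itself
# prepended, so read it together with the Trusted IP range(s) configured in
# the WAF/Reverse Proxy domain configuration.
# LogFormat "%{X-Forwarded-For}i %h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
```

Only one of the two LogFormat lines should be active; check the result with
\texttt{apachectl configtest} before reloading, and confirm in the access log that
requests arriving via the WAF show the user's address rather than the WAF's.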
        !            64: 
\item\textbf{Access for VPN users}

If some users in the domain will access LON-CAPA when connected to the campus network
via the institution's VPN service, you may optionally choose to allow VPN users to
connect to LON-CAPA without using the WAF.  A reason for doing so would be to have
LON-CAPA log the internal IP address assigned to each user's VPN session instead of
one of the backend IP addresses from which the WAF connects to campus servers.

For the item: ``Access from institutional VPN'', select one of:

\begin{itemize}
\item Access via regular hostname (no WAF)
\item Access via aliased hostname (WAF)
\end{itemize}

If VPN users will not use the WAF, but other users will, then the following are needed
so that LON-CAPA can tell a direct VPN connection from a connection forwarded by the WAF:

\begin{itemize}
\item IP Range for backend WAF connections
\item Internal IP Range(s) for VPN sessions
\end{itemize}
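As an added worked example (not LON-CAPA's own code), the following Python implements
the decision that the ``Use headers parsed by LON-CAPA'' choice in item 2 and the VPN
choice in item 4 imply: the forwarding header is honoured only when the connection
arrives from a trusted WAF range, it is walked from the right so that a prefix supplied
by the client is ignored, and a connection from the VPN range is logged by its peer
address.  The header name and IP ranges are assumed sample values, and the requests
fed to it are constructed.

```python
"""Client-address determination behind a WAF: an illustrative example, not
LON-CAPA's own code. The header name and IP ranges below are assumed values."""
import ipaddress

# Constructed sample settings mirroring the domain configuration items:
TRUSTED_WAF_RANGES = ("203.0.113.0/24",)  # Trusted IP range(s) / backend WAF connections
VPN_RANGES = ("10.20.0.0/16",)            # Internal IP Range(s) for VPN sessions
REMOTE_IP_HEADER = "X-Forwarded-For"      # Request header remote IP


def _in_ranges(addr, cidrs):
    """True if addr (an ipaddress object) falls inside any CIDR in cidrs."""
    return any(addr in ipaddress.ip_network(c, strict=False) for c in cidrs)


def client_ip(peer_ip, headers, header_name=REMOTE_IP_HEADER,
              trusted=TRUSTED_WAF_RANGES, vpn=VPN_RANGES):
    """Return (address_to_log, source) for one request.

    peer_ip     address of the TCP peer that connected to Apache
    headers     request headers as a dict; lookup is case-insensitive
    header_name None models the "Not in use" choice
    source      'vpn'    direct connection from the VPN range (no WAF)
                'peer'   peer address logged: direct connection, "Not in use",
                         or a header that was missing or unusable
                'header' address taken from the WAF's forwarding header
    """
    peer = ipaddress.ip_address(peer_ip)
    if _in_ranges(peer, vpn):
        # VPN users reach the regular hostname without the WAF, so the peer
        # address is the VPN-assigned address the domain wants recorded.
        return peer_ip, "vpn"
    if header_name is None or not _in_ranges(peer, trusted):
        # "Not in use", or the connection did not come from the WAF: any
        # forwarding header present is client-controlled and must be ignored.
        return peer_ip, "peer"
    value = next((v for k, v in headers.items()
                  if k.lower() == header_name.lower()), None)
    if not value:
        return peer_ip, "peer"  # WAF sent no header; fall back to its own address
    # Walk the comma-separated hop list from the right, discarding trusted
    # proxies. The first untrusted address is the client; anything the client
    # prepended before contacting the WAF sits further left and is never used.
    for hop in reversed([h.strip() for h in value.split(",") if h.strip()]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip, "peer"  # malformed hop: refuse to trust the header
        if not _in_ranges(addr, trusted):
            return hop, "header"
    return peer_ip, "peer"  # every hop was a trusted proxy; nothing to attribute


if __name__ == "__main__":
    # Constructed requests: (peer, headers) as Apache would see them.
    samples = [
        ("203.0.113.10", {"X-Forwarded-For": "198.51.100.7"}),           # normal WAF hop
        ("203.0.113.10", {"X-Forwarded-For": "1.2.3.4, 198.51.100.7"}),  # client spoof attempt
        ("198.51.100.9", {"X-Forwarded-For": "1.2.3.4"}),                # direct, not via WAF
        ("10.20.0.5", {}),                                               # VPN user, no WAF
        ("203.0.113.10", {}),                                            # WAF omitted header
    ]
    for peer, hdrs in samples:
        print(peer, hdrs, "->", client_ip(peer, hdrs))
```

The walk from the right is the same one mod\_remoteip performs for RemoteIPTrustedProxy;
doing it in LON-CAPA matters for the ``headers parsed by LON-CAPA'' choice, where Apache
leaves the peer address untouched and the transaction record would otherwise show the
WAF.  The second sample shows why the walk direction matters: the client-supplied
\texttt{1.2.3.4} is never reached.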
        !            86: 
\item\textbf{Forwarding http and https requests}

If using a WAF, select one of:

\begin{itemize}
\item WAF forwards both http and https requests to https
\item WAF forwards http requests to http and https to https
\end{itemize}

\end{enumerate}
