Annotation of loncom/html/adm/help/tex/Domain_Configuration_WAF_Proxy.tex, revision 1.2
1.1 raeburn 1: \label{Domain_Configuration_WAF_Proxy}
2: A LON-CAPA server requires a static IP address, and the hostname included in
3: the hosts.tab entry for the server should resolve to that IP address. If the server is
4: part of the LON-CAPA network, the server will need to support connections from other
5: servers for both ``internal'' communication via the dedicated LON-CAPA port as well as
6: requests to standard web ports when replicating content.
7:
8: Consequently, in order to run LON-CAPA server(s) behind a Web Application Firewall
9: (WAF), or Reverse Proxy, different hostname(s), or alias(es) to the default hostname
10: in /home/httpd/lonTabs/hosts.tab must be requested by users' web browsers when
11: accessing LON-CAPA pages from a domain's server(s) via a WAF.
12:
13: \begin{enumerate}
14:
15: \item\textbf{Alias for WAF/Reverse Proxy}
16:
17: The ``Web Application Firewall/Reverse Proxy'' domain configuration is used to indicate
18: if a WAF is in use, and if so, to provide the alias assigned to each LON-CAPA
1.2 ! raeburn 19: server which will use the WAF. For each one there is also an option to indicate whether
! 20: a node supporting Shibboleth Single Sign On, will use the alias when redirecting to /adm/sso.
1.1 raeburn 21:
22: \item\textbf{Determining a user's remote IP address}
23:
24: In order for LON-CAPA to reliably determine a remote user's IP address for inclusion
25: in the record of the user's LON-CAPA transactions, a list of IP address(es)
26: which the WAF uses to connect to a domain's servers, i.e., the WAF's Trusted IP range(s)
27: is needed. The name of the header item, added by the WAF when forwarding a request,
28: which contains the user's remote IP address is also needed.
29:
30: For the item: ``Method for determining user's IP'', select one of:
31:
32: \begin{itemize}
33: \item Use Apache mod\_remoteip
34: \item Use headers parsed by LON-CAPA
35: \item Not in use
36: \end{itemize}
37:
38: If mod\_remoteip is in use then the Apache configuration must be modified on each
39: of the domain's LON-CAPA servers to include the following:
40:
41: \begin{itemize}
42:
43: \item RemoteIPHeader
44: \item RemoteIPTrustedProxy
45:
46: \end{itemize}
47:
48: where RemoteIPHeader contains the name of the item in the headers sent by the WAF
49: which holds the user's remote IP address, and where RemoteIPTrustedProxy is a
50: space separated list of IP ranges from which the WAF's servers will connect to LON-CAPA.
51:
52: If mod\_remoteip will not be used then the Apache configurations can be left unchanged,
53: but the same information will need to be provided via the ``Request header remote IP''
54: textbox and the ``Trusted IP range(s)'' text area in the WAF/Reverse Proxy domain
55: configuration. If ``Not in use'' is chosen (not recommended), that information is not
56: required, but the IP address logged will be the address used by the WAF itself when
57: forwarding the user's request to LON-CAPA.
58:
59: \item\textbf{Apache log file format}
60:
61: In order for Apache log files to log a user's remote IP address a modification is needed
62: to the LogFormat entry in the appropriate Apache config file(s). If using mod\_remoteip
63: prepend \%a (or replace \%h with \%a), otherwise prepend \%\{X-Forwarded-For\}i or replace
64: \%h with that string.
65:
66: \item\textbf{Access for VPN users}
67:
68: If some users in the domain will access LON-CAPA when connected to the campus network
69: via the institution's VPN service, you may optionally choose to allow VPN users to
70: connect to LON-CAPA without using the WAF. A reason for doing that would be to configure
71: LON-CAPA to log the internal IP address assigned to each user's VPN session instead
72: of logging one of the backend IP addresses assigned for campus communication with WAF.
73:
74: For the item: ``Access from institutional VPN'', select one of:
75:
76: \begin{itemize}
77: \item Access via regular hostname (no WAF)
78: \item Access via aliased hostname (WAF)
79: \end{itemize}
80:
81: If VPN users will not use WAF, but other users will, then the following are needed:
82:
83: \begin{itemize}
84: \item IP Range for backend WAF connections
85: \item Internal IP Range(s) for VPN sessions
86: \end{itemize}
87:
88: \item\textbf{Forwarding http and https requests}
89:
90: If using WAF select one of:
91:
92: \begin{itemize}
93: \item WAF forwards both http and https requests to https
94: \item WAF forwards http requests to http and https to https
95: \end{itemize}
96:
97: \end{enumerate}
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/back.gif){kind=icon}
Return to Domain_Configuration_WAF_Proxy.tex CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [LON-CAPA] / loncom / html / adm / help / tex