Annotation of loncom/html/adm/help/tex/Domain_Configuration_WAF_Proxy.tex, revision 1.3

\label{Domain_Configuration_WAF_Proxy}
A LON-CAPA server requires a static IP address, and the hostname included in
the hosts.tab entry for the server should resolve to that IP address.  If the server is
part of the LON-CAPA network, the server will need to support connections from other
servers, both for ``internal'' communication via the dedicated LON-CAPA port and for
requests to standard web ports when replicating content.

Consequently, in order to run LON-CAPA server(s) behind a Web Application Firewall
(WAF) or Reverse Proxy, users' web browsers must request different hostname(s), or
alias(es) to the default hostname in /home/httpd/lonTabs/hosts.tab, when
accessing LON-CAPA pages from a domain's server(s) via the WAF.

\begin{enumerate}

\item\textbf{Alias for WAF/Reverse Proxy}

The ``Web Application Firewall/Reverse Proxy'' domain configuration is used to indicate
if a WAF is in use, and if so, to provide the alias assigned to each LON-CAPA
server which will use the WAF.  For each one there is also an option to indicate whether
a node supporting Single Sign On will use the alias when redirecting to the URL used
to trigger SSO authentication: the default is /adm/sso, but it can be set in an Apache config
file using: PerlSetVar lonOtherAuthenUrl $<$other URL$>$

\item\textbf{Determining a user's remote IP address}

In order for LON-CAPA to reliably determine a remote user's IP address for inclusion
in the record of the user's LON-CAPA transactions, a list of the IP address(es)
which the WAF uses to connect to a domain's servers, i.e., the WAF's Trusted IP range(s),
is needed.  The name of the header item, added by the WAF when forwarding a request,
which contains the user's remote IP address is also needed.

For the item: ``Method for determining user's IP'', select one of:

\begin{itemize}
\item Use Apache mod\_remoteip
\item Use headers parsed by LON-CAPA
\item Not in use
\end{itemize}

If mod\_remoteip is in use then the Apache configuration must be modified on each
of the domain's LON-CAPA servers to include the following:

\begin{itemize}

\item RemoteIPHeader
\item RemoteIPTrustedProxy

\end{itemize}

where RemoteIPHeader contains the name of the item in the headers sent by the WAF
which holds the user's remote IP address, and where RemoteIPTrustedProxy is a
space-separated list of IP ranges from which the WAF's servers will connect to LON-CAPA.

If mod\_remoteip will not be used then the Apache configurations can be left unchanged,
but the same information will need to be provided via the ``Request header remote IP''
textbox and the ``Trusted IP range(s)'' text area in the WAF/Reverse Proxy domain
configuration.  If ``Not in use'' is chosen (not recommended), that information is not
required, but the IP address logged will be the address used by the WAF itself when
forwarding the user's request to LON-CAPA.

\item\textbf{Apache log file format}

In order for Apache log files to log a user's remote IP address, a modification is needed
to the LogFormat entry in the appropriate Apache config file(s).  If using mod\_remoteip,
prepend \%a (or replace \%h with \%a); otherwise prepend \%\{X-Forwarded-For\}i or replace
\%h with that string.

\item\textbf{Access for VPN users}

If some users in the domain will access LON-CAPA when connected to the campus network
via the institution's VPN service, you may optionally choose to allow VPN users to
connect to LON-CAPA without using the WAF.  A reason for doing that would be to configure
LON-CAPA to log the internal IP address assigned to each user's VPN session instead
of logging one of the backend IP addresses assigned for campus communication with the WAF.

For the item: ``Access from institutional VPN'', select one of:

\begin{itemize}
\item Access via regular hostname (no WAF)
\item Access via aliased hostname (WAF)
\end{itemize}

If VPN users will not use the WAF, but other users will, then the following are needed:

\begin{itemize}
\item IP Range for backend WAF connections
\item Internal IP Range(s) for VPN sessions
\end{itemize}

\item\textbf{Forwarding http and https requests}

If using a WAF, select one of:

\begin{itemize}
\item WAF forwards both http and https requests to https
\item WAF forwards http requests to http and https to https
\end{itemize}

\end{enumerate}
