File:  [LON-CAPA] / loncom / html / adm / help / tex / Domain_Configuration_WAF_Proxy.tex
Revision 1.3
Mon Dec 6 03:43:27 2021 UTC (2 years, 6 months ago) by raeburn
Branches: MAIN
CVS tags: version_2_12_X, version_2_11_X, version_2_11_4_uiuc, version_2_11_4_msu, version_2_11_4, HEAD
- Update documentation for WAF/Reverse Proxy domain config for SSO URL.

\label{Domain_Configuration_WAF_Proxy}
A LON-CAPA server requires a static IP address, and the hostname in the server's
hosts.tab entry should resolve to that IP address.  If the server is part of the
LON-CAPA network, it must also accept connections from other servers, both for
``internal'' communication on the dedicated LON-CAPA port and for requests to the
standard web ports when replicating content.

Consequently, to run LON-CAPA server(s) behind a Web Application Firewall (WAF) or
Reverse Proxy, users' web browsers must request a different hostname, i.e., an alias
of the default hostname in /home/httpd/lonTabs/hosts.tab, when accessing LON-CAPA
pages on a domain's server(s) via the WAF.

\begin{enumerate}

\item\textbf{Alias for WAF/Reverse Proxy}

The ``Web Application Firewall/Reverse Proxy'' domain configuration is used to indicate
whether a WAF is in use and, if so, to provide the alias assigned to each LON-CAPA
server that will use the WAF.  For each server there is also an option to indicate whether
a node supporting Single Sign On will use the alias when redirecting to the URL that
triggers SSO authentication.  That URL defaults to /adm/sso, but can be set in an Apache
config file using: PerlSetVar lonOtherAuthenUrl $<$other URL$>$

\item\textbf{Determining a user's remote IP address}

In order for LON-CAPA to reliably determine a remote user's IP address for inclusion
in the record of the user's LON-CAPA transactions, two pieces of information are
needed: the IP address(es) from which the WAF connects to the domain's servers,
i.e., the WAF's Trusted IP range(s), and the name of the header item, added by the
WAF when forwarding a request, that contains the user's remote IP address.

For the item: ``Method for determining user's IP'', select one of:

\begin{itemize}
\item Use Apache mod\_remoteip
\item Use headers parsed by LON-CAPA
\item Not in use
\end{itemize}

If mod\_remoteip is in use then the Apache configuration must be modified on each
of the domain's LON-CAPA servers to include the following:

\begin{itemize}

\item RemoteIPHeader
\item RemoteIPTrustedProxy

\end{itemize}

where RemoteIPHeader contains the name of the item in the headers sent by the WAF
which holds the user's remote IP address, and RemoteIPTrustedProxy is a
space-separated list of the IP ranges from which the WAF's servers connect to LON-CAPA.

If mod\_remoteip will not be used then the Apache configurations can be left unchanged,
but the same information will need to be provided via the ``Request header remote IP''
textbox and the ``Trusted IP range(s)'' text area in the WAF/Reverse Proxy domain
configuration.  If ``Not in use'' is chosen (not recommended), that information is not 
required, but the IP address logged will be the address used by the WAF itself when
forwarding the user's request to LON-CAPA.

\item\textbf{Apache log file format}

In order for Apache log files to record a user's remote IP address, the LogFormat
entry in the appropriate Apache config file(s) must be modified.  If using mod\_remoteip,
prepend \%a (or replace \%h with \%a); otherwise, prepend \%\{X-Forwarded-For\}i or
replace \%h with that string.

\item\textbf{Access for VPN users}

If some users in the domain will access LON-CAPA while connected to the campus network
via the institution's VPN service, you may optionally allow VPN users to connect to
LON-CAPA without using the WAF.  A reason for doing so would be to have LON-CAPA log
the internal IP address assigned to each user's VPN session instead of one of the
backend IP addresses assigned for campus communication with the WAF.

For the item: ``Access from institutional VPN'', select one of:

\begin{itemize}
\item Access via regular hostname (no WAF)
\item Access via aliased hostname (WAF)
\end{itemize}

If VPN users will not use the WAF, but other users will, then the following are needed:

\begin{itemize}
\item IP Range for backend WAF connections
\item Internal IP Range(s) for VPN sessions
\end{itemize}

\item\textbf{Forwarding http and https requests}

If using a WAF, select one of:

\begin{itemize}
\item WAF forwards both http and https requests to https
\item WAF forwards http requests to http and https to https
\end{itemize}

\end{enumerate}
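As an added illustration of the ``Determining a user's remote IP address'' item above (example code written for this page, not LON-CAPA's own implementation): the header named by ``Request header remote IP'' is only safe to honour when the connection actually comes from one of the ``Trusted IP range(s)'', since otherwise any client can supply that header and have an address of its choosing written to the transaction record. The ranges, header name and request values below are constructed for the example; the right-to-left walk over the header mirrors what mod\_remoteip does with RemoteIPTrustedProxy.

```python
import ipaddress
from typing import Dict, List

# Constructed for this example; a real deployment takes these from the
# "Trusted IP range(s)" and "Request header remote IP" domain settings.
TRUSTED_RANGES = [ipaddress.ip_network(r) for r in ("203.0.113.0/24", "2001:db8:1::/48")]
REMOTE_IP_HEADER = "X-Forwarded-For"


def _is_trusted(addr: str) -> bool:
    """True if addr parses and falls inside one of the WAF's trusted ranges."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_RANGES)


def client_ip(peer_ip: str, headers: Dict[str, str]) -> str:
    """Return the address to record for a request.

    peer_ip is the TCP peer that connected to the LON-CAPA server.  The
    forwarding header is honoured only when that peer is a trusted WAF
    address; a direct client (e.g. a VPN user bypassing the WAF) is logged
    by its own address and any header it sends is ignored.
    """
    if not _is_trusted(peer_ip):
        return peer_ip
    # Header names are case-insensitive; look the configured one up that way.
    value = next((v for k, v in headers.items() if k.lower() == REMOTE_IP_HEADER.lower()), None)
    if not value:
        return peer_ip  # WAF added no header: fall back to the WAF's own address
    hops: List[str] = [h.strip() for h in value.split(",") if h.strip()]
    # Walk right to left: entries appended by trusted proxies are discarded and
    # the first untrusted entry is the client.  Entries further left may have
    # been supplied by the client itself and are never consulted.
    for hop in reversed(hops):
        if not _is_trusted(hop):
            try:
                return str(ipaddress.ip_address(hop))
            except ValueError:
                return peer_ip  # malformed entry: never log attacker-chosen text
    return peer_ip  # every hop was a trusted proxy; nothing usable remains
```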
