Configure Apache as reverse proxy for Domino

I have a Domino server inside the office firewall, so port 443 is directed to it. I would like to serve other https sites.

I am testing inside firewall for now. I configured one Fedora 26 machine to reverse proxy for Nextcloud served from a second machine. For this I use,

<VirtualHost *:443>
  ServerAdmin root@company.com
  DocumentRoot /var/www/html/
  ErrorLog /var/log/httpd/error_log
  CustomLog /var/log/httpd/access_log combined
  LogLevel debug
  SSLEngine On
  # Set the path to SSL certificate
  # Usage: SSLCertificateFile /path/to/cert.pem
  SSLCertificateFile /etc/pki/tls/certs/company.crt
  SSLCertificateKeyFile /etc/pki/tls/private/company.key
  ProxyPreserveHost On
  ProxyPass / http://nextcloud.company.com/
  ProxyPassReverse / http://nextcloud.company.com/
  ServerName gandalf.company.com:443
</VirtualHost>

Using https://gandalf.company.com/nextcloud I can get the Nextcloud on the second machine. The second machine is called Nextcloud.

I followed instructions from here,

Solved: reverse proxy for domino with ssl configuration | Experts Exchange https://www.experts-exchange.com/questions/24653172/reverse-proxy-for-domino-with-ssl-configuration.html

My configuration is,

<VirtualHost *:443>
  ServerName webmail.company.com
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / http://webmail.company.com/
  ProxyPassReverse / http//webmail.company.com/
  LogLevel debug
  SSLEngine on
  SSLCertificateFile /etc/pki/tls/certs/company.crt
  SSLCertificateKeyFile /etc/pki/tls/private/company.key
  DocumentRoot /var/www/html
  ErrorLog /var/log/domino-error.log
  CustomLog /var/log/domino-access_log combined

  SSLProxyEngine on
  SetOutputFilter proxy-html
  #ProxyHTMLURLMap / /
  RequestHeader unset Accept-Encoding
</VirtualHost>

The machine ‘office’ is the same machine ‘gandalf’. Normally to get to email, we use,

https://webmail.company.com

This gives the login screen, which redirects to the correct user's email database.

Now I use https://office.company.com hoping to get to https://webmail.company.com. I did remove the Nextcloud configuration and restarted httpd, yet this URL gets me to the directory location showing the Nextcloud directory (it does not open the Nextcloud site).

Clearly I am missing something. Is anyone able to set me straight?

Thank you,

Durwin

Subject: Apache reverse proxy for Domino

All the domains involved are correctly resolved in DNS.

I was missing proxy_html. I installed it with no improvements. I assume ‘headers’ was httpd_devel. I installed again no improvements.

I don’t understand 'Create a new apache virtual host'. As for adding www to it, my www.company.com resolves to a hosted service outside the firewall.

As for adding the code, I was only missing,

<Proxy *>
  allow from all
</Proxy>

which I added, again no improvement.

In my virtualhost office.company.com I have commented out

#ProxyHTMLURLMap / /

I got an error with it uncommented. I do not know what should be there.

What I find odd is, as I first mentioned, I created a reverse proxy for ‘Nextcloud’. This worked. To prevent any conflicts, I removed the configuration for it before trying the Domino proxy. Yet when I go to https://office.company.com, I get to the ‘Nextcloud’ ‘file system’. It shows the directory ‘nextcloud’ in the browser. office.company.com is the machine where ‘Nextcloud’ is. It is also where the reverse proxy is running. But it is not mapping to webmail.company.com. Is this perhaps where I need to use ProxyHTMLURLMap? If so, how?

Thank you

Subject: Apache reverse proxy for Domino

Have you configured your DNS so that Apache can resolve the Domino server?

Here are some instructions I used before when I was reverse proxy-ing domino with Apache. Later I moved on to nginx. Some examples follow. I was not using SSL, but I don’t think your problem is SSL-related so perhaps this will help.

  1. Make sure internal DNS is set up to allow your apache proxy server to properly resolve the real webserver for the website you are reverse proxy-ing
  2. Enable the apache modules proxy, proxy_http, proxy_html, headers
  3. Create a new apache virtual host
  4. Add the www to the alternate virtual server names
  5. Add the following code to the virtual host’s directives file:
    ProxyPass / http://yourdomain.com/
    ProxyPassReverse / http://yourdomain.com/
    <Proxy *>
      allow from all
    </Proxy>
  6. Apply changes to apache: “apachectl graceful” command
  7. Test!

<VirtualHost *:80>
  ServerName blog.company.com
  ProxyPass / http://blog.company.com/
  ProxyPassReverse / http://blog.company.com/
  <Proxy *>
    allow from all
  </Proxy>
</VirtualHost>

<VirtualHost *:80>
  ServerName company.com
  ServerAlias www.company.com
  ProxyPass / http://company.com/
  ProxyPassReverse / http://company.com/
  <Proxy *>
    allow from all
  </Proxy>
</VirtualHost>
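The steps above boil down to a handful of directives, and most of the trouble in this thread comes from small mistakes in exactly those lines. As an added illustration (not code from the thread, from Apache, or from the reply's blog), here is a small Python linter that reads one pasted VirtualHost and flags the mistakes a reviewer would look for first: a ProxyPass or ProxyPassReverse target that is not an absolute http(s) URL, a ProxyPassReverse that does not match its ProxyPass, an https backend without SSLProxyEngine, ProxyRequests On (which turns the host into an open forward proxy anyone can relay through), 2.2-style `allow from all` on a 2.4 server, and a backend hostname equal to the ServerName, which only works when the proxy's own DNS resolves that name to the backend (step 1 above). The sample config embedded in it is constructed from the thread's own vhost, including the `http//` typo that a later reply points out; the finding codes are my own naming.

```python
import re

# Constructed sample, not taken from a live server: the vhost posted in the
# thread, including the "http//" typo on the ProxyPassReverse line.
SAMPLE_VHOST = """\
<VirtualHost *:443>
  ServerName webmail.company.com
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / http://webmail.company.com/
  ProxyPassReverse / http//webmail.company.com/
  SSLEngine on
  SSLProxyEngine on
</VirtualHost>
"""

# A proxy target must be an absolute http(s) URL; "http//host/" fails this.
URL_RE = re.compile(r'^(https?)://([^/\s:]+)(:\d+)?(/|$)', re.IGNORECASE)


def parse_directives(text):
    """Return (lowercased directive name, [args]) for each directive line,
    skipping blank lines, comments and <section> tags."""
    out = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in '#<':
            continue
        parts = line.split()
        out.append((parts[0].lower(), parts[1:]))
    return out


def _is_on(values, name):
    return any(args and args[0].lower() == 'on' for args in values.get(name, []))


def lint_vhost(text):
    """Return a list of (code, message) findings for one VirtualHost."""
    findings = []
    values = {}
    for name, args in parse_directives(text):
        values.setdefault(name, []).append(args)

    # ProxyRequests On makes the host a forward proxy anyone can relay through.
    if _is_on(values, 'proxyrequests'):
        findings.append(('open-proxy', 'ProxyRequests On exposes an open forward '
                         'proxy; a reverse proxy needs ProxyRequests Off'))

    def collect(directive):
        """Gather {path: target} for ProxyPass or ProxyPassReverse lines,
        reporting targets that are not absolute http(s) URLs."""
        table = {}
        for args in values.get(directive.lower(), []):
            if len(args) < 2:
                findings.append(('bad-url', f'{directive} needs a path and a target URL'))
                continue
            path, target = args[0], args[1]
            if not URL_RE.match(target):
                findings.append(('bad-url', f'{directive} target {target!r} is not an '
                                 'absolute http(s) URL (missing ":" after the scheme?)'))
            table[path] = target
        return table

    passes = collect('ProxyPass')
    reverses = collect('ProxyPassReverse')
    servernames = [a[0].lower() for a in values.get('servername', []) if a]

    for path, target in passes.items():
        if path not in reverses:
            findings.append(('missing-reverse', f'ProxyPass {path} has no ProxyPassReverse; '
                             'backend redirects will send clients to the backend host'))
        elif reverses[path].lower() != target.lower():
            findings.append(('reverse-mismatch', f'ProxyPassReverse {path} target '
                             f'{reverses[path]!r} differs from ProxyPass target {target!r}; '
                             'Location headers will not be rewritten'))
        if target.lower().startswith('https://') and not _is_on(values, 'sslproxyengine'):
            findings.append(('ssl-proxy-engine', f'ProxyPass to {target!r} needs SSLProxyEngine On'))
        m = URL_RE.match(target)
        if m and m.group(2).lower() in servernames:
            findings.append(('self-target', f'ProxyPass target host {m.group(2)!r} equals '
                             'ServerName; the proxy must resolve that name to the backend '
                             '(split DNS) or it will loop back to itself'))

    # "allow from all" is Apache 2.2 access syntax; 2.4 needs mod_access_compat for it.
    if any([x.lower() for x in a[:2]] == ['from', 'all'] for a in values.get('allow', [])):
        findings.append(('legacy-access', "'allow from all' is Apache 2.2 syntax; on 2.4 "
                         "use 'Require all granted' inside <Proxy *>"))
    return findings


if __name__ == '__main__':
    for code, msg in lint_vhost(SAMPLE_VHOST):
        print(f'[{code}] {msg}')
```

Run it against a vhost pasted into SAMPLE_VHOST; an empty list means none of the listed mistakes are present, which is the point at which the "remove everything and add one feature at a time" advice later in the thread starts paying off.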

Subject: Apache reverse proxy for Domino

I used this reference and got some false hope.

Apache as a reverse proxy for IBM Domino iNotes with home server redirection https://www.ibm.com/developerworks/lotus/documentation/apacherproxy4inotes/index.html

I used this config.

ProxyRequests off

SSLSessionCache "shmcb:logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300

<VirtualHost *:443>
  # Site info
  ServerName herc1.company.com
  ServerAlias herc1.company.com
  ServerAdmin root@company.com

  # Rewrite engine on
  RewriteEngine On
  RewriteOptions Inherit

  # Enable SSL
  SSLEngine On
  SSLProxyEngine On
  SSLCertificateFile /etc/pki/tls/certs/company.crt
  SSLCertificateKeyFile /etc/pki/tls/private/company.key

  # Log filenames
  ErrorLog /var/log/httpd/error-inotes-redirect
  CustomLog /var/log/httpd/access-inotes-redirect common
  LogLevel warn

  # The iNotes specific configurations come after this line

  # Rule 1: Read domino server name from first access to the mail
  # directory, save it to the cookie and redirect to the mail server
  RewriteCond %{REQUEST_URI} ^/(.*)/mail
  RewriteRule /(.*)/mail/(.*) http://$1.company.com/mail/$2 [P,CO=iNotesServer:$1:.company.com]

  # Rule 2: If cookie is set, use it to rewrite rules for iNotes generated
  # URLs for the server defined in the cookie iNotesServer
  RewriteCond %{REQUEST_URI} ^/
  RewriteCond %{HTTP_COOKIE} ^.*iNotesServer=([^;]+)
  RewriteRule /(.*) http://%1.company.com/$1 [P]

  # Rule 3: if no cookie set, on first access on the iNotes iwaredir.nsf
  RewriteCond %{REQUEST_URI} ^/
  RewriteRule /(.*) http://webmail.company.com/$1 [P]

  #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#

  ProxyPassReverse /webmail/mail/ http://webmail.company.com/mail/
  ProxyPassReverse / http://webmail.company.com/
</VirtualHost>

On the LAN, I got to the Domino server. But that is only because it rewrote the url. It does not truly act as a proxy (all web traffic going through the proxy server).

Outside the firewall, after changing the https port to the address of the proxy machine (in this case the ‘herc1’ machine), and using https://office.company.com, I still could not connect to the Domino server.

Thank you,

Durwin

Subject: domlog

For this test I redirected firewall ports 80 and 443 to proxy server (172.23.93.248, normally it is directed to mailserver).

Using a browser on a laptop connected to a mobile hotspot I used https://office.company.com. Before the firewall change this would get me directly to the mailserver. Because of the change, it is being directed to the proxy server.

The proxy server should proxy for mailserver. The browser gets error INET_E_REDIRECT_FAILED. Domlog shows this.

=============

HTTP Request:
Server Address: webmail.company.com
Date: 10/03/2017 01:05:55 PM

User Address: 172.23.93.248 (this is the proxy server)
Authenticated User: -
User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; Trident/7.0; rv:11.0) like Gecko
Cookie:

Request: GET / HTTP/1.1
Status: 302 FOUND (The data requested has a different URL temporarily)

Content Length: 0 bytes
Content Type:
Process Time: 0 ms
Error:

Translated URI:
Translated Request: webmail.company.com/
Decoded Query:

Referring URL:
Decoded Query:

=================

The Apache configuration for the site is this, where office is the proxy server, and webmail is mailserver on Domino server.

ProxyRequests off

SSLSessionCache "shmcb:logs/ssl_scache(512000)"
SSLSessionCacheTimeout 300

<VirtualHost *:443>
  # Site info
  ServerName office.company.com
  ServerAlias office.company.com
  ServerAdmin root@company.com

  # Rewrite engine on
  RewriteEngine On
  RewriteOptions Inherit

  # Enable SSL
  SSLEngine On
  SSLProxyEngine On
  SSLCertificateFile /etc/pki/tls/certs/company.crt
  SSLCertificateKeyFile /etc/pki/tls/private/company.key

  # Log filenames
  ErrorLog /var/log/httpd/error-inotes-redirect
  CustomLog /var/log/httpd/access-inotes-redirect common
  LogLevel warn

  # The iNotes specific configurations come after this line

  # Rule 1: Read domino server name from first access to the mail
  # directory, save it to the cookie and redirect to the mail server
  RewriteCond %{REQUEST_URI} ^/(.*)/mail
  RewriteRule /(.*)/mail/(.*) http://$1.company.com/mail/$2 [P,CO=iNotesServer:$1:.company.com]

  # Rule 2: If cookie is set, use it to rewrite rules for iNotes generated
  # URLs for the server defined in the cookie iNotesServer
  RewriteCond %{REQUEST_URI} ^/
  RewriteCond %{HTTP_COOKIE} ^.*iNotesServer=([^;]+)
  RewriteRule /(.*) http://%1.company.com/$1 [P]

  # Rule 3: if no cookie set, on first access on the iNotes iwaredir.nsf
  RewriteCond %{REQUEST_URI} ^/
  RewriteRule /(.*) http://webmail.company.com/$1 [P]

  #~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~#

  ProxyPassReverse /webmail/mail/ http://webmail.company.com/mail/
  ProxyPassReverse / http://webmail.company.com/
</VirtualHost>

Thank you,

Durwin
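The domlog above says Domino answered the proxied GET / with a 302, so what the browser does next depends entirely on whether the proxy rewrote that Location header. mod_proxy's ProxyPassReverse does a case-insensitive literal prefix comparison of the header value against the backend URL as written in the directive; scheme, host and port all have to match, otherwise the header passes through unchanged and the browser is sent straight to the backend hostname. The following Python model of that behaviour is an added example, not code from the thread or from Apache: the reverse map and public base URL are taken from the vhost above, the Location values are constructed, and `public_base` stands in for the scheme and host Apache derives from the request. It shows the case that works (an http:// Location that the `ProxyPassReverse / http://webmail.company.com/` line covers) next to one that does not (an https:// Location from the backend, which that line never matches and which therefore leaks the backend host to the client); whether Domino in this setup sends http or https redirects is not something the thread establishes, so treat that second case as a possibility to check in the Apache access log, not as the diagnosis.

```python
from urllib.parse import urlsplit

# ProxyPassReverse lines from the thread's vhost, as (local path, backend URL).
# A list rather than a dict because Apache allows several lines for one path.
REVERSE_MAP = [
    ('/', 'http://webmail.company.com/'),
    ('/webmail/mail/', 'http://webmail.company.com/mail/'),
]
# Assumed public URL of the proxy vhost; Apache takes this from the request.
PUBLIC_BASE = 'https://office.company.com'


def proxy_pass_reverse(location, reverse_map, public_base):
    """Apply ProxyPassReverse semantics to one Location header value.

    Longest backend prefix wins; the compare is a case-insensitive literal
    prefix match, so scheme, host and port must all agree with the directive.
    Returns the rewritten value, or the original when nothing matches.
    """
    for path, backend in sorted(reverse_map, key=lambda kv: -len(kv[1])):
        if location.lower().startswith(backend.lower()):
            rest = location[len(backend):]
            return public_base.rstrip('/') + path.rstrip('/') + '/' + rest
    return location


def leaks_backend(location, reverse_map, public_base):
    """True when, after rewriting, the client would be sent to a host other
    than the proxy, i.e. the redirect bypasses the reverse proxy entirely.
    Relative Locations resolve against the proxy and so never leak."""
    rewritten = proxy_pass_reverse(location, reverse_map, public_base)
    host = urlsplit(rewritten).netloc.lower()
    return bool(host) and host != urlsplit(public_base).netloc.lower()


if __name__ == '__main__':
    # Constructed Location values a Domino backend might send after GET /.
    for loc in ('http://webmail.company.com/iwaredir.nsf',
                'https://webmail.company.com/iwaredir.nsf',
                '/iwaredir.nsf'):
        print(loc, '->', proxy_pass_reverse(loc, REVERSE_MAP, PUBLIC_BASE),
              '(leaks backend)' if leaks_backend(loc, REVERSE_MAP, PUBLIC_BASE) else '')
```

If the access log on the proxy shows the browser's next request arriving with Host: webmail.company.com instead of office.company.com, the leaking case is what happened; adding a second `ProxyPassReverse / https://webmail.company.com/` line next to the http one covers both schemes.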

Subject: Apache reverse proxy for Domino

Thank you. You did find an error in the config. I corrected it. However, there is no improvement.

Your suggestions are very logical.

From the proxy machine (gandalf/office) I did connect to https://webmail.company.com. I got the Domino login screen.

This config does get me to Nextcloud.

<VirtualHost *:443>
  ServerAdmin root@company.com
  DocumentRoot /var/www/html/
  ErrorLog /var/log/httpd/error_log
  CustomLog /var/log/httpd/access_log combined
  LogLevel debug
  SSLEngine On
  # Set the path to SSL certificate
  # Usage: SSLCertificateFile /path/to/cert.pem
  SSLCertificateFile /etc/pki/tls/certs/company.crt
  SSLCertificateKeyFile /etc/pki/tls/private/company.key
  ProxyPreserveHost On
  ProxyPass / http://nextcloud.company.com/
  ProxyPassReverse / http://nextcloud.company.com/
  ServerName gandalf.company.com:443
</VirtualHost>

So I copied it to proxy-ssl-webmail.conf and changed 4 lines.

<VirtualHost *:443>
  ServerAdmin root@company.com
  DocumentRoot /var/www/html/
  ErrorLog /var/log/httpd/error_log
  CustomLog /var/log/httpd/access_log combined
  LogLevel debug
  SSLEngine On
  # Set the path to SSL certificate
  # Usage: SSLCertificateFile /path/to/cert.pem
  SSLCertificateFile /etc/pki/tls/certs/company.crt
  SSLCertificateKeyFile /etc/pki/tls/private/company.key
  ProxyPreserveHost On
  ProxyPass / http://webmail.company.com/
  ProxyPassReverse / http://webmail.company.com/
  ServerName office.company.com:443
</VirtualHost>

But using https://office.company.com still sends me to the nextcloud folder.

Thank you.

Subject: Question

I get a teamroom login screen. What happens when you enter proper credentials? Does it then fail on the redirect db? Does it work when you try it internally and authenticate to the teamroom login and then get sent over to the redirect db?

Subject: Apache reverse proxy for Domino

Thank you for your reply. It is not that simple. I can’t leave the firewall pointing to the proxy as there might be someone needing to use webmail. For my testing, I change the firewall, test (using a mobile hotspot), then restore the setting. The code you posted is the redirect.nsf.

I do not know about ltpa. I am just trying to proxy https traffic from proxy machine to Domino server.

I do have one configuration (it is listed here in one of my posts) that does work. It is Nextcloud. Accessing it from outside the firewall (after changing the firewall to direct https traffic to the proxy), it does send https traffic to the Nextcloud machine, which is a third machine. This occurs without rewriting the URL.

So I do have a proxy configuration which works when the destination is another Apache server. The problem is when destination is Domino.

Can Domino ‘Internet Site’ document be configured to reverse proxy? Can an Internet site document be configured to route traffic to an Apache server running on a different machine?

Thank you,

Durwin

Subject: simplification

I noticed a syntax error in your VirtualHost config on the ProxyPassReverse line. Maybe it was just a typo when you put it here in the forum. If not, you should correct it and re-read your apache config (apachectl graceful).

<VirtualHost *:443>
  ServerName webmail.company.com
  ProxyRequests Off
  ProxyPreserveHost On
  ProxyPass / http://webmail.company.com/
  ProxyPassReverse / http//webmail.company.com/
  LogLevel debug
  SSLEngine on
  SSLCertificateFile /etc/pki/tls/certs/company.crt
  SSLCertificateKeyFile /etc/pki/tls/private/company.key
  DocumentRoot /var/www/html
  ErrorLog /var/log/domino-error.log
  CustomLog /var/log/domino-access_log combined

  SSLProxyEngine on
  SetOutputFilter proxy-html
  #ProxyHTMLURLMap / /
  RequestHeader unset Accept-Encoding
</VirtualHost>

If that’s not it, I’d recommend eliminating as much as possible to get down to the bottom of what’s going on. Check the basics. (Just like hardware troubleshooting by removing everything not absolutely critical to turning it on.)

First, open the browser on your Fedora Apache server. Browse to webmail.company.com. Do you get Domino? If not, then fix the networking/DNS/whatever is needed to make that happen. Without that, nothing else will work.

Second, start with a simple config. Reverse proxying is very simple in how it works. Only six lines between the VirtualHost bracket lines like I gave in my blog example. Don’t use SSL yet. Open port 80 on your firewall while testing if needed.

One by one, add in your other parameters/features as needed/desired. Don’t forget to re-read your config after each change. Eventually, you’ll find your gremlin.

Also, I recommend testing from outside your firewall. Tor browser is good for this.

Subject: I tried

When I tried, I got to the server. If you have domlog.nsf you should see the attempt.

You need to try from an outside connection. I take it you have a common ltpa token from the first server to that mail server? Why not do small steps and see if you get to the first server, and then open the redirect db manually by taking out the redirect.nsf as the default db but a db that requires authentication.

This is the source for the page I got

TeamRoom Login

Please enter your Username and Password

Username
Password

If you forget your password, contact us below.

Management Sciences, Inc.
6022 Constitution Ave. NE
Albuquerque, NM 87110
Office: (505) 255-8611
Fax: (505) 268-6696
Email: Management Sciences, Inc.

Subject: clarify

You are getting to the domino server. That is what is prompting you for authentication. As far as ltpa tokens, you need a common ltpa token on the DOMINO servers so once you authenticate you won't need to reauthenticate.

https://www-10.lotus.com/ldd/dominowiki.nsf/dx/Configuring_single_sign-on_with_an_LTPA_token_on_IBM_WebSphere_and_IBM_Lotus_Domino_platforms

If you try the login server inside, are you automatically redirected over to the mail server? If so, ltpa is set up. Did you enable domlog on the authentication server and see what the URL is that you are coming in as?

Subject: Teamroom login

I can’t leave the firewall directed to the proxy server. When I am ready to test, I forward the port to the proxy server; after the test, I forward it back to the mailserver. That is why you get the teamroom login. My tests last only a few minutes at most.