Devolution gateway behind Apache reverse proxy

Hi,

Putting aside the Apache reverse proxy configuration, here are the generic steps to configure Devolutions Gateway standalone web access through a reverse proxy of your choosing.

1) Enable the Gateway web instance, uncheck "Generate a self-signed HTTPS certificate" as we'll have Devolutions Gateway listen on HTTP, and have the reverse proxy handle HTTPS. You can of course use HTTPS in between Apache and Devolutions Gateway if you want instead.



2) Select your HTTP listener port to which you want to point your reverse proxy to. By default, we use port 7171, but you can use any port you want:



3) Last but not least, configure an *HTTPS* external URL and host - that's your Apache reverse proxy listening in HTTPS on a port (443) which may be different from the internal HTTP listener port (7171).



4) Configure Apache to reverse proxy traffic from https://gateway-external-access.com:443 to http://internal-gateway-host:7171

That's it!

Hello Marc-Andre,
thanks for your reply. I did try this configuration, but something is wrong with the authentication.
It does not matter, if I set the authentication to none, or if I define custom password and login, it never works through the reverse proxy.
The Apache is requesting authentication. It is a must, when put in internet. I enter my login and pass.
If the password in Devolutions is set, I do get the login page displayed and after entering login/pass I get http 401.
If I set the Devolutions authentication to none, then I can see the content page for a short while, but then the apache is asking again for the login/pass. It goes like this in a loop, maybe 10 times and at the end I see the login page from Devolutions asking for password, which is not defined at all.
It looks like the Devolutions GW is trying to reuse some headers from Apache for authentication, even if no authentication is configured :(

Hi,

Can you share your procedure to configure Apache as a reverse proxy server in front of Devolutions Gateway? Include your configuration file, what you're describing looks a bit odd. If you set authentication to None in Devolutions Gateway to use your own authentication at the reverse proxy level, it should normally just work. Otherwise disable any kind of authentication at the reverse proxy level and set authentication at the Devolutions Gateway level and see if that can work well.

Best regards,

Hi,
my problem is, that I can not disable the apache auth.

Here the config:
ProxyPass /remote/ http://proxtest.internal.com:7171/
ProxyPassReverse /remote/ http//proxtest.internal.com:7171/

<Location /remote/>
ProxyPreserveHost Off
RequestHeader unset Authorization
ProxyAddHeaders Off
RewriteEngine Off
Options +FollowSymLinks
###auth mail_users
AuthBasicProvider ldap
AuthType Basic
here some LDAP settings for the backend
###end auth
</Location>
#################################################################
#################################################################
# ProxyPassMatch ^/webmail/ws/im wss://mail.hnup.de/webmail/ws/im

ProxyPass /jet/webapp/ http://proxtest.internal.com:7171/jet/webapp/
ProxyPassReverse /jet/webapp/ http//proxtest.internal.com:7171/jet/webapp/

<Location /jet/webapp/>
ProxyPreserveHost Off
RequestHeader unset Authorization
ProxyAddHeaders Off
RewriteEngine Off
Options +FollowSymLinks
###auth mail_users
AuthBasicProvider ldap
AuthType Basic
here some LDAP settings for the backend
###end auth
</Location>

Hi,

Can't you reverse proxy an entire virtual host to Devolutions Gateway? I see you're forwarding only /jet/webapp, you'll want to forward all that begins with /jet at a bare minimum, as it will break some things if you forward just the static web frontend. Make sure WSS goes through properly. Also, why is ProxyPreserveHost Off? This would make the HTTP request remove the Host header from the client with the original external access URI, which can again break a few things.

As for LDAP authentication done at the reverse proxy level, I'd have to see if the resulting authorization headers can potentially cause interference with what we're doing in the Devolutions Gateway standalone mode.

Best regards,