proxy Archive

How and Why we need to SECURE our Web Server

Introduction: Over the years, the internet and internet-based applications have transformed how we live and work, creating new global business opportunities for enterprises that trade online. The security risks of doing business online, however, have made security a major factor in whether an online venture succeeds or fails.

Every high-profile attack proves again that web security remains a serious issue for any business that runs its operations online. Web servers are among the most targeted public faces of an organization, because of the sensitive data they host and the internal systems they sit in front of. Securing the web server is therefore as important as securing the website or web application itself: a secure application on an insecure server, or the reverse, still leaves the business at serious risk.


What is a Web Server? A web server is a server that speaks HTTP: it serves static content itself and forwards (proxies) requests for dynamic content to the appropriate application servers. Following is a pictorial representation of the purpose of a web server:

Security Implementation in Apache Web Server: Below is a schematic representation of communication with a secured web server.

Security inside the web server is implemented in two steps:

1) Installing an SSL certificate, so that traffic is encrypted and the server is authenticated to its clients

2) Following the hardening guidelines listed further below

Installation of the certificate: Installing an SSL certificate on an Apache server involves the following stages:

1. Create a Certificate Signing Request (CSR)
2. Submit the CSR to a Certificate Authority online
3. Install the certificate the CA returns
4. Display your Secure Site Seal


1. Generate a CSR and a private key for the web server with the following command. Without -key, openssl req creates a new key and writes it to the file named by default_keyfile in openssl.cnf (privkey.pem in the stock configuration), which is why the next step refers to that file:

openssl req -config openssl.cnf -new -out my-server.csr


2. Remove the pass phrase from the private key so that httpd can load the key at start-up without an interactive prompt. The resulting file is unencrypted, so it must be readable only by root (see step 4): anyone who can read it can impersonate the server.

openssl rsa -in privkey.pem -out my-server.key

3. Generate a self-signed certificate to use until the certificate from the Certificate Authority arrives, then replace it (browsers warn on the self-signed one):

openssl x509 -in my-server.csr -out my-server.cert -req -signkey my-server.key -days 365


4. Create an Apache/conf/ssl directory, move my-server.key and my-server.cert into it, and make the key file readable only by the user that starts httpd (normally root), for example with chmod 600.


5. Open httpd.conf and load mod_ssl (the module file name is elided in the original):

LoadModule ssl_module modules/


6. Add the following to the end of httpd.conf. SSLMutex, SSLLog and SSLLogLevel are Apache 2.0-era mod_ssl directives: from 2.2 mod_ssl logs through ErrorLog and LogLevel, and in 2.4 SSLMutex is replaced by the core Mutex directive. The VirtualHost argument is elided in the original.

        SSLMutex sem
        SSLRandomSeed startup builtin
        SSLSessionCache none

        SSLLog logs/SSL.log
        SSLLogLevel info
        <VirtualHost>
        SSLEngine On
        SSLCertificateFile conf/ssl/my-server.cert
        SSLCertificateKeyFile conf/ssl/my-server.key
        </VirtualHost>



Restart the Apache server and access the applications over https.
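As an added example (not part of the original post), the steps above as a script: it generates the key, CSR and stand-in self-signed certificate non-interactively, locks the key's permissions, and runs the checks worth doing before restarting httpd, namely that the certificate matches the key, that the key is not world-readable, that the certificate has not expired, and that its CN is the host name clients will use. The host name www.example.test and the directory layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: generate and check an Apache
# server key/certificate pair. Host name and directory are assumptions.
set -eu

# Steps 1-3 of the post, non-interactive: unencrypted key (so httpd starts
# unattended), a CSR to send to the CA, and a self-signed stand-in certificate.
make_server_pair() {
    dir=$1; host=$2
    openssl genrsa -out "$dir/my-server.key" 2048 2>/dev/null
    chmod 600 "$dir/my-server.key"
    openssl req -new -key "$dir/my-server.key" -subj "/CN=$host" \
        -out "$dir/my-server.csr" 2>/dev/null
    openssl x509 -req -in "$dir/my-server.csr" -signkey "$dir/my-server.key" \
        -days 365 -out "$dir/my-server.cert" 2>/dev/null
}

# Check 1: the certificate's public key must belong to the private key;
# a mismatch (common after swapping in the CA-issued cert) stops httpd.
key_matches_cert() {
    key=$1; cert=$2
    openssl pkey -in "$key" -pubout 2>/dev/null > "$key.pub"
    openssl x509 -noout -pubkey -in "$cert" > "$cert.pub"
    cmp -s "$key.pub" "$cert.pub"
}

# Check 2: the unencrypted key must not carry the other-read bit (o+r).
key_is_private() {
    [ -z "$(find "$1" -perm -004)" ]
}

# Check 3: the certificate is still valid 30 days (2592000 s) from now.
cert_not_expiring() {
    openssl x509 -noout -checkend 2592000 -in "$1" >/dev/null
}

# Check 4: the subject CN is the host name clients will connect to.
cert_has_cn() {
    openssl x509 -noout -subject -in "$1" | grep -q "CN *= *$2"
}
```

Run the four checks again after the CA-issued certificate replaces the self-signed one; check 1 is the one that fails when the CA returns a certificate for a CSR made with a different key.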


The following tips and guidelines will help make our Apache servers more secure:

1) Keep Apache at a current stable release with the latest security patches and fix packs applied.

2) Hide the Apache version number and other banner details by setting the following in httpd.conf:

                       ServerSignature Off
                       ServerTokens Prod
Note: ServerSignature Off tells Apache not to append the server version to error pages and other pages it generates. ServerTokens Prod tells Apache to return only "Apache" in the Server header sent with every response. This slows down reconnaissance but removes no vulnerability, so it is no substitute for tip 1.

3) Apache installations are often left running as nobody or even as root. Make sure the worker processes run under their own dedicated user account and group (the parent process is still started as root so that it can bind ports 80 and 443; it then drops privileges for the children). You can check this in httpd.conf:

        User apache
        Group apache


4) Make sure Apache does not serve or access any files outside its web root (the DocumentRoot holding the site's content, /web in this example): deny everything from the filesystem root and then explicitly open only the web root. Order/Allow/Deny is the Apache 2.2 syntax; on 2.4 the equivalents are Require all denied and Require all granted.

               <Directory />
                 Order Deny,Allow
                 Deny from all
                 Options None
                 AllowOverride None
               </Directory>
               <Directory /web>
                 Order Allow,Deny
                 Allow from all
               </Directory>


5) In typical operation, Apache is started by the root user. Set the permissions on the ServerRoot directories so that only root can modify them; otherwise a non-root user who can write to them could plant a binary or configuration that root then executes:

mkdir /usr/local/apache
cd /usr/local/apache
mkdir bin conf logs
chown 0 . bin conf logs
chgrp 0 . bin conf logs
chmod 755 . bin conf logs


6) **Server Side Includes (SSI) present an administrator with several security risks. Beyond the extra load they put on the server, an SSI-enabled page can run any program or CGI script with the privileges of the Apache user through the exec element. Turn SSI off with the Options directive inside a Directory block in httpd.conf, setting Options to None or -Includes; if SSI is genuinely needed, use IncludesNOEXEC, which keeps the includes but disables exec.


7) Allowing users to execute ***CGI scripts in any directory should only be considered if:

- You trust your users not to write scripts that will deliberately or accidentally expose your system to attack.

- You consider security at your site to be so feeble in other areas as to make one more potential hole irrelevant.

- You have no users, and nobody ever visits your server.


8) Watch the logs. To keep up to date with what is actually going on against your server you have to read the log files; they show which attacks are being thrown at the server and let you judge whether the current level of security is adequate. Keep the installation directory itself out of reach of other users:

chown -R root:root /usr/local/apache
chmod -R o-rwx /usr/local/apache
Note: /usr/local/apache is the Apache installation directory. If the DocumentRoot or cgi-bin lives under it, the Apache User/Group still needs read (and, for CGI, execute) access to those subtrees, so re-grant that through group ownership or per-directory permissions after the recursive chmod; otherwise the server answers 403 for everything.

9) Lower the time-out and restrict the size of request bodies to limit slow-connection and upload abuse (1048576 bytes is 1 MiB; raise it if the applications accept larger uploads):

               Timeout 45
               LimitRequestBody 1048576

10) Restrict access to sensitive resources by client IP address. Inside the Directory or Location block to protect, deny everyone and then list the permitted addresses or networks after Allow from (the addresses are elided in the original):

               Order Deny,Allow
               Deny from all
               Allow from


Note: **A Server Side Include page is typically an HTML page with embedded commands that the web server executes before sending the page.


***A CGI program is any program designed to accept and return data that conforms to the CGI specification. It may be written in any programming language, including C, Perl, Java or Visual Basic. CGI programs are the most common way for web servers to interact dynamically with users.
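As an added example (not from the original post), a small shell audit that checks an httpd.conf against tips 2, 3, 6, 7 and 9 above and also flags ProxyRequests On, the switch that turns Apache into an open forward proxy. Both configuration files are constructed for the demonstration; the checks are deliberately conservative and look only at uncommented directives.

```shell
#!/bin/sh
# Added example, not from the original post: audit httpd.conf against the
# hardening tips. The sample configurations are constructed for the demo.
set -eu

# Print one WARN line per weak or missing setting, then a count; exit 1 if any.
# Only uncommented directives are inspected; names and values are case-insensitive.
audit_httpd_conf() {
    awk '
    function warn(msg) { print "WARN: " msg; n++ }
    BEGIN { n = 0; tokens = ""; sig = ""; user = ""; group = ""; proxyreq = "" }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        d = tolower($1)
        if (d == "servertokens")          tokens = tolower($2)
        else if (d == "serversignature")  sig = tolower($2)
        else if (d == "user")             user = tolower($2)
        else if (d == "group")            group = tolower($2)
        else if (d == "timeout")          { timeout = $2 + 0; have_timeout = 1 }
        else if (d == "limitrequestbody") { body = $2 + 0; have_body = 1 }
        else if (d == "proxyrequests")    proxyreq = tolower($2)
        else if (d == "options")
            for (i = 2; i <= NF; i++) {
                o = tolower($i)
                if (o == "includes" || o == "+includes" || o == "all")
                    warn("line " NR ": SSI enabled (Options " $i "); use None, -Includes or IncludesNOEXEC")
                if (o == "execcgi" || o == "+execcgi")
                    warn("line " NR ": CGI execution enabled (Options " $i ")")
            }
    }
    END {
        if (tokens != "prod") warn("ServerTokens is \"" tokens "\" (default Full); set Prod")
        if (sig != "off")     warn("ServerSignature is \"" sig "\"; set Off")
        if (user == "" || user == "root" || user == "nobody")
            warn("User is \"" user "\"; run httpd under a dedicated account")
        if (group == "" || group == "root" || group == "nobody")
            warn("Group is \"" group "\"; run httpd under a dedicated group")
        if (!have_timeout || timeout > 60)
            warn("Timeout is " (have_timeout ? timeout : "unset (300)") "s; lower it, e.g. 45")
        if (!have_body || body == 0)
            warn("LimitRequestBody unset or 0 (unlimited); cap request bodies")
        if (proxyreq == "on")
            warn("ProxyRequests On makes this an open forward proxy; set Off")
        print n " finding(s)"
        exit (n > 0)
    }' "$1"
}

# Constructed: a configuration that violates most of the tips.
weak_conf() {
cat <<'EOF'
ServerTokens Full
ServerSignature On
User nobody
Group nobody
Timeout 300
ProxyRequests On
<Directory "/web">
    Options Indexes Includes ExecCGI
    AllowOverride None
</Directory>
EOF
}

# Constructed: the same server after applying the tips.
hardened_conf() {
cat <<'EOF'
ServerTokens Prod
ServerSignature Off
User apache
Group apache
Timeout 45
LimitRequestBody 1048576
ProxyRequests Off
<Directory />
    Options None
    AllowOverride None
    Order Deny,Allow
    Deny from all
</Directory>
<Directory "/web">
    Options -Includes
    Order Allow,Deny
    Allow from all
</Directory>
EOF
}
```

Usage: `audit_httpd_conf /usr/local/apache/conf/httpd.conf`. The script does not follow Include directives, so run it over each included file as well.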






Working with Reverse proxy servers

Among middleware engineers, the term "proxy server" is popularly summed up as "a server which forwards the request".

But, for several simple reasons, this one-line definition covers servers that are used in almost every environment, in several forms: forward proxy servers, reverse proxy servers and open proxy servers.

The purpose of this document is to cover what a proxy server is, the different kinds of proxy server, and the configuration of a reverse proxy server.

Defining Proxy Server: A proxy server is an intermediary between your web browser (the client), which requests some information or data, and your server (web server or application server), which produces it.

Following is the schematic representation of the proxy server:-

Types of Proxy Server: There are three types of proxy server:

1)      Forward Proxy Server

2)      Open Proxy Server

3)      Reverse Proxy Server

Forward Proxy Server: A forward proxy forwards requests from intranet clients (web browsers) to servers on the internet. It sits in the same network as the clients. Schematically, a forward proxy can be represented as follows:

Open Proxy Server: An open proxy is a proxy server that any internet user can reach. Any proxy that does not restrict its client base to its own set of clients but lets any other client connect to it is an open proxy. An anonymous open proxy lets users conceal their IP address while browsing the web or using other internet services, and there are numerous open proxies on the internet. In Apache, any proxy becomes a forward proxy as soon as ProxyRequests On is set in the configuration file; unless a <Proxy> block then restricts who may use it, it is an open proxy. A reverse proxy must therefore keep ProxyRequests Off.

Following is the pictorial view of understanding our open proxy servers:

Reverse Proxy Server: A proxy server that takes requests from external clients (web browsers on the internet) and forwards them to servers in an internal network is a reverse proxy. Reverse proxies generally sit in the same network as the application and web servers.

Schematically we can represent all of our reverse proxy servers as follows:

Having looked at the different types of proxy server, let us look more closely at reverse proxies, particularly their advantages and their configuration.

Advantages of using Reverse Proxy Servers:

The advantages generally attributed to proxy servers are:

1) Filtering

2) Caching

3) Bypassing filters and censorship

4) Logging (and, on a hostile proxy, eavesdropping)

5) Gateways to private networks

6) Accessing services anonymously

Of these, filtering, caching, logging and acting as a gateway to a private network are what a reverse proxy provides: clients see only the proxy, never the addresses or topology of the internal servers. Bypassing censorship and anonymous access are benefits that forward and open proxies give their clients, not properties of a reverse proxy.

Comparing these advantages with those of the other kinds of proxy, a reverse proxy is the one most of us will want to deploy, so let us see how it is configured.

Most present-day proxy servers can act as a reverse proxy with the addition of a small module. Since covering the reverse-proxy configuration of all of them with WebLogic Server is not possible here, this document restricts its scope to Apache.

Configuration of Apache Reverse Proxy Server with Weblogic Server:

To begin, consider a public site (or an application deployed on a cluster) that has a public IP address and DNS entry and can be reached from anywhere in the world.

Assume the application server hosting this site is our WebLogic application server, with two instances.

The steps for configuring Apache as a proxy in front of the WebLogic servers are:

1) After installing WebLogic Server and creating a domain, copy the plug-in module file from the WebLogic Server installation into the Apache modules folder.

2) Download libxml2 (version 2.6 or newer) and install it.

3) Copy the library to /usr/lib/ and its headers to /usr/include/libxml2/libxml/.

4) Download mod_proxy_html and mod_xml2enc.

5) Load the following configuration in the Apache httpd.conf. ProxyRequests off is essential: it keeps Apache a reverse proxy only, rather than an open forward proxy. (The backend addresses and module file names are elided in the original.)

LoadModule proxy_module      modules/
LoadModule proxy_http_module modules/
LoadModule headers_module    modules/
LoadFile   /usr/lib/
LoadModule proxy_html_module modules/
LoadModule xml2enc_module modules/

ProxyRequests off

ProxyPass /app1/
ProxyPass /app2/ http://

ProxyHTMLURLMap http:// /app1
ProxyHTMLURLMap http:// /app2

<Location /app1/>
ProxyPassReverse /
ProxyHTMLEnable On
ProxyHTMLURLMap  /      /app1/
RequestHeader    unset  Accept-Encoding
</Location>

<Location /app2/>
ProxyPassReverse /
ProxyHTMLEnable On
ProxyHTMLURLMap /       /app2/
RequestHeader   unset   Accept-Encoding
</Location>

Note: RequestHeader unset Accept-Encoding stops the backend from compressing its responses, so that mod_proxy_html can rewrite the links in the HTML it returns.


6) Restart the Apache server and the WebLogic server instances.
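Added example (not part of the original post): a detection over Apache access-log lines for clients probing whether this reverse proxy will act as an open proxy. Absolute-URI request lines (GET http://other-host/...) and CONNECT requests for hosts this server does not serve are the tell-tale; a 2xx/3xx response to one of them means the request was forwarded, i.e. ProxyRequests was on. The log lines and host names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post: spot open-proxy probing in
# combined-format access logs. Log lines and host names are constructed.
set -eu

# $1 = access log, $2 = comma-separated host names this server legitimately
# serves. Prints one line per suspicious request and a final count.
detect_proxy_probes() {
    awk -F'"' -v own="$2" '
    BEGIN { split(own, o, ","); for (i in o) mine[o[i]] = 1; hits = 0 }
    {
        split($2, r, " ")               # r[1] = method, r[2] = request target
        split($3, s, " ")               # s[1] = status code
        ip = $1; sub(/ .*/, "", ip)
        target = r[2]; host = ""
        if (target ~ "^[A-Za-z][A-Za-z0-9+.-]*://") {
            # absolute-URI form: only a proxy is expected to accept this
            host = target; sub("^[^:]*://", "", host); sub("[/:].*", "", host)
        } else if (r[1] == "CONNECT") {
            # CONNECT host:port asks the proxy to open a raw tunnel
            host = target; sub(":.*", "", host)
        } else next
        if (host in mine) next          # absolute URIs for our own host are legitimate
        hits++
        verdict = (s[1] ~ /^[23]/) ? "FORWARDED" : "rejected"
        print ip, r[1], target, s[1], verdict
    }
    END { print hits " probe(s)" }' "$1"
}

# Constructed log: two probes rejected, one forwarded (only an open proxy
# does that), one normal request and one absolute-URI request for our own host.
sample_access_log() {
cat <<'EOF'
203.0.113.7 - - [10/Oct/2020:13:55:36 +0000] "GET /app1/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.8 - - [10/Oct/2020:13:55:40 +0000] "GET http://target.example.net/ HTTP/1.1" 403 199 "-" "curl/7.68.0"
203.0.113.8 - - [10/Oct/2020:13:55:41 +0000] "CONNECT mail.example.net:25 HTTP/1.1" 405 0 "-" "curl/7.68.0"
203.0.113.9 - - [10/Oct/2020:13:56:02 +0000] "GET http://www.example.com/app2/ HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2020:14:01:17 +0000] "GET http://mail.example.org/ HTTP/1.1" 200 771 "-" "python-requests/2.22"
EOF
}
```

Usage: `detect_proxy_probes /usr/local/apache/logs/access_log www.example.com`. Rejected probes are normal background noise; a FORWARDED line is a configuration failure to fix immediately.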




Kerberos in a Proxy/Load Balancer/ Weblogic Cluster

Recently one of my colleagues pointed out that I did not cover a few aspects of Kerberos configuration in an earlier post. He had a few queries, such as how he should set the service principal name if a proxy is in front of WebLogic Server, or if there is a cluster of WebLogic Servers.

Here are the answers.

If the proxy server is on the same machine as WLS, the steps remain the same (outlined in an earlier post). The Kerberos ticket is propagated to WLS.

If it is on a different machine, both the proxy URL and the WLS URL must be registered as SPNs of the account WLS uses: the browser requests a ticket for the host name in the URL it actually contacts (the proxy), and WLS must be able to decrypt that ticket with its keytab.


WLS Server Machine: beaiis
Proxy Server Machine: beaproxy

setspn -a HTTP/beaiis.BEATEST.COM beawin
setspn -a HTTP/beaproxy.BEATEST.COM beawin

Then configure the client browser with the proxy server URL.

For a cluster of managed servers running on different machines:

WLS Server Machine1 : beaiisone
WLS Server Machine2 : beaiistwo
WLS Server Machine3 : beaiisthree
Proxy Server Machine :beaproxy

Then we have to register all the host names as SPNs of the same account in Active Directory (the KDC):

setspn -a HTTP/beaiisone.BEATEST.COM beawin
setspn -a HTTP/beaiistwo.BEATEST.COM beawin
setspn -a HTTP/beaiisthree.BEATEST.COM beawin
setspn -a HTTP/beaproxy.BEATEST.COM beawin

And then verify:

setspn -L beawin
Registered ServicePrincipalNames for CN=beawin,CN=Users,DC=BEATEST,DC=COM

Also confirm that none of these SPNs is registered on another account as well (setspn -X lists duplicates): with a duplicate SPN the KDC may issue tickets for the wrong account's key and authentication fails intermittently.


Each server has the same keytab and krb5Login.conf file, preferably copied to the domain directory on every machine. In the client browser, the local intranet zone setting must include the proxy URL.

Configuring two-way SSL between the client and WebLogic Server with Apache proxying the request.

Configure Apache for SSL

Create the certificates using openssl (found in apache_home\bin) with the following steps. Two caveats: the post uses a 1024-bit RSA key, which is no longer considered adequate (use 2048 bits or more outside a lab), and -des3 leaves server.key pass-phrase protected, so Apache will prompt for it at every start unless the pass phrase is removed as in the first post or SSLPassPhraseDialog is configured.

openssl genrsa -des3 -out server.key 1024

openssl req -config ..\conf\openssl.cnf -new -key server.key -out localhost

openssl x509 -req -days 730 -in localhost -signkey server.key -out server.crt

Add the following to httpd.conf (the Location block carrying the proxy and client-certificate directives below sits inside this VirtualHost):

<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin

Listen 443
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile "C:\Program Files\Apache Group\Apache2\conf\server.crt"
SSLCertificateKeyFile "C:\Program Files\Apache Group\Apache2\conf\server.key"
SSLCACertificateFile "C:\Documents and Settings\Administrator\Desktop\cert\IntermediateCA.cer"
#SSLLog "C:\Program Files\Apache Group\Apache2\conf\ssl.log"
#SSLLogLevel debug
</VirtualHost>
</IfModule>

Configure SSL between Apache and Weblogic Server

Add the following WebLogic plug-in directives in the Location block. RequireSSLHostMatch false disables the check that the WLS certificate's CN matches the host Apache connects to; that is convenient in a lab but weakens the Apache-to-WLS hop in production.

SecureProxy ON
TrustedCAFile C:\bea101\wlserver_10.0\server\lib\CertGenCA.pem
RequireSSLHostMatch false

Configure Apache to Request a Client Certificate

Add the following in the Location block. optional_no_ca asks the client for a certificate but neither requires one nor verifies its chain against SSLCACertificateFile; SSLOptions +ExportCertData makes whatever certificate was presented available to the plug-in, which forwards it to WebLogic in the WL-Proxy-Client-Cert header. The trust decision therefore has to be made on the WebLogic side.

SSLVerifyClient optional_no_ca
SSLOptions +ExportCertData

Configure Weblogic Server for 2-way SSL

mydomain > Servers > myserver > Keystores & SSL > Advanced Options
Hostname Verification: None (this also disables host name checks on WLS's own outbound SSL connections; re-enable it outside the lab)
Two Way Client Cert Behavior: Client Certs Requested but not enforced

Apache_SSL > Domain Wide Security Settings > Realms > myrealm > Authentication Providers > DefaultIdentityAsserter

Trusted Client Principals: provide the CN of the client certificate
Types: X509

Use Default User Name Mapper: Checked
Default User Name Mapper Attribute Type: CN
Base64Decoding Required: Checked

Go to the security realm and create a user with the username set to the CN of the certificate.

Set the following attribute on the Server element in config.xml, so that WLS accepts the client certificate the plug-in forwards in the WL-Proxy-Client-Cert header instead of the one presented on its own listener:
<Server ClientCertProxyEnabled="true"

With this attribute enabled, any client that can reach the WebLogic listener directly could send a forged WL-Proxy-Client-Cert header and be asserted as whatever CN it chose, so also configure a connection filter that lets WebLogic accept connections only from the Apache proxy host.

Configure the Web Application

The Web Application should require client cert authentication.

Add the following in the web.xml


Add the following in the weblogic.xml

<principal-name>CN of the certificate</principal-name>
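Added example (not from the original post): what SSLVerifyClient optional_no_ca skips. The script builds a throwaway CA standing in for the IntermediateCA above, issues a client certificate from it, and mints a second, self-signed certificate carrying the same CN. openssl verify accepts the first and rejects the second, yet both present the identical CN to a CN-based user-name mapper such as the DefaultIdentityAsserter configured above. Names and the CA are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original post. The CA and client certificates
# are constructed here; the names are arbitrary.
set -eu

# A throwaway CA standing in for the IntermediateCA named in SSLCACertificateFile.
make_ca() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/ca.key" \
        -subj "/CN=Lab Intermediate CA" -days 365 -out "$dir/ca.crt" 2>/dev/null
}

# A client certificate for the given CN, signed by that CA.
issue_client_cert() {
    dir=$1; name=$2; cn=$3
    openssl req -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
        -subj "/CN=$cn" -out "$dir/$name.csr" 2>/dev/null
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 365 -out "$dir/$name.crt" 2>/dev/null
}

# A self-signed certificate: anyone can mint one with any CN they like.
forge_client_cert() {
    dir=$1; name=$2; cn=$3
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$dir/$name.key" \
        -subj "/CN=$cn" -days 365 -out "$dir/$name.crt" 2>/dev/null
}

# The chain check that optional_no_ca omits and optional/require perform.
chain_verifies() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# What a CN-based user-name mapper sees: only the subject CN.
cert_cn() {
    openssl x509 -noout -subject -in "$1" | sed 's/.*CN *= *//'
}
```

If Apache is left at optional_no_ca, the chain check has to happen in WebLogic (a trusted CA in its trust keystore and client certs enforced); if it happens nowhere, the forged certificate logs in as alice.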