Level: Introductory
John Yao-An Liao, Program Manager, Mindspeed Technologies
08 Jul 2003
Author John Liao highlights a powerful tool -- an Apache reverse proxy server -- in the struggle to keep sensitive data secure while providing Web-enabled access to it for employees and other trusted users. This real-world case study covers IBM Lotus Notes applications and Domino servers and explains how his company crafted a solution that worked and stayed within budget.
What do you do when your company comes to this familiar point in its business cycle?
- The company has an ever-growing database of necessary proprietary and sensitive data that is not for public consumption
- Employees and other trusted individuals need Web access to this data
- The budget for solving this problem may be relatively tight in these economic times
I've found that the Apache Web server can be a powerful and versatile answer to this problem. In this article, I describe the problem my company faced and what we did to solve it.
The dilemma of providing secure Web data access
The company that I work for uses Domino servers for such groupware capabilities as e-mail, calendar sharing, and content sharing. In addition, my company has developed many IBM Lotus Notes applications on these Domino servers that access confidential data in databases, enterprise resource planning (ERP) systems, and other data stores. The servers store a lot of proprietary and confidential content, content that we do not want to make available to the public. Because of these security concerns, the company decided that all the Domino servers must remain behind the corporate firewall.
However, employees are clamoring for Web-based access to e-mail and the other Web-enabled Lotus Notes applications. This is especially true for the executives and the sales force who often travel and need access to certain information captured in e-mail or in one of the Lotus Notes applications. My company needed to resolve the problem of how to deliver these capabilities to employees and other trusted users while providing the necessary security over the content stored on these Domino servers and the data stores that are accessed from these Domino servers.
This problem prompted a search for a solution, first in the traditional ways.
A good, old-fashioned fix
One of the first things my company did was to evaluate the purchase of an off-the-shelf system that would provide external access to e-mail and Web-based Lotus Notes applications. One vendor presented a product that came with a $30,000 licensing cost that included a limited number of concurrent users plus the cost of two additional servers. Now this may not sound like much to a large corporation, but that price was a big chunk of operating capital to my company, which faced the same dilemma that many companies face today -- caught in the middle of a tremendous economic downturn and unable to pay that much to provide these capabilities.
We had to search for an alternative solution.
A change in our thinking
We scoured the Internet and the Domino documentation for solutions. In one of IBM's Redbooks on iNotes Web Access (see Resources), the default Web-based access to e-mail in Domino, we found a section that describes a scenario in which a reverse proxy server is configured to provide secure access to Domino servers sitting behind the corporate firewall.
Unfortunately, the document claims compatibility only with proxy servers by Sun, Tivoli, and IBM. We didn't have the budget to purchase any of these additional items. Again, the Internet proved to be a valuable source toward pointing us in the right direction.
From message threads in newsgroups, we discovered claims that the Apache Web server could be configured as a reverse proxy server for a Domino server. Buoyed by this tidbit of information, and by the fact that we had only enough money to host one additional server, we decided to try to get Apache to work with our Domino servers and supply the capability our employees needed to stay competitive in a tight market.
Developing the solution
Our problem was that we had only one server to be used as a reverse proxy server. We used multiple Domino servers for e-mail and calendaring with a single Domino server used strictly for Lotus Notes applications.
Our setup
Each employee is assigned to a single Domino server as his mail home. Once the employee is authenticated by our Web application, we want the reverse proxy server to connect the employee to the correct Domino server. We hoped to build an environment as shown in Figure 1.
Figure 1. Network diagram of Apache reverse proxy server with Domino
Users would connect to the reverse proxy server in the DMZ, which in turn would connect them to the Domino servers inside the corporate firewall.
The Apache reverse proxy server acts as bastion host. A bastion host is a gateway between the internal network and external network and is designed to defend against attacks aimed at the internal network. (See Building Internet Firewalls, 2nd Edition, in Resources for more on bastion hosts.)
The Apache reverse proxy server bastion host is where we focus our security and auditing efforts. While various postings and message threads in newsgroups suggested that a 1-to-1 mapping between a reverse proxy server and a Domino server was possible, we couldn't find a posting from anyone who had successfully configured a single Apache reverse proxy server in front of multiple Domino servers.
So we tried to configure the modules mod_proxy and mod_rewrite to successfully achieve a 1-to-many mapping between the Apache reverse proxy server and Domino servers.
Key to the mapping problem
The key to solving this 1-to-many server mapping problem is the mod_rewrite module, which the Apache documentation calls the "Swiss Army Knife of URL manipulation."
Our task was to determine which pieces of information available to this module could be used to route requests to the appropriate Domino server. The RewriteRule directive performs the rewrite (with the [P] flag, the request is proxied to the back-end server named in the rule); the RewriteCond directives that precede it supply the tests, which can be made against server variables, environment variables, HTTP headers, and other pieces of information.
One of the simplest ways to decide where to send a request uses the server variable REQUEST_URI, which holds the path portion of the request (the query string is exposed separately as QUERY_STRING). If you can embed the server name in the URL, either as a query parameter (http://proxy.mycompany.com/mymail.nsf?host=mailhost1) or as a path prefix (http://proxy.mycompany.com/mailhost1/mymail.nsf), then you can easily write a rule condition that routes the request. For the query-parameter form the test has to be made on QUERY_STRING, as shown here:
RewriteCond %{QUERY_STRING} (^|&)host=mailhost1(&|$)
RewriteRule ^/(.*) http://mailhost1.mycompany.com/$1 [P]
Changes to iNotes?
However, you cannot do this without changing the default out-of-the-box iNotes application. Even if you initially route the request to the appropriate server by prefixing or appending the host name, once the iNotes application takes over it no longer adds the host name to subsequent requests, so the proxy has nothing left to match on.
Unless you are prepared to change the default iNotes application, or to make extensive changes to your other Notes applications, you cannot take the easy way out and have Domino rewrite every application URL to carry the server name so that the REQUEST_URI variable can drive the routing. If the mail files had originally been placed in a folder named after the host name, that folder name could have served the same purpose.
In my company's case, the mail file for all employees has been placed in the generic mail folder. To move the mail file to another folder would require desktop support to go to each user's computer and help them change the Lotus Notes client to specify the new location of their personal mail file -- this was not a practical avenue for us.
My company did use the REQUEST_URI variable on our customized Lotus Notes applications. We moved all the customized Lotus Notes apps into a special folder called apps. Now, all the requests to the Lotus Notes applications that begin with /apps are redirected to our Domino application server.
For example, if a Web-enabled Lotus Notes application is called myapp1, it lives on the Domino application server at:
http://domapp1.mycompany.com/apps/myapp1.nsf
The mod_rewrite module then maps this URL, together with those of any other Web-enabled Lotus Notes applications, so that every incoming request whose path begins with /apps/ is proxied to domapp1.mycompany.com (the Domino server that hosts all the Lotus Notes applications):
RewriteCond %{REQUEST_URI} ^/apps/
RewriteRule ^/(.*) http://domapp1.mycompany.com/$1 [P]
More work for a correct link
To correctly link users to the appropriate Domino server requires more work. In the end, my company decided that one way to do this was to deduce which Domino server the authenticated user is assigned to as the mail home and then to set a client-side cookie.
With this cookie, the iNotes application can blissfully proceed without worrying about rewriting URLs or worrying about where the user is coming from. With this client-side cookie, we could now set the following RewriteCond directive:
RewriteCond %{HTTP:Cookie} (^|;\s*)noteshost=mailhost1\.mycompany\.com(;|$)
RewriteCond %{REQUEST_URI} ^/(.*)\.nsf(.*)
RewriteRule ^/(.*) http://mailhost1.mycompany.com/$1 [P]
These directives tell the Apache reverse proxy server to examine the user's Cookie header and look for the noteshost value (the pattern is anchored at a cookie boundary, with the dots escaped, so it cannot match a fragment of some other cookie). If the value is mailhost1.mycompany.com, the request is proxied to mailhost1. If not, processing drops through to the next block of directives, which tests for the next Domino server; you chain one block per Domino server until they are all covered. Note that the target host names are fixed in the rules: the cookie only selects among them, so a tampered cookie can at worst choose a different one of your own mail servers, and a request that matches no block is not proxied at all but served by Apache from its own document root.
Here is how one might make these changes in the Apache server configuration files.
Changes to the Apache configuration files
First, configure the server to load the appropriate modules. Typically these LoadModule lines are commented out in a fresh installation; un-comment the lines shown in Listing 1. (mod_proxy_connect is only needed for CONNECT tunnelling through a forward proxy and can be left out of a pure reverse proxy.)
Listing 1. Loading the appropriate modules
#----------------------------------------------------------------------
# Load appropriate modules for configuration
#----------------------------------------------------------------------
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule rewrite_module modules/mod_rewrite.so
These additional lines of configuration (as shown in Listing 2) are the heart of the mod_rewrite capability that allows you to redirect the user to the correct Domino server for mail or for Lotus Notes applications.
Listing 2. Reverse proxy configuration into Domino servers
#----------------------------------------------------------------------
# Reverse proxy configuration!
#----------------------------------------------------------------------
RewriteEngine on
# Set RewriteLogLevel to 2 while debugging the rules; 0 turns logging off.
# (Apache 2.4 replaces these two directives with "LogLevel rewrite:trace2".)
RewriteLog "rewrite.log"
RewriteLogLevel 0
# In our example, we also hosted Tomcat on the same server as the
# Apache reverse proxy server. The Tomcat server served the jsp page
# needed for the user to select the appropriate mail server.
RewriteRule ^/(.*)\.jsp(.*) http://proxy.mycompany.com:8080/$1.jsp$2 [P]
# Rewrite rule for notes applications.
RewriteCond %{REQUEST_URI} ^/apps/
RewriteRule ^/(.*) http://domapp1.mycompany.com/$1 [P]
# Mapping of user cookies to the specified mail server. The cookie value is
# matched at a cookie boundary (start of header or after ";", up to ";" or
# end) with the dots escaped, so it cannot match as a fragment of another
# cookie. The target host names are fixed: the cookie only chooses among
# the servers listed here.
RewriteCond %{HTTP:Cookie} (^|;\s*)noteshost=mailhost1\.mycompany\.com(;|$)
RewriteCond %{REQUEST_URI} ^/(.*)\.nsf(.*)
RewriteRule ^/(.*) http://mailhost1.mycompany.com/$1 [P]
RewriteCond %{HTTP:Cookie} (^|;\s*)noteshost=mailhost2\.mycompany\.com(;|$)
RewriteCond %{REQUEST_URI} ^/(.*)\.nsf(.*)
RewriteRule ^/(.*) http://mailhost2.mycompany.com/$1 [P]
RewriteCond %{HTTP:Cookie} (^|;\s*)noteshost=mailhost3\.mycompany\.com(;|$)
RewriteCond %{REQUEST_URI} ^/(.*)\.nsf(.*)
RewriteRule ^/(.*) http://mailhost3.mycompany.com/$1 [P]
# Rewrite the Location (and related) headers of back-end responses so that
# redirects issued by Domino point at the proxy, not at the internal host.
ProxyPassReverse / http://mailhost1.mycompany.com/
ProxyPassReverse / http://mailhost2.mycompany.com/
ProxyPassReverse / http://mailhost3.mycompany.com/
ProxyPassReverse / http://domapp1.mycompany.com/
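Two points that the cookie-routing rules depend on but do not spell out, shown here as an added example that is not part of the original article's configuration: the back-end host must never be taken from the cookie value itself, and a request that matches no rule should not fall through to the proxy's own document root. The fragment belongs after the per-server blocks of Listing 2; the host names are the ones used above, and the selection page name /select.jsp is an assumption.

```apache
# Leave ProxyRequests at its default of Off. The [P] rules above work
# without it; turning it On would make the bastion host an open forward
# proxy that anyone on the Internet could use to reach the intranet.
ProxyRequests Off

# WRONG (do not use): deriving the back-end host from the cookie value.
# Anyone who can set a noteshost cookie could then relay requests through
# the bastion host to any server it can reach inside the firewall.
#RewriteCond %{HTTP:Cookie} noteshost=([^;]+)
#RewriteRule ^/(.*) http://%1/$1 [P]

# RIGHT: one rule block per known server, as in Listing 2, so the cookie
# can only select among hosts named in the configuration. [P] implies [L],
# so a request that matched one of those blocks never reaches this point.

# Fallback, placed after the per-server blocks: a .nsf request that carried
# no recognised noteshost cookie is sent to the selection page (assumed to
# be /select.jsp, which the .jsp rule hands to Tomcat) instead of being
# looked up in the proxy's own document root.
RewriteCond %{REQUEST_URI} \.nsf
RewriteRule ^ /select.jsp [R,L]
```

With this in place, the only way a request reaches a Domino server is through a rule whose target host is written in the configuration; the cookie, the query string and the path can influence which of those hosts is chosen but never introduce a new one.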
Setting the user profile cookie
Once you configure the Apache reverse proxy server, you still need to have the front-end code set the appropriate cookie based on the user profile.
The easiest way is to have the user manually set the correct Domino server. You can create an HTML page with a drop-down list of all the available Domino servers used as a mail server (see Figure 2).
Figure 2. User selects a Domino server
Listing 3 shows the code to generate the drop-down list.
Listing 3. HTML code generates Domino server drop-down list
<html>
<body>
<form action="notes.jsp" method="get">
Please choose Domino server :
<select name="noteshost">
<option value="mailhost1.mycompany.com">mailhost1</option>
<option value="mailhost2.mycompany.com">mailhost2</option>
<option value="mailhost3.mycompany.com">mailhost3</option>
</select>
<p><input type="submit">
</form>
</body>
</html>
The user would then select the appropriate Domino server and submit the request to the next page which picks up the Domino server name as a request parameter and sets the appropriate client-side cookie. Listing 4 shows the code to set the client-side cookie.
Listing 4. JSP code for setting the user's cookie
<%-- Listing 4. JSP code for setting the user's cookie (notes.jsp) --%>
<%@ page language="java" import="java.util.*" session="true" %>
<%
    // Only hosts that the reverse proxy has rules for are accepted; anything
    // else is rejected rather than echoed back into a Set-Cookie header.
    String[] knownHosts = {
        "mailhost1.mycompany.com",
        "mailhost2.mycompany.com",
        "mailhost3.mycompany.com"
    };
    String mailServer = request.getParameter("noteshost");
    if (mailServer == null || !Arrays.asList(knownHosts).contains(mailServer)) {
        response.sendError(HttpServletResponse.SC_BAD_REQUEST, "Unknown mail server");
        return;
    }

    // The original listing used mailUri without defining it. Assumption: the
    // mail file sits in the generic mail folder and is named after the
    // authenticated user; the name is restricted to a safe character set so
    // it cannot inject into the redirect URL below.
    String user = request.getRemoteUser();
    if (user == null || !user.matches("[A-Za-z0-9_]+")) {
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED, "Not authenticated");
        return;
    }
    String mailUri = "/mail/" + user + ".nsf";

    // Write the routing cookie. The domain is the parent domain so that the
    // browser sends it to proxy.mycompany.com; the path covers every URL.
    Cookie mailServerCookie = new Cookie("noteshost", mailServer);
    mailServerCookie.setDomain(".mycompany.com");
    mailServerCookie.setPath("/");
    response.addCookie(mailServerCookie);
%>
<html>
<head>
<title>iNotes Redirect Page</title>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
<META HTTP-EQUIV="Refresh"
CONTENT="0;URL=http://proxy.mycompany.com<%=mailUri%>">
</head>
<body>
<h3>Please wait a few seconds while we retrieve your profile and
send you to the appropriate mail server.</h3>
<hr>
Your mail server is <%=mailServer%>
<hr>
Your mail URI is <%=mailUri%>
<hr>
</body>
</html>
A better way to set user cookies
However, having internal employees select the correct Domino server is not acceptable, given that most users have no idea what their default mail host is. A better way, especially if you keep user profile information in a database or in LDAP, is to run code after the user has authenticated to the Web server that looks up the mail host in LDAP or the database and sets the client-side cookie from that value, so that the cookie never depends on user input.
This code can run right after the login page. That way, when the user navigates to the proxy server, access to e-mail and Lotus Notes applications looks like one seamless transition.
While the code my company used to set the client-side cookie was JSP, you can write it in ASP, Perl, or any other server-side scripting language. We protected the Domino servers with a Single Sign-On product, and the reverse proxy server did not interfere with the operation of Single Sign-On.
Securing the solution
My company was delighted with the capabilities of the Apache Web server -- including its ability to integrate well with the Domino servers and customized and default Lotus Notes applications -- to help us solve the problem of keeping sensitive data secure while allowing authorized users Web-based access to the information. And all without breaking the bank!
Resources
- Study the important IBM Redbook that helped us create a secure system: iNotes Web Access, Deployment and Administration, written by Tommi Tulisalo, Wolfgang Hass, Leonardo Vidal, and Roger Zirn (2001).
- Check out author Tommi Tulisalo's 45 other helpful Redbooks on Lotus Notes and Domino servers.
- Read Building Internet Firewalls, 2nd Edition, a detailed guide that explains how to design and install firewalls and configure Internet services to work with a firewall (E. Zwicky, S. Cooper, and D. Chapman; O'Reilly, 2000; print version, online version).
- Find everything you could possibly want on the Apache Web server -- according to the 2002 Netcraft Web Server Survey, the Apache Web server was in use on an astounding 63 percent of Web sites, making it more widely used than all other Web servers combined.
- In the "URL Rewriting Guide", see how Ralf Engelschall uses Apache's
mod_rewrite to solve typical URL-based problems by configuring URL rewriting rulesets.
- Read "Third-party security servers and WebSphere," which demonstrates a framework that allows a third-party reverse proxy security server to front-end an application server. It includes an alternative scenario that allows security plug-ins to perform front-end authentication and WebSphere security runtime to perform further authorization (developerWorks, July 2002).
- See this article from the DeveloperToolbox Technical Magazine, "WebSphere and Domino single sign-on," for an introduction to Lightweight Third Party Authentication, an integration mechanism between WebSphere application servers and the Domino server that allows for a single sign-on across a set of Web servers and lets servers delegate authentication to a common third-party service (developerWorks, January 2001).
- Read Mike Schlosser's 1999 overview, "IBM Framework for e-business," which is still one of the best roadmaps to a basic understanding of Web-based e-business security issues. The section on authentication covers single sign-on (developerWorks, November 1999).
About the author
John Liao is program manager of Web-application development at Mindspeed Technologies. He has developed software for the communication satellite, insurance, transportation, and semiconductor industries. His current job allows him to work with single sign-on, LDAP, application servers, databases, portals, ERP, EAI, and to develop the Web applications that glue all these together. He can be reached at johnliao@ix.netcom.com.