IBM HTTP Server as reverse proxy

I encountered an interesting case today at a customer where 2 IBM Domino applications in the backend needed to be reachable from the internet. To make this possible a reverse proxy server was installed in the DMZ. As this customer uses a lot of IBM products, the choice for a reverse proxy server fell upon IBM HTTP Server 9.0.

In the past a reverse proxy setup for one of these Domino applications was made using IBM HTTP Server 8.5.5 combined with the IBM WebSphere plugin where the traffic from the plugin to IBM Domino was sent over http. Due to application requirements, traffic to the 2nd Domino application (on a different server) should be forwarded over https.

I felt the setup with the IBM WebSphere plugin was unneccesarily complex as IBM HTTP Server is perfectly capable of serving as reverse proxy without it. As I didn’t have an IBM HTTP Server 9.0 available in my home network to test the setup, I did my setup on IBM HTTP Server I came up with this configuration. Add the following lines to httpd.conf

# Enable the needed modules by removing the # that's by default in front of them
LoadModule proxy_module modules/
LoadModule proxy_http_module modules/
LoadModule rewrite_module modules/

# For a reverse proxy you need to switch ProxyRequests off
ProxyRequests Off
ProxyPreserveHost on
# In IBM HTTP Server 8.5.5 you need to use the NameVirtualHost statement to be able to serve multiple virtual hosts.
# In IBM HTTP Server 9.0 NameVirtualHost is assumed and this line should be ommitted.
NameVirtualHost *:443

# We only want to allow https traffic, so rewrite all http traffic to https
<VirtualHost *:80>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^/?(.*) https://%{SERVER_NAME}/$1 [R,L]

# For IBM HTTP Server we need the IBM SSL module
LoadModule ibm_ssl_module modules/
Listen 443

# Here we have the first virtual host which forwards over https to the Domino server
# The general keystore contains a wildcard certificate, so it can be used for both virtual hosts, but also 
# as client certificate for the session to the Domino server. That's why the KeyFile line is commented out
# in the VirtualHost section. This section contains no rewrite rules to the Domino application, as these
# were already in place on the Domino server itself.
<VirtualHost *:443>
SSLProxyEngine On
#KeyFile /opt/IBM/HTTPServer/ihsserverkey.kdb
ProxyPass /
ProxyPassReverse /
# Unnecessary to select the SSLServerCert for this virtual host, as all urls use the default wildcard certificate
# SSLServerCert

# Here's the 2nd virtual host. This one forwards the 2nd application to the 2nd Domino server on port 80. 
# Also here, the rewrite rules were already in place on the Domino server. No need to duplicate them.
<VirtualHost *:443>
ProxyPass /
ProxyPassReverse /

KeyFile /opt/IBM/HTTPServer/ihsserverkey.kdb

This setup worked perfectly to configure IHS as reverse proxy for the 2 Domino applications. Don’t forget the usual tuning of worker threads, timeouts etc.