Inwards forwarding for HTTP(S) requests
Introduction
In order to, for example, send data to a profile via HTTP, a dedicated URL needs to be used. The schematic structure of the URL is:
|
http://<URL/IP and port Integration Server>/dw/Request/<URL suffix of profile> |
Now, if a DMZ server is in use, you want requests of this type to go to the DMZ server and be forwarded from there to the internal Integration Server (forwarding).
Note: In general, please consider which paths you want to make accessible via the DMZ server and only set up those that you really need.
Standard context on DMZ server
By default, the DMZ server reacts to HTTP requests whose URL path begins with the URL context "/forward". This default can be overridden in configuration file "./etc/startup_dmz.xml" (on the DMZ server) using the parameters "servletContext" and "servletPath" (see table in section Parameters). In the following, we assume that the default settings are used, so "servletContext=/forward and servletPath=/*".
Forwarding rules on DMZ server
Even if the DMZ server responds to the URL context "/forward" by default, forwarding rules must still be defined there, i.e. how such requests are forwarded, as the DMZ server itself does not respond to the requests. These forwarding rules are defined in the configuration file "./etc/forward.properties" (on the DMZ server).
If the DMZ server has multiple HTTP listeners (port 80, 443, and so on) defined in configuration file "./etc/hub.xml", all requests that arrive via one of the HTTP listeners and correspond to a forwarding rule are routed according to the rule.
Each line of this file represents an independent rule. The left side (source context), to the left of the equals sign, must be unique
Changes to the configuration file "./etc/forward.properties" are recognised during runtime and are reevaluated. A restart is not necessary.
For diagnostic purposes, the HTTP request log and the server log can be evaluated under "./logs". Caution: The times in the request log are in the time zone UTC, the times in the server log are in the system time zone.
Let us now assume the following forwarding rule and that the inner Integration Server has the IP shown.
.../forward/*=http://192.168.213.12:80...
In this case, all requests to the DMZ server that begin with the path "/forward" are forwarded to the inner Integration Server. All other paths are not forwarded.
The request "http://<URL/IP and port DMZ server>/forward/dw/Request/<URL suffix of the profile>" would therefore be forwarded to "http://192.168.213.12:80/dw/Request/<URL suffix of the profile>".
If you do not want to forward all requests, you can also make it a little more specific.
.../forward/dw/Request/*=http://192.168.213.12:80/dw/Request...Or even more specifically with the following rule. This could be used to set the URL suffixes of HTTP profiles so that only some are accessible from outside via the DMZ server. An HTTP profile with the URL suffix "outside/example1" would then be accessible via the DMZ server and an HTTP profile with the URL suffix "example2" would only be accessible via the internal Integration Server.
.../forward/dw/Request/outside/*=http://192.168.213.12:80/dw/Request/outside...Defining further contexts on DMZ server
In order for the DMZ server to respond to other contexts to which the inner Integration Server normally responds (and not only to "/forward"), the parameter "addStandardServlets" in configuration file "./etc/startup_dmz.xml" (on the DMZ server) must be set to "true" for the CommunicationForwardManager .
<Call name="addApplication"> <Arg> <New class="com.ebd.hub.datawizard.app.CommunicationForwardManager">... <!-- Add /dw/Trigger, /dw/Request (also in lowercase) and /partner servlets on demand --> <Call name="addStandardServlets"><Arg type="boolean">true</Arg></Call>... </New> </Arg></Call>The following contexts are activated on the DMZ server with this.
|
/dw/Request /dw/request |
See section HTTP (Input Agent). |
|
/dw/Trigger /dw/trigger |
See section Trigger/External call. |
|
/dw/Trigger |
See section "Trigger/External Call". |
|
/dw/oauth2 |
See section OAuth 2.0 (client). |
|
/dw/cloud |
See section CloudStorage (channel). |
|
/dw/register/oauth2 |
See section OAuth 2.0 (server). |
|
/partner/AS2Retrieve |
Important note: Please note that further settings are required for this, see section "AS2 Handling" below. |
Here too, corresponding forwarding rules must first be defined so that forwarding takes place. Important note: Please note that this is case-sensitive and please define both variants "Request"/"request" and "Trigger"/"trigger".
.../dw/request/*=http://<URL/IP and port inner Integration Server>/dw/request/dw/Request/*=http://<URL/IP and port inner Integration Server>/dw/Request/dw/trigger/*=http://<URL/IP and port inner Integration Server>/dw/trigger/dw/Trigger/*=http://<URL/IP and port inner Integration Server>/dw/Trigger/dw/oauth2/*=http://<URL/IP and port inner Integration Server>/dw/oauth2/dw/cloud/*=http://<URL/IP and port inner Integration Server>/dw/cloud/dw/register/oauth2/*=http://<URL/IP and port inner Integration Server>/dw/register/oauth2/partner/AS2Retrieve/*=http://<URL/IP and port inner Integration Server>/partner/AS2Retrieve...Note: If an HTTPS listener is active on the inner system, forwarding can also take place via HTTPS. However, as the connection from the DMZ server to the inner Integration Server takes place in a protected network section, a second encryption via HTTPS is normally not necessary there.
AS2 handling
AS2 requests can either be handled on the DMZ server or forwarded to the inner Integration Server. A combination of both variants is also possible.
AS2 on DMZ server
Parameter "handleAS2" in configuration file "./etc/startup_dmz.xml" (on DMZ server) is set to "true".
AS2-Service on DMZ server is active.
AS2 requests are forwarded by Message to the inner Integration Server. If the inner Integration Server is (temporarily) unavailable, the messages are buffered (as with FTP, etc.).
AS2 forwarding
Parameter "handleAS2" in configuration file "./etc/startup_dmz.xml" (on DMZ server) is set to "false".
Forwarding for context "/partner/AS2Retrieve" is configured (see instructions above).
All AS2 HTTP requests are forwarded to the inner Integration Server and the inner Integration Server sends MDNs and messages.
AS2 on DMZ server and forwarding
Here you set up AS2 on the DMZ server (see instructions above), but also define a forwarding via the default context "/forward" (see instructions above).
|
/forward/AS2Retrieve/*=http://<URL/IP and port inner Integration Server>/partner/AS2Retrieve |
AS2 requests via the path "/partner/AS2Retrieve/" are then processed on the DMZ server and AS2 requests via the path "/forward/AS2Retrieve/" are forwarded to the inner Integration Server.
Setting up HTTPS (DMZ server)
You can use HTTPS for the communication between the outside client and the DMZ server.
See section Adding an HTTPS listener.
Tunneling HTTP(S) (from DMZ server to inner system)
It is possible to tunnel HTTP(S) requests via the MessageService. To do so, insert the following option into configuration file "./etc/startup_dmz.xml" (on DMZ server) . The forwarding rules must also be set in this case (see above).
<Set name="tunnelHttp">true</Set>