
Using SAP WEBDISPATCHER with Proxy Reverse

former_member4958
Participant
0 Kudos

Hi experts, how are things? Everything is great here.

Here at our company, we have the Enterprise Portal installed and running on version 7.3 SP08. We use Apache with ProxyReverse and SAP WEB Dispatcher for logon balancing, because we have 1 DB+CI and 2 application servers.

Some time ago we started a project to use only the SAP WEBDISPATCHER with Proxy Reverse, because we understand that this software can do both (redirect and logon balancing).

But we have some doubts and I need to ask, if you could help us.

For example: We need to redirect :

FROM: http://server.domanin:port/irj/portal

TO: https://ourwebsite.domain/irj/portal, all in HTTPS protocol.

About the SSL we made the configuration and it is running fine.

Have you ever seen this rule before or configured it?

If you could help us, we would appreciate it.

Thanks

Marcos

Accepted Solutions (1)


isaias_freitas
Advisor
0 Kudos

Hello Marcos,

Yes, you can create redirect rules at the Web Dispatcher.

One example of rule would be:

icm/HTTP/redirect_0 = PREFIX=/, FROMPROT=HTTP, PROT=HTTPS

This will redirect any request arriving through HTTP to HTTPS.

You can check the following SAP Help webpage for more details:

http://help.sap.com/saphelp_nw70ehp3/helpdata/en/48/3d993fb08c72d1e10000000a42189c/frameset.htm

Regards,

Isaías

former_member4958
Participant
0 Kudos

Hi Isaias, nice to know that it is possible to use the WEB DISPATCHER with Proxy Reverse.

But we tried to use this rule, and when we access http://oursite.domain/irj it doesn't change to https://oursite.domain/irj

What should we do? Have you any idea?

Thanks a lot for your help.

Marcos

isaias_freitas
Advisor
0 Kudos

Hello Marcos,

Please note that the Web Dispatcher is not a reverse proxy. What I've stated is that it has a redirect feature.

Please try the following rule instead:

icm/HTTP/redirect_0 = PREFIX=/, FROMPROT=http, PROT=https

If it doesn't work either, please try:

icm/HTTP/redirect_0 = PREFIX=/, FROM=*, FROMPROT=http, PROT=https

Regards,

Isaías

Former Member
0 Kudos

Isaias Freitas wrote:

Please note that the Web Dispatcher is not a reverse proxy. What I've stated is that it has a redirect feature.

Huh? SAP Web Dispatcher certainly is a reverse proxy. It does have a redirect feature, but it definitely conforms to the definition of a reverse proxy.

isaias_freitas
Advisor
0 Kudos

Hello Samuli,

The Web Dispatcher is a load balancer. This is its main functionality.

But it also has some features that are present at a reverse proxy.

And ok, the Web Dispatcher fits the definition of reverse proxy that you've sent, however a reverse proxy usually has much more specific features that are not present at the Web Dispatcher (since it is a load balancer, not a reverse proxy).

Cheers,

Isaías

former_member4958
Participant
0 Kudos

Hi Isaias, thanks a lot for your tips and help.

Our wish is to replace Apache and start using the WEBDISPATCHER with load balancing and proxy_reverse, because our Apache is difficult to understand sometimes, and to keep to the same platform (SAP) and not use third-party software.

I configured in the profile of our SAP WEBDISPATCHER the parameter that you sent to us, but it is not running as we expected.

For your better understanding: We are trying to configure the WEB DISPATCHER to redirect all access from HTTP to HTTPS.

Thanks.

Marcos.

isaias_freitas
Advisor
0 Kudos

Hello Marcos,

I'm sorry, there is an option missing at the parameter I've suggested. You must specify "HOST" whenever you use PORT or PROT. Please try this rule:

icm/HTTP/redirect_0 = PREFIX=/, FROM=*, FROMPROT=http, PROT=https,

                     HOST=<hostname of Web Dispatcher>

Regards,

Isaías

former_member4958
Participant
0 Kudos

Hi Isaias, thanks for your help and sorry for the delay.

We added the information, but it only runs fine over https.

Our wish is that when we access the URL over http, it redirects to https.

Thanks

Marcos

isaias_freitas
Advisor
0 Kudos

Hello Marcos,

The rule I've posted must do the trick:

icm/HTTP/redirect_0 = PREFIX=/, FROM=*, FROMPROT=http, PROT=https,

                     HOST=<hostname of Web Dispatcher>

I've performed several tests, and this rule works.

Can you please paste your Web Dispatcher profile, and give an example of which URL you've accessed through HTTP that didn't get redirected to HTTPS with the above rule in place? (Note that you must replace "<hostname of Web Dispatcher>" with the actual hostname.)

Regards,

Isaías

former_member4958
Participant
0 Kudos

Hi Isaias, thanks so much for helping us.

Below is a part of our WDISP profile.

#-----------------------------------------------------------------------

rdisp/mshost = NAME OF THE SERVER WHERE THE ENTERPRISE IS INSTALLED

ms/http_port = 8102

#-----------------------------------------------------------------------

# Configuration for medium scenario

#-----------------------------------------------------------------------

icm/max_conn = 500

icm/max_sockets = 1024

icm/req_queue_len = 500

icm/min_threads = 10

icm/max_threads = 50

mpi/total_size_MB = 80

#-----------------------------------------------------------------------

# SAP Web Dispatcher Ports

#-----------------------------------------------------------------------

#icm/server_port_0 = PROT=HTTP,HOST=WDISPSERVER,PORT=81$$

#icm/server_port_1 = PROT=HTTP,HOST=localhost,PORT=81$$

#icm/HTTP/admin_0 = PREFIX=/sap/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile),PORT=81$$

#-----------------------------------------------------------------------

# Start webdispatcher

#-----------------------------------------------------------------------

_WD = wd.sap$(SAPSYSTEMNAME)_$(INSTANCE_NAME)

Execute_00 = local rm -f $(_WD)

Execute_01 = local ln -s -f $(DIR_EXECUTABLE)/sapwebdisp$(FT_EXE) $(_WD)

Start_Program_00 = local $(_WD) pf=$(_PF)

icm/server_port_0 = PROT=HTTP,PORT=8102,TIMEOUT=120,PROCTIMEOUT=600

icm/server_port_1 = PROT=HTTPS,PORT=8443,TIMEOUT=120, PROCTIMEOUT=600

icm/HTTP/admin_0 = PREFIX=/sap/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile),PORT=8102

#icm/HTTP/redirect_0 = PREFIX=/,FROMPROT=http, PROT=https, PORT=8443

##icm/HTTP/redirect_0 = PREFIX FROM=/irj/portal/, FROMPROT=HTTP, HOST=OURPAGE.DOMAIN, PORT=8443, PROT=https, TO=/irj/portal

icm/HTTP/redirect_0 = PREFIX=/, FROM=*, FROMPROT=http, PROT=https, HOST=SERVER OF OUR WEBDISPATCHER

wdisp/ssl_encrypt = 0

wdisp/add_client_protocol_header = true

isaias_freitas
Advisor
0 Kudos

Hello Marcos,

You're welcome!

The rule didn't work because your Web Dispatcher is not using the default port for the HTTPS protocol (which is 443). In this case, you also need to use the PORT option. The rule for your case will look like:

icm/HTTP/redirect_0 = PREFIX=/, FROM=*, FROMPROT=http, PROT=https,

                 PORT=8443, HOST=<hostname of Web Dispatcher>

Regards,

Isaías
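
Added example, not part of the original thread and not SAP code: a small Python linter for the two rules stated in the replies above (HOST is required whenever PORT or PROT is used, and PORT is needed when the HTTPS listener is not on 443). It assumes each profile parameter sits on one line; the sample profile is constructed from the fragments posted here and `wdisp.example` is a placeholder hostname.

```python
# Added example: lint icm/HTTP/redirect_<n> rules against the listeners in a profile.
DEFAULT_PORTS = {"http": "80", "https": "443"}

# Constructed sample, modelled on the profile fragments posted in this thread.
# "wdisp.example" is a placeholder hostname.
SAMPLE_PROFILE = """\
icm/server_port_0 = PROT=HTTP,PORT=8102,TIMEOUT=120,PROCTIMEOUT=600
icm/server_port_1 = PROT=HTTPS,PORT=8443,TIMEOUT=120, PROCTIMEOUT=600
#icm/HTTP/redirect_0 = PREFIX=/,FROMPROT=http, PROT=https, PORT=8443
icm/HTTP/redirect_0 = PREFIX=/, FROM=*, FROMPROT=http, PROT=https, HOST=wdisp.example
"""


def parse_profile(text):
    """Return {parameter: {OPTION: value}} for active 'name = K=V, K=V' lines."""
    params = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        name, _, value = line.partition("=")
        opts = {}
        for item in value.split(","):
            key, sep, val = item.strip().partition("=")
            if sep:
                opts[key.strip().upper()] = val.strip()
        params[name.strip()] = opts
    return params


def listener_ports(params):
    """Map protocol (lower case) to the set of ports opened by icm/server_port_<n>."""
    ports = {}
    for name, opts in params.items():
        if name.startswith("icm/server_port_") and "PROT" in opts and "PORT" in opts:
            ports.setdefault(opts["PROT"].lower(), set()).add(opts["PORT"])
    return ports


def lint_redirects(text):
    """Return (parameter, message) findings for the two rules stated in the thread."""
    params = parse_profile(text)
    ports = listener_ports(params)
    findings = []
    for name in sorted(params):
        opts = params[name]
        if not name.startswith("icm/HTTP/redirect_"):
            continue
        # Rule 1: HOST is required whenever PORT or PROT is used.
        if ("PROT" in opts or "PORT" in opts) and "HOST" not in opts:
            findings.append((name, "HOST missing although PROT or PORT is set"))
        # Rule 2: without PORT the redirect goes to the protocol's default port,
        # so a listener must actually exist on the port the redirect targets.
        prot = opts.get("PROT", "").lower()
        if prot:
            target = opts.get("PORT", DEFAULT_PORTS.get(prot))
            if target not in ports.get(prot, set()):
                findings.append((name, f"targets {prot} port {target}, "
                                       f"listeners: {sorted(ports.get(prot, set()))}"))
    return findings


if __name__ == "__main__":
    for param, message in lint_redirects(SAMPLE_PROFILE):
        print(f"{param}: {message}")
```

The check only compares the rule with the Web Dispatcher's own listeners; a port mapping on a device in front of the Web Dispatcher is outside what it can see.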

former_member4958
Participant
0 Kudos

Hello Isaias, thanks again for helping us.

But I don't know why it is not running fine for us.

I configured the tip that you sent, but when I type:

- http://mywebsite.domain/irj/portal it doesn't redirect to https://mywebsite.domain/irj/portal

This redirect is our goal, because we hope to eliminate the Apache and use only the WEBDISPATCHER with logon balance and proxy_reverse, using redirects.

We continue trying to understand how the SAP WEBDISPATCHER runs.

Thanks a lot.

Marcos

isaias_freitas
Advisor
0 Kudos

Hello Marcos,

The rule should look like:

icm/HTTP/redirect_0 = PREFIX=/, FROM=*, FROMPROT=http, PROT=https,

                 PORT=8443, HOST=mywebsite.domain

If you have different hostnames that you can use to reach the Web Dispatcher (like mywebsite.domain, anothersite.domain), and you want the redirects to be applied only for one of the hostnames, you can use the FOR option, like:

icm/HTTP/redirect_0 = PREFIX=/, FROM=*, FOR=mywebsite.domain:*,

                 FROMPROT=http, PROT=https,

                 PORT=8443, HOST=mywebsite.domain

Please refer to the following SAP Help webpage for the documentation of the redirect parameter:

http://help.sap.com/saphelp_nw70ehp3/helpdata/en/48/3d993fb08c72d1e10000000a42189c/frameset.htm

I've already posted it in this thread, I'm posting it here, again, for your convenience.

Regards,

Isaías

former_member4958
Participant
0 Kudos

Hi Isaias, thanks a lot for your help and tips.

Now our redirect is running fine and when I type http://mywebsite.domain:8102/irj/portal it is redirecting to https://mywebsite.domain:8443/irj/portal.

That is great !!

Now, if you can help us, how can I hide the ports?

In our case the users cannot see the port 8443.

Have you ever configured the SAP WEBDISPATCHER to redirect a page and hide the ports?

Thanks

Marcos.

isaias_freitas
Advisor
0 Kudos

Hello Marcos,

You're welcome!

Regarding the ports, it is not possible to hide them.

The only option you would have is to use the default ports (e.g., 80 for HTTP and 443 for HTTPS). Then, the users would not have to specify the ports, as any browser will use the default port if it is not explicitly specified.

Regards,

Isaías

former_member4958
Participant
0 Kudos

Hi Isaias, thanks for your help.

As you told us, it's not possible to change/hide the ports. I made these changes in the profile:

icm/server_port_0 = PROT=HTTP,PORT=8102,TIMEOUT=120,PROCTIMEOUT=600

icm/server_port_1 = PROT=HTTPS,PORT=443,TIMEOUT=120, PROCTIMEOUT=600

icm/HTTP/admin_0 = PREFIX=/sap/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile),PORT=8102

icm/HTTP/redirect_0 = PREFIX=/, FROM=*, FOR=mysite.domain:*, FROMPROT=http, PROT=https, PORT=443, HOST=mysite.domain

The change that I made was from 8443 to 443, but the site stopped running fine.

Have you any idea what's wrong?

Thanks

Marcos.

former_member4958
Participant
0 Kudos

Hi Isaias, to solve the problem with the ports 80 and 443 I followed this SAP Note:

Note 421359 - ICM: Binding ports < 1024 on Unix

After these changes I can access the URLs without ports, but the redirect stopped running fine.

Do you know why?

Thanks

Marcos.

isaias_freitas
Advisor
0 Kudos

Hello Marcos,

Your changes seem fine. Please post the first 50-100 lines of the dev_webdisp trace file, so we can see the initialization information.

Regards,

Isaias

former_member4958
Participant
0 Kudos

Hi Isaias, we made a lot of changes and now we have:

http://serverofwebdispatcher.domain/sap/admin/public/default.html = is running fine

http://myportal.domain/irj/portal = running over port 80 and here the user cannot see the port

https://myportal.domain/irj/portal = running over port 443 and here the user cannot see the port

The profile is:

icm/server_port_0 = PROT=HTTP,PORT=80,TIMEOUT=120,PROCTIMEOUT=600,EXTBIND=1

icm/server_port_1 = PROT=HTTPS,PORT=443,TIMEOUT=120, PROCTIMEOUT=600,EXTBIND=1

icm/HTTP/admin_0 = PREFIX=/sap/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile),PORT=80

icm/HTTP/redirect_0 = PREFIX=/, FROM=*, FOR=myportal.domain:*, FROMPROT=http, PROT=https, PORT=443, HOST=myportal.domain

Thanks

Marcos.

isaias_freitas
Advisor
0 Kudos

Hello Marcos,

1) Note that the "HOST" option of the redirect parameter should point to the server of the Web Dispatcher itself. Otherwise, the requests will start to go to the backend system directly, bypassing the Web Dispatcher;

2) Clarify what is not working now;

3) You didn't post the first 50-100 lines of the dev_webdisp.

Cheers,

Isaias

former_member4958
Participant
0 Kudos

Hi Isaias, thanks for your help.

Answering your points/questions:

1 - I made the changes and it was:

---> icm/HTTP/redirect_0 = PREFIX=/, FROM=*, FOR=mysite.domain:*, FROMPROT=http, PROT=https, PORT=443, HOST=host of web disp.domain

2 - First, when in icm/server_port_0 = PROT=HTTP, PORT= **, was with the value 8102 and icm/server_port_1 = PROT=HTTPS,PORT=8443, it was redirecting fine, but in HOST= I was using the value "mysite.domain" and as you told in the first point, it must be our SAP WEBDISPATCHER server. I really understood that it was working fine, but the URL wasn't going through the WEBDISPATCHER.

After this I made this change:

icm/server_port_0 = PROT=HTTP,PORT=8003,TIMEOUT=120,PROCTIMEOUT=600,EXTBIND=1

icm/server_port_1 = PROT=HTTPS,PORT=8443,TIMEOUT=120, PROCTIMEOUT=600,EXTBIND=1

icm/HTTP/admin_0 = PREFIX=/sap/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile),PORT=8003

icm/HTTP/redirect_0 = PREFIX=/, FROM=*, FOR=mysite.domaint:*, FROMPROT=http, PROT=https, PORT=8443, HOST=host of webdisp.domain

And when I call http://mysite.domain:8003/irj it shows us that the certificate was not generated for the "host of webdisp.domain".

When I try to access the https://mysite.domain:8443/irj it runs fine.

Below are the lines of our dev_wdisp:

[Thr 140482854020960] Fri Aug 30 08:00:00 2013

[Thr 140482854020960] started security log to file ./dev_icm_sec

[Thr 140482854020960] SigISetDefaultAction : default handling for signal SIGCHLD

[Thr 140482854020960] SAP Web Dispatcher running on: brjgs854

[Thr 140482854020960] MtxInit: 30001 0 2

[Thr 140482854020960] ***LOG IM1=> IcmInit, Startup (SAP Web Dispatcher&hostofwebdispatcher&19215&) [icxxrout_mt. 1931]

[Thr 140482854020960] IcmInit: listening to admin port: 64998

[Thr 140482854020960] MPI: dynamic quotas disabled.

[Thr 140482854020960] MPI init: pipes=4000 buffers=1279 reserved=383 quota=10%

[Thr 140482854020960] CCMS: Initalized shared memory of size 40000000 for monitoring segment.

[Thr 140482854020960] CCMS: Checking Downtime Configuration of Monitoring Segment.

[Thr 140482854020960] IcrCoreInitSessionTable: Session table initialized

[Thr 140482707101440] HttpISubHandlerAdd: Added handler HttpRedirectHandler(0x7fc4a8000fe0), slot=0, flags=4098) for /, active: 1, table 0x7fc4a8000a70

[Thr 140482707101440] HttpExtractArchive: files from archive /usr/sap/WE0/SYS/exe/nuc/linuxx86_64/wdispadmin.SAR in directory /usr/sap/WE0/W01/data/icmandir are up to date

[Thr 140482707101440] HttpAdmHandlerInit: admin restricted to the port(s): 80

[Thr 140482707101440] HttpISubHandlerAdd: Added handler HttpAdminHandler(0x7fc4a8001210), slot=1, flags=36869) for /sap/admin, active: 1, table 0x7fc4a8000a70

[Thr 140482707101440] HttpISubHandlerAdd: Added handler HttpModHandler(0x7fc4a8001550), slot=2, flags=12293) for /, active: 1, table 0x7fc4a8000a70

[Thr 140482707101440] CsiInit(): Initializing the Content Scan Interface

[Thr 140482707101440]            AMD/Intel x86_64 with Linux (mt,ascii,SAP_CHAR/size_t/void* = 8/64/64)

[Thr 140482707101440] CsiInit(): CSA_LIB = "/usr/sap/WE0/SYS/exe/nuc/linuxx86_64/libsapcsa.so"

[Thr 140482707101440] HttpISubHandlerAdd: Added handler HttpAuthHandler(0x7fc4a8001690), slot=3, flags=12293) for /, active: 1, table 0x7fc4a8000a70

[Thr 140482707101440] HttpISubHandlerAdd: Added handler HttpWebDispHandler(0x7fc4a80087a0), slot=4, flags=1060869) for /, active: 1, table 0x7fc4a8000a70

[Thr 140482854020960] Started service PORT=80,PROT=HTTP,TIMEOUT=120,PROCTIMEOUT=600,EXTBIND=1

[Thr 140482707101440] =================================================

[Thr 140482707101440] = SSL Initialization    platform tag=(linuxx86_64_gcc43)

[Thr 140482707101440] =   (720_REL,Dec 17 2011,mt,ascii,SAP_UC/size_t/void* = 8/64/64)

[Thr 140482707101440]   profile param "ssl/ssl_lib" = "/usr/sap/WE0/SYS/exe/nuc/linuxx86_64/libsapcrypto.so"

[Thr 140482707101440]            resulting Filename = "/usr/sap/WE0/SYS/exe/nuc/linuxx86_64/libsapcrypto.so"

[Thr 140482707101440] =   found SAPCRYPTOLIB  5.5.5C pl32  (Apr  2 2011) MT-safe

[Thr 140482707101440] =   current UserID: "we0adm",  env-var USER="we0adm"

[Thr 140482707101440] =   found SECUDIR environment variable

[Thr 140482707101440] =   using SECUDIR=/usr/sap/WE0/W01/sec

[Thr 140482707101440]   profile param "ssl/server_pse" = "/usr/sap/WE0/W01/sec/SAPSSLS.pse"

[Thr 140482707101440]            resulting Filename = "/usr/sap/WE0/W01/sec/SAPSSLS.pse"

[Thr 140482707101440] =  secudessl_Create_SSL_CTX():  PSE "/usr/sap/WE0/W01/sec/SAPSSLC.pse" not found,

[Thr 140482707101440] =      using PSE "/usr/sap/WE0/W01/sec/SAPSSLS.pse" as fallback

[Thr 140482707101440] =  secudessl_Create_SSL_CTX():  PSE "/usr/sap/WE0/W01/sec/SAPSSLA.pse" not found,

[Thr 140482707101440] =      using PSE "/usr/sap/WE0/W01/sec/SAPSSLS.pse" as fallback

[Thr 140482707101440] ******** Warning ********

[Thr 140482707101440] *** No SSL-client PSE "SAPSSLC.pse" available

[Thr 140482707101440] *** -- this will probably limit SSL-client side connectivity

[Thr 140482707101440] ********

[Thr 140482707101440] = Success -- SapCryptoLib SSL ready!

[Thr 140482854020960] Started service PORT=443,PROT=HTTPS,TIMEOUT=120,PROCTIMEOUT=600,EXTBIND=1,VCLIENT=0

[Thr 140482854020960] SSL settings: verify_client: 0, cache_size: -1, cache_lifetime: -1, credfile: SAPSSLS.pse, ciphers: default

[Thr 140482854020960] SigISetDefaultAction : default handling for signal SIGCHLD

[Thr 140482854020960] IcmCreateWorkerThreads: created worker thread 0

[Thr 140482854020960] IcmCreateWorkerThreads: created worker thread 1

[Thr 140482854020960] IcmCreateWorkerThreads: created worker thread 2

[Thr 140482854020960] IcmCreateWorkerThreads: created worker thread 3

[Thr 140482854020960] IcmCreateWorkerThreads: created worker thread 4

[Thr 140482854020960] IcmCreateWorkerThreads: created worker thread 5

[Thr 140482854020960] IcmCreateWorkerThreads: created worker thread 6

[Thr 140482854020960] IcmCreateWorkerThreads: created worker thread 7

[Thr 140482854020960] IcmCreateWorkerThreads: created worker thread 8

[Thr 140482854020960] IcmCreateWorkerThreads: created worker thread 9

[Thr 140482707101440] IcmWatchDogThread: watchdog started

Thanks

Marcos

former_member4958
Participant
0 Kudos

Hi Isaias, doing other tests, we saw that when we change the port 8002 to 80 and 8443 to 443, it shows us some Unauthorized error.

Redirect fine:

icm/server_port_0 = PROT=HTTP,PORT=8002

icm/server_port_1 = PROT=HTTPS,PORT=8443

Doesn't run fine:

icm/server_port_0 = PROT=HTTP,PORT=80

icm/server_port_1 = PROT=HTTPS,PORT=443

Have you ever seen this before?

Thanks

Marcos.

isaias_freitas
Advisor
0 Kudos

Hello Marcos,

"host of web disp.domain" and "mysite.domain" should point to the same server, where the Web Dispatcher is running at.

Otherwise, how would you expect that the request going to "mysite.domain" would reach the Web Dispatcher? Note that your end users only need to connect to the Web Dispatcher. They don't need to have direct access to the system behind the Web Disp.

And changing the Web Disp. ports will not interfere with the redirect behavior, as long as you adjust the "PORT" option of the redirect parameter accordingly.

Regards,

Isaías

former_member4958
Participant
0 Kudos

Hi Isaias, thanks for your help.

It sounds weird that the SAPWEBDISPATCHER and the Enterprise Portal (our website) should be on the same server.

We expect and know that our end users mustn't access the default URL and only the website that we are configuring.

I am going to configure a SAPWEBDISPATCHER in the same server of our Enterprise Portal and will tell you the result.

Thanks Isaias for helping us with this configuration.

Marcos.

isaias_freitas
Advisor
0 Kudos

Hello Marcos,

You misunderstood the information I've sent.

I did not mean that you must run the Web Dispatcher at the same server as the Enterprise Portal.

What I meant is that your users must use a URL that points to the Web Dispatcher, and that the HOST option of the redirect parameter must point to the Web Dispatcher itself.

Your end users should never need to access/know the URL that points directly to the Portal, they must always use the URL that points to the Web Dispatcher.

Regards,

Isaias

former_member4958
Participant
0 Kudos

Hi Isaias, thanks for your explanation and sorry for the misunderstanding.

But in our case, the SAP WEBDISPATCHER is installed in server A, the Enterprise Portal in server B (http://ourserver.domain:50000/irj).

Our DNS http://mywebsite.domain/irj is configured to the server A and I mean that you've said in our case it is correct, where the end users will access this URL.

But we don't know why the port 80 doesn't run fine. This is our doubt.

Could you explain to us why?

Thanks

Marcos.

isaias_freitas
Advisor
0 Kudos

Hello Marcos,

I would need a trace level 3 from the Web Dispatcher (e.g., increase its trace level to 3, simulate the issue, decrease its trace level back to 1, I need all the information captured while the trace level was 3) to see why it is not working.

Note that at trace level 3 the complete HTTP content will be visible (e.g., hostnames, URLs, HTTP headers, etc.).

Regards,

Isaías

former_member4958
Participant
0 Kudos

Hi Isaias, thanks for your help.

What we did: We removed the "FOR=myweglab.weg.net:*" from the profile and now the redirect is running fine. I mean that you don't need the logs with trace level 3.

Now the rule is:

icm/HTTP/redirect_0 = PREFIX=/, FROM=*, FROMPROT=http, PROT=https, PORT=443, HOST=myweglab.weg.net

Now when I type http://mywebsite.domain:80/irj it redirects to https://mywebsite.domain/irj/portal.

I think that this problem is solved and if you have any question, feel free to ask.

Thanks a lot for helping us with this big issue.

Marcos

isaias_freitas
Advisor
0 Kudos

Hello Marcos,

You're welcome! And thanks for updating this thread with the solution.

Regards,

Isaías

Answers (1)


bxiv
Active Contributor
0 Kudos

The web dispatcher supports SSL in two ways:

  1. SSL to the web dispatcher and then it flips over to HTTP for internal traffic only.
  2. SSL to the web dispatcher, which will decrypt to read the needed information and then re-encrypt for internal traffic.

It's common practice for most companies to do this, whether it's a web dispatcher or a hardware load balancer, etc.