Hello,
we have an Apache http server, version 2.2, configured as reverse proxy in front of some SAP web dispatcher instances.
The reverse proxy should send the requests, which it actually gets for three different domains, to the proper web dispatcher instance.
We use the reverse proxy because all domains should be available on the standard https port 443, or on port 80 for http connections. I know we can solve this with different web dispatchers on different hosts, but because the domain names are all for the same SAP system in the background, we want to avoid this solution.
Another reason for the reverse proxy is to send requests to different web dispatchers depending on the path in the URL. But this is not active at the moment.
For example:
https://sconnect.example.com/sgui -> webdispatcher1 connect to the production system
https://sconnect.example.com/sguitest -> webdispatcher connect to the test system
The problem we are actually working on is that we can choose whether we want to operate the SAP http GUI with a security problem or without the possibility to log in.
If we connect directly to the web dispatcher with the fqdn (fully qualified domain name), everything works fine. If we put this fqdn in the remote proxy configuration and connect via the reverse proxy, the user gets the login screen and can enter his username and password. When the user continues to log in, he doesn't get the http GUI masks. What the user gets is the login screen again, as often as he tries to log in.
If we put the hostname of the web dispatcher in the reverse proxy configuration instead of the fqdn, the user can log in, but must enter his username and password in a pop-up (where he, depending on the browser, can save the username and password combination) and gets an error message (SSO ticket cookie problem, which can be solved with the fqdn). But we want neither the message nor the pop-up.
Example of the reverse proxy configuration part:
with fqdn:
Because of the laziness of the users, we see a security problem in the pop-up. The one person who should be able to log in saves the username and password, and every trainee can access the SAP system.
Has anyone of you had the same or similar problems, and how did you solve them?
What have you done to solve requirements like the one I described above? What would be your solution if you have a system landscape like this?
Best Regards
Jan Hormann