How the service proxy works with Nginx reverse proxy?

In iPortal, you can use service proxy and reverse proxy together to provide double protection for the security of the portal and services. The reverse proxy mechanism is used to protect the security of the iPortal portal platform. As the reverse proxy, Nginx is responsible for receiving and forwarding requests from the client. It acts as a server externally, and the client does not know the existence of other servers in the internal network, so the internal network servers can be protected. While the iPortal service proxy mechanism is used to secure the registered/hosted services in iPortal by providing portal-level service access control, establishing a mapping between the original service address and the proxied service address, so that authorized users can only access the proxied service address, thus the original service address is protected.

The following will introduce in detail how to use service proxy with Nginx reverse proxy. First of all, please make sure that the service proxy function is enabled on your iPortal. For specific configuration information, please refer to: Service Proxy Configuration.

Next, you need to configure the Nginx reverse proxy server.

Start Nginx

Here we take Windows as an example:

1. Unzip nginx to the specified directory
2. In the root directory of nginx, start nginx by the following command:

start nginx

Exit nginx command:

nginx –s quit

3. Verify nginx starts normally via one of the following ways:

• Open the task manager and check whether the nginx process has started.
• Open the browser, access http://127.0.0.1 or http://localhost, the page shows "Welcome to nginx!".

Configure Nginx

Open [nginx installation directory]\conf\nginx.conf file, modify the server node under http node:

server {

        listen       80;

        server_name  www.myiportal.com;

        location /{

            proxy_pass   http://192.168.120.52:8090/;

            proxy_set_header Host $host:80;

            proxy_set_header X-Read-IP $remote_addr;

            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        }

        location /portalproxy/ {

            proxy_pass   http://192.168.120.52:8195;

            proxy_set_header Host $host:80;

            proxy_set_header X-Read-IP $remote_addr;

            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        }

• Listen: Sets the listening port of the reverse proxy site, the default is 80.
• server_name: The reverse proxy server name, usually uses the domain of the reverse proxy server.
• proxy_pass: Sets the address of the site to be forwarded, which can be in the form of an IP address or a domain name. There are two site addresses that need to be forwarded in the example, namely the portal address of iPortal: http://192.168.120.52:8190/, and the service proxy root address: http://192.168.120.52:8195.
• proxy_set_header: Sets the request header used to forward the request. Syntax format: proxy_set_header Field Value. Specific settings are as follows:
• Host: The request header field, corresponding value $host:80. Used to transfer the server name and proxy server port.
• X-Read-IP: A custom variable name, corresponding value $remote_addr. Used to obtain the real client IP, not the IP of the Nginx server.
• X-Forwarded-For(optional): The corresponding value is $proxy_add_x_forwarded_for. When two or more Nginx servers are used for reverse proxy, it is used to obtain the real client IP and Nginx server IP to ensure normal communication between proxy servers.

Save the above changes and restart nginx to make it effective. The restart command is as follows:

nginx -s reload

If you need to configure the reverse proxy for multi-iPortals or multi-iServers, you can configure multiple server nodes in nginx.conf.

Note: To ensure the accessibility of the services registered in iPortal when the iPortal service proxy is on, which had been proxied by Nginx service before registration, it's recommended to set the Host parameter as: Host $http_host.

If you need to match multiple service addresses, you can configure multiple locations in nginx.conf.

Configure the maximum number of bytes of a single file that Nginx allows the client to request

By default, Nginx allows the client to request the maximum single file byte size of 1m. If the user accesses iPortal through the Nginx proxy and uploads a large data file to the portal, 1m is not enough at this time. It is recommended to modify it to 1024m, that is It is allowed to upload a data file with a size of up to 1024m at a time. You can also configure it according to specific business needs. Specific operation:

Open the [Nginx installation path]\conf\nginx. conf file and add the following line of code under the HTTP node:

client_max_body_size 1024m;

client_max_body_size: Indicates the maximum allowable size of the server requested by the client, in megabytes. If the amount of data requested is greater than the value set in client_max_body_size, the HTTP protocol will report error 413: "Request Entity Too Large", so when the amount of data you upload is large, you need to increase the parameter value.

Note: If after completing the above configuration, iPortal still freezes when uploading files with a large amount of data, you need to continue to modify the content of client_max_body_size and keepalive_timeout under the http node to set larger values. For details, see:FAQ.

Configure iPortal

To use the Nginx to proxy the services of iPortal(when the service proxy is on) and hide the port of the service proxy, you also need to configure the iportal.xml file in the [SuperMap iPortal installation directory]\webapps\iportal\WEB-INF folder. Open the configuration file, add a <proxyServerRootUrl> node under the <serviceProxy> node to set the root address of the Nginx reverse proxy. Since there are two ways to display the Host in the proxy service address: domain name or IP, there are two ways to configure the <proxyServerRootUrl> node:

Method 1: Domain format

<serviceProxy>

    <enable>true</enable>  

    <port>8195</port>  

    <proxyServerRootUrl>http://www.myiportal.com[:port]</proxyServerRootUrl>  

    <httpConnPoolInfo>

      <maxTotal>20</maxTotal>  

      <defaultMaxPerRoute>2</defaultMaxPerRoute>

    </httpConnPoolInfo>

  </serviceProxy>

Method 2: IP format

<serviceProxy>

    <enable>true</enable>  

    <port>8195</port>  

    <proxyServerRootUrl>http://{ProxyHost}[:port]</proxyServerRootUrl>  

    <httpConnPoolInfo>

      <maxTotal>20</maxTotal>  

      <defaultMaxPerRoute>2</defaultMaxPerRoute>

    </httpConnPoolInfo>

  </serviceProxy>

After configuration, restart iPortal.

Note: For the two above methods, [:port] represents the Nginx service port. If you leave it empty, it uses the default port number: 80.

Access iPortal and the services of iPortal

After the above configurations, you can access the iPortal service via the address of the Nginx service address, for example: using ip http://192.168.120.40:80, or using the domain name http://www.myiportal.com:80 in your actual business, where the default port 80 can be hidden. To access the services in iPortal, using the same access address.