How does the service proxy work with the Nginx reverse proxy?
In iPortal, you can use the service proxy and a reverse proxy together to give the portal and its services two layers of protection. The reverse proxy protects the iPortal portal platform itself: Nginx receives requests from clients and forwards them, so it acts as the server externally and clients are not aware of the other servers on the internal network, which protects those internal servers. The iPortal service proxy protects the services registered or hosted in iPortal: it provides portal-level service access control and maps each original service address to a proxied service address, so that authorized users can access only the proxied service address and the original service address stays protected.
The following describes in detail how to use the service proxy with the Nginx reverse proxy. First, make sure that the service proxy function is enabled on your iPortal. For the configuration details, refer to: Service Proxy Configuration.
Next, you need to configure the Nginx reverse proxy server.
Here we take Windows as an example. Start nginx command:
start nginx
Exit nginx command:
nginx -s quit
Open the [nginx installation directory]\conf\nginx.conf file and modify the server node under the http node:
server {
    listen 80;
    server_name www.myiportal.com;
    # Requests for the portal itself are forwarded to iPortal.
    location / {
        proxy_pass http://192.168.120.52:8090/;
        proxy_set_header Host $host:80;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    # Requests for proxied services are forwarded to the service proxy port.
    location /portalproxy/ {
        proxy_pass http://192.168.120.52:8195;
        proxy_set_header Host $host:80;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
Save the above changes and restart nginx so that they take effect. The restart command is as follows:
nginx -s reload
If you need to configure the reverse proxy for multiple iPortals or multiple iServers, you can configure multiple server nodes in nginx.conf.
Note: If a service was already proxied by Nginx before it was registered in iPortal, it is recommended to set the Host parameter as: Host $http_host, so that the service remains accessible when the iPortal service proxy is on.
If you need to match multiple service addresses, you can configure multiple locations in nginx.conf.
By default, Nginx limits the size of a single file that a client may send in a request to 1m. If users access iPortal through the Nginx proxy and upload large data files to the portal, 1m is not enough. It is recommended to change it to 1024m, which allows a data file of up to 1024m to be uploaded at a time. You can also set it according to specific business needs. To do so:
Open the [Nginx installation path]\conf\nginx.conf file and add the following line under the http node:
client_max_body_size 1024m;
client_max_body_size: the maximum size of a client request that the server allows, in megabytes. If a request carries more data than the value set in client_max_body_size, Nginx responds with HTTP error 413: "Request Entity Too Large", so increase the parameter value when you upload large amounts of data.
Note: If iPortal still freezes when uploading large data files after you complete the above configuration, set client_max_body_size and keepalive_timeout under the http node to larger values. For details, see: FAQ.
To use Nginx to proxy the services of iPortal (when the service proxy is on) and hide the port of the service proxy, you also need to configure the iportal.xml file in the [SuperMap iPortal installation directory]\webapps\iportal\WEB-INF folder. Open the configuration file and add a <proxyServerRootUrl> node under the <serviceProxy> node to set the root address of the Nginx reverse proxy. Since the Host in the proxied service address can be shown either as a domain name or as an IP, there are two ways to configure the <proxyServerRootUrl> node:
Method 1: Domain format
<serviceProxy>
    <enable>true</enable>
    <port>8195</port>
    <proxyServerRootUrl>http://www.myiportal.com[:port]</proxyServerRootUrl>
    <httpConnPoolInfo>
        <maxTotal>20</maxTotal>
        <defaultMaxPerRoute>2</defaultMaxPerRoute>
    </httpConnPoolInfo>
</serviceProxy>
Method 2: IP format
<serviceProxy>
    <enable>true</enable>
    <port>8195</port>
    <proxyServerRootUrl>http://{ProxyHost}[:port]</proxyServerRootUrl>
    <httpConnPoolInfo>
        <maxTotal>20</maxTotal>
        <defaultMaxPerRoute>2</defaultMaxPerRoute>
    </httpConnPoolInfo>
</serviceProxy>
After configuration, restart iPortal.
Note: For both methods above, [:port] represents the Nginx service port. If you leave it empty, the default port number 80 is used.
After the above configuration, you can access iPortal through the Nginx service address, for example by IP at http://192.168.120.40:80, or by the domain name http://www.myiportal.com:80 in your actual business, where the default port 80 can be omitted. Use the same address to access the services in iPortal.
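The two files configured above have to agree with each other, or proxied service addresses will point somewhere Nginx does not forward. The following check is an added example, not part of the SuperMap documentation or product: the function name check_consistency and both sample inputs are constructed for illustration, and it covers Method 1 (domain format) with an http root URL.

```python
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample inputs mirroring the configuration on this page.
NGINX_CONF = """
server {
    listen 80;
    server_name www.myiportal.com;
    location / {
        proxy_pass http://192.168.120.52:8090/;
    }
    location /portalproxy/ {
        proxy_pass http://192.168.120.52:8195;
    }
}
"""
IPORTAL_XML = """<serviceProxy>
  <enable>true</enable>
  <port>8195</port>
  <proxyServerRootUrl>http://www.myiportal.com</proxyServerRootUrl>
</serviceProxy>"""


def check_consistency(nginx_conf, service_proxy_xml):
    """Return a list of mismatches between nginx.conf and <serviceProxy>."""
    problems = []
    sp = ET.fromstring(service_proxy_xml)
    root = urlsplit(sp.findtext("proxyServerRootUrl", "").strip())
    sp_port = int(sp.findtext("port", "0"))

    listen = re.search(r"^\s*listen\s+(\d+)\s*;", nginx_conf, re.M)
    names = re.search(r"^\s*server_name\s+([^;]+);", nginx_conf, re.M)
    loc = re.search(r"location\s+/portalproxy/\s*\{[^}]*?proxy_pass\s+(\S+?);", nginx_conf)

    if sp.findtext("enable", "").strip() != "true":
        problems.append("service proxy is not enabled")
    # An empty port in the root URL means the default port 80, as noted above.
    if not listen or int(listen.group(1)) != (root.port or 80):
        problems.append("proxyServerRootUrl port differs from nginx listen port")
    if not names or root.hostname not in names.group(1).split():
        problems.append("proxyServerRootUrl host is not an nginx server_name")
    if not loc:
        problems.append("no /portalproxy/ location with proxy_pass")
    elif urlsplit(loc.group(1)).port != sp_port:
        problems.append("/portalproxy/ upstream port differs from <port>")
    return problems
```

An empty list means the Nginx server node and the <serviceProxy> node describe the same public address and the same service proxy port.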