Hitachi

uCosminexus Application Server Security Management Guide


3.3.1 Deployment of reverse proxies

This section describes a configuration that uses a NIO HTTP server and a reverse proxy.

When a NIO HTTP server is used in a system connected to the Internet, always set up a demilitarized zone (DMZ) and deploy a reverse proxy in it, so that the NIO HTTP server is never exposed to the Internet directly. Standard configuration examples are shown below.

(1) System configuration features

In this configuration, the reverse proxy server is deployed in a DMZ between the Web browsers and the application server.

The following figure shows an example of a configuration that uses a NIO HTTP server with a reverse proxy deployed in a DMZ.

Figure 3‒4: Example of a configuration that uses a NIO HTTP server with a reverse proxy deployed in a DMZ

[Figure]

For other examples, see 3.2 Description of the system configuration in the uCosminexus Application Server System Design Guide.

Features
  • Only the reverse proxy server accesses the application server, preventing direct access to it from Web browsers.

  • Usually, static content such as HTML is not placed on the reverse proxy server; it is held on the application server and delivered to the browser through the proxy.

Flow of requests

Client access to servlets and JSPs passes through the Web server that contains the reverse proxy module, which forwards the request to the NIO HTTP server on the application server.

A load-balancing cluster can be built by placing a load balancer (layer 5 switch) in front of the reverse proxy servers and another in front of the application servers.

The next figure shows an example of a load-balancing cluster configuration with reverse proxies deployed in a DMZ.

Figure 3‒5: Example of a configuration that uses NIO HTTP servers with reverse proxies deployed in a DMZ (in the case of a load-balancing cluster configuration)

[Figure]

For other examples, see 3.2 Description of the system configuration in the uCosminexus Application Server System Design Guide.

Features
  • Only the reverse proxy servers access the application servers, preventing direct access to them from Web browsers.

  • Usually, static content such as HTML is not placed on the reverse proxy servers; it is held on the application servers and delivered to the browser through the proxies.

  • Scalability and availability are improved because load is distributed across multiple reverse proxy servers and across multiple application servers.

Flow of requests

Client access to servlets and JSPs passes through the first load balancer, one of the Web servers containing a reverse proxy module, and then the second load balancer before reaching an application server.

For access from Web browsers, the first load balancer distributes requests across the two reverse proxy servers. For access from the reverse proxy servers, the second load balancer distributes requests across the two application servers. The second load balancer also maintains HTTP session affinity (sticky sessions), so that all requests belonging to one session are delivered to the same application server.

Note that when HTTPS is used, an SSL accelerator must be installed in front of the first load balancer. TLS is terminated there, so the load balancers, the reverse proxy servers, and the application servers handle plain HTTP.

(2) Software required for each machine and processes to be started

This section describes the software that must be installed on each machine and the processes that must be running.

(a) Reverse proxy server machines

Install Cosminexus HTTP Server on the reverse proxy server machines.

The following process must always be running:

  • Web servers

Each Web server must have the reverse proxy module incorporated.
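The properties listed in (1) depend on how the reverse proxy module on each Web server is configured: it must forward only to the application servers (or to the second load balancer), it must not act as an open forward proxy that relays arbitrary requests from the Internet into the internal network, and it must not leak the application server's internal address back to the browser. The following script is an added example, not Hitachi code, that audits such a configuration offline. It assumes the Cosminexus HTTP Server reverse proxy module accepts the standard Apache mod_proxy directives (ProxyRequests, ProxyPass, ProxyPassReverse); the addresses, paths and both sample configurations are constructed for the example.

```python
"""Audit a reverse proxy configuration for the DMZ properties in this section.

Added example, not part of the uCosminexus documentation.  Assumes the reverse
proxy module uses Apache mod_proxy directives; all hosts and paths are constructed.
"""
from urllib.parse import urlparse

# Backends the DMZ proxy may forward to: the NIO HTTP server on each application
# server (single configuration) or the virtual address of the second load
# balancer (load-balancing cluster).  Constructed values.
ALLOWED_BACKENDS = {"10.0.2.10:8080", "10.0.2.11:8080", "10.0.2.100:8080"}

# Constructed sample: a configuration that satisfies the checks below.
GOOD_CONF = """
# Forward only to the configured backends; never act as an open forward proxy.
ProxyRequests Off
ProxyPreserveHost On
# Servlets and JSPs are served by the application servers behind the second LB.
ProxyPass        /app/ http://10.0.2.100:8080/app/
ProxyPassReverse /app/ http://10.0.2.100:8080/app/
"""

# Constructed sample containing the mistakes the audit is meant to catch.
BAD_CONF = """
ProxyRequests On
ProxyPass /app/ http://10.0.2.100:8080/app/
ProxyPass /static/ http://192.168.50.5:80/
"""


def parse_directives(conf):
    """Return (name, args) tuples for each directive, skipping blanks and comments."""
    out = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        out.append((parts[0], parts[1:]))
    return out


def audit(conf, allowed_backends=ALLOWED_BACKENDS):
    """Return a list of findings; an empty list means the configuration passes."""
    findings = []
    directives = parse_directives(conf)
    values = {name.lower(): args for name, args in directives}

    # 1. ProxyRequests must be explicitly Off.  With forward proxying enabled a
    #    DMZ host relays requests from any client to any host it can reach.
    pr = values.get("proxyrequests")
    if pr is None or pr[0].lower() != "off":
        findings.append("ProxyRequests must be set to Off")

    passes = {}
    reverses = set()
    for name, args in directives:
        if name.lower() == "proxypass" and len(args) >= 2 and args[1] != "!":
            passes[args[0]] = args[1]
        elif name.lower() == "proxypassreverse" and len(args) >= 2:
            reverses.add(args[0])

    for path, target in passes.items():
        # 2. Every target must be an application server or the second load
        #    balancer; anything else bypasses the intended request flow.
        u = urlparse(target)
        default_port = 443 if u.scheme == "https" else 80
        hostport = u.netloc if ":" in u.netloc else f"{u.netloc}:{default_port}"
        if hostport not in allowed_backends:
            findings.append(f"ProxyPass {path} forwards to unapproved backend {hostport}")
        # 3. Without ProxyPassReverse, Location headers sent by the application
        #    server expose its internal address to the browser.
        if path not in reverses:
            findings.append(f"ProxyPass {path} has no matching ProxyPassReverse")
    return findings


if __name__ == "__main__":
    for label, conf in (("good", GOOD_CONF), ("bad", BAD_CONF)):
        print(label, audit(conf) or "OK")
```

Run against GOOD_CONF the audit reports nothing; against BAD_CONF it reports the open forward proxy, the unapproved 192.168.50.5 backend, and the two missing ProxyPassReverse entries. The allowed-backend set is the part to adapt: in the single configuration it lists the NIO HTTP server address of each application server, in the load-balancing cluster it lists the second load balancer's virtual address.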

(b) Application server machines, management server machine, and client machine

The software and processes required on the application server machines, the management server machine, and the client machine are the same as those for system configurations that use servlets and JSPs as access points. For details, see 3.4.2 Configuration where servlets and JSPs are used as access points (when accessing the NIO HTTP server directly) in the uCosminexus Application Server System Design Guide.