Using iptables PREROUTING NAT Instead of HTTP Proxy for Redirecting Port 443 to 8443 in ArcGIS Enterprise

3 weeks ago
JPBogado
New Contributor

Hello everyone,

I’m currently configuring an ArcGIS Enterprise environment on an Oracle Linux server with a single-machine deployment where both the Portal and Server are deployed on the same Tomcat instance. By default, Tomcat handles HTTPS traffic on port 8443. However, to simplify access, I want to redirect HTTPS traffic from the standard port 443 to Tomcat’s 8443.

Instead of using a traditional HTTP proxy (like Apache or Nginx) as suggested in the documentation, I'm considering using iptables with a PREROUTING NAT rule to achieve this port redirection.

My current iptables configuration is as follows:

iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443

This approach seems to work for redirecting traffic, but I'm curious about the potential implications or limitations compared to using an HTTP proxy. Specifically:

  1. Are there any known issues or performance considerations when using iptables NAT for port redirection in an ArcGIS Enterprise setup?
  2. What advantages might I be missing by not using a dedicated HTTP proxy for this purpose?
  3. Could this approach affect SSL/TLS management or impact other ArcGIS Enterprise components?

Given that this is a single-machine deployment on Oracle Linux with both Portal and Server on the same Tomcat server, I would appreciate any insights or experiences that others have had with similar setups.

Thanks in advance!


Accepted Solutions
JonathanEpstein
Occasional Contributor

@JPBogado I urge you (for reasons having little to do with Esri, but only as a modern best-practice) to avoid iptables and instead use a firewalld-based solution such as Esri uses in their cookbooks. See:

https://github.com/Esri/arcgis-cookbook/tree/main/cookbooks/esri-tomcat

and drilling down, use the port-forwarding shown at https://github.com/Esri/arcgis-cookbook/blob/main/cookbooks/esri-tomcat/recipes/firewalld.rb#L46

My team has wrapped Ansible playbooks around these Chef cookbooks, and it works very well for us. Unfortunately we have too many custom and proprietary bits to share these Ansible playbooks anytime soon.
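The firewalld equivalent of the iptables REDIRECT rule from the question, as an added example that is neither from this thread nor from the Esri cookbook: it prints the persistent forward-port commands and checks the rule in `firewall-cmd --list-forward-ports` output. The zone name `public` and the sample output are assumptions.

```shell
#!/bin/sh
# Added example, not the thread's or Esri's code. Zone "public" is assumed;
# adjust it to the zone bound to the server's external interface.
ZONE=public
FROM_PORT=443
TO_PORT=8443

# Print the firewalld commands that replace
#   iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-port 8443
# --permanent writes the rule under /etc/firewalld so it survives a reboot
# (a bare iptables rule is lost on reboot unless saved separately);
# --reload applies the stored rule to the running configuration.
# Like the iptables rule, this forward sits in PREROUTING and only affects
# packets arriving on a network interface: connections the host makes to
# itself over loopback must still target 8443 directly.
firewalld_forward_cmds() {
    printf 'firewall-cmd --permanent --zone=%s --add-forward-port=port=%s:proto=tcp:toport=%s\n' \
        "$ZONE" "$FROM_PORT" "$TO_PORT"
    printf 'firewall-cmd --reload\n'
}

# Given the output of `firewall-cmd --zone=$ZONE --list-forward-ports`,
# return 0 if the 443 -> 8443 forward is present and 1 otherwise.
# Useful as a post-deploy check that the rule actually persisted.
forward_present() {
    printf '%s\n' "$1" |
        grep -qE "^port=${FROM_PORT}:proto=tcp:toport=${TO_PORT}(:toaddr=)?$"
}

# Constructed sample of firewall-cmd output, so the check runs offline.
SAMPLE_LIST='port=443:proto=tcp:toport=8443:toaddr='

# Print the commands; pipe them to sh as root on the ArcGIS host to apply.
firewalld_forward_cmds
if forward_present "$SAMPLE_LIST"; then
    echo "sample output contains the ${FROM_PORT}->${TO_PORT} forward"
fi
```

Run `firewall-cmd --zone=public --list-forward-ports` after the reload and feed its output to `forward_present` to confirm the rule is live.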


JPBogado
New Contributor

Thank you for the recommendation! I’ve followed your advice and implemented the firewalld-based solution as suggested in the Esri cookbooks. The configuration was straightforward and fits our needs perfectly. I really appreciate your help and the reference to the GitHub resource—it has been incredibly useful.

Thanks again for the valuable guidance!
