Multiple Reverse Proxies

Discussion created by stufletcher on Sep 12, 2012
Latest reply on Jul 16, 2013 by myESRIUName
Hi there,

We have an ArcGIS Server 10.1 instance that sits behind 2 corporate reverse proxies (Apache). Basically in this configuration:

ArcGIS Server  ---Reverse Proxy 2----   Internal Site   ----Reverse Proxy 1----    External Site

The reverse proxies we are using utilise Apache and are configured based on the info below

Reverse Proxy 2 configuration:
ProxyPass       /arcgis/rest/  http://arcgisserver_address:6080/arcgis/rest/
ProxyPassReverse /arcgis/rest/  http:// arcgisserver_address:6080/arcgis/rest/
ProxyPass       /arcgis/tokens/  http://arcgisserver_address:6080/arcgis/tokens/
ProxyPassReverse /arcgis/tokens/  http://arcgisserver_address:6080/arcgis/tokens/
ProxyPass       /arcgis/services/  http://arcgisserver_address:6080/arcgis/services/
ProxyPassReverse /arcgis/services/  http://arcgisserver_address:6080/arcgis/services/
ProxyPass       /arcgis/sdk/  http://arcgisserver_address:6080/arcgis/services/
ProxyPassReverse /arcgis/sdk/  http://arcgisserver_address:6080/arcgis/services/

Reverse Proxy 1 configuration:
ProxyPass       /  http://internalsite_address/
ProxyPassReverse  /  http://internalsite_address/

This largely works ok however some components of the ArcGIS server REST endpoint do not function correctly as it appears that some of the java libraries used by the pages appear to pickup the fact that the request has been parsed through via a reverse proxy and utilise one of the following HTTP headers X-FORWARDED_HOST or X-FORWARDED-SERVER. This works ok when there is only 1 proxy however when there are two (or more) proxies these headers contain a comma separated list of all proxies.

I.e in the case of the above example:
X-FORWARDED-HOST = externalsite_address, internalsite_address

This causes issues with many rest pages that when returned have malformed URLs as they contain multiple comma separated domains including the javascript map preview, the wmts capabilities and the links at the top of all rest pages (to name a few).

This can be fixed partially by modifying some of the JSP files used however it is not possible with some such as the the page you are redirected to after login. Fixing the JSPs involves converting the urls to just the absolute path not a fully qualified url. This is not an ideal solution and will cause maintenance issues in the future.

The best overall solution would be for ESRI to look at changing the behavior of some of the classes used including:

I wouldn't have thought we are the only organisations using a chain of reverse proxies. Has any one else experienced these problems and if so how have you dealt with them.


Stuart Fletcher