Solved

hosting domino website on Apache

Posted on 2004-09-30
9
401 Views
Last Modified: 2013-11-16
I am using a domino for mail and webmail is enabled on it.

I have installed an apache with server & client certificates and want to use it to authinticate webmail users before they reach domino.

so my network should be like this:

(web client with certificate)-----HTTPS---------->(Apache verifying clients certificates and running ssl and domino website)------>(Actual domino server)

Or if possible like this:

(web client with certificate)-----HTTPS---------->(Apache verifying clients certificates and running ssl without domino website)----HTTP---------->(actual domino server running Domino webserver and pages)

Any Clue?????????????????/
0
Comment
Question by:last
  • 4
  • 4
9 Comments
 
LVL 46

Expert Comment

by:Sjef Bosman
ID: 12189214
I'd say it's impossible to bypass Domino security: Domino will check certificates on its own. And a Domino-website has its pages built from dynamic data contained in a database, there are usually very few fixed html-files.
0
 
LVL 15

Expert Comment

by:Bozzie4
ID: 12197601
So you want to use Apache as a reverse proxy ?

The separate parts of this setup should work just fine.  But you are mixing 2 things here:
- SSL tunneling for the reverse proxy.  This is no problem, you can simply leave the authentication mechanism in Domino (but this won't work for the client certificate)
- Single sign on : if the user is authenticated on Apache (using the certificates), you want single sign on with the Domino server.  This is possible if you use the Domino Directory to authenticate users in Apache.  Look on the internet.   Caution: I'm not sure this will work for client certificates , but there only 1 way to find out.  Also, there is a bug in the LDAP module on Apache, so this setup is not 100% reliable.

We have this same setup, and single sign on works fine (users authenticate on the Apache Proxy - then open the Domino portal site (using ssl tunneling) - and are signed in automatically (well this actually doesn't work  100% of the time, but it works mostly).  I can't help you with the SSL client certificates ,though !  

cheers,

Tom
0
 

Author Comment

by:last
ID: 12198337
Tom

it seems that you had setup the same thing.

My users will have to provide the domino passwords after authenticating to the apache. it is a portal for them.

But do you have SSL running on Domino or just on apache??

Is your setup of the form:

Client---------HTTPS-------->Apache-----------HTTP----->Domino   ??

if yes, what I need to do on apache to forward the request to Domino in clear text and bring it back to the clients SSLed?????

thanx
0
 
LVL 15

Accepted Solution

by:
Bozzie4 earned 250 total points
ID: 12201377
Just run ssl on apache.  We have the same setup (exept for client certificates, we just run ssl without the client certs).

You need to install the reverse proxy modules on apache, (don't know exaclty what they're called, but you'll find it quite easily).

cheers,

Tom
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 

Author Comment

by:last
ID: 12206707
Tom,

Aprreciated, I will try runnning the apache as a reverese proxy.
So you are running Domino on HTTP without (SSL) HTTPS?
and ssl is running only on apache.



0
 
LVL 15

Expert Comment

by:Bozzie4
ID: 12208561
Yes, that's the idea.

It works fine - but there are other products on the market that do the same.  They could be better in your case, especially if you need single sign on and ldap integration with domino (Websphere Edge server, for instance is built  on a simple Apache reverse proxy, but IBM changed some modules, so it works better with Domino LDAP)

cheers,

Tom
0
 

Author Comment

by:last
ID: 12368243
Tom

proxying works fine now.

but the mail users are not getting the Jave applets buttons (new memo....etc) on thier browsers when they log on to domino!

Any idea?

0
 
LVL 15

Expert Comment

by:Bozzie4
ID: 12368559
Have you considered using iNotes ?  That works fine, as long as you use the necessary rules in the reverse proxy.

To make the java applets work, they must be able to use the applets directory on the server too !  If that still doesn't work, use Mozilla to connect, and use the Sun java 2 SE console to see what it says there....

cheers,

tom
0
 

Author Comment

by:last
ID: 12380194
Tom,

the users have no problems if they connect to the domino webmail directly.the only thing is when they connect through the proxy they dont see the applets.

What is meant by "they must be able to use the applets directory"? do you mean the applets directory in the domino?  then the proxy should access it......

Pls provide more details...

Thanks,
last
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

I thought it will be a good idea to make a post as it will help in case someone else faces these issues. I trust this gives an idea how each entry in Notes.ini can mean a lot for the Domino Server to be functioning properly. This article discusses t…
This article covers general Notes 8.5 troubleshooting information including recreating the Notes\Data folder.
In this seventh video of the Xpdf series, we discuss and demonstrate the PDFfonts utility, which lists all the fonts used in a PDF file. It does this via a command line interface, making it suitable for use in programs, scripts, batch files — any pl…
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

760 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

24 Experts available now in Live!

Get 1:1 Help Now