Dear FirstSpirit community,
we just want to know, whether both FirstSpirit rich clients:
are enabled for a communication over a reverse proxy e.g. IBM WebSeal Web Access Manager?
If known problems exist, please let us know.
Yes, FirstSpirit supports reverse proxies. Some of our customers use it over the following web application firewall systems: IBM Webseal, CA Siteminder, Astaro UTM. To have completely transparent support for FirstSpirit, i.e. without any firewall exceptions, the reverse proxy is required to forward the session cookie which is used between client and reverse proxy towards the FirstSpirit backend. In the FirstSpirit configuration file fs-server.conf, the parameter clientCookieNames must list the name of this cookie. Without forwarding of the cookie, some firewall exceptions must be added or two files within firstspirit5/web/fs5root enhanced with some JavaScript code.
HTTP or HTTPS can be used between the reverse proxy and FirstSpirit.
For forwarding the SSO authentication of the reverse proxy, a custom FirstSpirit JAAS login module is available which uses mutual HTTPS authentication for security (HTTPS client certificate on the reverse proxy). The username is forwarded as an HTTP header by the proxy, for instance as "iv-user" when using Webseal.
URL exceptions, if clientCookieNames is not used in fs-server.conf:
http://fshost.e-spirit.de/jnlp/*
http://fshost.e-spirit.de/servlet/ClientIO/*
http://fshost.e-spirit.de/start/FIRSTspirit.jnlp:
Configuration for Webseal used at one of our customers:
Junction Path: /jctfirstspirit
Destination: https://fsserver.domain:8443
Scripting-Support: no
mutual SSL Auth: yes
Parameter: iv-user
transparent Junction: yes (means, path /jctfirstspirit will be sent to the backend FirstSpirit)
firstspirit5/conf/fs-server.conf:
URL=https://websealhost.domain/jctfirstspirit
fs.url.hostname=websealhost.domain
fs.url.httpport=443
WEBAPP_ROOT_URL=/jctfirstspirit
WEBAPP_PREVIEW_URL=/jctfirstspirit/fs5preview
WEBAPP_STAGING_URL=/jctfirstspirit/fs5staging
WEBAPP_WEBMON_URL=/jctfirstspirit/fs5webmon
WEBAPP_WEBEDIT5_URL=/jctfirstspirit/fs5webedit
With Webseal you can also use VirtualHost-Junctions, so the /jctfirstspirit path is not required.
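Added example, not part of the original reply and not the FirstSpirit JAAS login module: the trust decision behind the header-based SSO described above, where the "iv-user" header is accepted only on a connection that presented the reverse proxy's HTTPS client certificate. The fingerprint allowlist, the function names and the sample requests are assumptions constructed for illustration.

```python
from typing import Iterable, Optional, Tuple

USER_HEADER = "iv-user"  # header name the page gives for Webseal
# Constructed placeholder: SHA-256 fingerprint of the proxy's HTTPS client certificate.
TRUSTED_PROXY_FINGERPRINTS = frozenset({"ab" * 32})


class RejectedLogin(Exception):
    """The proxy-asserted identity must not be accepted."""


def normalise_fp(fp: str) -> str:
    """Accept 'AB:CD:...' or 'abcd...' notation for a certificate fingerprint."""
    return fp.replace(":", "").strip().lower()


def proxy_asserted_user(headers: Iterable[Tuple[str, str]],
                        peer_cert_fp: Optional[str]) -> str:
    """Return the username only if the request provably came from the proxy."""
    # The header is only as trustworthy as the channel: without the proxy's
    # client certificate, anyone who can reach the backend could set it.
    if peer_cert_fp is None:
        raise RejectedLogin("no client certificate presented")
    if normalise_fp(peer_cert_fp) not in TRUSTED_PROXY_FINGERPRINTS:
        raise RejectedLogin("client certificate is not the reverse proxy's")
    # HTTP header names are case-insensitive; collect every occurrence.
    values = [v.strip() for name, v in headers if name.lower() == USER_HEADER]
    if len(values) != 1:
        raise RejectedLogin(f"expected one {USER_HEADER} header, got {len(values)}")
    user = values[0]
    if not user or any(ord(c) < 0x20 or ord(c) == 0x7F for c in user):
        raise RejectedLogin("empty or malformed username")
    return user


def decide(headers: Iterable[Tuple[str, str]], peer_cert_fp: Optional[str]) -> str:
    """Demo helper: the username on success, 'REJECT: reason' otherwise."""
    try:
        return proxy_asserted_user(headers, peer_cert_fp)
    except RejectedLogin as exc:
        return f"REJECT: {exc}"


if __name__ == "__main__":
    proxy_fp = ":".join(["AB"] * 32)  # constructed, matches the allowlist
    # Constructed requests: via the proxy, direct without a certificate, duplicated header.
    print(decide([("IV-User", "jdoe")], proxy_fp))
    print(decide([("iv-user", "admin")], None))
    print(decide([("iv-user", "jdoe"), ("Iv-User", "admin")], proxy_fp))
```

The same rule applies whichever header name the proxy uses: the backend should also be unreachable except through the proxy, so the certificate check is a second barrier rather than the only one.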