http or https can be used between the reverse proxy and FirstSpirit
For forwarding the SSO authentication of the reverse proxy, a custom FirstSpirit JAAS login module is available which uses mutual https authentication for security (https client certificate on reverse proxy). The username is forwarded as http header by the proxy, for instance as "iv-user" when using Webseal.
URL exceptions, if clientCookieNames is not used in fs-server.conf:
Configuration for Webseal used at one of our customers:
Junction Path: /jctfirstspirit
mutual SSL Auth: yes
transparent Junction: yes (means, path /jctfirstspirit will be send to backend FirstSpirit)
With Webseal you can also use VirtualHost-Junctions so the /jfctfirstspirit path is not required.