TechTip: Need a Safe IBM i Internet Connection?

IT Infrastructure - Other
Typography
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

With Apache Reverse Proxy, you can implement an Internet Web service confidently.

 

One reason that businesses may limit the IBM i's connection to the Internet is the reluctance to expose one of the most sensitive company assets, its data, to the risk of uncontrolled access from the network. On the other hand, the need for some presence in the public network has resulted in companies providing Web sites based on a few static pages that don't allow interaction with company data. Usually, these Web sites are developed by people outside the company or by a small team within the company but totally separated from the IBM i development team. The obvious consequences are that IBM i growth in the Web area is inhibited and the development team doesn't grow.

 

How can businesses overcome this irrational fear? Apache HTTP server provides an interesting way out. Look at the example of a company environment in Figure 1.

 

102210PerottiFigure1

Figure 1: This example company has three networked computers.

 

The company has three computers on a LAN. Computer A is any computer running Apache HTTP and connected to the public network through an Internet router, a firewall, etc. This computer provides a public Web site based on data sent once per day from computer B. Computer B is an IBM i that holds company data and services internal users through an intranet Web service. Computer C is a separate IBM i dedicated to application development, including Web development. Computers B and C run an Apache HTTP service. In this configuration, computers B and C are safe from any external attacks, as they are not on the public network.

 

What Apache HTTP server provides is a way to transfer selected Web requests to another computer, wait for the answers from it, and transfer the answers back to the remote browsers. This technique, called "Reverse Proxy," enables multiple systems on a LAN to provide Web services to an external network through a single computer connected to the external network. Computers on the LAN that are just responding to Reverse Proxy requests simply cannot be hacked.

 

The Apache Reverse Proxy allows the developer to re-route to other HTTP servers any incoming requests that contain given (partial) URIs and to receive responses and send them to requesters as if the requests were processed by the receiving HTTP server. A URI (Uniform Resource Identifier) is the portion of the URL (Uniform Resource Locator) that identifies the resource to be accessed. As an example, in URL http://www.easy400.net/cgidev2/start, the URI is /cgidev2/start.

 

In order to implement Reverse Proxy, you simply add some HTTP directives to the Apache HTTP instance of the Web server system (computer A in Figure1).

 

As an example, let us assume that all requests starting with "/prod/" must be routed to the HTTP server of computer B, with IP address 192.168.0.200. And all requests starting with "/test" must be routed to the HTTP server of computer C, with IP address 192.168.0.300.

 

If computer A is a Windows PC, you must add the following HTTP directives:

 

LoadModule proxy_module modules/mod_proxy.so AddModule_proxy.c

 

# Reverse Proxy connecting to the http server instance of computer B

 <Location /prod/>               

 ProxyPass         http://192.168.0.200/         

 ProxyPassReverse  http://192.168.0.200/          

 </Location>                       

# Reverse Proxy connecting to the http server instance of computer C

 <Location /test/>                    

 ProxyPass         http://192.168.0.300/          

 ProxyPassReverse  http://192.168.0.300/               

 

 </Location>                           

If computer A is an IBM i, you must add the following HTTP directives:

 

LoadModule proxy_module /QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM

LoadModule proxy_ftp_module /QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM

LoadModule proxy_http_module /QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM

LoadModule proxy_connect_module /QSYS.LIB/QHTTPSVR.LIB/QZSRCORE.SRVPGM

ProxyReverse on

# Reverse Proxy connecting to the http server instance of computer B

 <Location /prod/>                         

 ProxyPass         http://192.168.0.200/               

 ProxyPassReverse  http://192.168.0.200/             

 </Location>                        

# Reverse Proxy connecting to the http server instance of computer C

 <Location /test/>                  

 ProxyPass         http://192.168.0.300/                  

 ProxyPassReverse  http://192.168.0.300/              

</Location>                            

            

Safe and Secure Internet Access

Now you have a safe way to provide Internet access on your IBM i. For more information, go to the following two references.

 

 

 

as/400, os/400, iseries, system i, i5/os, ibm i, power systems, 6.1, 7.1, V7,

 

 

 

 

BLOG COMMENTS POWERED BY DISQUS