Reverse proxy mode provides an SSL-encrypted connection between the client and IWSVA; however, the connection between IWSVA and the web server is always via HTTP. Therefore, to use reverse proxy mode, you must adjust the protected web server to account for the fact that it is reached via HTTP.
In the following scenario, even if the client has established a connection with IWSVA via SSL, the web server returns an HTTP URL such as http://xxxx.xx.xx/ in the Location header. This causes the communication protocol to switch from HTTPS to HTTP because the client then tries to access http://xxxx.xx.xx.
Changing the configuration could help to keep the SSL connection, although there may still be an issue on the web server side.
Trend Micro strongly recommends that you check the Location header of the web server before using reverse proxy mode.
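One way to perform this check from a shell is shown below. This is an added example, not Trend Micro code: the function name classify_location, the sample response and the host names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Trend Micro code). Classifies the Location header in a
# raw HTTP response header block read from stdin.
# Output: none | relative | https | http-downgrade | http-downgrade-port:<port>
classify_location() {
    tr -d '\r' | awk '
        BEGIN { result = "none" }
        /^$/ { exit }                         # blank line ends the header block
        tolower($0) ~ /^location:/ {
            value = $0
            sub(/^[^:]*:[ \t]*/, "", value)   # drop the header name
            lower = tolower(value)
            if (lower ~ /^https:\/\//) {
                result = "https"
            } else if (lower ~ /^http:\/\//) {
                authority = substr(value, 8)  # text after "http://"
                sub(/\/.*/, "", authority)    # keep host[:port] only
                if (authority ~ /:[0-9]+$/) {
                    port = authority
                    sub(/^.*:/, "", port)
                    result = "http-downgrade-port:" port
                } else {
                    result = "http-downgrade"
                }
            } else {
                result = "relative"
            }
        }
        END { print result }
    '
}

# Constructed sample: a backend redirect in the form curl -sI prints it.
sample_response() {
    printf 'HTTP/1.1 302 Found\r\nServer: demo\r\nLocation: http://www.example.test:8080/app/\r\n\r\n'
}
sample_response | classify_location

# Live use (backend.example.test is a placeholder host):
#   curl -sI http://backend.example.test/ | classify_location
```

A result of http-downgrade or http-downgrade-port:<port> means the web server sends clients an absolute http:// URL, which is the situation described above. A result of https, relative or none means the Location header does not force a switch to HTTP.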
Workaround
- Log on to IWSVA as root via SSH (for example, with an SSH client such as PuTTY).
- Create a backup copy of the file https.conf:
  # cp -p /var/iwss/reverse_proxy/conf/service_conf/https.conf /var/iwss/reverse_proxy/conf/service_conf/https.conf.bak
- Use vi to edit the file https.conf:
  # vi /var/iwss/reverse_proxy/conf/service_conf/https.conf
- Insert the "proxy_redirect http:// https://;" string under the proxy_set_header line.
  If the web server is running on port 8080, "proxy_redirect http://$host:8080/ https://$host/;" must be inserted instead.
  Before:
  --------------------------------------------------
  server {
  ...
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header real-host $host;
  --------------------------------------------------
  After:
  --------------------------------------------------
  server {
  ...
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header real-host $host;
  proxy_redirect http:// https://;
  --------------------------------------------------
- Save the file and quit.
- Restart the reverse proxy service:
  # /etc/iscan/S99ISreverseproxy restart