A reverse proxy server is a computer that is deployed in a perimeter network (also known as a demilitarized zone [DMZ] or screened subnet) that handles requests from the internet and forwards them to the machines in your internal network. By forwarding requests, the reverse proxy server masks the identity of the machines behind your organization's firewall, thus protecting internal machines from being attacked directly by internet users. Additional security functions can be implemented in the reverse proxy server to further protect your internal network from outside users.
If your reverse proxy server supports a health check function, you can use the ArcGIS Mission Server health check endpoint to determine if the site is available to receive requests. This is useful to quickly determine if there's a software or hardware failure in the site. To do this, for example, browse to https://machine.domain.com:20443/arcgis/rest/info/healthcheck.
Note:
Starting at the 10.9 Enterprise release, administrators are able to configure Apache HTTPD with ArcGIS Mission Server more seamlessly. Administrators can now generate an Apache Proxy Configuration file via the Admin API's 'Generate Proxy Configuration' endpoint.
Generating a Proxy Configuration
Administrators can now configure Apache HTTPD through the ArcGIS Mission Server Admin API.
- Sign in to the ArcGIS Mission Server Administrator Directory at https://machine.domain.com:20443/arcgis/admin/proxyGen as a user with administrator privileges.
- Enter the Top Context of your reverse proxy. For example, entering topcontext results in proxy directives that route requests to https://my.reverse.proxy/topcontext. This context is used to write the proxy directives and to route requests appropriately based on the request's protocol and context.
- Select the Set Context URLs? check box. This will automatically set the appropriate ArcGIS Mission Server WebContextURL and WebSocketContextURL system properties when the request is submitted.
- Enter the Proxy FQDN of your reverse proxy server. For example, my.reverse.proxy results in proxy directives that route requests to https://my.reverse.proxy/topcontext.
- Select the desired output Format.
- Click Submit.
- You've successfully generated an Apache HTTPD Configuration file and set the proper ContextURL system properties. Next, you will need to read the information displayed in this file and then apply it to your Apache HTTPD Proxy as necessary. Please refer to your respective distribution's documentation to do so.
Manually add ArcGIS Mission Server to your reverse proxy server
You can configure your organization's reverse proxy server to communicate directly with ArcGIS Mission Server by adding the corresponding URLs to the proxy directives.
To configure an Apache HTTP Server as a reverse proxy, enable the following Apache modules: mod_ssl, mod_proxy, mod_proxy_http, and mod_proxy_wstunnel. To enable Apache modules, see the Apache documentation for the platform-specific configuration locations. For example:
LoadModule ssl_module modules/mod_ssl.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
To complete the configuration of an Apache HTTP Server as a reverse proxy, set a combination of ProxyPass and ProxyPassMatch directives along with the correct SSL settings. Because ArcGIS Mission Server uses HTTPS, the Apache HTTP Server SSL configuration must also use the same certificate that was uploaded to ArcGIS Mission Server:
##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
## Enable Proxy for SSL
SSLProxyEngine on
## If using a self-signed certificate on ArcGIS Mission Server, disable strict
## certificate verification
SSLProxyVerify none
## Proxy ArcGIS Mission Server URLs to the proper backend ports
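## The order of these directives is important: Apache applies the first
## ProxyPass rule that matches, so the more specific missions path comes first.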
ProxyPass /topcontext/missions/ wss://machine.domain.com:20301/arcgis/missions/ disablereuse=On
ProxyPass /topcontext/ https://machine.domain.com:20443/arcgis/
ProxyPassReverse /topcontext/ https://machine.domain.com:20443/arcgis/
## Use the same SSL Certificate and Key as ArcGIS Mission Server
## (adjust path to your specific certificate locations)
SSLCertificateFile /path/to/arcgis/mission/<server_cert>.pem
SSLCertificateKeyFile /path/to/arcgis/mission/<private_key>.pem
## End of ArcGIS Mission Server reverse proxy config https://machine.domain.com:20443/arcgis/
</VirtualHost>
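The following Python check is an added example, not part of the product documentation. It audits a proxy configuration for the two points in the block above that are easiest to get wrong: a ProxyPass rule made unreachable by an earlier, broader prefix, and SSLProxyVerify none, which leaves the proxy-to-backend TLS connection without certificate verification. The function names (directives, audit, route) are hypothetical, and the sample text is constructed from the page's own directives.

```python
# Constructed sample: the page's directives with the two ProxyPass lines swapped.
SAMPLE_SWAPPED = """\
SSLProxyEngine on
SSLProxyVerify none
ProxyPass /topcontext/ https://machine.domain.com:20443/arcgis/
ProxyPass /topcontext/missions/ wss://machine.domain.com:20301/arcgis/missions/ disablereuse=On
"""

# Constructed sample: the page's directives in the documented order.
SAMPLE_PAGE = """\
SSLProxyEngine on
SSLProxyVerify none
ProxyPass /topcontext/missions/ wss://machine.domain.com:20301/arcgis/missions/ disablereuse=On
ProxyPass /topcontext/ https://machine.domain.com:20443/arcgis/
"""

def directives(text):
    """Yield (line_no, name, args) for each directive, skipping comments and tags."""
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("<"):
            continue
        name, *args = line.split()
        yield no, name.lower(), args

def audit(text):
    """Return (line_no, message) findings for shadowed rules and unverified backend TLS."""
    findings, seen = [], []  # seen holds (line_no, path) of earlier ProxyPass rules
    for no, name, args in directives(text):
        if name == "proxypass" and args:
            path = args[0]
            for earlier_no, earlier in seen:
                # Apache checks ProxyPass rules in configuration order and the
                # first matching prefix wins, so a broader earlier prefix
                # makes this rule unreachable.
                if path.startswith(earlier):
                    findings.append((no, f"ProxyPass {path} is shadowed by {earlier} on line {earlier_no}"))
                    break
            seen.append((no, path))
        elif name == "sslproxyverify" and args and args[0].lower() == "none":
            findings.append((no, "SSLProxyVerify none: backend certificate is not verified"))
    return findings

def route(text, url_path):
    """Model first-match-wins routing: return the backend URL for a request path."""
    for _, name, args in directives(text):
        if name == "proxypass" and len(args) >= 2 and url_path.startswith(args[0]):
            return args[1] + url_path[len(args[0]):]
    return None
```

With the swapped order, a request under /topcontext/missions/ is sent to the HTTPS port 20443 instead of the WebSocket port 20301, which is why the audit reports the second rule as shadowed.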
For ArcGIS Mission Server to correctly create WebSocket communications with clients, you must set the ArcGIS Mission Server WebContextURL and WebSocketContextURL system properties. This helps ArcGIS Mission Server construct the correct URLs on all resources it sends to the end user. Do the following to change the WebContextURL and WebSocketContextURL:
- Sign in to the ArcGIS Mission Server Administrator Directory at https://machine.domain.com:20443/arcgis/admin as a user with administrator privileges.
- Click system > properties > update.
- In the Properties text box, insert the following JSON, substituting your own ArcGIS Mission Server URL as seen by users outside your organization's firewall.
{ "WebContextURL": "https://machine.domain.com/mygis", "WebSocketContextURL":"wss://machine.domain.com/mygis" }
- Click Update.