
Configure the AJAX proxy


Overview

By default, the Connections AJAX proxy is configured to allow cookies, headers, MIME types, and all HTTP actions to be exchanged among the Connections applications. To change the traffic allowed from services other than IBM Connections, you must explicitly configure it.

This task is typically not required. Perform it only to display information from an external service within Connections; the most common case is enabling feeds from external sites.

Configuring the proxy to mirror content from third-party servers may cause the proxy to mirror malicious content from those servers, so be sure to allow access to trusted sites only.

The proxy-config.tpl template file defines rules about which HTTP requests, headers, and cookies are allowed to be redirected to the Connections applications. When an IBM Connections server starts, it reads information about the applications from LotusConnections-config.xml and, based on the rules defined in proxy-config.tpl, configures the proxy used by any web browsers or other servers that send requests to IBM Connections.

For example, to allow one application, such as Home page, to proxy a widget, but not allow any of the other applications to proxy it, create an application-specific version of proxy-config.tpl.


Configure the AJAX proxy

  1. Access the common AJAX proxy configuration template file:

      cd app_server_root/profiles/Dmgr01/bin
      ./wsadmin.sh -lang jython -user admin_user_id -password admin_password -port SOAP_CONNECTOR_ADDRESS_PORT
      execfile("connectionsConfig.py")
      LCConfigService.checkOutProxyConfig("/tmp", "cell_name")

  2. Edit /tmp/proxy-config.tpl

  3. Options...

    • Refuse all traffic from a specific site:
      <proxy:policy url="malicious.site.com" acf="none">
      
          <proxy:actions/>
          <proxy:headers/>
          <proxy:cookies/>
      
      </proxy:policy>
      

    • Allow a particular service on the network to display a custom widget:
      <proxy:policy url="http://my.network.com/widget/*" 
                    acf="none">
      
          <proxy:actions>
              <proxy:method>GET</proxy:method>
          </proxy:actions>
      
          <proxy:headers>
            <proxy:header>User-Agent</proxy:header>
            <proxy:header>Accept.*</proxy:header>
            <proxy:header>Content.*</proxy:header>
            <proxy:header>Authorization.*</proxy:header>
            <proxy:header>If-.*</proxy:header>
            <proxy:header>Pragma</proxy:header>
            <proxy:header>Cache-Control</proxy:header>
          </proxy:headers>
      
          <proxy:cookies>
              <proxy:cookie>JSESSIONID</proxy:cookie>
          </proxy:cookies>
      
      </proxy:policy>

    • Allow basic authentication requests to a service that requires authentication:
      <proxy:policy url="http://my.network.com/service/*" 
                       acf="none" 
                       basic-auth-support="true">
           ...
      
      </proxy:policy>
      If this attribute is not added and an unauthenticated request is sent to a service that requires authentication, the basic authentication dialog is not displayed; the service returns an HTTP 403 status code instead.

    • Allow a particular service to run on the network, and to pass cookies for LTPA tokens to the applications:
      <proxy:policy url="http://my.network.com/service/*" 
                       acf="none">
      
          <proxy:actions>
              <proxy:method>GET</proxy:method>
          </proxy:actions>
      
          <proxy:headers>
            <proxy:header>User-Agent</proxy:header>
            <proxy:header>Accept.*</proxy:header>
            <proxy:header>Content.*</proxy:header>
            <proxy:header>Authorization.*</proxy:header>
            <proxy:header>If-.*</proxy:header>
            <proxy:header>Pragma</proxy:header>
            <proxy:header>Cache-Control</proxy:header>
          </proxy:headers>
      
          <proxy:cookies>
            <proxy:cookie>JSESSIONID</proxy:cookie>
            <proxy:cookie>LtpaToken</proxy:cookie>
            <proxy:cookie>LtpaToken2</proxy:cookie>
          </proxy:cookies>
      
      </proxy:policy>

      Specify the headers using regular expressions. If no cookies are specified, the proxy will pass all of them. To prevent it from passing any cookies, specify <proxy:cookies/>.

    • Allow a particular service to run on the network configured with SSO, and to pass cookies for LTPA tokens and TAM or SiteMinder to the service:
      <proxy:policy url="http://my.network.com/service/*"
                       acf="none" 
                       basic-auth-support="true" 
                       auth-support="true">
           <proxy:actions>
               <proxy:method>GET</proxy:method>
               <proxy:method>POST</proxy:method>
               <proxy:method>PUT</proxy:method>
               <proxy:method>DELETE</proxy:method>
           </proxy:actions>
      
           <proxy:headers>
               <proxy:header>content-type</proxy:header>
               <proxy:header>accept-encoding</proxy:header>
               <proxy:header>uit</proxy:header>
               <proxy:header>pst</proxy:header>
               <proxy:header>User-Agent</proxy:header>
               <proxy:header>Accept.*</proxy:header>
               <proxy:header>Content.*</proxy:header>
               <proxy:header>Authorization.*</proxy:header>
               <proxy:header>X-Method-Override</proxy:header>
               <proxy:header>If-.*</proxy:header>
               <proxy:header>Pragma</proxy:header>
               <proxy:header>Cache-Control</proxy:header>
               <proxy:header>X-Update-Nonce</proxy:header>
           </proxy:headers>
      
           <proxy:cookies>
               <proxy:cookie>DomAuthSessId</proxy:cookie>
               <proxy:cookie>LtpaToken</proxy:cookie>
               <proxy:cookie>LtpaToken2</proxy:cookie>
               <proxy:cookie>Shimmer</proxy:cookie>
               <proxy:cookie>ShimmerS</proxy:cookie>
               <proxy:cookie>iwaSSL</proxy:cookie>
               <proxy:cookie>iwaSSL2</proxy:cookie>
               <proxy:cookie>JSESSIONID</proxy:cookie>
               <proxy:cookie>has</proxy:cookie>
               <proxy:cookie>PD-H-SESSION-ID</proxy:cookie><!-- TAM -->
               <proxy:cookie>PD-S-SESSION-ID</proxy:cookie><!-- TAM -->
               <proxy:cookie>SMIDENTITY</proxy:cookie><!-- SiteMinder -->
               <proxy:cookie>SMSESSION</proxy:cookie><!-- SiteMinder -->
           </proxy:cookies>
      
       </proxy:policy>

    • Allow GET requests to be passed to any web address.

      To allow your users to have access to all web sites, remove the comments from around this policy. For example, users who add a feed to a community will see a 403 error where the feed results should be displayed unless you perform this step. Be sure the policy is listed as the last policy in the configuration file.

      <!--proxy:policy url="*" acf="none"> 
      
          <proxy:actions>
            <proxy:method>GET</proxy:method>
          </proxy:actions>
      
          <proxy:headers/>
          <proxy:cookies/>
      
      </proxy:policy-->

      Do not enable this policy on internet-facing deployments because it can allow unauthorized access to internal servers.
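The policy semantics above (per-policy method, header regex and cookie allowlists, the rule that an absent cookie list passes every cookie while an empty one passes none, and the requirement that the url="*" policy come last) are easy to get wrong by hand. The following Python checker is added here and is not part of IBM Connections or this documentation: it parses a constructed template in the same shape and reports what the first matching policy would forward. The root element, the namespace URI, the glob-style URL matching and the first-match ordering are assumptions, since the page does not specify the proxy's matching algorithm.

```python
import re
import fnmatch
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample in the page's policy shape; root element and namespace URI are placeholders.
SAMPLE_TPL = """<proxy:rules xmlns:proxy="urn:example:proxy-config">
  <proxy:policy url="malicious.site.com" acf="none"><proxy:actions/><proxy:headers/><proxy:cookies/></proxy:policy>
  <proxy:policy url="http://my.network.com/widget/*" acf="none">
    <proxy:actions><proxy:method>GET</proxy:method></proxy:actions>
    <proxy:headers><proxy:header>User-Agent</proxy:header><proxy:header>Accept.*</proxy:header></proxy:headers>
    <proxy:cookies><proxy:cookie>JSESSIONID</proxy:cookie></proxy:cookies>
  </proxy:policy>
  <proxy:policy url="*" acf="none"><proxy:actions><proxy:method>GET</proxy:method></proxy:actions><proxy:headers/><proxy:cookies/></proxy:policy>
</proxy:rules>"""
NS = {"proxy": "urn:example:proxy-config"}

def load_policies(tpl_text):
    """Each policy becomes (url pattern, methods, header regexes, cookie names or None)."""
    policies = []
    for pol in ET.fromstring(tpl_text).findall("proxy:policy", NS):
        methods = [m.text for m in pol.findall("proxy:actions/proxy:method", NS)]
        headers = [h.text for h in pol.findall("proxy:headers/proxy:header", NS)]
        cookies_el = pol.find("proxy:cookies", NS)
        # Page semantics: no <proxy:cookies> passes every cookie, empty <proxy:cookies/> passes none.
        cookies = None if cookies_el is None else [c.text for c in cookies_el]
        policies.append((pol.get("url"), methods, headers, cookies))
    return policies

def url_matches(pattern, url):
    # Assumed rule: a pattern with a scheme is globbed against the whole URL, a bare host against the host.
    target = url if "://" in pattern else (urlparse(url).hostname or "")
    return fnmatch.fnmatchcase(target, pattern)

def evaluate(policies, url, method, headers, cookies):
    """(allowed, forwarded headers, forwarded cookies); assumes the first URL match in file order decides."""
    for pattern, methods, hdr_res, cookie_names in policies:
        if not url_matches(pattern, url):
            continue
        if method not in methods:
            return False, [], []
        fwd_h = [h for h in headers if any(re.fullmatch(r, h, re.I) for r in hdr_res)]
        fwd_c = list(cookies) if cookie_names is None else [c for c in cookies if c in cookie_names]
        return True, fwd_h, fwd_c
    return False, [], []

def catch_all_is_last(policies):
    """The page's ordering rule: a url="*" policy may only be the final policy."""
    return all(p[0] != "*" for p in policies[:-1])
```

Running evaluate against a request for the blocked host returns a refusal even for GET, and reversing the policy order makes catch_all_is_last report the misordering that would let the catch-all shadow every rule before it.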

    proxy:meta-data attributes...

    • circular_redirects: Circular redirects are allowed. If "true", supports using a proxy for a site that redirects to the same URL, but with different parameters. Such a change is not recognized as a new URL. Default is true.
    • connection-timeout: Amount of time before an attempt to connect to a host times out. Milliseconds. Default is 60,000, which is 1 minute.
    • max_circular_redirects: Maximum number of times a circular redirect is allowed before the proxy rejects it. Integer. Default is 100.
    • maxconnectionsperhost: Maximum number of simultaneous connections between the proxy and a given host. Integer. Default is 5.
    • maxtotalconnections: Maximum number of simultaneous connections between the proxy and all of the hosts together. Integer. Default is 10.
    • socket-timeout: Amount of time before an attempt to use a socket times out. Milliseconds. Default is 60,000, which is 1 minute.
    • unsigned_ssl_certificate_support: Support self-signed SSL certificates. Boolean, true or false, in lower-case. Default is true. Change to false when the system is ready for production.

    The purpose of the following three settings is to prevent the proxy from consuming all available container threads while it waits for a response from a target host that is slow or is not responding.

    • maxconcurrentconnections: Limit the number of active threads in the proxy at any one time. When the limit is reached, all subsequent threads immediately return with an HTTP 504 Gateway Timeout error. If the value is 0, no limit is set. Default is 10.
    • suspend-url-timeout-interval: Minimum amount of time, in milliseconds, that a host is on the suspend list. A host is placed on the suspend list when the host times out. While a host is on the suspend list, the proxy rejects all requests to that host and returns an HTTP 504 Gateway Timeout error for that host. After the timeout interval expires, the host remains on the suspend list, but the next request is accepted. If the request succeeds, the host is removed from the suspend list. If the request does not succeed, the host remains on the suspend list and the timeout interval is renewed. The maximum value is 120000 (2 minutes). A value of 0 disables the timeout interval feature. Default is 2000, which is used if the value is missing or not valid.
    • clean-url-timeout-interval: Maximum amount of time, in milliseconds, that a host is on the suspend list. The minimum value is 180000 (30 minutes). Default is 14400000, which is used if the value is missing or not valid.

    For example:

    <proxy:meta-data>
      <proxy:name>maxconcurrentconnections</proxy:name>
      <proxy:value>20</proxy:value>
    </proxy:meta-data> 
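To make the thread-protection settings concrete, here is a small Python model of the suspend list as the three settings describe it, added here and not IBM's code: a host that times out is suspended for suspend-url-timeout-interval, requests in that window get a 504, the first request after the window is let through as a probe, success clears the host and failure renews the interval, clean-url-timeout-interval caps the time on the list, and maxconcurrentconnections caps in-flight requests. The clock is injected in milliseconds by the caller; the class and method names are assumptions.

```python
class SuspendList:
    """Model of the proxy's suspend list as described on this page (names are assumed).
    Times are milliseconds supplied by the caller, so the behaviour can be stepped by hand."""

    def __init__(self, suspend_interval=2000, clean_interval=14400000, max_concurrent=10):
        self.suspend_interval = suspend_interval   # suspend-url-timeout-interval
        self.clean_interval = clean_interval       # clean-url-timeout-interval
        self.max_concurrent = max_concurrent       # maxconcurrentconnections (0 = no limit)
        self.suspended = {}   # host -> (time placed on the list, time the next probe is allowed)
        self.active = 0       # forwarded requests currently in flight

    def admit(self, host, now):
        """Return "forward" if the request may go out, or "504" if the proxy rejects it."""
        if self.max_concurrent and self.active >= self.max_concurrent:
            return "504"                      # thread cap reached: immediate Gateway Timeout
        entry = self.suspended.get(host)
        if entry is not None:
            placed_at, probe_after = entry
            if now - placed_at >= self.clean_interval:
                del self.suspended[host]      # maximum time on the list reached
            elif now < probe_after:
                return "504"                  # still inside the suspend interval
            else:
                # interval expired: host stays listed, exactly one probe goes out until it completes
                self.suspended[host] = (placed_at, float("inf"))
        self.active += 1
        return "forward"

    def complete(self, host, now, timed_out):
        """Record the outcome of a forwarded request: success clears the host,
        a timeout places it on the list or renews its interval."""
        self.active -= 1
        if not timed_out:
            self.suspended.pop(host, None)
        elif self.suspend_interval:           # 0 disables the suspend feature
            placed_at = self.suspended.get(host, (now, now))[0]
            self.suspended[host] = (placed_at, now + self.suspend_interval)
```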

  4. Save and close the file.

  5. Check proxy-config.tpl back in during the same session in which you checked it out:

      LCConfigService.checkInProxyConfig("temp_directory", "cell_name")

  6. Restart the application server hosting IBM Connections.


See

  1. Configure the AJAX proxy for a specific application
  2. Enable the AJAX proxy to forward user credentials
  3. Configure the AJAX proxy to work with a pass-through proxy
  4. Configure the library widget proxy


Parent topic:
Security


Related:
Administer the Widget container
Enable community feeds
http://www-10.lotus.com/ldd/lcwiki.nsf/xpDocViewer.xsp?lookupName=Integration+Plug-ins+Documentation+for+IBM+Connections+4.5#action=openDocument&content=catcontent&ct=prodDoc
Enable single sign-on for SiteMinder
Configuration error messages