#1 2008-12-02 06:28:12
- Peter.Kehl
- Member Rank: New Member
- Posts: 3
SWF parameters/traffic when proxying under different domain/URI
RESOLVED
Issues when reverse-proxying Adobe Connect, and with single sign-on via Novell iChain
Update: I solved this, see the reply to this post.
The original issue in short: I'd like to have /common/meeting/launcher/openmeeting.swf and /common/meeting/shell/shell_sgn.swf work through a reverse proxy. The external domain name is different from the internal domain of the Adobe Connect server. The Connect server knows itself only under the internal domain. How can I do that, please?
Long story:
I'd like to use the same Adobe Connect instance for employees and for unauthenticated guests, but under different domains or URIs (due to different single sign-on policies). I wanted to use that with Apache 2 mod_proxy in Reverse-Proxy mode and some business logic in between.
I have that working for Connect HTTP and non-HTTP traffic, but only if the external and internal domain names and URIs are the same. E.g.: connect.happysmile.com/meeting-name on internet -> same domain and url on mod_proxy -> same domain and url on internal Adobe Connect server.
When I proxy from connectguest.happysmile.com/meeting-name, I sign the guests in by an internal call to /system/login-guest and then I send them the cookie. I rewrite URIs to internal connect.happysmile.com and the response HTTP redirects back to external connectguest.happysmile.com. But it fails after the browser invokes the following SWF files: openmeeting.swf and shell_sgn.swf (when via Adobe Connect Add-In). I also modify the following of their parameters to contain connectguest.happysmile.com: swfUrl, aicc_url, htmlUrl, host. But that still doesn't help - the SWF just still contacts the original server connect.happysmile.com. I use a different domain name (e.g. happymeeting.com) for RTMPS or non-HTTP traffic.
How could I fix that? I see those SWFs use multiple parameters - are they documented anywhere, please? In addition to rewriting swfUrl, aicc_url, htmlUrl and host I changed proxy%3Dfalse to proxy%3Dtrue but that didn't help.
/common/meeting/launcher/openmeeting.swf:
swfUrl=http://connect.happysmile.com/common/meeting/shell/shell.swf%3Froom%3D67166;session%3DMyBreezeCookie%26ticket%3Dn7tf5479p9xi%26proxy%3Dfalse%26appInstance%3D7/67166/%26aicc_url%3Dhttp%3A%2F%2Fconnect.happysmile.com%2Fservlet%2Fverify%3Fsco-id%3D67166%26host%3Dconnect.happysmile.com%26path%3D/petes1%26sco-id%3D67166%26ticket%3Dn7tf5479p9xi%26transcript-id%3D69717%26protos%3Drtmps:443%26origins%3Dlocalhost:8506%26edges%3Dhappymeeting.com%26lang%3Den%26account_id%3D7&htmlUrl=http://connect.happysmile.com/petes1%3Flauncher%3Dfalse&mode=auto&msg=&lang=en&close_meeting=
/common/meeting/shell/shell_sgn.swf:
/common/meeting/shell/shell_sgn.swf?room=67166;session=MyBreezeCookie&ticket=n7tf5479p9xi&proxy=false&appInstance=7/67166/&aicc_url=http://connect.happysmile.com/servlet/verify?sco-id=67166&host=connect.happysmile.com&path=/petes1&sco-id=67166&ticket=n7tf5479p9xi&transcript-id=69717&protos=rtmps:443&origins=localhost:8506&edges=happymeeting.com&lang=en&account_id=7
Version: Adobe Connect Pro 700_r712
Last edited by Peter.Kehl (2008-12-10 05:59:43)
Offline
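To check how complete a parameter rewrite is, the following added example (not part of the original post) decodes the openmeeting.swf launcher string quoted above and lists every parameter, at any nesting level, whose value is a URL or a bare host[:port]. The function names `host_refs` and `leaked` are made up for this sketch.

```python
import re
from urllib.parse import unquote, urlsplit

# Launcher parameter string for openmeeting.swf, copied from the post above.
LAUNCHER = (
    "swfUrl=http://connect.happysmile.com/common/meeting/shell/shell.swf"
    "%3Froom%3D67166;session%3DMyBreezeCookie%26ticket%3Dn7tf5479p9xi"
    "%26proxy%3Dfalse%26appInstance%3D7/67166/"
    "%26aicc_url%3Dhttp%3A%2F%2Fconnect.happysmile.com%2Fservlet%2Fverify"
    "%3Fsco-id%3D67166%26host%3Dconnect.happysmile.com%26path%3D/petes1"
    "%26sco-id%3D67166%26ticket%3Dn7tf5479p9xi%26transcript-id%3D69717"
    "%26protos%3Drtmps:443%26origins%3Dlocalhost:8506"
    "%26edges%3Dhappymeeting.com%26lang%3Den%26account_id%3D7"
    "&htmlUrl=http://connect.happysmile.com/petes1%3Flauncher%3Dfalse"
    "&mode=auto&msg=&lang=en&close_meeting="
)

# A bare "host" or "host:port" value; requires a dot unless it is localhost.
HOSTPORT = re.compile(r"(localhost|[a-z0-9-]+(?:\.[a-z0-9-]+)+)(?::\d+)?", re.I)

def host_refs(params, prefix=""):
    """Return (key path, hostname) for every host-bearing parameter, any depth."""
    found = []
    for pair in filter(None, params.split("&")):
        key, _, raw = pair.partition("=")
        value, path = unquote(raw), prefix + key
        if "://" in value:                      # URL-valued parameter
            found.append((path, urlsplit(value).hostname))
            # The URL's own query string is another layer of parameters.
            found += host_refs(value.partition("?")[2], path + ".")
        else:
            m = HOSTPORT.fullmatch(value)       # bare host or host:port
            if m:
                found.append((path, m.group(1).lower()))
    return found

def leaked(params, internal_hosts):
    """Key paths that still name an internal host after proxy rewriting."""
    return [p for p, h in host_refs(params) if h in internal_hosts]

if __name__ == "__main__":
    for path, host in host_refs(LAUNCHER):
        print(f"{path:18} {host}")
```

Running `leaked()` on the string as rewritten by the proxy shows whether any parameter still carries the internal name; an empty result means the name reaches the client some other way than this parameter string.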
#2 2008-12-10 04:55:00
- Peter.Kehl
- Member Rank: New Member
- Posts: 3
Re: SWF parameters/traffic when proxying under different domain/URI
ACCEPTED SOLUTION
My findings and work-around limitations of Adobe Connect when reverse-proxying it
- external and internal server name of the Connect service must be the same. Otherwise the client (SWF or Add-In) learns from the server what the server calls itself, and it tries to talk to the server under that (internal) name.
--- When I've tried to have different external and internal names, I also replaced all references to the internal server name from URI of HTTP requests (at least the references I could see). I've done it by Apache RewriteRules. But even then the client learned about the internal name and used it.
- it's OK to SSL-ize on the reverse proxy, i.e. use https for external protocol and http for internal protocol. The client works fine.
About single-signing via Novell iChain
If you use Novell iChain (reverse proxy, SSLizer and a single sign-on manager) and you turn on passing authorization header, then beware:
- for users with Connect login and password, it's OK to pass iChain Authorize headers to the Connect server. The header is ignored.
- when a guest accesses a meeting, then do not pass iChain Authorize headers to the Connect server. Otherwise you'll get an HTTP authentication form mentioning 'Durin'. That's after I logged the guest in using /system/login-guest API call and the guest already has BREEZESESSION cookie. (This happens only while testing guest access via a fully password-protected iChain; my real guests don't have iChain passwords).
My solution with Novell iChain
Requirements:
iChain-based single-sign on for employees
nice guest form for external guests
Solution: A proxy with business logic that single-signs on and redirects employee meeting links.
Use Apache2 with mod_rewrite, mod_proxy, mod_headers and mod_setenvif, mod_php and PHP5. Note that Connect URIs get very long, and Apache2 core/rewrite logs truncate the log lines after ca. 1240 letters! Ethereal/tcpdump/wireshark is very handy to check both long URIs and HTTP headers.
Have 2-3 iChain rules:
/internal/* is password-protected
You may want to password-protect /admin. Anything else is public.
Employees use links like connect.myhappycompany.com/meeting-name. Guests use links like connect.myhappycompany.com/guest/meeting-name.
Then I have several Apache rules in a vhost config:
#outside <Directory> - otherwise RewriteRules work differently
RewriteEngine on
# browser-redirect to /internal/meeting-name
# Capture requests coming from the Windows Or Mac (or any) Connect Add-in
RewriteCond %{HTTP_REFERER} ^.*connectaddin.*$ [nocase]
RewriteRule (.*) http://connect.myhappycompany.com$1 [P,L]
# Following is only when testing guest access via fully password-protected iChain accelerator:
# Following RewriteRule doesn't change any URL. I just use it for its side effect - to set
# HAS_BREEZE_SESSION.
# We need to set HAS_BREEZE_SESSION to control the following RequestHeader. But
# we can't set HAS_BREEZE_SESSION in SetEnvIf, because we can't use cookies
# in condition part of SetEnvIf. Therefore we use RewriteRule
# only for its side effect - to set an environment variable based on Cookie.
RewriteCond %{HTTP_COOKIE} BREEZESESSION [nocase]
RewriteRule .* - [env=HAS_BREEZE_SESSION:TRUE]
RequestHeader unset Authorization env=HAS_BREEZE_SESSION
# We need to rewrite this to itself and also to actually have favicon.ico under webroot.
# If we didn't rewrite it then it was handled by another rule that rewrote it to /internal/favicon.ico.
# If we rewrite /favicon.ico to itself but there was no favicon.ico under webroot, then
# Apache tried to invoke /error/HTTP_NOT_FOUND.html.var which later on redirected to
# http(s)://connect.myhappycompany.com/internal/error/HTTP_NOT_FOUND.html.var - before I used ErrorDocument
# That made things very confusing when testing without iChain
RewriteRule ^/favicon.ico$ /favicon.ico [QSA,L]
# Redirect / to /internal/admin/home so that admin interface is iChain-protected
# and single-signed on. Must not have trailing / - Connect requirement.
RewriteRule ^/?$ https://connect.myhappycompany.com/internal/admin/home [R,L]
# /internal/.* request - already authorized by iChain - but no cookie.
# We call set_breeze_cookie.php which logs
# the user on to Connect via its API and passes the cookie to the browser. Then it redirects them
# to the page they requested - /meeting-name.
RewriteRule ^/internal/(.*) /internal/set_breeze_cookie.php?/$1 [L]
# Similar to how we handle /internal/* just above
RewriteCond %{HTTP_COOKIE} !BREEZESESSION [nocase]
RewriteRule ^/admin/(.*) /internal/set_breeze_cookie.php?/admin/$1 [L]
# Some rules to handle special URLs under /guest
# When a guest visits /guest/meeting-name for the 1st time - with no cookie, then the above
# mechanism kicks in and it redirects to /meeting-name which works fine.
# But if the guests visits /guest/meeting-name again and with a cookie, then the above does
# not activate. If we didn't have the following rule then it would proxy to
# http://connect.myhappycompany.com/guest/meeting-name which would not work!
# Therefore here we client-redirect the guest to /meeting-name
RewriteCond %{HTTP_COOKIE} BREEZESESSION [nocase]
RewriteRule ^/guest/(.*) https://connect.myhappycompany.com/$1 [R,L]
RewriteCond %{HTTP_COOKIE} !BREEZESESSION [nocase]
RewriteRule ^/guest/(.*) /guest/login_form.php?room=$1 [QSA,L]
RewriteCond %{HTTP_COOKIE} !BREEZESESSION [nocase]
# Request with no cookie and other than /internal or /guest or /admin - so it
# must be /meeting-name, therefore let's client-redirect
# them to /internal/meeting-name. Here we specify https, because if we
# just redirected to /internal$1 Apache would generate the redirection
# link as http!
RewriteRule (.*) https://connect.myhappycompany.com/internal$1 [R,L]
# Any other requests have the cookie set already - so just pass to the Connect server
RewriteRule (.*) http://connect.myhappycompany.com$1 [P,L]
Last edited by Peter.Kehl (2008-12-10 06:28:53)
Offline
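The order of the rewrite rules above decides what happens to each request, so a small model of the chain is useful as a routing regression test before changing them. This is an added example, not Peter's code: it approximates mod_rewrite in virtual-host context, ignores query strings, and the action labels are made up.

```python
import re

BACKEND = "http://connect.myhappycompany.com"   # internal Connect server
PUBLIC = "https://connect.myhappycompany.com"   # name the browser sees

def route(path, cookie="", referer=""):
    """Return (action, target, auth_stripped) for one request path.

    auth_stripped says whether "RequestHeader unset Authorization" applies.
    """
    if "connectaddin" in referer.lower():
        # Rule 1 is [P,L] and keys on Referer alone. Rewriting stops before
        # HAS_BREEZE_SESSION is set, so Authorization is not unset on this path
        # and session checking is left entirely to the Connect server.
        return ("proxy", BACKEND + path, False)
    # The rules test only for the cookie name, not for a valid session.
    has_session = "breezesession" in cookie.lower()
    if path == "/favicon.ico":
        return ("serve", path, has_session)
    if path in ("", "/"):
        return ("redirect", PUBLIC + "/internal/admin/home", has_session)
    m = re.match(r"/internal/(.*)", path)
    if m:   # applies with or without a cookie
        return ("login", "/internal/set_breeze_cookie.php?/" + m.group(1), has_session)
    m = re.match(r"/admin/(.*)", path)
    if m and not has_session:
        return ("login", "/internal/set_breeze_cookie.php?/admin/" + m.group(1), False)
    m = re.match(r"/guest/(.*)", path)
    if m and has_session:
        return ("redirect", PUBLIC + "/" + m.group(1), True)
    if m:
        return ("guest_form", "/guest/login_form.php?room=" + m.group(1), False)
    if not has_session:
        return ("redirect", PUBLIC + "/internal" + path, False)
    return ("proxy", BACKEND + path, True)

if __name__ == "__main__":
    # Constructed sample requests: (path, Cookie header, Referer header)
    for args in [("/petes1",), ("/petes1", "BREEZESESSION=x"),
                 ("/guest/petes1",), ("/petes1", "", "connectaddin")]:
        print(args, "->", route(*args))
```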
#3 2009-06-11 02:08:55
- jheyne
- Member Rank: Participant
- Posts: 7
Re: SWF parameters/traffic when proxying under different domain/URI
Hello Peter,
I am trying to run Connect Pro via an Apache reverse proxy. First only HTTP and later HTTPS.
Could you tell me how you did it?
Do you use ProxyPass or mod_rewrite?
thanks and best regards
Joerg Heyne
Last edited by jheyne (2009-06-11 02:09:32)
Offline
#4 2009-06-11 04:03:28
- Peter.Kehl
- Member Rank: New Member
- Posts: 3
Re: SWF parameters/traffic when proxying under different domain/URI
Joerg,
I've used Apache mod_proxy in the reverse proxy mode. I've also used mod_rewrite, but that was for our extra functionality. All the details that I can provide are on this thread already and I'm not on the project anymore. For SSL (HTTPS) my company used Novell iChain, no idea on details.
Offline

