Domino SSL and Reverse Proxies
Aug 18, 2014, 10:11 AM
Domino's SSL stack has been long-in-the-tooth and awkward to deal with for a while. Until recently, this has mostly just resulted in the sort of stilted way you have to set up SSL keychains, using the Server Certificate Admin database initially and then "IKeyMan" more and more (specifically, an old version you need 32-bit Windows XP for, like a barbarian), but the job eventually got done.
However, as a post from Steve Pitcher points out, this is becoming rapidly impractical. While I generally second his point that Domino's SSL stack needs a revamp, I believe that the primary importance of that will be for the "secondary" protocols - SMTP, IMAP, LDAP - that require SSL for responsible use. For HTTP, however, I'm on board with the spirit of IBM's proposed workaround - IBM HTTP Server - though not the unsuitable reality of a Windows-only implementation.
The reason for this is my general infatuation with reverse proxying over the last few years. It started, actually, with the amazing article PHP: a fractal of bad design, which is required reading on its own, but the pertinent part is in the section on deployment. In it, the author dings PHP for its traditional deployment method of "just jam it directly into the web server" and instead proposes the "reverse proxy in front of an app server" scenario as generally preferable and easy to do. Having seen just that sort of setup with recommended Ruby on Rails deployments - where the Rails app has a small, local-only HTTP server that a "real" server proxies to - that percolated in my mind for a while. Domino is, after all, primarily an app server, and so this criticism of PHP applies just as much to it. A little while later, I had a reason to try that setup in order to host two distinct app types on the same server (ironically - or irresponsibly - deploying that very type of bad PHP setup in the process).
Over time, I improved my setup by using the WebSphere connector headers to cause Domino to view proxied requests as if they were coming directly, using SNI to allow multiple distinct SSL certificates on a single host, adding GeoIP headers at the nginx level, and setting up a sticky-session load balancer to share access between multiple servers and silently fail over when one goes down.
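As an added example (constructed for this post, not taken from it or from the later slides), this is the shape of an nginx configuration for the setup just described: one `server` block per certificate so nginx picks the certificate by SNI, the WebSphere connector headers that let Domino see the real client address and scheme, and an `ip_hash` upstream for sticky sessions that skips a backend that has stopped responding. Hostnames, addresses and paths are placeholders, and it assumes `HTTPEnableConnectorHeaders=1` is set in each Domino server's notes.ini.

```nginx
# Constructed example. Domino side: HTTPEnableConnectorHeaders=1 in notes.ini.
# Because that setting makes Domino trust the $WS* headers, the Domino HTTP
# port must be reachable only from the proxy, never directly from clients.

upstream domino_pool {
    ip_hash;    # sticky sessions in open-source nginx (by client address)
    # a server that fails 3 times in 30s is skipped until it recovers
    server 10.0.0.11:8080 max_fails=3 fail_timeout=30s;
    server 10.0.0.12:8080 max_fails=3 fail_timeout=30s;
}

server {                                  # plain HTTP only redirects
    listen 80;
    server_name app1.example.com app2.example.com;
    return 301 https://$host$request_uri;
}

server {                                  # selected by SNI: app1
    listen 443 ssl;
    server_name app1.example.com;
    ssl_certificate     /etc/nginx/certs/app1.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/app1.example.com.key;
    include /etc/nginx/domino-proxy.conf;
}

server {                                  # selected by SNI: app2
    listen 443 ssl;
    server_name app2.example.com;
    ssl_certificate     /etc/nginx/certs/app2.example.com.crt;
    ssl_certificate_key /etc/nginx/certs/app2.example.com.key;
    include /etc/nginx/domino-proxy.conf;
}

# --- /etc/nginx/domino-proxy.conf (shared by the SSL server blocks) ---
location / {
    proxy_pass http://domino_pool;
    proxy_http_version 1.1;
    proxy_set_header Host $host;
    # WebSphere connector headers; the header names are literal strings,
    # the values are nginx variables describing the real client request.
    proxy_set_header "$WSRA" $remote_addr;   # client IP
    proxy_set_header "$WSRH" $remote_addr;   # client host
    proxy_set_header "$WSSN" $host;          # server name requested
    proxy_set_header "$WSIS" True;           # request arrived over SSL
    proxy_set_header "$WSSC" https;          # scheme
    proxy_set_header "$WSPR" HTTP/1.1;       # protocol
    # optional GeoIP header; needs ngx_http_geoip_module and a geoip_country
    # database directive in the http block:
    # proxy_set_header X-Country-Code $geoip_country_code;
    proxy_next_upstream error timeout;       # silent failover to the other node
}
```

Check the result from the Domino side by looking at the client address Domino logs for a proxied request; if it is the proxy's own address rather than the client's, the connector headers are not being honoured.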
I'm now at the point where I pretty much consider it irresponsible to not use a reverse proxy in front of a production Domino deployment.
Is setting this up as easy as just giving ports 80 and 443 to Domino? Nope, not at all. Is it difficult, though? Not really. I managed to set it up readily, and I'm no admin. Other than a few rough edges IBM should shave off of Domino (such as the faux-SSL connector header triggering the crummy single-Internet-Site behavior), I've had the stated benefits and more of an IHS deployment for a long time and without having to use Windows in production. I strongly recommend that everyone view Domino as not a web server - instead, it's a back-end HTTP app server that can serve as a makeshift web server for development, but is best deployed behind a proper front end.
And totally coincidentally, I'll be giving a session on this very topic at MWLUG later this month (in the Open Source track). I'll specifically be discussing nginx, but the same principles would apply with other viable choices like Apache, IHS, or IIS.
Jesper Kiaer - Aug 18, 2014, 4:40 PM
Wish I could be at the session, since I am about to move my things to an Nginx reverse proxy soon. Maybe there will be some slides available afterwards?
Jesse Gallagher - Aug 18, 2014, 4:43 PM
Yep, I'll be posting the slides some time after the conference (gotta actually make them first!). If I'm really productive about it, I'll likely also write a tutorial blog post or series at some point.
Richard Moy - Aug 18, 2014, 7:01 PM
Jesper,
Sorry you will not be able to make it to MWLUG 2014. It is one of my defined sessions for the conference to attend, and I am looking forward to it. Everyone, don't create any emergencies for me on Friday afternoon, so I can attend.
Stephan H. Wissel - Aug 19, 2014, 12:36 AM
Nice one, looking forward to that deck (also won't make it to MWLUG). Did you play with nginx mod_pagespeed? Makes some very interesting behaviors. To see how it works with classic Domino and XPages might be interesting. Ping if you want to discuss.
Lars Berntrop-Bos - Aug 19, 2014, 10:49 AM
Does nginx run on IBM i?
Jesse Gallagher - Aug 20, 2014, 10:19 AM
I don't know if it runs on IBM i... I'd sort of doubt it, but it looks like Apache is on there, and that (or IHS) would do the job nicely as well, as long as it's up-to-date.
Steve Pitcher - Aug 20, 2014, 4:54 PM
Lars, I'd say it would work on IBM i. Haven't tried it, but it runs on AIX...so it should run on IBM i by way of PASE since PASE is AIX.
Sumit SN - May 1, 2015, 4:14 AM
Please forward documents for configuring nginx on Windows Server.