Configure a reverse proxy with ArcGIS Mission Server

A reverse proxy server is a computer that is deployed in a perimeter network (also known as a demilitarized zone [DMZ] or screened subnet) that handles requests from the internet and forwards them to the machines in your internal network. By forwarding requests, the reverse proxy server masks the identity of the machines behind your organization's firewall, which protects internal machines from being attacked directly by internet users. Additional security functions can be implemented in the reverse proxy server to further protect your internal network from outside users.

If your reverse proxy server supports a health check function, you can use the ArcGIS Mission Server health check endpoint to determine if the site is available to receive requests. This is useful to quickly determine if there's a software or hardware failure in the site. To do this, browse to https://machine.domain.com:20443/arcgis/rest/info/healthcheck, for example.

Note:

Starting at the 10.9 Enterprise release, administrators are able to configure Apache HTTPD with ArcGIS Mission Server more seamlessly. Administrators can now generate an Apache proxy configuration file via the admin API's Generate Proxy Configuration endpoint.

Generate a proxy configuration

Administrators are now able to configure Apache HTTPD through the ArcGIS Mission Server admin API.

  1. Sign in to the ArcGIS Mission Server Administrator Directory at https://machine.domain.com:20443/arcgis/admin/proxyGen as a user with administrator privileges.
  2. Enter the Top Context value of your reverse proxy; for example, entering topcontext will result in proxy directives that will route requests to https://my.reverse.proxy/topcontext. This context will be used to write the proxy directives and route requests appropriately based on the requests' protocol and context.
  3. Check the Set Context URLs check box to automatically set the appropriate ArcGIS Mission Server WebContextURL and WebSocketContextURL system properties when the request is submitted.
  4. For Proxy FQDN, enter the fully qualified domain name (FQDN) of your reverse proxy server; for example, my.reverse.proxy will result in proxy directives that will route requests to https://my.reverse.proxy/topcontext.
  5. For Format, choose an output.
  6. The default output format is html; however, you can choose to output the configuration file as json or file.
  7. Click Submit.

    You've successfully generated an Apache HTTPD configuration file and set the proper ContextURL system properties. Next, you will need to read the information displayed in this file and apply it to your Apache HTTPD proxy as necessary. Refer to your respective distribution's documentation to do this.

Add ArcGIS Mission Server to your reverse proxy server manually

You can configure your organization's reverse proxy server to communicate directly with ArcGIS Mission Server by adding the corresponding URLs to the proxy directives.

To configure an Apache HTTP server as a reverse proxy, enable Apache modules mod_ssl, mod_proxy, mod_proxy_http, and mod_proxy_wstunnel. To enable Apache modules, see the Apache documentation for the platform-specific configuration locations, for example:


LoadModule ssl_module modules/mod_ssl.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so

To complete the configuration of an Apache HTTP server as a reverse proxy, you'll need to set a combination of ProxyPass and ProxyPassMatch directives, and set the correct SSL settings. ArcGIS Mission Server uses HTTPS; as a result, you will need to configure Apache HTTP server SSL to use the same certificate uploaded to ArcGIS Mission Server as well:


##
## SSL Virtual Host Context
##
<VirtualHost _default_:443>
 
## Enable Proxy for SSL
SSLProxyEngine on
 
## If using a self-signed certificate on ArcGIS Mission Server, disable strict
## certificate verification
SSLProxyVerify none
 
## Proxy ArcGIS Mission Server URLs to the proper backend ports
## The order of these directives are important.

ProxyPass /topcontext/missions/ wss://machine.domain.com:20301/arcgis/missions/ disablereuse=On

ProxyPass /topcontext/ https://machine.domain.com:20443/arcgis/
ProxyPassReverse /topcontext/ https://machine.domain.com:20443/arcgis/
 
## Use the same SSL Certificate and Key as ArcGIS Mission Server
## (adjust path to your specific certificate locations)
SSLCertificateFile    /path/to/arcgis/mission/<server_cert>.pem
SSLCertificateKeyFile /path/to/arcgis/mission/<private_key>.pem
 
## End of ArcGIS Mission Server reverse proxy config                         https://machine.domain.com:20443/arcgis/

For ArcGIS Mission Server to appropriately create WebSocket communications to clients, it is required that you set the ArcGIS Mission Server WebContextURL and WebSocketContextURL system properties. This helps ArcGIS Mission Server construct the correct URLs on all resources it sends to the end user. Do the following to change the WebContextURL and WebSocketContextURL properties:

  1. Sign in to the ArcGIS Mission Server Administrator Directory at https://machine.domain.com:20443/arcgis/admin as a user with administrator privileges.
  2. Click system > properties > update.
  3. In the Properties text box, insert the following JSON, substituting your own ArcGIS Mission Server URL as seen by users outside your organization's firewall.
    {
       "WebContextURL": "https://machine.domain.com/mygis",
    "WebSocketContextURL":"wss://machine.domain.com/mygis"
    }
  4. Click Update.