Upstream (reverse) proxy with encryption for user connections

Use the Apache server to handle SSL encryption from users to PolicyCenter and thus reduce the processing burden of SSL encryption in Java on the PolicyCenter server. Use the following configuration building block.

#Encrypted Reverse Proxy
<VirtualHost *:portnumber>
 
  #Allow from the authorized remote sites only 
  <Proxy *>
    Order Deny,Allow
    Allow from all
  </Proxy>
 
  # Access to the root directory of the application server is not allowed
  <Directory />
    Order Deny,Allow
    Deny from all
  </Directory>
 
  #Access is allowed to the pc directory and its subdirectories for the authorized sites only
  <Directory /pc>
    Order Deny,Allow
    Allow from all
 
    # Never allow unencrypted communications
    SSLRequireSSL
 
    #The cipher key size must be at least 128 bits and
    #all communication must be secured
    SSLRequire %{SSL_CIPHER_USEKEYSIZE} >= 128 and %{HTTPS} eq "true"
  </Directory>
 
  #Classic command to take into account an Internet Explorer issue
  SetEnvIf User-Agent ".*MSIE.*" \
  nokeepalive ssl-unclean-shutdown \
  downgrade-1.0 force-response-1.0
 
  #Encryption secures communication between the Internet and the encrypted reverse proxy
  #List of the encryption levels available to Apache
  SSLEngine           on
  SSLCipherSuite      ALL:!ADH:!EXPORT56:RC4+RSA:+HIGH:+MEDIUM:+LOW:+SSLv2:+EXP:+eNULL
 
  #The virtual host authenticates itself to the user by presenting its certificate
  SSLCertificateFile      conf/<certificate_filename>.crt

  #Communication security relies on the private key, which is protected by
  #a pass-phrase script.
  SSLCertificateKeyFile   conf/<certificate_filename>-secured.pem

  #The virtual host maps the request to the internal Guidewire product instance
  ProxyPass           /<product>400 <url of the product server>
  ProxyPassReverse     /<product>400 <url of the product server>

  #Logs redirected to appropriate location
  ErrorLog      logs/encrypted_<product>.log

</VirtualHost>
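The same building block written for Apache httpd 2.4 (mod_ssl and mod_proxy_http) with tightened TLS settings, as an added example that is not part of the product documentation. In an OpenSSL cipher string a leading "+" only moves ciphers to the end of the list, so the legacy string above still offers the LOW and export classes pulled in by ALL, and <Directory> rules match filesystem paths rather than proxied URLs, which is why the access checks here sit in <Location>. The 203.0.113.0/24 range is a constructed placeholder for the authorized remote sites; the other placeholders are the ones used above.

```apache
# Added example: Apache httpd 2.4 variant of the encrypted reverse proxy block.
# Values in <...> and the 203.0.113.0/24 range are placeholders to replace.
<VirtualHost *:portnumber>

  # Act as a reverse proxy only, never as a forward proxy
  ProxyRequests Off

  SSLEngine           on
  # Drop the legacy protocol versions; TLS 1.2 and later remain
  SSLProtocol         all -SSLv3 -TLSv1 -TLSv1.1
  # HIGH leaves out the LOW and export classes; !aNULL removes anonymous suites
  SSLCipherSuite      HIGH:!aNULL:!MD5
  SSLHonorCipherOrder on

  SSLCertificateFile      conf/<certificate_filename>.crt
  SSLCertificateKeyFile   conf/<certificate_filename>-secured.pem

  # Proxied URLs are not mapped to the filesystem, so the rules are placed
  # in <Location> (URL space) instead of <Directory>
  <Location "/">
    Require all denied
  </Location>

  <Location "/<product>400">
    <RequireAll>
      # Authorized remote sites only
      Require ip 203.0.113.0/24
      # Refuse any request that did not arrive over SSL/TLS
      Require ssl
      # Enforce the 128-bit minimum key size
      Require expr "%{SSL_CIPHER_USEKEYSIZE} -ge 128"
    </RequireAll>
  </Location>

  ProxyPass           /<product>400 <url of the product server>
  ProxyPassReverse    /<product>400 <url of the product server>

  ErrorLog      logs/encrypted_<product>.log

</VirtualHost>
```

Running apachectl configtest after substituting the placeholders confirms that the syntax is accepted and the required modules are loaded.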