Reverse Proxy Integration

unblu can be used with or without a reverse proxy but there are a number of general benefits to using a reverse proxy such as load balancing or security, and it allows you to remove the need for direct access to your servers.

The main benefit of integrating a reverse proxy, in the case of the unblu product, is that it allows you to use the SecureFlow Manager. The SecureFlow Manager can be used inside the filter chain of a reverse proxy to inject the snippet dynamically and accommodate co-browsing-specific communication automatically.

For maximum security we recommend SecureFlow Manager integration due to its ability to capture and secure resources (such as CSS, images, session-specific pdf).

architecture-with-secure-flow-manager-05122018.png

Avoid using Microsoft Browsers with your Web Server or use the Configuration below

Although unblu works with all current and popular browsers on the market, there can sometimes be problems specific to the combination of application server/browser/configuration that are out of unblu's control.

Such a problem can occur when using Microsoft Internet Explorer or Microsoft Edge with a web server. Note that here, for the sake of clarity, we use the example combination of a Microsoft browser and an Apache server. But while this seems to be the most common setup where this issue is reproduced be aware that it can happen with any modern web server communicating with a Microsoft browser. Also note that, at time of writing, Microsoft has closed the issue as they are apparently unable to reproduce it. This means that you must take action to fix the issue.

The default 'keep-alive' timeout interval for Apache Tomcat is 20 seconds. The default for Apache httpd is only 5 seconds. In order to ensure optimal performance this value must be increased to at least 75 seconds.

Most modern application servers have a timeout value either equal to or greater than 75 seconds (or a more sophisticated way of handling requests where the timeout is either longer or shorter according to load).

Note that this problem generates the following error code: "Network Error 0x2ef3, Could not complete the operation due to error 00002ef3."

WARNING! Apache Web Server / Internet Explorer 'Keep-Alive' setting

If you use an Apache web server with Internet Explorer you must increase the Default HTTP persistent connection idle timeout value to at least 75s. Failure to do so may cause a timeout. You may choose to do this using one of the following methods.

  1. Configure the involved HTTP infrastructure (including the application server, proxies, firewall and load balancer) to have KeepAliveTimeout set to 75 seconds.

  2. Configure the involved HTTP infrastructure (including the application server, proxies, firewall and load balancer) to have KeepAliveTimeoutset to 75 seconds depending on the user agent (only for Internet Explorer).

  3. Configure the involved HTTP infrastructure (including the application server, proxies, firewall and load balancer) to selectively turn off KeepAlivefor Internet Explorer.

  4. Set unblu heartbeat to 1 second. (com.unblu.nio.heartbeatInterval=1)

Caution: If workaround 4 is chosen: This MUST be removed if you use 4.2, or above. We recommend using one of the first three solutions, if possible.

Custom Proxies

If you have your own proxy setup in Apache, make sure that it is a non-caching reverse proxy that does not deliver its own (cached) content. Cached content is not processed by mod_unblufilter and cannot be co-browsed.

Note: Only symmetric mappings should be used. Do not use asymmetric mappings!

Examples of symmetric mappings:

map / to <unbluServer>/

or

/unblu/ to <unbluServer>/unblu)

System Path Information

unblu path mappings. Configure according to your unblu.properties setup

set static::${env_prefix}unblu_public_path "/unblu"
set static::${env_prefix}unblu_system_path "/sys-unblu"
set static::${env_prefix}unblu_restricted_path "/co-unblu"

Installing the SecureFlow Manager (Filter)

Filter Specification

SecureFlow Manager (Filter)

Managing Restricted Resources without the SecureFlow Manager (filter)

  • deployonprem

results matching ""

    No results matching ""