Set up a reverse proxy server with Workflow Manager

Available with Workflow Manager license.

A reverse proxy server is a computer that is usually deployed in a perimeter network (also known as a demilitarized zone [DMZ] or screened subnet) that handles requests from the internet and forwards them to the machines in your internal network. By forwarding incoming requests, the reverse proxy masks the identity of the machines behind your organization's firewall and protects internal machines from direct attacks by internet users.

ArcGIS Workflow Manager Server can optionally be configured to use your organization's reverse proxy server. If your organization does not use a reverse proxy server, or you do not want to configure a reverse proxy with Workflow Manager Server, configure Workflow Manager with an ArcGIS Enterprise portal.

Add Workflow Manager Server to a reverse proxy server

Workflow Manager Server requires path-based request routing between two back-end ports: 6443 for ArcGIS Server connections and 13443 for Workflow Manager Server connections.

ArcGIS Web Adaptor performs routing as part of its default configuration, so a layer 3/4 or layer 7 reverse proxy can be placed in front of ArcGIS Web Adaptor in the network path for client access. If you choose not to use ArcGIS Web Adaptor in the network path, a layer 7 reverse proxy is required to route requests between clients and Workflow Manager Server.


Layer 3/4 reverse proxy

Layer 3/4 reverse proxies pass websocket protocol traffic by default, without additional configuration. They require an installation of ArcGIS Web Adaptor to properly route to the back-end targets.

Layer 7 reverse proxy

In the following examples, https://example.domain.com/server is used as the service URL and FQDN1 and FQDN2 are used as the back-end target host names. If you're using a single Workflow Manager Server machine, there is only one host in the target group.

Configure with ArcGIS Web Adaptor in the network path

In this example, the back-end hosts, FQDN1 and FQDN2, are hosting an ArcGIS Web Adaptor named server. Workflow Manager requires websocket traffic to be passed through the reverse proxy from connecting clients. Traffic can be balanced using a round robin algorithm with health checks configured on the back-end targets to ensure that the web server is passing traffic as expected.

The following is a configuration template for enabling the websocket protocol in an Apache httpd configuration:


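RewriteEngine On
# Match only requests that ask to upgrade the connection to the websocket protocol.
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} Upgrade [NC]
# [P] hands the matched request to mod_proxy; [L] stops further rewrite processing.
RewriteRule ^/server/workflow/(.*)? "balancer://wss_webadaptor_endpoint/$1" [P,L]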

<Proxy balancer://wss_webadaptor_endpoint>
    BalancerMember wss://FQDN1/server
    BalancerMember wss://FQDN2/server
</Proxy>

The following uses https://example.domain.com/server as the services URL and FQDN1 and FQDN2 as the machine host names for routing traffic to the web adaptor hosts:


ProxyPass /server balancer://webadaptor_endpoint/server
ProxyPassReverse /server balancer://webadaptor_endpoint/server

<Proxy balancer://webadaptor_endpoint>
    BalancerMember https://FQDN1/server
    BalancerMember https://FQDN2/server
</Proxy>

Configure without ArcGIS Web Adaptor in the network path

If you choose not to use ArcGIS Web Adaptor in the network path, a layer 7 reverse proxy is required to route requests between clients and Workflow Manager. The X-Forwarded-Host header must be set on the proxied requests to the value of the original client Host header.

The following is a configuration template for enabling the websocket protocol in an Apache httpd configuration:


RewriteEngine On
# Match only websocket upgrade requests and send them to the Workflow Manager port (13443).
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteCond %{HTTP:Connection} Upgrade [NC]
RewriteRule ^/server/workflow/(.*)? "balancer://workflow_endpoint_wss/$1" [P,L]

<Proxy balancer://workflow_endpoint_wss>
    BalancerMember wss://FQDN1:13443
    BalancerMember wss://FQDN2:13443
</Proxy>

When setting up the back-end targets, path-based rules must be implemented on the load balancer to send traffic to the ArcGIS Server and Workflow Manager web servers.

The following uses https://example.domain.com/server as the services URL and FQDN as the machine host name in the example template for path-based routing rules. Client requests to https://example.domain.com/server/workflow/* must be directed to https://FQDN:13443/workflow, while requests to the top-level and other subpaths of https://example.domain.com/server/* must be directed to https://FQDN:6443/arcgis.

The following is a configuration template for adding path-based routing rules for forwarding client requests:


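# Keep the more specific /server/workflow rule first: ProxyPass rules are
# checked in configuration order and the first match wins.
ProxyPass /server/workflow balancer://workflow_manager_endpoint/workflow
ProxyPassReverse /server/workflow balancer://workflow_manager_endpoint/workflow

# All other /server paths go to ArcGIS Server on port 6443.
ProxyPass /server balancer://server_endpoint/arcgis
ProxyPassReverse /server balancer://server_endpoint/arcgis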

<Proxy balancer://server_endpoint>
    BalancerMember https://FQDN1:6443
    BalancerMember https://FQDN2:6443
</Proxy>

<Proxy balancer://workflow_manager_endpoint>
    BalancerMember https://FQDN1:13443
    BalancerMember https://FQDN2:13443
</Proxy>
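
The path-based template above only routes as described if the /server/workflow rule comes before the /server rule, because Apache uses the first ProxyPass that matches. The following Python check is an added example, not part of the original page: it parses the template, resolves where a client path is sent, and reports rules hidden by an earlier one. The function names, the SWAPPED variant and the sample paths are constructed here, and the prefix matching is a simplified model of ProxyPass.

```python
import re
# The page's path-based routing template (ProxyPassReverse lines left out).
TEMPLATE = """\
ProxyPass /server/workflow balancer://workflow_manager_endpoint/workflow
ProxyPass /server balancer://server_endpoint/arcgis
<Proxy balancer://server_endpoint>
    BalancerMember https://FQDN1:6443
    BalancerMember https://FQDN2:6443
</Proxy>
<Proxy balancer://workflow_manager_endpoint>
    BalancerMember https://FQDN1:13443
    BalancerMember https://FQDN2:13443
</Proxy>
"""
_lines = TEMPLATE.splitlines()
SWAPPED = "\n".join([_lines[1], _lines[0]] + _lines[2:])  # constructed: rule order reversed

def parse(conf):
    """Return (ProxyPass rules in file order, balancer URL -> member URLs)."""
    rules, pools, current = [], {}, None
    for tok in filter(None, (line.split() for line in conf.splitlines())):
        if tok[0] == "ProxyPass" and len(tok) >= 3:
            rules.append((tok[1], tok[2]))
        elif tok[0] == "<Proxy" and len(tok) >= 2:
            current = tok[1].rstrip(">")
            pools[current] = []
        elif tok[0] == "</Proxy>":
            current = None
        elif tok[0] == "BalancerMember" and current and len(tok) >= 2:
            pools[current].append(tok[1])
    return rules, pools

def covers(prefix, path):  # whole-segment match: /server covers /server/x, not /serverx
    return path == prefix or path.startswith(prefix.rstrip("/") + "/")

def route(conf, path):
    """Back-end URLs a client path is proxied to; the first matching rule wins."""
    rules, pools = parse(conf)
    for prefix, target in rules:
        if covers(prefix, path):
            m = re.match(r"(balancer://[^/]+)(.*)", target)
            bases = [u + m.group(2) for u in pools.get(m.group(1), [])] if m else [target]
            return [b + path[len(prefix):] for b in bases]
    return []

def shadowed(conf):
    """ProxyPass prefixes that can never fire because an earlier rule covers them."""
    rules, _ = parse(conf)
    return [p for i, (p, _) in enumerate(rules) if any(covers(q, p) for q, _ in rules[:i])]
```

Running shadowed() over a proxy configuration before it is deployed flags a reordered rule set, which would otherwise send Workflow Manager requests to the ArcGIS Server port.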