Setting up a reverse proxy for Windchill

Abstract

The “Windchill Advanced Deployment Guide” describes how to set up a reverse proxy for Windchill. Why would that be useful?

  • Security: With a reverse proxy in front, clients never send requests directly to the Windchill system. This allows for tighter firewall settings.

  • Virtual machine setup without rehosting: When using VMs to manage multiple Windchill environments, e.g. development, testing and production, a reverse proxy allows for simple cloning without rehost work, because the proxy may have a completely different FQDN than the Windchill system.

Example Use Case

For the local development machine I use for a customer project, I wanted to try to get OIDC authentication against Keycloak going. Unfortunately, the dev system runs Windows, for which the relevant Apache module is not available, and the source code seems to be UNIX-only. Additionally, PTC uses a custom-built Apache 2.2, which is a bit ancient.

Example Setup

Task: set up a reverse proxy on my Mac which proxies requests to the Windows VM. The proxy FQDN I’ll use is proxy.ventum-dev.nexiles.cloud while the original FQDN of the WT VM is ventum-dev.nexiles.cloud.

Steps to do:

  • set two properties in Windchill to have Windchill render URLs for the proxy FQDN
  • set up an Apache reverse proxy on my Mac

Windchill Configuration

I created a nexiles-reverse-proxy.xconf and hooked it into the nexiles.xconf as usual:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Configuration SYSTEM "xconf.dtd">
<Configuration xmlns:xlink="http://www.w3.org/1999/xlink">
  <!-- nexiles-reverse-proxy.xconf -->
  <Property
      name="wt.server.codebase"
      value="http://proxy.ventum-dev.nexiles.cloud/Windchill"
      targetFile="codebase/wt.properties"
      overridable="true" />

  <Property
      name="wt.httpgw.mapCodebase"
      value="http://ventum-dev.nexiles.cloud/Windchill"
      targetFile="codebase/wt.properties"
      overridable="true" />

</Configuration>

Hook it up:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE Configuration SYSTEM "xconf.dtd">
<Configuration xmlns:xlink="http://www.w3.org/1999/xlink">
  <!-- nexiles.xconf -->

    ... many lines omitted ...

	<!-- Reverse Proxy -->
    <ConfigurationRef xlink:href="nexiles-reverse-proxy.xconf"/>

</Configuration>

I did the usual xconfmanager -p dance and restarted Windchill.

That’s it for Windchill!

Apache 2.4 Setup

I installed Apache 2.4 using Homebrew:

$ brew install apache2

Configuration files are in /usr/local/etc/httpd. I added the following changes:

--- httpd.conf.orig	2020-06-23 15:33:35.000000000 +0200
+++ httpd.conf	2020-06-23 17:38:05.000000000 +0200
@@ -49,7 +49,7 @@
 # prevent Apache from glomming onto all bound IP addresses.
 #
 #Listen 12.34.56.78:80
-Listen 8080
+Listen 127.0.0.1:80
 
 #
 # Dynamic Shared Object (DSO) Support
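Review bot: `Listen 127.0.0.1:80` makes the proxy reachable from this machine only, which fits a local dev proxy but is easy to forget later. Add a comment above the line saying the loopback bind is intentional, and note that the `ServerName` set in the VirtualHost further down has to resolve to 127.0.0.1 on this machine for a browser to reach the proxy under that name.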
@@ -128,10 +128,10 @@
 LoadModule setenvif_module lib/httpd/modules/mod_setenvif.so
 LoadModule version_module lib/httpd/modules/mod_version.so
 #LoadModule remoteip_module lib/httpd/modules/mod_remoteip.so
-#LoadModule proxy_module lib/httpd/modules/mod_proxy.so
-#LoadModule proxy_connect_module lib/httpd/modules/mod_proxy_connect.so
+LoadModule proxy_module lib/httpd/modules/mod_proxy.so
+LoadModule proxy_connect_module lib/httpd/modules/mod_proxy_connect.so
 #LoadModule proxy_ftp_module lib/httpd/modules/mod_proxy_ftp.so
-#LoadModule proxy_http_module lib/httpd/modules/mod_proxy_http.so
+LoadModule proxy_http_module lib/httpd/modules/mod_proxy_http.so
 #LoadModule proxy_fcgi_module lib/httpd/modules/mod_proxy_fcgi.so
 #LoadModule proxy_scgi_module lib/httpd/modules/mod_proxy_scgi.so
 #LoadModule proxy_uwsgi_module lib/httpd/modules/mod_proxy_uwsgi.so
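Review bot: the `mod_proxy_connect.so` line is uncommented here, but the VirtualHost added at the end of this patch only uses `ProxyPass` and `ProxyPassReverse` with http:// targets, which need `mod_proxy` and `mod_proxy_http`. `mod_proxy_connect` handles the CONNECT method and can stay commented out so that no unused proxy code is loaded. The same patch uses a `Header` directive, so confirm that `mod_headers` is loaded, since no LoadModule change for it is shown.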
@@ -532,3 +532,30 @@
 SSLRandomSeed connect builtin
 </IfModule>
 
+
+# WT Proxy
+<VirtualHost *:80>
+    # ProxyPreserveHost On
+    Header set Access-Control-Allow-Origin "*"
+
+    ProxyPass         / <http://ventum-dev.nexiles.cloud/>
+    ProxyPassReverse  / <http://ventum-dev.nexiles.cloud/>
+
+    ErrorLog "/usr/local/var/log/httpd/proxy_error_log"
+    CustomLog "/usr/local/var/log/httpd/proxy_access_log" common
+
+    ServerName proxy.ventum-dev.nexiles.cloud
+</VirtualHost>
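Review bot: `Header set Access-Control-Allow-Origin "*"` in the new VirtualHost applies to every response proxied from Windchill, so a page from any origin may read those responses cross-site. Unless something specific needs it, drop the header, or set it to the single origin that does. Both the listener and the `ProxyPass` target are plain http://, which is worth revisiting before OIDC logins go through this proxy.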

Results

We have “rehosted” Windchill without actually doing so:
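One way to check that result, as an added example that is not part of the original post: it scans a response received through the proxy for absolute URLs that still point at the Windchill VM, which would send clients past the proxy. Hosts are compared exactly, because the backend FQDN is a suffix of the proxy FQDN and a substring search would flag correct URLs; the function names and sample responses are constructed for illustration.

```python
import re

# Windchill VM FQDN from the post; the proxy is proxy.<this name>.
BACKEND_HOST = "ventum-dev.nexiles.cloud"

# Absolute http(s) URL; group 1 is the host, without port or path.
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)(?::\d+)?[^\s\"'<>]*", re.IGNORECASE)
# Response headers that can carry a URL back to the client.
URL_HEADERS = {"location", "content-location", "refresh", "link"}


def backend_urls(text, backend=BACKEND_HOST):
    """Return URLs in text whose host is exactly the backend FQDN."""
    return [m.group(0) for m in URL_RE.finditer(text)
            if m.group(1).lower().rstrip(".") == backend.lower()]


def audit_response(raw):
    """Split a raw HTTP response and list (where, url) backend references."""
    head, _, body = raw.partition("\r\n\r\n")
    leaks = []
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() in URL_HEADERS:
            leaks += [(name.strip(), u) for u in backend_urls(value)]
    leaks += [("body", u) for u in backend_urls(body)]
    return leaks


# Constructed responses, as a client would receive them through the proxy.
GOOD = ("HTTP/1.1 302 Found\r\n"
        "Location: http://proxy.ventum-dev.nexiles.cloud/Windchill/app/\r\n"
        "\r\n")
LEAKY = ("HTTP/1.1 200 OK\r\n"
         "Content-Type: text/html\r\n"
         "\r\n"
         '<a href="http://ventum-dev.nexiles.cloud/Windchill/app/">Home</a>\n'
         '<img src="http://proxy.ventum-dev.nexiles.cloud/Windchill/logo.png">')

if __name__ == "__main__":
    for label, resp in (("good", GOOD), ("leaky", LEAKY)):
        print(label, audit_response(resp))
```

A backend URL in a redirect header points at the `ProxyPassReverse` mapping, while one in a page body points at the Windchill properties, since the proxy configured here does not rewrite bodies.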

This post is licensed under CC BY 4.0 by the author.