Configure Push notifications proxy for MobileFirst Server

Security guidelines or restrictions in some datacenters mandate that servers inside the datacenter cannot open outbound connections to the internet. The MobileFirst Platform Foundation (MFPF) server, however, needs to open outbound connections to platform-specific cloud push notification services such as Apple Push Notification service (APNs), Google Cloud Messaging (GCM) or the Windows Notification Service (WNS). In such cases, communicating via a proxy is a preferred option. A proxy can be configured to contact the push mediators and send out notifications, masking the MFPF server's identity.

This article discusses how to configure and send push notifications (to the mediator) via a proxy, and how to quickly test the feature. Currently, the MFPF server supports push notification through a proxy only for Android or iOS push.

This blog post merely demonstrates how to use the feature. IBM does not recommend any specific proxy or approach.

Google Cloud Messaging (GCM)

A push notifications proxy for GCM requires only an HTTP/TCP proxy. A normal forward proxy configuration is sufficient to get the GCM push proxy working, and any HTTP/TCP proxy can be used. For testing and illustration, we have used Apache web server in a forward proxy configuration. You can obtain Apache web server here.

Once you have downloaded and installed Apache web server, navigate to the httpd.conf file under the "conf" folder. In httpd.conf, load and enable the proxy modules:

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so
LoadModule proxy_http_module modules/mod_proxy_http.so

In httpd.conf, find the section on proxy server directives. Configure the forward proxy by making the following changes:

# Proxy Server directives. Uncomment the following lines to enable the proxy server:
<IfModule mod_proxy.c>
#Enable the forward proxy server. Note: Do not use the ProxyRequests directive if
#all you require is reverse proxy.
ProxyRequests On
<Proxy *>
    Order deny,allow
#    Deny from all
    Allow from all
</Proxy>
...
</IfModule>
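
With `Allow from all` and `Deny from all` commented out, the block above accepts proxy requests from any client that can reach the proxy. A tighter variant for use beyond a quick test follows, as an added example that is not part of the original article; the address 192.0.2.10 is a placeholder for the MFPF server, and port 443 assumes GCM is reached over HTTPS:

```apache
<IfModule mod_proxy.c>
    # The forward proxy is still needed for the MFPF server's outbound GCM traffic.
    ProxyRequests On

    # Permit CONNECT tunnels to the HTTPS port only
    # (assumption: the GCM endpoint is reached on 443).
    AllowCONNECT 443

    <Proxy *>
        # Apache 2.2 syntax, matching the article. With "Order deny,allow" the
        # Deny rules are evaluated first and matching Allow rules override them,
        # so only the listed address may use the proxy.
        Order deny,allow
        Deny from all
        # Placeholder address: replace with the MFPF server's IP.
        Allow from 192.0.2.10
        # Apache 2.4 equivalent of the three access-control lines above:
        #   Require ip 192.0.2.10
    </Proxy>
</IfModule>
```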

Start/restart your Apache Web server.

In the MFPF project, edit your worklight.properties file to configure GCM notifications to be routed through the proxy:

#########################################
#	Push GCM proxy settings
#########################################
push.gcm.proxy.enabled=true
# protocol may be either HTTP or HTTPS
push.gcm.proxy.protocol=HTTP
push.gcm.proxy.host=<proxy host>
# negative value means default port
push.gcm.proxy.port=<proxy port>
# empty user means no authentication
#push.gcm.proxy.user=
#push.gcm.proxy.password=

Deploy the runtime war file to the application server.

With this, the notifications sent out from the MFPF server to the GCM servers are routed through the proxy and not sent directly. You can verify that the notifications are indeed being dispatched through the proxy by observing the access logs or monitoring the interface at the proxy server machine:

[Screenshots not available]

Stopping the proxy will prevent the notifications from reaching GCM.

Apple Push Notification Service (APNs)

For APNs notifications, the MFPF server supports only a SOCKS proxy. Both SOCKS4 and SOCKS5 protocol versions are supported. SOCKS5 comes with enhancements to SOCKS4, including authentication support. As of version 7.1, a SOCKS5 proxy with authentication is not supported by the MFPF server.

The use of ssh tunneling to create a SOCKS proxy may not be suitable for production use. Use it with due diligence, after reviews with the relevant IT or network teams at the user's end have been carried out.

Create a SOCKS5 proxy:

Commonly available SOCKS 4/5 proxies can be used. For illustration, we have used a SOCKS5 proxy created using ssh. This is essentially an ssh tunneling proxy. Enabling the ssh tunneling proxy creates a simple SOCKS5 proxy (or SOCKS4, depending on the version of the ssh client and server). This does not require any additional software installation. On Windows systems, the "putty" tool can be used to configure a SOCKS proxy.

On the system where MFPF server is installed, execute the following command. This creates a tunnelling proxy to the ssh server.

[Screenshot of the command not available]

Verify that the proxy server is listening for traffic at the specified port:

[Screenshot not available]

Go to the MFPF project and edit your worklight.properties file to configure APNs notifications to be routed through the SOCKS proxy:

#############################################
#	Push APNS proxy settings
#############################################
push.apns.proxy.enabled=true
# only SOCKS proxy is supported at the moment
push.apns.proxy.type=SOCKS
push.apns.proxy.host=127.0.0.1
push.apns.proxy.port=1080

Verify that the proxy server has established a connection with the APNs servers. A simple netstat command should show:

[Screenshot of the netstat output not available]

Stop the SOCKS proxy to verify whether the notifications can still be sent. The MFPF server log will show:

[Screenshot of the MFPF server log not available]

We have seen how the MobileFirst server can be configured to route notifications to APNs through a proxy. Commonly available HTTP/TCP proxies can be configured and used for GCM, and a SOCKS proxy for connecting to APNs.

Last modified on May 08, 2017