How can I protect access to GRIA using Apache in a DMZ?
This FAQ applies to: 5.1, 5.2
The most common way to set this up is to have your system administrator configure an existing public web-server in the DMZ to forward connections to a tomcat server on another machine running GRIA:
DMZ deployment scenario
Each arrow represents the establishment of a bi-directional TCP connection; the response message is returned on the same connection. Note that GRIA acts as a client when invoking methods on other services, so in that case GRIA needs the ability to establish outbound connections.
Your external firewall must be configured to allow connections to your web-server ("Apache" in the picture), which will have a static public address (no NAT). Your system administrator should configure Apache to forward all requests to the machine running Tomcat/GRIA on the internal network.
This can be done using the GRIA machine's internal address, but the firewall rules will need to be modified to allow the connection from Apache in the DMZ to the internal GRIA machine. GRIA comes with instructions for setting up Apache and Tomcat in this way.
Your system administrator can also configure Apache to trust only certain certificates, etc., if you want to limit who can access GRIA using the normal Apache mechanisms. This isn't strictly necessary, because GRIA implements its own access control system, but it provides an additional layer of security.
The most important point to remember when setting up the GRIA machine is that the endpoint address you configure must be the external address of the Apache server, not the name of the machine actually running GRIA. This is the address that clients will be given when creating new resources. The GRIA server must also be able to access itself using this same address (going via the Apache machine).
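The following Apache virtual host is an added example of the DMZ set-up described above (forwarding everything to Tomcat/GRIA on the internal network, with the optional client-certificate layer); it is not taken from the GRIA documentation. The hostnames gria.example.org (public name of the Apache server), gria-int.example.lan (internal Tomcat host), port 8080 and the certificate paths are assumptions, and the syntax is Apache 2.4.

```apache
# Added example, not from the GRIA distribution. Assumed names:
#   gria.example.org     public name of the Apache server in the DMZ
#   gria-int.example.lan internal machine running Tomcat/GRIA (port 8080)
# Required modules: mod_ssl, mod_proxy, mod_proxy_http, mod_headers.
# Firewall: allow DMZ -> gria-int.example.lan:8080, and allow the GRIA
# machine outbound to gria.example.org:443 so it can call itself.

<VirtualHost *:443>
    # The name clients use, and the endpoint address GRIA must be
    # configured with (not the internal Tomcat hostname).
    ServerName gria.example.org

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/gria.example.org.crt
    SSLCertificateKeyFile /etc/apache2/ssl/gria.example.org.key

    # Optional extra layer: only clients whose certificate chains to a CA
    # in this bundle get through. GRIA still applies its own access control.
    SSLCACertificateFile /etc/apache2/ssl/trusted-client-cas.pem
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Reverse proxy only; never let the DMZ host act as an open forward proxy.
    ProxyRequests Off
    # Pass the public Host header on so Tomcat sees gria.example.org.
    ProxyPreserveHost On
    <Proxy "*">
        Require all granted
    </Proxy>

    # Tell Tomcat the original scheme so any URLs it builds stay https.
    RequestHeader set X-Forwarded-Proto "https"

    # Forward all requests to Tomcat on the internal network and rewrite
    # Location headers in responses back to the public name.
    ProxyPass        / http://gria-int.example.lan:8080/
    ProxyPassReverse / http://gria-int.example.lan:8080/

    ErrorLog  ${APACHE_LOG_DIR}/gria-proxy-error.log
    CustomLog ${APACHE_LOG_DIR}/gria-proxy-access.log combined
</VirtualHost>
```

Bind Tomcat's connector to the internal interface only, so the proxy is the single way in, and confirm from the GRIA machine itself that https://gria.example.org/ resolves to and reaches Apache, since GRIA must call itself through that address.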
