Tuncay Sahin

ICT Engineer | ICT Lecturer & Trainer

Apache can be configured in reverse proxy (gateway) mode. In this mode Apache appears to clients just like an ordinary web server. The client makes ordinary requests for content in the name-space of the reverse proxy. The reverse proxy then decides where to send those requests, and returns the content as if it were itself the origin.

Reverse proxies can also be used to balance load among several back-end servers, or to provide caching for a slower back-end server. In addition, reverse proxies can be used simply to bring several servers into the same URL space.

 

Enable the proxy module

Reverse proxy support requires the following modules:

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

Please don’t forget to load mod_proxy_http, because you will not get any error message if it is not loaded.

Disable Proxy

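Because mod_proxy can also make Apache act as an (open) forward proxy server, prevent Apache from functioning as a forward proxy by setting ProxyRequests to Off.

ProxyRequests Off
# <Proxy *> also covers requests forwarded by ProxyPass; "Deny from all" here
# would answer them with 403, so access is allowed (forward proxying stays off).
<Proxy *>
Order deny,allow
Allow from all
</Proxy>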

In a typical reverse proxy or gateway configuration, this option should always be set to Off.
This does not disable the use of the ProxyPass directive.

Add Gateway Configuration

The following example allows a front-end machine to proxy a virtual host through to a server running on another machine.

<VirtualHost *:80>
    ProxyPreserveHost On
    ProxyPass / http://OriginServer/
    ProxyPassReverse / http://OriginServer/
    ServerName www.host.com
</VirtualHost>

The ProxyPreserveHost On directive will pass the Host: line from the incoming request to the proxied host, instead of the hostname specified in the ProxyPass line. This is required in case we are proxying multiple hostnames to a single machine.

The figure below demonstrates how it works:

[Figure: apache_gateway.png]

  1. A client browser sends an HTTP request addressed to a host called www.host.com on port 80. The Gateway (front-end) receives the request because it is acting as the origin server (the origin server’s advertised hostname resolves to the Gateway).
  2. The Gateway locates a rule in the configuration and forwards the request to the specified origin server (realhost.com).
  3. The Gateway opens an HTTP connection to the origin server (if the request cannot be served from cache).
  4. If the request is a cache hit and the content is fresh, then the Gateway sends the requested object to the client from the cache. Otherwise, the Gateway obtains the requested object from the origin server, sends the object to the client, and saves a copy in its cache if caching is enabled.

Caching

By caching frequently-accessed information at the edge of the network, you can improve network efficiency and performance. This brings content physically closer to end users, while enabling faster delivery and reduced bandwidth use.

# Sample Cache Configuration
LoadModule cache_module modules/mod_cache.so

<IfModule mod_cache.c>
    #LoadModule disk_cache_module modules/mod_disk_cache.so
    # If you want to use mod_disk_cache instead of mod_mem_cache,
    # uncomment the line above and comment out the LoadModule line below.
    <IfModule mod_disk_cache.c>
        CacheRoot c:/cacheroot
        CacheEnable disk /
        CacheDirLevels 5
        CacheDirLength 3
    </IfModule>

    LoadModule mem_cache_module modules/mod_mem_cache.so
    <IfModule mod_mem_cache.c>
        CacheEnable mem /
        MCacheSize 4096
        MCacheMaxObjectCount 100
        MCacheMinObjectSize 1
        MCacheMaxObjectSize 2048
    </IfModule>

    # When acting as a proxy, don’t cache the list of security updates
    CacheDisable http://security.update.server/update-list/
</IfModule>

SSL Reverse-Proxy

The ability to contact remote servers using the SSL/TLS protocol is provided by the SSLProxyEngine directive of mod_ssl.

LoadModule ssl_module modules/mod_ssl.so

<VirtualHost *:443>
    # Path to Server Certificate:
    SSLCertificateFile /etc/pki/tls/certs/server.cer
    # Path to Server Private Key:
    SSLCertificateKeyFile /etc/pki/tls/certs/private.key

    SSLEngine on
    ServerName ssl.domain.com
    SSLProxyEngine On
    ProxyPreserveHost On
    ProxyPass / https://172.168.10.51/
    ProxyPassReverse / https://172.168.10.51/

    # To offload SSL (The request is forwarded by http)
    #ProxyPass / http://172.168.10.51/
    #ProxyPassReverse / http://172.168.10.51/
</VirtualHost>
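
A small audit for the two settings discussed under Disable Proxy and SSL Reverse-Proxy, as an added example that is not part of the original article: it flags ProxyRequests On and any scope where SSLProxyEngine is on while the back-end certificate is not verified. SSLProxyVerify is a mod_ssl directive the article does not mention (its default is none); the function name audit_proxy_config and the sample text are constructed for illustration.

```python
import re

DIRECTIVE = re.compile(r"^([A-Za-z]\w*)\s+(.*)$")

# Constructed sample: the article's SSL virtual host, abbreviated.
SAMPLE = """\
ProxyRequests Off
<VirtualHost *:443>
SSLEngine on
SSLProxyEngine On
ProxyPass / https://172.168.10.51/
</VirtualHost>
"""


def audit_proxy_config(text):
    """Return findings for forward-proxy exposure and unverified TLS back ends."""
    findings = []
    scope = "global"
    engine, verify = {}, {}          # per-scope SSLProxyEngine / SSLProxyVerify
    for raw in text.splitlines():
        line = raw.strip()
        if line.lower().startswith("<virtualhost"):
            parts = line.strip("<>").split(None, 1)
            scope = "VirtualHost " + (parts[1] if len(parts) > 1 else "?")
        elif line.lower().startswith("</virtualhost"):
            scope = "global"
        match = DIRECTIVE.match(line)   # comments and <Section> lines do not match
        if not match:
            continue
        name, value = match.group(1).lower(), match.group(2).strip().lower()
        if name == "proxyrequests" and value == "on":
            findings.append(f"{scope}: ProxyRequests On (forward proxy enabled)")
        elif name == "sslproxyengine":
            engine[scope] = value == "on"
        elif name == "sslproxyverify":
            verify[scope] = value
    for scope, enabled in engine.items():
        # A virtual host inherits the global setting; the default is "none".
        effective = verify.get(scope, verify.get("global", "none"))
        if enabled and effective != "require":
            findings.append(f"{scope}: SSLProxyEngine On, SSLProxyVerify {effective}")
    return findings


if __name__ == "__main__":
    print("\n".join(audit_proxy_config(SAMPLE)))
```

SSLProxyVerify require also needs the trust anchors for the back end, set with SSLProxyCACertificateFile or SSLProxyCACertificatePath.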

 

Reverse Proxy Request Headers

When acting in a reverse-proxy mode, mod_proxy_http adds several request headers in order to pass information to the origin server. These headers are:

X-Forwarded-For: The IP address of the client.

X-Forwarded-Host: The original host requested by the client in the Host HTTP request header.

X-Forwarded-Server: The hostname of the proxy server.

Be careful when using these headers on the origin server, since they will contain more than one (comma-separated) value if the original request already contained one of these headers. For example, you can use %{X-Forwarded-For}i in the log format string of the origin server to log the original client's IP address, but you may get more than one address if the request passes through several proxies.
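
One way for the origin server to pick a reliable client address out of a multi-valued X-Forwarded-For, as an added example that is not code from the original article. The trusted gateway range 10.0.0.0/24 and the function name client_ip are assumptions made for illustration.

```python
import ipaddress

# Constructed assumption: the gateway(s) in front of this origin server.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Return the client address the origin server can rely on.

    peer_addr  -- address of the TCP peer (the gateway, if all is well)
    xff_header -- raw X-Forwarded-For value, or None if the header is absent
    """
    peer = ipaddress.ip_address(peer_addr)
    # A request that did not arrive through the gateway can carry anything in
    # the header, so only the socket address counts.
    if not _is_trusted(peer) or not xff_header:
        return str(peer)

    # Each proxy appends the address it saw, so the list is read from the
    # right; entries left of the first untrusted hop were supplied by the client.
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            # Malformed entry: stop and keep the last address that was verified.
            break
        if not _is_trusted(addr):
            return str(addr)
        peer = addr
    return str(peer)


if __name__ == "__main__":
    # Constructed header: the client sent "127.0.0.1", the gateway appended
    # the address it actually saw.
    print(client_ip("10.0.0.5", "127.0.0.1, 198.51.100.23"))
```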

Custom 503 Error Document

When the back-end server is not reachable, Apache generates a 503 Service Unavailable message. That means that the server is currently unavailable (because it is overloaded or down for maintenance). Replace this ugly message page with a user-friendly one by creating a custom error page that informs visitors that the website will be up again soon. To personalize your users’ experience even when they are experiencing problems, also include links to locations where they can go to get help or more information.

Then configure Apache to use the custom error page whenever this error occurs by adding the directive below to your VirtualHost.

ErrorDocument 503 /error-documents/503.html
