Introduction
Proxy, In general terms it means "a person who is authorized to act for another". In Server infrastructure, a Proxy Server do the same thing, It stands in for some other server, which should be kept away and hidden for so many reasons.
Proxy servers are used for both legal and illegal purposes. In the enterprise, a proxy server is used to facilitate security, administrative control or caching services, among other purposes. In a personal computing context, proxy servers are used to enable user privacy and anonymous surfing.
Forward proxies or just Proxy servers send the requests of a client onward to a web server. Users access forward proxies by directly surfing to a web proxy address or by configuring their Internet settings. Forward proxies apply various rules that have been instructed (or) implied by the organization's code of conduct or policy, they also act like firewalls and increase the privacy and security for an end user while he is surfing the web.
Some of the uses of Forward Proxies:
- Content Filtering ( Parental (or) Organization Controls)
- eMail security
- Compliance Reporting
What is Reverse Proxy
In computer networks, a reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client as if they originated from the proxy server itself.
Why Reverse Proxy
Popular web sites utilize reverse-proxying functionality, acting as shields for application frameworks with weaker HTTP capabilities. Reverse proxies can hide the existence and characteristics of an origin server or servers, So the user will be in the perception of receiving content from one website when he is actually NOT.
Some of the Uses of reverse proxies
- Reverse proxies can hide the existence and characteristics of an origin server or servers.
- Application firewall features can protect against common web-based attacks, such as DoS or DDoS. Without a reverse proxy, removing malware or initiating takedowns, for example, can become difficult.
- In the case of secure websites, a web server may not perform SSL encryption itself, but instead offloads the task to a reverse proxy that may be equipped with SSL acceleration hardware. (See SSL termination proxy.)
- A reverse proxy can distribute the load from incoming requests to several servers, with each server serving its own application area. In the case of reverse proxying in the neighborhood of web servers, the reverse proxy may have to rewrite the URL in each incoming request in order to match the relevant internal location of the requested resource.
- A reverse proxy can reduce load on its origin servers by caching static content, as well as dynamic content - also known as web acceleration. Proxy caches of this sort can often satisfy a considerable number of website requests, greatly reducing the load on the origin server(s).
- A reverse proxy can optimize content by compressing it in order to speed up loading times.
- Reverse proxies can operate wherever multiple web-servers must be accessible via a single public IP address. The web servers listen on different ports in the same machine, with the same local IP address or, possibly, on different machines and different local IP addresses altogether. The reverse proxy analyzes each incoming request and delivers it to the right server within the local area network.
- A reverse proxy can add basic HTTP access authentication to a web server that does not have any authentication.
Our Requirement
Our Requirement for this post is simple https://www.mwinventory.in/blog should be retrieving and displaying the content from https://blog.mwinventory.in
Points to Remember:
- The Origin URL/Server is HTTPS, Connection should be encrypted all the way to Origin Server ( SSL Offloading in other hand will terminate the SSL at apache level and send unencrypted connection to Origin Server)
- This Reverse proxy is based on URI. Reverse Proxy should work only when the www.mwinventory.in/blog - HTTP:PATH and HTTP:URI matches /blog . In other words, reverse proxy should not happen when www.mwinventory.in/any-thing-else or just www.mwinventory.in
- Query String in the URL will be preserved when reaching the Origin Server i.e: www.mwnventory.in/blog/index.htm?action=update would retrieve contents from https://blog.mwinventory.in/index.htm?action=update
How to Achieve this in Apache webserver
Method 1: Reverse proxy using Rewrite
Have this configuration under your Secure virtual host directive, on the HTTPD.conf ( or your own website.conf file )
<VirtualHost *:443> #Load the SSL module that is needed to terminate SSL on Apache LoadModule ssl_module modules/mod_ssl.so #This directive toggles the usage of the SSL/TLS Protocol Engine for proxy. Without this you cannot use HTTPS URL as your Origin Server SSLProxyEngine on # To prevent SSL Offloading # Set the X-Forwarded-Proto to be https for your Origin Server to understand that this request is made over HTTPS #https://httpd.apache.org/docs/2.2/mod/mod_headers.html#requestheader. RequestHeader set X-Forwarded-Proto “https” RequestHeader set X-Forwarded-Port “443” # This is a two step conditional reverse proxy, First line indicates the condition that should be met before the call getting reverse proxied # Here the condition is, Apply the Reverseproxy if the domain name, http_host name matches www.mwinventory.in, This will help if you name based virtual # hosting and hosted different websites on the same configuration # NC = No case (or) Case insensitive # P = this flag distinguish the normal rewrite from Reverse Proxy Rewrite [P] RewriteCond %{HTTP_HOST} ^(www.mwinventory.in)$ [NC] RewriteRule “/blog(.*)” “http://blog.mwinventory.in/$1” [P] # The CacheDisable directive instructs mod_cache to not cache urls CacheDisable * </VirtualHost>
Method2: Reverse Proxy using mod_Proxy
<VirtualHost *:443> #This directive toggles the usage of the SSL/TLS Protocol Engine for proxy. Without this you cannot use HTTPS URL as your Origin Server SSLProxyEngine on # To prevent SSL Offloading # Set the X-Forwarded-Proto to be https for your Origin Server to understand that this request is made over HTTPS #https://httpd.apache.org/docs/2.2/mod/mod_headers.html#requestheader. RequestHeader set X-Forwarded-Proto “https” RequestHeader set X-Forwarded-Port “443” # The ProxyPass directive specifies the mapping of incoming requests to the backend server (or a cluster of servers known as a Balancer group). # It proxies the requests only with matching URI “/blog” ProxyPass /blog https://blog.mwinventory.in/ #To ensure that and Location: headers generated from the backend are modified to point to the reverse proxy, instead of back to itself, #the ProxyPassReverse directive is most often required: ProxyPassReverse /blog https://blog.mwinventory.in/ # The CacheDisable directive instructs mod_cache to not cache urls CacheDisable * </VirtualHost>
Method3: Load Balancing with Two Origin Servers
What If I want to have two origin servers for a reverse proxy and wanted to load balance all the incoming requests ?
<VirtualHost *:443> #This directive toggles the usage of the SSL/TLS Protocol Engine for proxy. Without this you cannot use HTTPS URL as your Origin Server SSLProxyEngine on # To prevent SSL Offloading # Set the X-Forwarded-Proto to be https for your Origin Server to understand that this request is made over HTTPS #https://httpd.apache.org/docs/2.2/mod/mod_headers.html#requestheader. RequestHeader set X-Forwarded-Proto “https” RequestHeader set X-Forwarded-Port “443” #The balancer:// scheme is what tells httpd that we are creating a balancer set, with the name myset. It includes 2 backend servers, which httpd #calls BalancerMembers. In this case, any requests for /images will be proxied to one of the 2 backends. The ProxySet directive specifies that #the myset Balancer use a load balancing algorithm that balances based on I/O bytes. <Proxy balancer://myset> BalancerMember https://blog1.mwinventory.in BalancerMember https://blog2.mwinventory.in ProxySet lbmethod=bytraffic </Proxy> # The ProxyPass directive specifies the mapping of incoming requests to the backend server (or a cluster of servers known as a Balancer group). # It proxies the requests only with matching URI “/blog” ProxyPass /blog “balancer://myset/” #To ensure that and Location: headers generated from the backend are modified to point to the reverse proxy, instead of back to itself, #the ProxyPassReverse directive is most often required: ProxyPassReverse /blog “balancer://myset/” # The CacheDisable directive instructs mod_cache to not cache urls CacheDisable * </VirtualHost>
There are many other useful directives you should consider while setting up reverse proxy, For further reference please read the below article
https://httpd.apache.org/docs/2.4/howto/reverse_proxy.html
Rate this article [ratings]
Hope it helps.
Thanks,
Sarav
Follow me on Linkedin My Profile Follow DevopsJunction onFacebook orTwitter For more practical videos and tutorials. Subscribe to our channel
Signup for Exclusive "Subscriber-only" Content