Monday, April 20, 2015

Configure Apache http as Forward & Reverse Proxy

There are two possible configurations for Apache Proxy Server, and this how-to presents the installation and configuration of both types.

Apache Proxy Server
  1. Forward Apache Proxy is a proxy configuration that is commonly used in companies to give users access to the internet. Users or clients must configure their browsers or operating system to use the proxy server (Forward Apache Proxy) to be able to access the internet. This means that requests from all clients go through the Forward Apache Proxy, which then communicates with the destination servers, websites, … on the internet and responds back to the clients.
  2. Reverse Apache Proxy is a proxy configuration that works the other way around from the Forward Apache Proxy. The Reverse Apache Proxy configuration is used to enable users or clients from the internet to access websites or applications on the company's internal network, based on the reverse proxy rules that are configured. Reverse Apache Proxy provides internet clients access to servers behind a firewall.

FORWARD APACHE PROXY

1. Install Required Packages

First we must install the Apache (httpd) and mod_ssl packages on our server. Please note that in CentOS 7 Apache 2.4.X is available (in CentOS 5 and 6 Apache 2.2.X).
[root@geekpeek ~]# yum install httpd mod_ssl

2. Basic Forward Apache Proxy Configuration

We need to add a forward proxy configuration file to the “/etc/httpd/conf.d” location. We named it “forward-proxy.conf” and added the following content to it:

ProxyRequests On
ProxyVia On
ProxyTimeout 60

<Proxy *>
    Require local
    Require ip 192.168.1.0/255.255.255.0
</Proxy>

The “ProxyRequests” and “ProxyVia” parameters are needed to enable the proxy on Apache. “ProxyTimeout” is optional; it just lets a request fail gracefully if the server does not respond in a reasonable time. The “Require” parameters inside the “Proxy” directive define which clients are allowed to use the proxy.

You can add a specific IP address (as in my case) or a whole subnet (with a mask, like 192.168.1.0/255.255.255.0). The “Require local” line allows localhost requests. You could also use the “Require host hostname” directive. There are many more parameters available – this is just a basic configuration – read more about additional parameters HERE.
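A forward proxy that does not restrict its clients can be used by anyone who can reach it, so the “Require” lines are the part of this file worth checking automatically. The following is an added example, not part of the original post: a small Python check that assumes Apache 2.4 “Require” syntax as used above. The function name and both sample fragments are constructed for illustration.

```python
import re

# Constructed sample fragments in the style of forward-proxy.conf above.
RESTRICTED = """\
ProxyRequests On
<Proxy *>
    Require local
    Require ip 192.168.1.0/255.255.255.0
</Proxy>
"""
OPEN = """\
ProxyRequests On
<Proxy *>
    Require all granted
</Proxy>
"""

def audit_forward_proxy(conf_text):
    """Return findings for a forward-proxy fragment (hypothetical helper)."""
    proxy_on, in_proxy, blocks = False, False, []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # Apache comments start the line
            continue
        low = " ".join(line.lower().split())      # directives are case-insensitive
        if re.match(r"proxyrequests on\b", low):
            proxy_on = True
        elif re.match(r"<proxy\b", low):          # <Proxy ...>, not <ProxyMatch>
            in_proxy = True
            blocks.append([])
        elif low.startswith("</proxy"):
            in_proxy = False
        elif in_proxy and low.startswith("require "):
            blocks[-1].append(low[len("require "):])
    if not proxy_on:
        return []                                 # forward proxying is disabled
    findings = []
    if not blocks:
        findings.append("ProxyRequests On but no <Proxy> block restricts clients")
    for reqs in blocks:
        if not reqs:
            findings.append("<Proxy> block has no Require directive")
        elif "all granted" in reqs:
            findings.append("<Proxy> block allows all clients (open proxy)")
    return findings

if __name__ == "__main__":
    print("restricted:", audit_forward_proxy(RESTRICTED))
    print("open:", audit_forward_proxy(OPEN))
```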

3. Block WebSites

We can block the desired websites using “ProxyBlock” parameter. “ProxyBlock” parameter specifies a list of words, hosts or domains separated by spaces (a wildcard * would block all sites!) as follows:

ProxyRequests On
ProxyVia On
ProxyTimeout 60

ProxyBlock facebook.com plus.google.com twitter.com

<Proxy *>
   Require local
   Require ip 192.168.1.0/255.255.255.0
</Proxy>

4. Configure Forwarding to Second Proxy

If you work in a big company (or in other situations) there is a possibility your proxy is not the “last in line” out to the open world. In this case you need to configure a second proxy. This is the proxy your proxy will forward requests to in order to reach the internet. We can do this with the “ProxyRemote” parameter. The “ProxyRemote” parameter takes two arguments: a scheme, partial URL or ‘*’, and a proxy server. Using the wildcard ‘*’ will forward all requests to the second proxy.

ProxyRequests On
ProxyVia On
ProxyTimeout 60

ProxyBlock facebook.com plus.google.com twitter.com
ProxyRemote * http://second.proxy.com:8080

<Proxy *>
   Require local
   Require ip 192.168.1.0/255.255.255.0
</Proxy>

5. Configure NoProxy

If you configured a second proxy it is probably a good idea to use a “NoProxy” parameter. “NoProxy” parameter specifies a list of subnets, IP addresses, hosts and/or domains, separated by spaces which are always served directly without forwarding to the “ProxyRemote” address.

ProxyRequests On
ProxyVia On
ProxyTimeout 60

ProxyBlock facebook.com plus.google.com twitter.com
ProxyRemote * http://second.proxy.com:8080
NoProxy .geekpeek.net

<Proxy *>
   Require local
   Require ip 192.168.1.0/255.255.255.0
</Proxy>

REVERSE APACHE PROXY

1. Install Required Packages

At this stage we must install Apache (httpd) and mod_ssl package on our server. Please note that in CentOS 7 Apache 2.4.X is available (in CentOS 5 and 6 Apache 2.2.X).
[root@geekpeek ~]# yum install httpd mod_ssl

2. Basic Reverse Apache Proxy Configuration

We need to add a reverse proxy configuration file to the “/etc/httpd/conf.d” location. We named it “reverse-proxy.conf” and added the following lines to it:

ProxyRequests Off

ProxyPass /test1 http://192.168.1.10:8080/test1
ProxyPassReverse /test1 http://192.168.1.10:8080/test1

The “ProxyRequests” parameter does not need to be turned on when configuring a reverse proxy, so we turn it off. The next two lines pass all requests that hit the reverse proxy server IP/hostname with the /test1 URL to the machine with IP address 192.168.1.10, port 8080 and the /test1 URL, and the other way around. For the communication to work both ways we need to add both lines, “ProxyPass” and “ProxyPassReverse”.

3. Add Additional ProxyPasses

It is easy to add additional proxy passes simply by adding two new lines with the “ProxyPass” and “ProxyPassReverse” parameters:
ProxyRequests Off

ProxyPass /test1 http://192.168.10.59:8080/test1
ProxyPassReverse /test1 http://192.168.10.59:8080/test1

ProxyPass /test2 http://192.168.10.59:8080/test2
ProxyPassReverse /test2 http://192.168.10.59:8080/test2

Please note that proxy pass can point to a different server, different hostname or IP address.

4. Configure Timeouts

It is wise to configure some sort of time limit on how long to wait if there is no response from the backend. We can do this by appending a “connectiontimeout” and a “timeout” value at the end of the “ProxyPass” line. The “connectiontimeout” is the time it takes to create the connection to the backend and “timeout” is the time the proxy waits for a response from the backend.

ProxyRequests Off
ProxyPass /test1 http://192.168.10.59:8080/test1 connectiontimeout=5 timeout=30
ProxyPassReverse /test1 http://192.168.10.59:8080/test1

ProxyPass /test2 http://192.168.10.59:8080/test2 connectiontimeout=5 timeout=30
ProxyPassReverse /test2 http://192.168.10.59:8080/test2
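As the number of mappings grows, it is easy to leave out a “ProxyPassReverse” line or a timeout on one of them. The following is an added example, not part of the original post: a Python check that reports every “ProxyPass” mapping without a matching “ProxyPassReverse” or without explicit “connectiontimeout” and “timeout” values. The function name is hypothetical, and the /test3 lines and the 192.168.10.60 address in the sample are constructed to show a mismatch.

```python
import shlex

# Constructed sample in the style of reverse-proxy.conf above.
SAMPLE = """\
ProxyRequests Off
ProxyPass /test1 http://192.168.10.59:8080/test1 connectiontimeout=5 timeout=30
ProxyPassReverse /test1 http://192.168.10.59:8080/test1
ProxyPass /test2 http://192.168.10.59:8080/test2
ProxyPass /test3 http://192.168.10.59:8080/test3 timeout=30
ProxyPassReverse /test3 http://192.168.10.60:8080/test3
"""

def audit_reverse_proxy(conf_text):
    """Return {path: [issues]} for each ProxyPass mapping with a problem."""
    passes, reverses = {}, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = shlex.split(line)
        name = parts[0].lower()                  # directives are case-insensitive
        if name == "proxypass" and len(parts) >= 3 and parts[2] != "!":
            # key=value parameters follow the path and the backend URL
            params = dict(p.lower().split("=", 1) for p in parts[3:] if "=" in p)
            passes[parts[1]] = (parts[2], params)
        elif name == "proxypassreverse" and len(parts) >= 3:
            reverses[parts[1]] = parts[2]
    report = {}
    for path, (backend, params) in passes.items():
        issues = []
        if path not in reverses:
            issues.append("no ProxyPassReverse")
        elif reverses[path] != backend:
            issues.append("ProxyPassReverse backend differs")
        for key in ("connectiontimeout", "timeout"):
            if key not in params:
                issues.append("no explicit " + key)
        if issues:
            report[path] = issues
    return report

if __name__ == "__main__":
    for path, issues in audit_reverse_proxy(SAMPLE).items():
        print(path, "->", ", ".join(issues))
```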

5. Rewrite HTML Links

Accessing internal networks and applications through a reverse proxy causes specific HTML links (internal links with absolute paths) to fail, since they redirect to internal addresses. This is why we need the help of another Apache module called “mod_proxy_html”, which rewrites HTML links so that they work.

“mod_proxy_html” does not come by default with the httpd installation in CentOS 7, so we need to install it first and then copy the configuration file to the right location. The example HTML links configuration file is quite sufficient for ordinary situations and is located at “/usr/share/doc/httpd-X.X.X/” where X.X.X is your Apache version number.
What we have to do is:

[root@geekpeek ~]# yum install mod_proxy_html
..and then
[root@geekpeek ~]# cp /usr/share/doc/httpd-2.4.6/proxy-html.conf /etc/httpd/conf.d/
..to finish up we have to restart or reload apache and voila HTML links are working

Source: http://geekpeek.net
