Difference between revisions of "Apache 2 - proxy"
 
(One intermediate revision by the same user not shown)
Line 131: Line 131:
 
Adjust your V.Host configuration to:
 
Adjust your V.Host configuration to:
  
<syntaxhighlight lang="bash">
+
<syntaxhighlight lang="apache">
 
<VirtualHost *:80>
 
<VirtualHost *:80>
 
ServerName dev.daxiongmao.eu
 
ServerName dev.daxiongmao.eu
Line 171: Line 171:
 
         <Proxy *>
 
         <Proxy *>
 
             AddDefaultCharset off
 
             AddDefaultCharset off
             Order deny,allow
+
              
             Allow from all
+
            #### You must accept proxy from everywhere *
 +
            #### Access control is done in each directory ||  location
 +
 
 +
            ## Old Apache2 (before 2.4) syntax
 +
            #Order allow,deny
 +
            #allow from all
 +
 +
             ## Apache 2.4 syntax
 +
            Require all granted
 
             Satisfy Any
 
             Satisfy Any
 
         </Proxy>  
 
         </Proxy>  
Line 188: Line 196:
 
# PhpMyAdmin
 
# PhpMyAdmin
 
<Location /phpmyadmin>
 
<Location /phpmyadmin>
                Require all granted
 
 
                 ProxyPass !
 
                 ProxyPass !
Order allow,deny
+
 
Allow from 127.0.0.1 192.168.1.0/24
+
                # Apache 2.4 syntax
 +
                Require local
 +
                # LAN and VPN
 +
                require ip 172.16.50
 +
                require ip 172.16.60
 +
                # Specific hosts
 +
                require host dev.daxiongmao.eu
 
</Location>
 
</Location>
  
Line 198: Line 211:
 
         Alias  /phpsec  /var/www/phpsecinfo
 
         Alias  /phpsec  /var/www/phpsecinfo
 
         <Location /phpsec >
 
         <Location /phpsec >
                Require all granted
 
 
                 ProxyPass !
 
                 ProxyPass !
                order deny,allow
+
 
                # allow from 127.0.0.1 192.168.1.0/24
+
                # Apache 2.4 syntax
                allow from all
+
                Require all granted
 
         </Location>
 
         </Location>
  
Line 216: Line 228:
 
# Proxy to a Java application running over Tomcat, with IP filter
 
# Proxy to a Java application running over Tomcat, with IP filter
 
<Location /manager>
 
<Location /manager>
Order allow,deny
 
Allow from 127.0.0.1 192.168.1.0/24 193.12.118.196
 
 
ProxyPass ajp://localhost:8009/manager/
 
ProxyPass ajp://localhost:8009/manager/
 
ProxyPassReverse ajp://localhost:8009/manager/
 
ProxyPassReverse ajp://localhost:8009/manager/
 +
 +
                ### Apache < 2.4
 +
#Order allow,deny
 +
#Allow from 127.0.0.1 192.168.1.0/24 193.12.118.196
 +
 +
                ### Apache 2.4
 +
                Require local
 +
                Require ip 192.168.1
 +
                Require host 193.12.118.196
 
</Location>
 
</Location>
  
Line 225: Line 244:
 
         ProxyPass /jira http://192.168.1.12:8080/jira
 
         ProxyPass /jira http://192.168.1.12:8080/jira
 
         ProxyPassReverse /jira http://192.168.1.12:8080/jira
 
         ProxyPassReverse /jira http://192.168.1.12:8080/jira
 
  
 
         ## Proxy to webmin
 
         ## Proxy to webmin
Line 231: Line 249:
 
           ProxyPass http://localhost:10000/
 
           ProxyPass http://localhost:10000/
 
           ProxyPassReverse http://localhost:10000/
 
           ProxyPassReverse http://localhost:10000/
          Order deny,allow
+
 
          Deny from all
+
            # Apache 2.4 syntax
          Allow from 127.0.0.1 172.16.50.0/24 192.168.1.0/24
+
            Require local
 +
            # LAN and VPN
 +
            require ip 172.16.50
 +
            require ip 172.16.60
 
       </Location>
 
       </Location>
  
Line 240: Line 261:
 
         ProxyPass http://smartcard-mq:15672/
 
         ProxyPass http://smartcard-mq:15672/
 
         ProxyPassReverse http://smartcard-mq:15672/
 
         ProxyPassReverse http://smartcard-mq:15672/
         Order deny,allow
+
 
         Deny from all
+
         ### Apache < 2.4
         Allow from 127.0.0.1 172.16.50.0/24 192.168.1.0/24
+
        #Order deny,allow
 +
         #Deny from all
 +
     
 +
         ### Apache 2.4
 +
        Require all denied
 
       </Location>
 
       </Location>
  
Line 266: Line 291:
  
 
For example, Navigate to http://myServer/jira
 
For example, Navigate to http://myServer/jira
 +
 +
 +
 +
=Proxy all=
 +
 +
If you want to proxy a complete server root (/) using access restrictions [ACL] this is how you can do it:
 +
 +
 +
<syntaxhighlight lang="apache">
 +
<VirtualHost *:443>
 +
  ServerName dev.vehco.com
 +
 +
  SSLEngine on 
 +
  SSLCertificateFile /etc/apache2/ssl/codriver.com.crt
 +
  SSLCertificateKeyFile /etc/apache2/ssl/codriver.com.key
 +
  SSLCertificateChainFile /etc/apache2/ssl/gd_bundle.crt
 +
  SSLOptions +ExportCertData
 +
 
 +
  ##### VHost default directory ; required even if it's not used !
 +
  DocumentRoot /var/www/dev.vehco.com
 +
  <Directory />
 +
    Options FollowSymLinks
 +
    AllowOverride None
 +
  </Directory>
 +
 +
  ProxyRequests Off
 +
  ProxyPreserveHost Off
 +
 +
 +
  ##### Proxy access rights
 +
  <Proxy *>
 +
    Require local
 +
    # Swedish LAN
 +
    Require ip 192.168.1
 +
    # VEHCO VPN
 +
    Require ip 192.168.12
 +
    # French office
 +
    require ip 90.83.80.91
 +
    require ip 195.101.122.32/27
 +
    require ip 195.101.122.64/27
 +
  </Proxy>
 +
 +
  # Target server to redirect to
 +
  ProxyPass / http://dev.vehco.com/
 +
  ProxyPassReverse / http://dev.vehco.com/
 +
 +
</VirtualHost>
 +
 +
</syntaxhighlight>
 +
 +
 +
 +
 +
 +
  
  

Latest revision as of 15:58, 19 September 2014



Principle

The proxy module allow you to expose a resource that is not directly accessible.

For instance it can redirect remote user to a specific server that can be host on a different machine or port through a simple URL.


Proxy VS redirection

Header text Proxy Redirection
Main usage
  • Expose a resource that is not directly accessible
  • Provide a nicer URL through standard HTTP port instead of http://server:port/service
 Signal a change or redirect to the HTTPS web-site
Action Hidden to the user.
  • From user point of view this is just a standard URL / service
  • It's the server that performs the proxy actin
 Explicit
  • The server just serve the new URL
  • It's the client that will create a new connection - See Apache_2#Principle


Internet limits: why do we need a proxy?

Some application are not available from outside…

  • For security reasons [default URL is not allowed]
Proxy for security


  • Due to network issues
Proxy to improve network


How does Apache2 mod_proxy work?

The Apache2 proxy module allow you to provide access through transparent redirection.

It relies on:

  • Already open port (80 or 443)
  • Redirection rule
  • Each service URL must be unique
  • The target service must be reachable by the web server
Proxy role


As you can see on the previous example, the services will be accessible using some dedicated URL. Remote “http://myServer/myService” will redirect to “http://localhost:8081”


→ The mod_proxy is none intrusive. You don’t have to change anything in the original service configuration. Apache2 will handle all the transformations.


Proxy / redirect / rewrite - HTTP request processing

When Apache2 receive a request it will be process in the following order:

Proxy rewrite


The evaluation order is:

  1. Mod_proxy
  2. Mod_rewrite
  3. Other modules
  4. Serve requested resources if no rule should apply


So, even if you enable a full redirection to HTTPS you can still use some HTTP service through mod_proxy (because mod_proxy is the 1st to be evaluate).



Installation

Enable proxy module

a2enmod proxy proxy_http proxy_ajp 
a2enmod proxy_html xml2enc


Configure proxy redirections

You can configure the redirections in 2 ways:

  • Through your virtual host configuration
  • Through the module configuration file


Module configuration file

You have to edit / create the configuration file. 

vim /etc/apache2/mods-enabled/proxy.conf


Virtual host

Just edit again your previous V.Host: 

vim /etc/apache2/sites-available/myServer.conf


V.Host proxy declaration

Adjust your V.Host configuration to: 

<VirtualHost *:80>
	ServerName dev.daxiongmao.eu
	ServerAlias www.dev.daxiongmao.eu *.dev.daxiongmao.eu
	ServerAdmin guillaume@qin-diaz.com

	### LOG
	LogLevel warn
	ErrorLog ${APACHE_LOG_DIR}/dev.daxiongmao.eu/error.log
	CustomLog ${APACHE_LOG_DIR}/dev.daxiongmao.eu/access.log combined
	
        ### Redirect all traffic to HTTPS website
        RewriteEngine On
        RewriteCond %{HTTPS} off        
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} 
	redirect permanent / https://myServer/

	### No proxy here because I only want to use HTTPS
</VirtualHost>

<VirtualHost *:443>
...

        #############################
        # Proxy configuration
        #############################
        # Enable proxy
        ProxyVia On
        ProxyPreserveHost On
        ProxyRequests Off
        ProxyErrorOverride Off

        ## SSL support (allow to redirect to other SSL sites)
        SSLProxyEngine On
        SSLProxyVerify none
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerName off

        <Proxy *>
             AddDefaultCharset off
             
             #### You must accept proxy from everywhere *
             #### Access control is done in each directory ||  location

             ## Old Apache2 (before 2.4) syntax
             #Order allow,deny
             #allow from all
 
             ## Apache 2.4 syntax
             Require all granted
             Satisfy Any
        </Proxy> 

	########################
	# Standard Web application - No proxy required
	########################

        #### Direct access without further configuration
	ProxyPass /maintenance !
	ProxyPass /menu !
	ProxyPass /ssl !

        #### Standard URL filters
	# PhpMyAdmin
	<Location /phpmyadmin>
                ProxyPass !

                # Apache 2.4 syntax
                Require local
                # LAN and VPN
                require ip 172.16.50
                require ip 172.16.60
                # Specific hosts
                require host dev.daxiongmao.eu
	</Location>

         #### Alias 
         # PHPSecInfo
         Alias   /phpsec   /var/www/phpsecinfo
         <Location /phpsec >
                 ProxyPass !

                # Apache 2.4 syntax
                Require all granted
         </Location>


	########################
	# Proxy redirections
	########################

	# Proxy to a Java application running over Tomcat
	ProxyPass /webdav ajp://localhost:8009/webdav/
	ProxyPassReverse /webdav ajp://localhost:8009/webdav 	

	# Proxy to a Java application running over Tomcat, with IP filter
	<Location /manager>
		ProxyPass ajp://localhost:8009/manager/
		ProxyPassReverse ajp://localhost:8009/manager/

                ### Apache < 2.4
		#Order allow,deny
		#Allow from 127.0.0.1 192.168.1.0/24 193.12.118.196

                ### Apache 2.4
                Require local
                Require ip 192.168.1
                Require host 193.12.118.196
	</Location>

        # Proxy to another server
        ProxyPass /jira http://192.168.1.12:8080/jira
        ProxyPassReverse /jira http://192.168.1.12:8080/jira

        ## Proxy to webmin
        <Location /webmin/>
           ProxyPass http://localhost:10000/
           ProxyPassReverse http://localhost:10000/

            # Apache 2.4 syntax
            Require local
            # LAN and VPN
            require ip 172.16.50
            require ip 172.16.60
       </Location>

      ## Proxy to RabbitMQ
      <Location /rabbitmq/>
         ProxyPass http://smartcard-mq:15672/
         ProxyPassReverse http://smartcard-mq:15672/

         ### Apache < 2.4
         #Order deny,allow
         #Deny from all
      
         ### Apache 2.4
         Require all denied
      </Location>

</VirtualHost>


Some notes:

  • Do NOT put a / after the target URL
  • Do NOT use / as ProxyPass source, use the previous redirect permanent instead


Apply settings

Apply changes and test result 

service apache2 restart


For example, Navigate to http://myServer/jira


Proxy all

If you want to proxy a complete server root (/) using access restrictions [ACL] this is how you can do it: 


<VirtualHost *:443>
  ServerName dev.vehco.com

  SSLEngine on  
  SSLCertificateFile /etc/apache2/ssl/codriver.com.crt
  SSLCertificateKeyFile /etc/apache2/ssl/codriver.com.key
  SSLCertificateChainFile /etc/apache2/ssl/gd_bundle.crt 
  SSLOptions +ExportCertData
  
  ##### VHost default directory ; required even if it's not used !
  DocumentRoot /var/www/dev.vehco.com
  <Directory />
    Options FollowSymLinks
    AllowOverride None
  </Directory>

  ProxyRequests Off
  ProxyPreserveHost Off


  ##### Proxy access rights
  <Proxy *>
    Require local
    # Swedish LAN
    Require ip 192.168.1
    # VEHCO VPN
    Require ip 192.168.12
    # French office
    require ip 90.83.80.91
    require ip 195.101.122.32/27
    require ip 195.101.122.64/27
  </Proxy>

  # Target server to redirect to
  ProxyPass / http://dev.vehco.com/
  ProxyPassReverse / http://dev.vehco.com/

</VirtualHost>






Thanks

Special thanks to Julien Rialland for his insight regarding this part!

Retrieved from "http://www.daxiongmao.eu/wiki/index.php?title=Apache_2_-_proxy&oldid=1487"