Forward & Reverse Apache Proxy – CentOS 7

There are two possible configurations for an Apache proxy server, and this how-to covers the installation and configuration of both.

A Forward Apache Proxy is a proxy configuration commonly used in companies to give users access to the internet. Users or clients must configure their browsers or operating system to use the proxy server (the Forward Apache Proxy) to be able to access the internet. This means that requests from all clients go through the Forward Apache Proxy, which then communicates with the destination servers, websites, … on the internet and responds back to the clients.

A Reverse Apache Proxy is a proxy configuration that works the other way around from the Forward Apache Proxy. It is used to enable users or clients from the internet to access websites or applications on the company internal network, based on the reverse proxy rules that are configured. A Reverse Apache Proxy provides internet clients access to servers behind a firewall.

FORWARD APACHE PROXY

1. Install Required Packages

First we must install the Apache (httpd) and mod_ssl packages on our server. Please note that in CentOS 7 Apache 2.4.X is available (in CentOS 5 and 6 Apache 2.2.X).

[root@geekpeek ~]# yum install httpd mod_ssl

2. Basic Forward Apache Proxy Configuration

We need to add a forward proxy configuration file to the “/etc/httpd/conf.d” location. We named it “forward-proxy.conf” and added the following content to it:

ProxyRequests On
ProxyVia On
ProxyTimeout 60

<Proxy *>
    Require local
    Require ip 192.168.1.0/255.255.255.0
</Proxy>

The “ProxyRequests” and “ProxyVia” parameters are needed to enable the proxy on Apache. “ProxyTimeout” is optional; it just enables a request to fail gracefully if the server does not respond in a reasonable time. The “Require” parameters inside the “Proxy” directive define which clients are allowed to use the proxy.

You can add a specific IP address (as in my case) or a whole subnet (with a mask, like 192.168.1.0/255.255.255.0). “Require local” allows localhost requests. You could also use the “Require host hostname” directive. There are many more parameters available – this is just a basic configuration – read more about additional parameters HERE.
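A quick audit of the access rules described above, as an added example that is not part of the original article: the shell function reads a forward-proxy config and reports whether “ProxyRequests On” is paired with restrictive “Require” rules inside a “<Proxy>” block. The function name, the sample configs and the verdict strings are assumptions made for this example, and the check is a heuristic that only looks at the text it is given.

```shell
#!/bin/sh
# Added example: heuristic check that a forward proxy is not left open.
# Reads Apache config text on stdin and prints a single verdict line.
audit_forward_proxy() {
    awk '
        { sub(/#.*/, ""); d = tolower($1) }            # strip comments
        d == "proxyrequests" && tolower($2) == "on" { forward = 1 }
        tolower($0) ~ /^[ \t]*<proxy(match)?[ \t]/  { in_proxy = 1; next }
        tolower($0) ~ /^[ \t]*<\/proxy(match)?>/    { in_proxy = 0; next }
        in_proxy && d == "require" {
            rules++
            # Several Require lines are ORed, so one "all granted" opens it.
            if (tolower($2) == "all" && tolower($3) == "granted") wide = 1
        }
        END {
            if (!forward)    print "OK: ProxyRequests is not On"
            else if (wide)   print "OPEN: Require all granted inside <Proxy>"
            else if (!rules) print "OPEN: no Require rule inside a <Proxy> block"
            else             print "OK: restricted by " rules " Require rule(s)"
        }'
}

# Constructed sample 1: the configuration from this article.
sample_restricted() {
    cat <<'EOF'
ProxyRequests On
ProxyVia On
ProxyTimeout 60

<Proxy *>
    Require local
    Require ip 192.168.1.0/255.255.255.0
</Proxy>
EOF
}

# Constructed sample 2: the same proxy with an allow-everyone rule added.
sample_open() {
    cat <<'EOF'
ProxyRequests On
<Proxy *>
    Require local
    Require all granted
</Proxy>
EOF
}

sample_restricted | audit_forward_proxy
sample_open | audit_forward_proxy
```

To check a real file, pipe it in, for example: audit_forward_proxy < /etc/httpd/conf.d/forward-proxy.conf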

3. Block WebSites

We can block the desired websites using the “ProxyBlock” parameter. “ProxyBlock” specifies a list of words, hosts or domains separated by spaces (a wildcard * would block all sites!) as follows:

ProxyRequests On
ProxyVia On
ProxyTimeout 60

ProxyBlock facebook.com plus.google.com twitter.com

<Proxy *>
   Require local
   Require ip 192.168.1.0/255.255.255.0
</Proxy>

4. Configure Forwarding to Second Proxy

If you work in a big company (or in other situations) there is a possibility your proxy is not the “last in line” out to the open world. In this case you need to configure a second proxy. This is the proxy your proxy will forward requests to in order to reach the internet. We can do this with the “ProxyRemote” parameter. “ProxyRemote” takes two arguments: a scheme, partial URL or ‘*’, and a proxy server. Using the wildcard ‘*’ will forward all requests to the second proxy.

ProxyRequests On
ProxyVia On
ProxyTimeout 60

ProxyBlock facebook.com plus.google.com twitter.com
ProxyRemote * http://second.proxy.com:8080

<Proxy *>
   Require local
   Require ip 192.168.1.0/255.255.255.0
</Proxy>

5. Configure NoProxy

If you configured a second proxy it is probably a good idea to use a “NoProxy” parameter. “NoProxy” parameter specifies a list of subnets, IP addresses, hosts and/or domains, separated by spaces which are always served directly without forwarding to the “ProxyRemote” address.

ProxyRequests On
ProxyVia On
ProxyTimeout 60

ProxyBlock facebook.com plus.google.com twitter.com
ProxyRemote * http://second.proxy.com:8080
NoProxy .geekpeek.net

<Proxy *>
   Require local
   Require ip 192.168.1.0/255.255.255.0
</Proxy>

REVERSE APACHE PROXY

1. Install Required Packages

At this stage we must install Apache (httpd) and mod_ssl package on our server. Please note that in CentOS 7 Apache 2.4.X is available (in CentOS 5 and 6 Apache 2.2.X).

[root@geekpeek ~]# yum install httpd mod_ssl

2. Basic Reverse Apache Proxy Configuration

We need to add a reverse proxy configuration file to the “/etc/httpd/conf.d” location. We named it “reverse-proxy.conf” and added the following lines to it:

ProxyRequests Off

ProxyPass /test1 http://192.168.1.10:8080/test1
ProxyPassReverse /test1 http://192.168.1.10:8080/test1

The “ProxyRequests” parameter does not need to be turned on when configuring a reverse proxy, so we turn it off. The next two lines pass all requests hitting the reverse proxy server IP/hostname with the /test1 URL to the machine with IP address 192.168.1.10, port 8080 and the /test1 URL, and the other way around. For the communication to work both ways we need to add both lines, “ProxyPass” and “ProxyPassReverse”.

3. Add Additional ProxyPasses

It is easy to add additional proxy passes, simply by adding two new lines with the “ProxyPass” and “ProxyPassReverse” parameters:

ProxyRequests Off

ProxyPass /test1 http://192.168.10.59:8080/test1
ProxyPassReverse /test1 http://192.168.10.59:8080/test1

ProxyPass /test2 http://192.168.10.59:8080/test2
ProxyPassReverse /test2 http://192.168.10.59:8080/test2

Please note that proxy pass can point to a different server, different hostname or IP address.

4. Configure Timeouts

It is wise to configure some sort of time limit on how long to wait if there is no response from the backend. We can do this by appending a “connectiontimeout” and a “timeout” value at the end of the “ProxyPass” line. The “connectiontimeout” is the time it takes to create the connection to the backend and “timeout” is the time the proxy waits for a response from the backend.

ProxyRequests Off
ProxyPass /test1 http://192.168.10.59:8080/test1 connectiontimeout=5 timeout=30
ProxyPassReverse /test1 http://192.168.10.59:8080/test1

ProxyPass /test2 http://192.168.10.59:8080/test2 connectiontimeout=5 timeout=30
ProxyPassReverse /test2 http://192.168.10.59:8080/test2
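The pairing and timeout rules from steps 2 to 4, turned into a small lint as an added example that is not part of the original article: it flags “ProxyRequests On”, a “ProxyPass” without both timeout values, and a “ProxyPass” whose “ProxyPassReverse” is missing or points elsewhere. The function name, the finding texts and the second half of the sample config are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: lint reverse-proxy directives read from stdin.
# Prints one finding per line, or "clean" when nothing is flagged.
lint_reverse_proxy() {
    awk '
        { sub(/#.*/, ""); d = tolower($1) }            # strip comments
        d == "proxyrequests" && tolower($2) == "on" {
            print "ProxyRequests On: also answers forward-proxy requests"; n++
        }
        d == "proxypass" && $3 != "!" {                # "!" only excludes a path
            path[++np] = $2; backend[$2] = $3
            if ($0 !~ /connectiontimeout=/ || $0 !~ /[ \t]timeout=/) {
                print $2 ": ProxyPass without connectiontimeout= and timeout="; n++
            }
        }
        d == "proxypassreverse" { reverse[$2] = $3 }
        END {
            for (i = 1; i <= np; i++) {
                p = path[i]
                if (reverse[p] != backend[p]) {
                    print p ": ProxyPassReverse missing or set to another backend"; n++
                }
            }
            if (!n) print "clean"
        }'
}

# Constructed sample: /test1 as in the article, /test2 with two mistakes.
sample_reverse_conf() {
    cat <<'EOF'
ProxyRequests Off
ProxyPass /test1 http://192.168.10.59:8080/test1 connectiontimeout=5 timeout=30
ProxyPassReverse /test1 http://192.168.10.59:8080/test1

ProxyPass /test2 http://192.168.10.59:8080/test2
ProxyPassReverse /test2 http://192.168.10.59:8080/test3
EOF
}

sample_reverse_conf | lint_reverse_proxy
```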

5. Rewrite HTML Links

Accessing internal networks and applications through a reverse proxy causes specific HTML links (internal links with absolute paths) to fail, since they redirect to internal addresses. This is why we need the help of another Apache module called “mod_proxy_html”, which enables rewriting of HTML links so that they work.

“mod_proxy_html” does not come by default with the httpd installation in CentOS 7, so we need to install it first and then copy the configuration file to the right location. The example HTML links configuration file is quite sufficient for ordinary situations and is located at “/usr/share/doc/httpd-X.X.X/” where X.X.X is your Apache version number.

What we have to do is:

[root@geekpeek ~]# yum install mod_proxy_html

..and then

[root@geekpeek ~]# cp /usr/share/doc/httpd-2.4.6/proxy-html.conf /etc/httpd/conf.d/

..to finish up we have to restart or reload apache and voila HTML links are working!

  • Ramin

    Hi. I have Exchange Server 2013. How can I publish it using an Apache reverse proxy?
    Thanks in advance.

    • Mitch

      Hi Ramin, I am not familiar with Exchange configuration and I am not sure what you would like to do. I assume there is no problem enabling Exchange webmail access via Apache proxy, just add a proxypass and reverse for the URL Exchange webmail is on. Regards, Mitch

  • Jeremy

    Hello, I am asking about the reverse proxy section of this tutorial

    Are we supposed to customize these lines to our specific server?

    ProxyRequests Off

    ProxyPass /test1 http://192.168.1.10:8080/test1
    ProxyPassReverse /test1 http://192.168.1.10:8080/test1

    and if so, how? I know obviously the IP address needs to be changed. But my project is being deployed at 5000. So I should change 8080 to 5000, right? Mainly, I’m not sure what to do with the path: /test1? Do I just leave that even if my project doesn’t have that path? Or I guess I’m asking why is it there?

    Also, How do we check if it is working?

    Thanks in advance

    • Mitch

      Hi Jeremy. What you need to customize is the /test1 and where it is pointing, of course. Usually if you are deploying using Tomcat or some other app server, the application is deployed on a certain /something URL context, not just /. The first /test1 is a URL on the proxy that the application will be available on, and the second part, http://192.168.1.10:8080/test1, is the URL to the application server and the application. Regards,

      Mitch

  • ahiya

    Hi Mitch

    Thank you for this great article.

    I am looking for a forward/transparent proxy that requires no configuration from the client’s side.

    The HTTP sessions will redirect toward the proxy internal IP with DNS redirection.

    So the destination IP will be of the proxy.

    And the proxy will resolve the URIs to the real IP address and redirect the requests.

    Can the Apache proxy perform that? Do I need “mod_proxy_html” as well?

    Thanks

    ahiya

  • truthhurts

    I’ve run the yum command and created my .conf file but when I try to restart apache I get “Invalid command ‘ProxyRequests’, perhaps misspelled or defined by a module not included in the server configuration”

    • Mitch

      Hi Truthhurts, the error you are getting suggests you are missing a proxy module in your Apache config. Please check if the following modules are uncommented in the httpd.conf file – proxy_module, proxy_connect_module, proxy_http_module. If you still have problems let me know. Regards, Mitch

      • truthhurts

        Thanks that helped.

        Is there a way to configure this file without having to use the specific hostname or IP address of the webserver? I’m trying it with localhost but that doesn’t seem to be working. I’d like a file that I can deploy to multiple web servers.

        • Mitch

          Hi, I’m not sure what you are trying to accomplish. You can run the Apache webserver on different ports with just one instance of the Apache service, or run more virtualhosts on the same port without Apache proxy configuration. Regards, Mitch

          • truthhurts

            I’m trying to have one reverse-proxy.conf file that can be deployed onto different web servers (in this case, different vagrant virtual boxes) – so I wanted to be able to put ‘localhost’ in the file instead of the server’s own IP address, if possible. Other places I’ve looked at make it seem like that should be okay but I’m getting a “503 Service Temporarily Unavailable” error – something wrong with my apache settings?

          • truthhurts

            Thanks again!

          • Mitch

            Hi, so this was a SELinux problem – thanks for sharing the solution with us, this might help somebody else too! regards, Mitch

  • admin user

    thanks for this article.

    PS – your site’s SSL cert has expired. check out Let’s Encrypt as replacement for StartSSL

  • Eugene Lupashko

    Thanks a lot, quite comprehensive guide.