Setting up mod_proxy is becoming a more common task, especially with the recent enhancements to the module such as mod_proxy_ajp. Putting a front-end Apache server in place to proxy requests to, say, your Tomcat application server offers you a few things, such as security and performance optimizations. However, it is quite easy to make a small mistake and turn your web site into an open web proxy that anyone on the Internet can use anonymously.
Apache can be configured in both a forward and reverse proxy (also known as gateway) mode.
A typical usage of a forward proxy is to provide Internet access to internal clients that are otherwise restricted by a firewall. The forward proxy can also use caching (as provided by mod_cache) to reduce network usage.
The forward proxy is activated using the ProxyRequests directive. Because forward proxies allow clients to access arbitrary sites through your server and to hide their true origin, it is essential that you secure your server so that only authorized clients can access the proxy before activating a forward proxy.
A reverse proxy (or gateway), by contrast, appears to the client just like an ordinary web server. No special configuration on the client is necessary. The client makes ordinary requests for content in the name-space of the reverse proxy. The reverse proxy then decides where to send those requests, and returns the content as if it was itself the origin.
A typical usage of a reverse proxy is to provide Internet users access to a server that is behind a firewall. Reverse proxies can also be used to balance load among several back-end servers, or to provide caching for a slower back-end server. In addition, reverse proxies can be used simply to bring several servers into the same URL space.
Below is a sample configuration using Apache as a reverse proxy in front of a Tomcat Application Server using the Tomcat HTTP Connector.
ProxyRequests Off
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
The key line here, and one that is sometimes misunderstood, is ProxyRequests Off. Some people think you need to turn this flag on to use mod_proxy at all. This is the mistake. By turning that flag on you are telling your web server to proxy requests from users to whatever resource they requested.
A reverse proxy is activated using the ProxyPass directive or the [P] flag to the RewriteRule directive. It is not necessary to turn ProxyRequests on in order to configure a reverse proxy.
To test this, turn ProxyRequests On and restart your Apache web server. Then configure your web browser to use a proxy server, with your website as the address and port 80, and open http://blog.phyber.com. As you can see, the site loads as expected. Check the access logs on your web server to confirm that it is being used as a proxy server.
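The access log check described above can be automated. The following is an added example, not part of the original article: it scans Apache common/combined format log lines for requests that asked the server to fetch a foreign host (a full URL in the request line, or the CONNECT method). The function names and the sample log lines are constructed for illustration; www.phyber.com is assumed to be the only name the server legitimately serves.

```python
import re
from urllib.parse import urlsplit

# Apache common/combined log format: client ident user [time] "request" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)(?: HTTP/[\d.]+)?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)

def find_forward_proxy_requests(lines, own_hosts):
    """Return (client, method, host, status) for each request that asked this
    server to reach a host outside own_hosts, i.e. to act as a forward proxy."""
    own = {h.lower() for h in own_hosts}
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # not a common/combined format line
        method, target = m["method"], m["target"]
        if method == "CONNECT":
            host = target.rsplit(":", 1)[0]  # authority-form: host:port
        elif target.lower().startswith(("http://", "https://", "ftp://")):
            try:
                host = urlsplit(target).hostname or ""  # absolute-form: full URL
            except ValueError:
                host = ""  # malformed URL, still worth reporting
        else:
            continue  # origin-form (/path): ordinary or reverse-proxied request
        if host.lower() not in own:
            hits.append((m["client"], method, host.lower(), int(m["status"])))
    return hits

def answered(hits):
    """Hits the server answered with 2xx/3xx; review these first."""
    return [h for h in hits if 200 <= h[3] < 400]

# Constructed sample lines (documentation IP ranges and example hosts).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /images/logo.png HTTP/1.1" 200 5120',
    '198.51.100.7 - - [10/Oct/2023:13:56:01 +0000] "GET http://example.org/ HTTP/1.1" 200 1256',
    '198.51.100.7 - - [10/Oct/2023:13:56:02 +0000] "CONNECT example.net:443 HTTP/1.1" 200 -',
    '203.0.113.5 - - [10/Oct/2023:13:57:10 +0000] "GET http://www.phyber.com/webapp HTTP/1.1" 200 734',
    '192.0.2.10 - - [10/Oct/2023:13:58:00 +0000] "GET /go?u=http://example.org/ HTTP/1.1" 302 0',
    '203.0.113.9 - - [10/Oct/2023:13:59:45 +0000] "GET http://example.org/admin HTTP/1.1" 403 199',
]

if __name__ == "__main__":
    for hit in find_forward_proxy_requests(SAMPLE_LOG, {"www.phyber.com"}):
        print(hit)
```

A 2xx status on one of these lines is a lead rather than proof: with ProxyRequests Off, Apache can answer such a request with its own local content, so compare the response size with what the foreign site would return.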
Other useful mod_proxy examples include load balancing to multiple backend hosts. In this example we will be proxying traffic to two backend servers using the cookie JSESSIONID for sticky sessions.
<Proxy balancer://mycluster>
BalancerMember ajp://server01:8009 stickysession=JSESSIONID
BalancerMember ajp://server02:8009 stickysession=JSESSIONID
</Proxy>
ProxyPass /webapp balancer://mycluster/webapp
Note that in this configuration, which uses mod_proxy_ajp, a ProxyPassReverse is not needed: the AJP request includes the original host given to the proxy, and the application server can respond properly, so no rewriting of the host is required.
In the next example we will make use of mod_disk_cache to serve content and, if it is not found in the cache, pass the request off to a remote server behind the firewall. The exception is static content such as JavaScript, stylesheets and images, which will be served locally from Apache itself.
<VirtualHost *:80>
ServerName www.phyber.com
DocumentRoot /opt/phyber/html
CacheEnable disk /
CacheRoot /var/cache/phyber
CacheDefaultExpire 60
CacheMaxExpire 3600
ProxyPass /images !
ProxyPass /stylesheets !
ProxyPass /javascripts !
ProxyPass / http://remote.phyber.com/
ProxyPassReverse / http://remote.phyber.com/
</VirtualHost>
Note that this configuration contains the line ProxyPass /images ! where the exclamation point tells mod_proxy not to proxy requests for that folder. So all requests for http://www.phyber.com/images/ will load directly from the local server, from the folder /opt/phyber/html/images/. In this configuration mod_disk_cache is consulted first, and if the requested object is not found in the cache the request is forwarded on to the server remote.phyber.com, unless the object is in one of the excluded static content directories.
Look for future articles on common mod_proxy and mod_cache usage at http://blog.phyber.com