Apache Http Reverse Proxy

Posted on  by admin

Reverse Proxy and HTTP Redirects

As a reverse proxy cache, Traffic Server serves requests on behalf of origin servers. Traffic Server is configured in such a way that it appears to clients like a normal origin server.

A reverse proxy is a gateway that appears to the client like an ordinary web server. In this article, I will show quick steps to set up and configure an Apache reverse proxy server. We need to add reverse proxy configuration to the Apache configuration to tell Apache where it should redirect requests. A reverse proxy is when a proxy server (in this case, Apache2 HTTP) accepts all traffic and forwards it to a specific resource, like a backend server or container. The backend server can be either another Apache2 or an open source HTTP server like Nginx. Apache2 HTTP server is one of the most popular open source web servers in use today. So I switched ports and below is the configuration that eventually got my reverse proxy to https into apache and http to my Nexus repo. Nexus returns a webpage with http links that break getting the content for that page but I only need the SSL for a docker daemon which won't be asking for webpages.

You can configure Apache HTTP Server as a reverse proxy for Rational DOORS Web Access. A reverse proxy server provides another layer of security, protects HTTP servers in the network, and improves the performance of Secure Sockets Layer (SSL) requests. With a reverse proxy, you can change your deployment topology later.

Understanding Reverse Proxy Caching

With forward proxy caching, Traffic Server handles web requests to origin servers on behalf of the clients requesting the content. Reverse proxy caching (also known as server acceleration) is different because Traffic Server acts as a proxy cache on behalf of the origin servers that store the content. Traffic Server is configured to behave outwardly as the origin server which the client is trying to connect to. In a typical scenario the advertised hostname of the origin server resolves to Traffic Server, which serves client requests directly, fetching content from the true origin server when necessary.

Reverse Proxy Solutions

There are many ways to use Traffic Server as a reverse proxy. Below are a few example scenarios.

  • Offload heavily-used origin servers.

  • Deliver content efficiently in geographically distant areas.

  • Provide security for origin servers that contain sensitive information.

Offloading Heavily-Used Origin Servers

Traffic Server can accept requests on behalf of the origin server and improve the speed and quality of web serving by reducing load and hot spots on backup origin servers. For example, a web host can maintain a scalable Traffic Server system with a set of low-cost, low-performance, less-reliable PC origin servers as backup servers. In fact, a single Traffic Server can act as the virtual origin server for multiple backup origin servers, as shown in the figure below.

Traffic Server as reverse proxy for a pair of origin servers

Delivering Content in Geographically-Dispersed Areas

Traffic Server can be used in reverse proxy mode to accelerate origin servers that provide content to areas not located within close geographical proximity. Caches are typically easier to manage and are more cost-effective than replicating data. For example, Traffic Server can be used as a mirror site on the far side of a trans-Atlantic link to serve users without having to fetch the request and content across expensive, or higher latency, international connections. Unlike replication, for which hardware must be configured to replicate all data and to handle peak capacity, Traffic Server dynamically adjusts to optimally use the serving and storing capacity of the hardware. Traffic Server is also designed to keep content fresh automatically, thereby eliminating the complexity of updating remote origin servers.

Providing Security for an Origin Server

Traffic Server can be used in reverse proxy mode to provide security for an origin server. If an origin server contains sensitive information that you want to keep secure inside your firewall, then you can use a Traffic Server outside the firewall as a reverse proxy for that origin server. When outside clients try to access the origin server, the requests instead go to Traffic Server. If the desired content is not sensitive, then it can be served from the cache. If the content is sensitive and not cacheable, then Traffic Server obtains the content from the origin server (the firewall allows only Traffic Server access to the origin server). The sensitive content resides on the origin server, safely inside the firewall.

How Does Reverse Proxy Work?

When a browser makes a request, it normally sends that request directly to the origin server. When Traffic Server is in reverse proxy mode, it intercepts the request before it reaches the origin server. Typically, this is done by setting up the DNS entry for the origin server (i.e., the origin server’s advertised hostname) so it resolves to the Traffic Server IP address. When Traffic Server is configured as the origin server, the browser connects to Traffic Server rather than the origin server. For additional information, see HTTP Reverse Proxy.

Note

To avoid a DNS conflict, the origin server’s hostname and its advertised hostname must not be the same.

HTTP Reverse Proxy

In reverse proxy mode, Traffic Server serves HTTP requests on behalf of a web server. The figure below illustrates how Traffic Server in reverse proxy mode serves an HTTP request from a client browser.

The figure above demonstrates the following steps:

  1. A client browser sends an HTTP request addressed to a host called www.host.com on port 80. Traffic Server receives the request because it is acting as the origin server (the origin server’s advertised hostname resolves to Traffic Server).

  2. Traffic Server locates a map rule in the remap.config file and remaps the request to the specified origin server (realhost.com).

  3. If the request cannot be served from cache, Traffic Server opens a connection to the origin server (or more likely, uses an existing connection it has pre-established), retrieves the content, and optionally caches it for future use.

  4. If the request was a cache hit and the content is still fresh in the cache, or the content is now available through Traffic Server because of step 3, Traffic Server sends the requested object to the client from the cache directly.

Note

Traffic Server, when updating its own cache from the origin server, will simultaneously deliver that content to the client while updating its cache database. The response to the client containing the requested object will begin as soon as Traffic Server has received and processed the full response headers from the origin server.

To configure HTTP reverse proxy, you must perform the following tasks:

  • Create mapping rules in the remap.config file (refer to Creating Mapping Rules for HTTP Requests).

  • Enable the reverse proxy option (refer to Enabling HTTP Reverse Proxy).

In addition to the tasks above, you can also set optional HTTP reverse proxy options (refer to Setting Optional HTTP Reverse Proxy Options).

Handling Origin Server Redirect Responses

Origin servers often send redirect responses back to browsers redirecting them to different pages. For example, if an origin server is overloaded, then it might redirect browsers to a less loaded server. Origin servers also redirect when web pages have moved to different locations. When Traffic Server is configured as a reverse proxy, it must readdress redirects from origin servers so that browsers are redirected to Traffic Server and not to another origin server.

To readdress redirects, Traffic Server uses reverse-map rules. Unless you have proxy.config.url_remap.pristine_host_hdr enabled (the default) you should generally set up a reverse-map rule for each map rule. To create reverse-map rules, refer to Using Mapping Rules for HTTP Requests.

Using Mapping Rules for HTTP Requests

Traffic Server uses two types of mapping rules for HTTP reverse proxy.

map rule

A map rule translates the URL in client requests into the URL where the content is located. When Traffic Server is in reverse proxy mode and receives an HTTP client request, it first constructs a complete request URL from the relative URL and its headers. Traffic Server then looks for a match by comparing the complete request URL with its list of target URLs in remap.config. For the request URL to match a target URL, the following conditions must be true:

  • The scheme of both URLs must be the same.

  • The host in both URLs must be the same. If the request URL contains an unqualified hostname, then it will never match a target URL with a fully-qualified hostname.

  • The ports in both URLs must be the same. If no port is specified in a URL, then the default port for the scheme of the URL is used.

  • The path portion of the target URL must match a prefix of the request URL path.

If Traffic Server finds a match, then it translates the request URL into the replacement URL listed in the map rule: it sets the host and path of the request URL to match the replacement URL. If the URL contains path prefixes, then Traffic Server removes the prefix of the path that matches the target URL path and substitutes it with the path from the replacement URL. If two mappings match a request URL, then Traffic Server applies the first mapping listed in remap.config.

reverse-map rule

A reverse-map rule translates the URL in origin server redirect responses to point to Traffic Server so that clients are redirected to Traffic Server instead of accessing an origin server directly. For example, if there is a directory /pub on an origin server at www.molasses.com and a client sends a request to that origin server for /pub, then the origin server might reply with a redirect by sending the header Location: http://realhost.com/pub/ to let the client know that it was a directory it had requested, not a document (a common use of redirects is to normalize URLs so that clients can bookmark documents properly).

Traffic Server uses reverse_map rules to prevent clients (that receive redirects from origin servers) from bypassing Traffic Server and directly accessing the origin servers. In many cases the client would be hitting a wall because realhost.com actually does not resolve for the client. (E.g.: because it’s running on a port shielded by a firewall, or because it’s running on a non-routable LAN IP.)

Both map and reverse-map rules consist of a target (origin) URL and a replacement (destination) URL. In a map rule, the target URL points to Traffic Server and the replacement URL specifies where the original content is located. In a reverse-map rule, the target URL specifies where the original content is located and the replacement URL points to Traffic Server. Traffic Server stores mapping rules in remap.config located in the Traffic Server config directory.
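
The matching conditions and the prefix substitution described above, together with the reverse-map rewrite of a Location header, as a simplified Python model. This is an added example, not Traffic Server's code: the rule list and its paths are constructed, and the function names remap_request and rewrite_location are hypothetical.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample rules, in remap.config order: (type, target, replacement).
# Hostnames reuse the page's www.host.com / realhost.com; the paths are made up.
RULES = [
    ("map", "http://www.host.com/pub/", "http://realhost.com/files/"),
    ("map", "http://www.host.com/", "http://realhost.com/"),
    ("reverse_map", "http://realhost.com/", "http://www.host.com/"),
]

def _parts(url):
    """Split a URL into (scheme, host, port, path), filling in the default port."""
    u = urlsplit(url)
    port = u.port or DEFAULT_PORTS.get(u.scheme)
    return u.scheme, u.hostname or "", port, u.path or "/"

def _rewrite(url, kind, rules):
    scheme, host, port, path = _parts(url)
    for rule_kind, target, replacement in rules:   # listed order: first match wins
        if rule_kind != kind:
            continue
        t_scheme, t_host, t_port, t_path = _parts(target)
        # Scheme, host and port must be equal, so an unqualified host never
        # matches a fully-qualified target.
        if (scheme, host, port) != (t_scheme, t_host, t_port):
            continue
        # The target path must be a prefix of the request path.
        if not path.startswith(t_path):
            continue
        # Swap the matched prefix for the replacement path; keep the query.
        r = urlsplit(replacement)
        new_path = (r.path or "/") + path[len(t_path):]
        return urlunsplit((r.scheme, r.netloc, new_path, urlsplit(url).query, ""))
    return None

def remap_request(url, rules=RULES):
    """Apply map rules to a complete request URL; None means no rule matched."""
    return _rewrite(url, "map", rules)

def rewrite_location(location, rules=RULES):
    """Apply reverse_map rules to a redirect Location; unchanged if none match."""
    return _rewrite(location, "reverse_map", rules) or location

if __name__ == "__main__":
    print(remap_request("http://www.host.com/pub/a.html?x=1"))
    print(rewrite_location("http://realhost.com/pub/"))
```

A None result from remap_request is the case that is not served when Traffic Server is restricted to the origin servers listed in the mapping rules (proxy.config.url_remap.remap_required).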

Creating Mapping Rules for HTTP Requests

To create mapping rules:

  1. Enter the map and reverse-map rules into remap.config.

  2. Run the command traffic_ctl config reload to apply the configuration changes.

Enabling HTTP Reverse Proxy

To enable HTTP reverse proxy:

  1. Edit proxy.config.reverse_proxy.enabled in records.config.

  2. Run the command traffic_ctl config reload to apply the configuration changes.

Setting Optional HTTP Reverse Proxy Options

Traffic Server provides several reverse proxy configuration options in records.config that enable you to:

  • Configure Traffic Server to retain the client host header information in a request during translation. See proxy.config.url_remap.pristine_host_hdr.

  • Configure Traffic Server to serve requests only to the origin servers listed in the mapping rules. As a result, requests to origin servers not listed in the mapping rules are not served. See proxy.config.url_remap.remap_required.

  • Specify an alternate URL to which incoming requests from older clients, such as ones that do not provide Host headers, are directed. See proxy.config.header.parse.no_host_url_redirect.

Run the command traffic_ctl config reload to apply any of these configuration changes.

Redirecting HTTP Requests

You can configure Traffic Server to redirect HTTP requests without having to contact any origin servers. For example, if you redirect all requests for http://www.ultraseek.com to http://www.server1.com/products/portal/search/, then all HTTP requests for www.ultraseek.com go directly to www.server1.com/products/portal/search.

You can configure Traffic Server to perform permanent or temporary redirects. Permanent redirects notify the browser of the URL change (by returning the HTTP status code 301) so that the browser can update bookmarks. Temporary redirects notify the browser of the URL change for the current request only (by returning the HTTP status code 307).

To set redirect rules:

  1. For each redirect you want to set, enter a mapping rule in remap.config.

  2. Run the command traffic_ctl config reload to apply the configuration changes.

Example

The following permanently redirects all HTTP requests for www.server1.com to www.server2.com:

This tutorial will help you to set up Apache web server as a reverse proxy for Tomcat-hosted applications.

Setup Scenario

Tomcat is running on port 8080 and I have configured two sample applications running with the following URLs.

  • http://localhost:8080/sample
  • http://localhost:8080/calendar

Now I have installed Apache server on the same host, running on port 80. I will use Apache server to receive user requests and transfer these requests to the corresponding applications running on the back-end Tomcat server on port 8080. I need to configure Apache to transfer requests to Tomcat like below:

  • http://example.com >> http://localhost:8080/demo1/
  • http://example.net >> http://localhost:8080/demo2/
  • http://domain.com/demo1/ >> http://localhost:8080/demo1/
  • http://domain.com/demo2/ >> http://localhost:8080/demo2/

Let’s start the configuration

1. Enable Mod Proxy Apache Module

By default this module is enabled in Apache for users who installed using rpm packages. If it is not enabled, edit your Apache configuration /etc/httpd/conf/httpd.conf or, for Apache 2.4, the /etc/httpd/conf.modules.d/00-proxy.conf file and uncomment the following lines or add them to the file.

For Debian-based systems, use the following command to enable the Proxy module in Apache.

2. Configure Apache Virtual Hosts

Now we will start working with virtual hosts. We are creating three virtual hosts as below. Create only those that are required, with the needed modifications. Edit the Apache main configuration file and start with the configuration.

VirtualHost Example 1 :-

To forward all requests sent to example.com to the corresponding application on the backend Tomcat server, like:

  • http://example.com >> http://localhost:8080/demo1/

Configure virtual host like this.

VirtualHost Example 2 :-

To forward all requests sent to example.net to the corresponding application on the backend Tomcat server, like:

  • http://example.net >> http://localhost:8080/demo2/

Configure virtual host like this.

VirtualHost Example 3 :-

To forward all requests sent to the subdirectory /demo1/ or /demo2 on http://domain.com to the corresponding applications on the back-end Tomcat server, like:

  • http://domain.com/demo1/ >> http://localhost:8080/demo1/
  • http://domain.com/demo2/ >> http://localhost:8080/demo2/

Configure virtual host like this.

3. Restart Apache and Test

After making all necessary changes, restart the Apache service using the following command and access your sites in a web browser. Make sure you are getting the proper pages from Tomcat.