Difference between revisions of "Apache 2 - proxy"
(Created page with "Category:Linux =Proxy= Special thanks to Julien Rialland for his insight regarding this part! ==Principle== The proxy module allow you to expose a resource that i...") |
|||
| (2 intermediate revisions by the same user not shown) | |||
| Line 3: | Line 3: | ||
| − | + | =Principle= | |
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
| − | |||
The proxy module allow you to expose a resource that is not directly accessible. | The proxy module allow you to expose a resource that is not directly accessible. | ||
| Line 18: | Line 11: | ||
| − | + | ==Proxy VS redirection== | |
{| class="wikitable" | {| class="wikitable" | ||
| Line 40: | Line 33: | ||
| − | + | ==Internet limits: why do we need a proxy?== | |
Some application are not available from outside… | Some application are not available from outside… | ||
| Line 55: | Line 48: | ||
| − | + | ==How does Apache2 mod_proxy work?== | |
The Apache2 proxy module allow you to provide access through transparent redirection. | The Apache2 proxy module allow you to provide access through transparent redirection. | ||
| Line 77: | Line 70: | ||
| − | + | ==Proxy / redirect / rewrite - HTTP request processing== | |
When Apache2 receive a request it will be process in the following order: | When Apache2 receive a request it will be process in the following order: | ||
| Line 96: | Line 89: | ||
| − | + | =Installation= | |
| Line 112: | Line 105: | ||
* Through your virtual host configuration | * Through your virtual host configuration | ||
* Through the module configuration file | * Through the module configuration file | ||
| + | |||
| Line 132: | Line 126: | ||
| − | + | ||
| + | ==V.Host proxy declaration== | ||
Adjust your V.Host configuration to: | Adjust your V.Host configuration to: | ||
| − | <syntaxhighlight lang=" | + | <syntaxhighlight lang="apache"> |
<VirtualHost *:80> | <VirtualHost *:80> | ||
ServerName dev.daxiongmao.eu | ServerName dev.daxiongmao.eu | ||
| Line 176: | Line 171: | ||
<Proxy *> | <Proxy *> | ||
AddDefaultCharset off | AddDefaultCharset off | ||
| − | Order deny | + | |
| − | + | #### You must accept proxy from everywhere * | |
| + | #### Access control is done in each directory || location | ||
| + | |||
| + | ## Old Apache2 (before 2.4) syntax | ||
| + | #Order allow,deny | ||
| + | #allow from all | ||
| + | |||
| + | ## Apache 2.4 syntax | ||
| + | Require all granted | ||
Satisfy Any | Satisfy Any | ||
</Proxy> | </Proxy> | ||
| Line 193: | Line 196: | ||
# PhpMyAdmin | # PhpMyAdmin | ||
<Location /phpmyadmin> | <Location /phpmyadmin> | ||
| − | |||
ProxyPass ! | ProxyPass ! | ||
| − | + | ||
| − | + | # Apache 2.4 syntax | |
| + | Require local | ||
| + | # LAN and VPN | ||
| + | require ip 172.16.50 | ||
| + | require ip 172.16.60 | ||
| + | # Specific hosts | ||
| + | require host dev.daxiongmao.eu | ||
</Location> | </Location> | ||
| Line 203: | Line 211: | ||
Alias /phpsec /var/www/phpsecinfo | Alias /phpsec /var/www/phpsecinfo | ||
<Location /phpsec > | <Location /phpsec > | ||
| − | |||
ProxyPass ! | ProxyPass ! | ||
| − | + | ||
| − | + | # Apache 2.4 syntax | |
| − | + | Require all granted | |
</Location> | </Location> | ||
| Line 221: | Line 228: | ||
# Proxy to a Java application running over Tomcat, with IP filter | # Proxy to a Java application running over Tomcat, with IP filter | ||
<Location /manager> | <Location /manager> | ||
| − | |||
| − | |||
ProxyPass ajp://localhost:8009/manager/ | ProxyPass ajp://localhost:8009/manager/ | ||
ProxyPassReverse ajp://localhost:8009/manager/ | ProxyPassReverse ajp://localhost:8009/manager/ | ||
| + | |||
| + | ### Apache < 2.4 | ||
| + | #Order allow,deny | ||
| + | #Allow from 127.0.0.1 192.168.1.0/24 193.12.118.196 | ||
| + | |||
| + | ### Apache 2.4 | ||
| + | Require local | ||
| + | Require ip 192.168.1 | ||
| + | Require host 193.12.118.196 | ||
</Location> | </Location> | ||
| Line 230: | Line 244: | ||
ProxyPass /jira http://192.168.1.12:8080/jira | ProxyPass /jira http://192.168.1.12:8080/jira | ||
ProxyPassReverse /jira http://192.168.1.12:8080/jira | ProxyPassReverse /jira http://192.168.1.12:8080/jira | ||
| − | |||
## Proxy to webmin | ## Proxy to webmin | ||
| Line 236: | Line 249: | ||
ProxyPass http://localhost:10000/ | ProxyPass http://localhost:10000/ | ||
ProxyPassReverse http://localhost:10000/ | ProxyPassReverse http://localhost:10000/ | ||
| − | + | ||
| − | + | # Apache 2.4 syntax | |
| − | + | Require local | |
| + | # LAN and VPN | ||
| + | require ip 172.16.50 | ||
| + | require ip 172.16.60 | ||
</Location> | </Location> | ||
| Line 245: | Line 261: | ||
ProxyPass http://smartcard-mq:15672/ | ProxyPass http://smartcard-mq:15672/ | ||
ProxyPassReverse http://smartcard-mq:15672/ | ProxyPassReverse http://smartcard-mq:15672/ | ||
| − | Order deny,allow | + | |
| − | Deny from all | + | ### Apache < 2.4 |
| − | + | #Order deny,allow | |
| + | #Deny from all | ||
| + | |||
| + | ### Apache 2.4 | ||
| + | Require all denied | ||
</Location> | </Location> | ||
| Line 259: | Line 279: | ||
| + | |||
| + | ==Apply settings== | ||
Apply changes and test result | Apply changes and test result | ||
| Line 269: | Line 291: | ||
For example, Navigate to http://myServer/jira | For example, Navigate to http://myServer/jira | ||
| + | |||
| + | |||
| + | |||
| + | =Proxy all= | ||
| + | |||
| + | If you want to proxy a complete server root (/) using access restrictions [ACL] this is how you can do it: | ||
| + | |||
| + | |||
| + | <syntaxhighlight lang="apache"> | ||
| + | <VirtualHost *:443> | ||
| + | ServerName dev.vehco.com | ||
| + | |||
| + | SSLEngine on | ||
| + | SSLCertificateFile /etc/apache2/ssl/codriver.com.crt | ||
| + | SSLCertificateKeyFile /etc/apache2/ssl/codriver.com.key | ||
| + | SSLCertificateChainFile /etc/apache2/ssl/gd_bundle.crt | ||
| + | SSLOptions +ExportCertData | ||
| + | |||
| + | ##### VHost default directory ; required even if it's not used ! | ||
| + | DocumentRoot /var/www/dev.vehco.com | ||
| + | <Directory /> | ||
| + | Options FollowSymLinks | ||
| + | AllowOverride None | ||
| + | </Directory> | ||
| + | |||
| + | ProxyRequests Off | ||
| + | ProxyPreserveHost Off | ||
| + | |||
| + | |||
| + | ##### Proxy access rights | ||
| + | <Proxy *> | ||
| + | Require local | ||
| + | # Swedish LAN | ||
| + | Require ip 192.168.1 | ||
| + | # VEHCO VPN | ||
| + | Require ip 192.168.12 | ||
| + | # French office | ||
| + | require ip 90.83.80.91 | ||
| + | require ip 195.101.122.32/27 | ||
| + | require ip 195.101.122.64/27 | ||
| + | </Proxy> | ||
| + | |||
| + | # Target server to redirect to | ||
| + | ProxyPass / http://dev.vehco.com/ | ||
| + | ProxyPassReverse / http://dev.vehco.com/ | ||
| + | |||
| + | </VirtualHost> | ||
| + | |||
| + | </syntaxhighlight> | ||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | |||
| + | =Thanks= | ||
| + | |||
| + | Special thanks to Julien Rialland for his insight regarding this part! | ||
| + | |||
| + | * Julien's blog: http://jrialland.wordpress.com/ | ||
| + | * Julien's LinkedIn: http://fr.linkedin.com/in/julienrialland | ||
Latest revision as of 16:58, 19 September 2014
Contents
Principle
The proxy module allow you to expose a resource that is not directly accessible.
For instance it can redirect remote user to a specific server that can be host on a different machine or port through a simple URL.
Proxy VS redirection
| Header text | Proxy | Redirection |
|---|---|---|
| Main usage |
|
Signal a change or redirect to the HTTPS web-site |
| Action | Hidden to the user.
|
Explicit
|
Internet limits: why do we need a proxy?
Some application are not available from outside…
- For security reasons [default URL is not allowed]
- Due to network issues
How does Apache2 mod_proxy work?
The Apache2 proxy module allow you to provide access through transparent redirection.
It relies on:
- Already open port (80 or 443)
- Redirection rule
- Each service URL must be unique
- The target service must be reachable by the web server
As you can see on the previous example, the services will be accessible using some dedicated URL.
Remote “http://myServer/myService” will redirect to “http://localhost:8081”
→ The mod_proxy is none intrusive.
You don’t have to change anything in the original service configuration. Apache2 will handle all the transformations.
Proxy / redirect / rewrite - HTTP request processing
When Apache2 receive a request it will be process in the following order:
The evaluation order is:
- Mod_proxy
- Mod_rewrite
- Other modules
- Serve requested resources if no rule should apply
So, even if you enable a full redirection to HTTPS you can still use some HTTP service through mod_proxy (because mod_proxy is the 1st to be evaluate).
Installation
Enable proxy module
a2enmod proxy proxy_http proxy_ajp
a2enmod proxy_html xml2enc
Configure proxy redirections
You can configure the redirections in 2 ways:
- Through your virtual host configuration
- Through the module configuration file
Module configuration file
You have to edit / create the configuration file.
vim /etc/apache2/mods-enabled/proxy.conf
Virtual host
Just edit again your previous V.Host:
vim /etc/apache2/sites-available/myServer.conf
V.Host proxy declaration
Adjust your V.Host configuration to:
<VirtualHost *:80>
ServerName dev.daxiongmao.eu
ServerAlias www.dev.daxiongmao.eu *.dev.daxiongmao.eu
ServerAdmin guillaume@qin-diaz.com
### LOG
LogLevel warn
ErrorLog ${APACHE_LOG_DIR}/dev.daxiongmao.eu/error.log
CustomLog ${APACHE_LOG_DIR}/dev.daxiongmao.eu/access.log combined
### Redirect all traffic to HTTPS website
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
redirect permanent / https://myServer/
### No proxy here because I only want to use HTTPS
</VirtualHost>
<VirtualHost *:443>
...
#############################
# Proxy configuration
#############################
# Enable proxy
ProxyVia On
ProxyPreserveHost On
ProxyRequests Off
ProxyErrorOverride Off
## SSL support (allow to redirect to other SSL sites)
SSLProxyEngine On
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
<Proxy *>
AddDefaultCharset off
#### You must accept proxy from everywhere *
#### Access control is done in each directory || location
## Old Apache2 (before 2.4) syntax
#Order allow,deny
#allow from all
## Apache 2.4 syntax
Require all granted
Satisfy Any
</Proxy>
########################
# Standard Web application - No proxy required
########################
#### Direct access without further configuration
ProxyPass /maintenance !
ProxyPass /menu !
ProxyPass /ssl !
#### Standard URL filters
# PhpMyAdmin
<Location /phpmyadmin>
ProxyPass !
# Apache 2.4 syntax
Require local
# LAN and VPN
require ip 172.16.50
require ip 172.16.60
# Specific hosts
require host dev.daxiongmao.eu
</Location>
#### Alias
# PHPSecInfo
Alias /phpsec /var/www/phpsecinfo
<Location /phpsec >
ProxyPass !
# Apache 2.4 syntax
Require all granted
</Location>
########################
# Proxy redirections
########################
# Proxy to a Java application running over Tomcat
ProxyPass /webdav ajp://localhost:8009/webdav/
ProxyPassReverse /webdav ajp://localhost:8009/webdav
# Proxy to a Java application running over Tomcat, with IP filter
<Location /manager>
ProxyPass ajp://localhost:8009/manager/
ProxyPassReverse ajp://localhost:8009/manager/
### Apache < 2.4
#Order allow,deny
#Allow from 127.0.0.1 192.168.1.0/24 193.12.118.196
### Apache 2.4
Require local
Require ip 192.168.1
Require host 193.12.118.196
</Location>
# Proxy to another server
ProxyPass /jira http://192.168.1.12:8080/jira
ProxyPassReverse /jira http://192.168.1.12:8080/jira
## Proxy to webmin
<Location /webmin/>
ProxyPass http://localhost:10000/
ProxyPassReverse http://localhost:10000/
# Apache 2.4 syntax
Require local
# LAN and VPN
require ip 172.16.50
require ip 172.16.60
</Location>
## Proxy to RabbitMQ
<Location /rabbitmq/>
ProxyPass http://smartcard-mq:15672/
ProxyPassReverse http://smartcard-mq:15672/
### Apache < 2.4
#Order deny,allow
#Deny from all
### Apache 2.4
Require all denied
</Location>
</VirtualHost>
Some notes:
- Do NOT put a / after the target URL
- Do NOT use / as ProxyPass source, use the previous redirect permanent instead
Apply settings
Apply changes and test result
service apache2 restart
For example, Navigate to http://myServer/jira
Proxy all
If you want to proxy a complete server root (/) using access restrictions [ACL] this is how you can do it:
<VirtualHost *:443>
ServerName dev.vehco.com
SSLEngine on
SSLCertificateFile /etc/apache2/ssl/codriver.com.crt
SSLCertificateKeyFile /etc/apache2/ssl/codriver.com.key
SSLCertificateChainFile /etc/apache2/ssl/gd_bundle.crt
SSLOptions +ExportCertData
##### VHost default directory ; required even if it's not used !
DocumentRoot /var/www/dev.vehco.com
<Directory />
Options FollowSymLinks
AllowOverride None
</Directory>
ProxyRequests Off
ProxyPreserveHost Off
##### Proxy access rights
<Proxy *>
Require local
# Swedish LAN
Require ip 192.168.1
# VEHCO VPN
Require ip 192.168.12
# French office
require ip 90.83.80.91
require ip 195.101.122.32/27
require ip 195.101.122.64/27
</Proxy>
# Target server to redirect to
ProxyPass / http://dev.vehco.com/
ProxyPassReverse / http://dev.vehco.com/
</VirtualHost>
Thanks
Special thanks to Julien Rialland for his insight regarding this part!
- Julien's blog: http://jrialland.wordpress.com/
- Julien's LinkedIn: http://fr.linkedin.com/in/julienrialland
