In many environments it is necessary to mask the internal servers and ensure the web traffic does not reach the internal servers directly even though there is a firewall in between the server and the internet. In such scenarios, it is prudent to add an additional layer of security and protect all the web servers in the production environment.
A reverse proxy is essentially a standalone application (read as a simple configuration using the Apache web server) that masks the actual internal servers. All communication between the client on the internet and an application server happens through the proxy server. The proxy server does all the hard work of rewriting the URLs and ensuring the communication between the client on the internet and the internal application server is working well. This can also double up as a load balancer if you have multiple application or web servers.
A simple reverse proxy configuration using the Apache web server is shown below. I will be using my favorite OS – Ubuntu server. This time I will however use the latest and the greatest Ubuntu 14.04.01 LTS, 64 bit server edition. There is nothing wrong with the 12.04.05, but since 14.04.01 is an LTS and is faster as compared to 12.04, I will be using it. You are free to use any Linux distribution of your choice.
- Install Ubuntu 14.04.01 – 64 bit edition if you have 4 GB RAM or more, else a 32 bit version is ok
- Update and upgrade if required
  - sudo apt update
  - sudo apt upgrade
- Reboot – not necessary, but since I spent my childhood in a Windows environment, reboot and restart is a habit more than a necessity.
- Install apache2 (sudo apt install apache2)
- Configuration of apache2 – creating a virtual host
  - cd /etc/apache2/sites-available
  - sudo cp 000-default.conf reversep.conf (reversep is a virtual host. You can name it per your convenience; Apache 2.4 on 14.04 only loads site files ending in .conf)
  - sudo a2dissite 000-default
  - sudo a2enmod rewrite proxy proxy_http (ProxyPass needs the proxy and proxy_http modules)
  - sudo nano reversep.conf
  - Copy paste the below content – tweak as per your requirement

        <VirtualHost *:443>
        #FQDN for application – Public DNS should point the A record to the NATed public IP of the reverse proxy
        ServerName <Complete FQDN>
        #A *:443 virtual host also needs mod_ssl (sudo a2enmod ssl) with SSLEngine, SSLCertificateFile
        #and SSLCertificateKeyFile set for your certificate; those lines are not shown here
        #change the name in below line "http://<your Lan web server name>"
        ProxyPass / http://<name of the server on your local lan>/
        ProxyPassReverse / http://<name of the server on your local lan>/
        </VirtualHost>

  - sudo a2ensite reversep (then restart apache2: sudo service apache2 restart)
- NAT the Apache reverse proxy internal IP address to a public IP address on the firewall and open only the required ports for the application. For example: 80, 443, 965, 567 etc.
- Remember to make the necessary A record changes to the Public DNS
- Done !!!!!
You can add more servers by adding similar code blocks in the reversep virtual host file one below the other and remembering to restart the apache2 service every time.
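A small check for the reversep file once it holds several virtual host blocks, as an added example that is not part of the original post: it flags a port 443 host without SSLEngine on, ProxyRequests On, and a ProxyPass with no matching ProxyPassReverse. The host names in the sample are constructed placeholders, and only directives inside VirtualHost blocks are examined.

```python
import re

# Constructed sample: two virtual hosts in one reversep file (names are placeholders).
SAMPLE = """\
<VirtualHost *:443>
    ServerName app1.example.com
    SSLEngine on
    ProxyPass / http://app1.lan/
    ProxyPassReverse / http://app1.lan/
</VirtualHost>
<VirtualHost *:443>
    ServerName app2.example.com
    ProxyRequests On
    ProxyPass / http://app2.lan/
</VirtualHost>
"""

VHOST = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)

def directives(body):
    """Return (lowercased name, [args]) for each non-comment directive line."""
    lines = (l.strip() for l in body.splitlines())
    return [(l.split()[0].lower(), l.split()[1:]) for l in lines
            if l and not l.startswith("#")]

def audit(conf_text):
    """Return a list of (server_name, finding) for every virtual host block."""
    findings = []
    for addr, body in VHOST.findall(conf_text):
        d = directives(body)
        def value(key):  # first argument of a directive, lowercased, or ""
            return next((a[0].lower() for n, a in d if n == key and a), "")
        name = value("servername") or addr.strip()
        if addr.strip().endswith(":443") and value("sslengine") != "on":
            findings.append((name, "port 443 without 'SSLEngine on'"))
        if value("proxyrequests") == "on":
            findings.append((name, "ProxyRequests On makes this an open forward proxy"))
        passes = {a[0] for n, a in d if n == "proxypass" and a}
        reverses = {a[0] for n, a in d if n == "proxypassreverse" and a}
        for path in sorted(passes - reverses):
            findings.append((name, f"ProxyPass {path} has no ProxyPassReverse"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```

To run it against a real file, pass the file's text to audit() instead of SAMPLE.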
Some basic necessities to ensure this works:
- Whichever FQDNs you want to be accessible through the internet, the respective 'A Records' in the public DNS have to point to the NATed IP address on the firewall
- NAT the Apache reverse proxy on the firewall with a public IP address
- Ensure only necessary ports are opened
- Enable the firewall on the Apache server as well (refer to UFW – one of my blogs)
One popular software company sold a reverse proxy for US $2,000. They have discontinued the product now. But they sold the product for US $2,000 having a nice GUI but essentially having only the above 8 to 9 lines of code. The license obviously needed a licensed operating system 🙂
Hope you have fun hiding your servers from the internet !!!