Apache reverse Proxy

In many environments it is necessary to mask the internal servers and ensure the web traffic does not reach the internal servers directly even though there is a firewall in between the server and the internet. In such scenarios, it is prudent to add an additional layer of security and protect all the web servers in the production environment.

A reverse proxy is essentially a standalone application (read: a simple configuration using the Apache web server) that masks the actual internal servers. All communication between the client on the internet and an application server happens through the proxy server. The proxy server does all the hard work of rewriting the URLs and ensuring that communication between the client on the internet and the internal application server works well. It can also double up as a load balancer if you have multiple application or web servers.

A simple reverse proxy configuration using the Apache web server is shown below. I will be using my favorite OS – Ubuntu server. This time, however, I will use the latest and greatest Ubuntu 14.04.01 LTS, 64 bit server edition. There is nothing wrong with 12.04.05, but since 14.04.01 is an LTS release and is faster than 12.04, I will be using it. You are free to use any Linux distribution of your choice.

  1. Install Ubuntu 14.04.01 – 64 bit edition if you have 4 GB RAM or more, else a 32 bit version is ok
  2. Update and upgrade if required
    1. sudo apt update
    2. sudo apt upgrade
    3. Reboot – not necessary, but since I spent my childhood in a windows environment, reboot and restart is a habit more than a necessity.
  3. Install apache2 ( sudo apt install apache2)
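  4. Configuration of apache2 – creating a virtual host
    1. cd /etc/apache2/sites-available
    2. sudo cp 000-default.conf reversep.conf (reversep is a virtual host; you can name it as you like, but Apache 2.4 on Ubuntu 14.04 only loads site files ending in .conf)
    3. sudo a2dissite 000-default
    4. sudo a2enmod rewrite proxy proxy_http (ProxyPass needs mod_proxy and mod_proxy_http)
    5. sudo nano reversep.conf
    6. Copy and paste the content below – tweak as per your requirement
      <VirtualHost *:443>
      # FQDN for the application – the public DNS A record should point to the NATed public IP of the reverse proxy
      ServerName <Complete FQDN>
      # Port 443 serves HTTPS only when mod_ssl is enabled and this block also sets
      # SSLEngine on with SSLCertificateFile and SSLCertificateKeyFile
      ProxyPreserveHost On
      # Off disables forward proxying; the host only relays to the server named below
      ProxyRequests Off
      # Change the name in the two lines below: "http://<your LAN web server name>"
      ProxyPass / http://<name of the server on your local lan>/
      ProxyPassReverse / http://<name of the server on your local lan>/
      </VirtualHost>
    7. sudo a2ensite reversep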
  5. NAT the Apache reverse proxy's internal IP address to a public IP address on the firewall and open only the ports required for the application, e.g. 80, 443, 965, 567 etc.
  6. Remember to make the necessary A record changes to the Public DNS
  7. Done !!!!!

You can add more servers by adding similar blocks to the reversep file, one below the other, and remembering to restart the apache2 service every time.
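A quick check for the reversep file once it holds several blocks, as an added example that is not part of the original post: the hypothetical `check_vhosts` function flags a block that turns on forward proxying, binds port 443 without `SSLEngine on`, or has a `ProxyPass` without the matching `ProxyPassReverse`. The hostnames in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): lint a reversep-style vhost file.
# check_vhosts [FILE]: prints one finding per line, returns 1 if any were found.
check_vhosts() {
    awk '
    function report(msg) { print name ": " msg; bad = 1 }
    { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, ""); key = tolower($1) }
    /^#/ || /^$/ { next }                      # skip comments and blank lines
    key == "<virtualhost" {                    # new block: reset per-block state
        name = "(no ServerName)"; addr = $2; req = ""; ssl = ""
        split("", pass); split("", rev); next
    }
    key == "servername"       { name = $2 }
    key == "proxyrequests"    { req = tolower($2) }
    key == "sslengine"        { ssl = tolower($2) }
    key == "proxypass"        { pass[$2] = $3 }
    key == "proxypassreverse" { rev[$2] = $3 }
    key == "</virtualhost>" {
        if (req == "on")
            report("ProxyRequests On makes this host a forward (open) proxy")
        if (addr ~ /:443>$/ && ssl != "on")
            report("bound to port 443 without SSLEngine on")
        for (p in pass)
            if (rev[p] != pass[p])
                report("ProxyPass " p " has no matching ProxyPassReverse")
    }
    END { exit bad + 0 }
    ' "$@"
}

# Constructed sample input: app1 is clean, app2 has all three problems.
sample_vhosts() {
    cat <<'EOF'
<VirtualHost *:443>
    ServerName app1.example.com
    SSLEngine on
    ProxyRequests Off
    ProxyPass / http://app1.lan/
    ProxyPassReverse / http://app1.lan/
</VirtualHost>
<VirtualHost *:443>
    ServerName app2.example.com
    ProxyRequests On
    ProxyPass / http://app2.lan/
</VirtualHost>
EOF
}

sample_vhosts | check_vhosts || echo "fix the findings above before reloading apache2"
```

Against the real file, run `check_vhosts /etc/apache2/sites-available/reversep.conf` (or whatever name you gave the site file) before restarting apache2.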

Some basic necessities to ensure this works

  1. Whichever FQDNs you want to be accessible through the internet, the respective ‘A Records’ in the public DNS have to point to the Nated IP address on the firewall
  2. Nat the apache reverse proxy on the firewall with a public IP Address
  3. Ensure only necessary ports are opened
  4. Enable Firewall on the apache server as well (refer to UFW – one of my blogs)

One popular software company sold a reverse proxy for US $ 2,000. They have discontinued the product now. But they sold the product for US $ 2,000, with a nice GUI but essentially only the above 8 to 9 lines of code. The license obviously needed a licensed operating system 🙂

Hope you have fun hiding your servers from the internet !!!


4 thoughts on “Apache reverse Proxy”

  1. This article is good. Can this be used as a reverse proxy for Microsoft Lync and Microsoft Exchange? We have a setup where we are trying to use a reverse proxy as squid. But somehow it is giving us problems.

    • Yes – this setup will work for any of the solutions – Microsoft or Non-Microsoft solutions as well. In fact I know of a company that is using Microsoft Sharepoint behind an Apache Reverse Proxy and it is working great. So I don’t think it will create any issues for any other solution. However, one must know which ports need to be opened for a particular solution on the firewall and on the proxy server if you are using IP Tables or UFW.

      Also if you are going to be having several applications behind this proxy, a HA setup could be considered.

      Cheers.

  2. Do you have anything for the HA setup? I have tried using the apache reverse proxy and it is working…but before I commit to this setup and let the team know, I want to be sure that the HA setup works and without giving any problems. Do you have any notes on that?

    • I will try and put something together for this though I am not sure when 😦 But, I am glad that the setup worked for you. And thanks for the offer. I do this stuff free. I do it for the love of Linux and for Ubuntu. If you need help, buzz me. I am happy to help you out…
