httpd-users mailing list archives

From "Tony Karakashian" <tony...@monstertruck.cc>
Subject [users@httpd] Reverse Proxying Questions
Date Sun, 03 Aug 2003 16:04:42 GMT
I have a few questions about using Apache as a reverse proxy.  I've dug
through the docs and mailing lists and have picked up "snippets" of how to
do this, but it's still not working for me.  I'm hoping with everyone's help
I can a) get it working b) create a howto for others who might be trying to
do what I am.    As I realize this is probably a very isolated need, I
didn't expect to find any step-by-steps.  However, I'm sure others will want
to do this, so if I can help 'em out, so much the better!

So, let's get to the nitty gritty.  Apache is set up on my Linux firewall
which has a dynamic IP provided by my cable modem.  I have a few web
services that run on different machines, and different ports, and I would
like to be able to access them all through a single port.  This is mainly
because our corporate IT guys at work block all outgoing traffic except for
"approved ports" and also because I don't want to punch many, many holes
through the firewall.  The final reason would be to provide SSL for services
that don't support it, if possible.  I've read on the lists that this last
one doesn't seem to work too well, so I'm willing to use stunnel
(www.stunnel.org) if it'll be better.  I'd still need Apache to proxy the
requests, though.

Here's the machines we're talking about:

1.  Firewall.  Running Linux, external IP is dynamic, internal is 10.0.0.1.
It also runs webmin on port 10000, but that's currently only accessible
internally.  I'd like it to be accessible externally, on a different
hostname, and using SSL.
2.  Webserver. Running W2K and IIS.  My primary webserver, its internal IP is
10.0.0.2.  On top of being "www.mydomain.com", it also redirects to virtual
hosts based on host headers.  For example, I have admin.mydomain.com where
lives Squirrelmail, myPHPAdmin, and a few other admin scripts.   This
machine also runs some home automation software which has its own built-in
webserver running on port 8000.
3.  Linux box.  Running Apache, mostly used for testing PHP stuff.  Its IP
is 10.0.0.58.
4.  Media server.  Lives in my living room, runs Windows & Showshifter
(www.showshifter.com).  I run a program called WebShifter on port 9000 that
allows me to schedule Showshifter to record TV programs.  Its IP is
10.0.0.4.

I have a domain name that I use (we'll call it mydomain.com) and have
dynamic DNS services provided by TZO.  The goal is the following: to provide
access to all of those machines by changing the hostname.  So:


Connecting to www.mydomain.com:80 will give me the main pages off the
webserver.
Connecting to webmin.mydomain.com:443 will give me the webmin pages on the
firewall, but over SSL.
Connecting to homeauto.mydomain.com:443 will give me the home automation
pages running on machine #2, port 8000.  Again, over SSL as this webserver
doesn't support it.
Connecting to admin.mydomain.com:443 will give me SSL access to each of the
web services provided by machine #2 on the alternate hostname.  These are
subdivided by directory...admin.mydomain.com/squirrelmail,
admin.mydomain.com/myphpadmin, etc.
Connecting to redbox.mydomain.com:80 will take me to the Linux box.


What I've done is pulled all the relevant portions of my httpd.conf, and
will ask specific questions:

Below is the list of modules that are in the auto-generated httpd.conf.
Notice I've added the mod_proxy stuff at the end.  Since this apache is
going to act as a reverse proxy only, which of the others do I really need?

LoadModule access_module modules/mod_access.so
LoadModule auth_module modules/mod_auth.so
LoadModule auth_anon_module modules/mod_auth_anon.so
LoadModule auth_dbm_module modules/mod_auth_dbm.so
LoadModule auth_digest_module modules/mod_auth_digest.so
LoadModule ext_filter_module modules/mod_ext_filter.so
LoadModule include_module modules/mod_include.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule env_module modules/mod_env.so
LoadModule mime_magic_module modules/mod_mime_magic.so
LoadModule cern_meta_module modules/mod_cern_meta.so
LoadModule expires_module modules/mod_expires.so
LoadModule headers_module modules/mod_headers.so
LoadModule usertrack_module modules/mod_usertrack.so
LoadModule unique_id_module modules/mod_unique_id.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule mime_module modules/mod_mime.so
LoadModule dav_module modules/mod_dav.so
LoadModule status_module modules/mod_status.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule asis_module modules/mod_asis.so
LoadModule info_module modules/mod_info.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dav_fs_module modules/mod_dav_fs.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule dir_module modules/mod_dir.so
LoadModule imap_module modules/mod_imap.so
LoadModule actions_module modules/mod_actions.so
LoadModule speling_module modules/mod_speling.so
LoadModule userdir_module modules/mod_userdir.so
LoadModule alias_module modules/mod_alias.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so


Do I add only the "main" server name (probably www.mydomain.com), or do I
add a line for each (admin. webmin., etc)?

ServerName www.mydomain.com:80


Similar question to above.  Does this stay as off?  I'm assuming it would.

UseCanonicalName Off


Virtual Hosts, I've seen some indication in the forums that I should be
using virtual hosts to describe each hostname I want to proxy.  Is this
correct, or does it apply only when Apache's serving all the pages?  Such
as:

NameVirtualHost *

<VirtualHost *>
    ServerAdmin tonyk69@monstertruck.cc
    DocumentRoot /opt/apache/docs/dummy-www.mydomain.com
    ServerName dummy-www.mydomain.com
    ErrorLog logs/dummy-www.mydomain.com-error_log
    CustomLog logs/dummy-www.mydomain.com-access_log common
</VirtualHost>

<VirtualHost *>
    ServerAdmin tonyk69@monstertruck.cc
    DocumentRoot /opt/apache/docs/dummy-webmin.mydomain.com
    ServerName dummy-webmin.mydomain.com
    ErrorLog logs/dummy-webmin.mydomain.com-error_log
    CustomLog logs/dummy-webmin.mydomain.com-access_log common
</VirtualHost>

etc.


Finally, the proxy stuff.  My firewall uses its own internal DNS, so
redirecting to the below hostnames resolves to their internal IPs. I wanted
to put the real hostnames in, since for some of the sites, it's host-header
dependent.  I assume Apache will pass those to the proxied server.  For
those that it isn't necessary (the home automation server doesn't care about
host-headers, for example), I  just put in the IP.


ProxyRequests Off

<Proxy *>

Order deny,allow
Allow from all

</Proxy>

ProxyPass http://www.mydomain.com http://www.mydomain.com
ProxyPassReverse http://www.mydomain.com http://www.mydomain.com
ProxyPass http://webmin.mydomain.com:443 http://10.0.0.1:10000
ProxyPassReverse http://webmin.mydomain.com:443 http://10.0.0.1:10000
ProxyPass http://homeauto.mydomain.com:443 http://10.0.0.2:8000
ProxyPassReverse http://homeauto.mydomain.com:443 http://10.0.0.2:8000
ProxyPass http://redbox.mydomain.com http://redbox.mydomain.com
ProxyPassReverse http://redbox.mydomain.com http://redbox.mydomain.com
ProxyPass http://webshift.mydomain.com:443 http://10.0.0.4:9000
ProxyPassReverse http://webshift.mydomain.com:443 http://10.0.0.4:9000

I hope this all made sense.   I'm relatively new to this setup, but it's
what I've been looking for for YEARS! :)

Thanks in advance for any help.

-T



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
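
The layout described in the message above, sketched as name-based virtual hosts; this is an added example, not part of the original post or of the Apache documentation. ProxyPass takes a local URL path as its first argument rather than a full URL, so each public hostname gets its own `<VirtualHost>` with a `ProxyPass /` mapping. Hostnames and backend addresses are the ones given in the post, certificate paths are placeholders, and the syntax is Apache 2.0-era to match the post; homeauto, webshift and redbox follow the same pattern as the hosts shown.

```apache
# Added example. Assumes mod_ssl is loaded in addition to the mod_proxy modules.
Listen 80
Listen 443
NameVirtualHost *:80
NameVirtualHost *:443

# Reverse proxy only: forward proxying stays off so the box is not an open proxy.
ProxyRequests Off
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>

# Backend named by hostname. This relies on the post's statement that the
# firewall's internal DNS resolves it to the LAN address; the backend then
# receives the Host header its host-header routing expects.
<VirtualHost *:80>
    ServerName www.mydomain.com
    ProxyPass        / http://www.mydomain.com/
    ProxyPassReverse / http://www.mydomain.com/
</VirtualHost>

# TLS ends at the proxy; the hop to the backend is plain HTTP on the LAN.
# All *:443 hosts share one address, so this assumes a single certificate
# that covers every HTTPS hostname (placeholder paths).
<VirtualHost *:443>
    ServerName webmin.mydomain.com
    SSLEngine on
    SSLCertificateFile    /path/to/placeholder.crt
    SSLCertificateKeyFile /path/to/placeholder.key
    ProxyPass        / http://10.0.0.1:10000/
    ProxyPassReverse / http://10.0.0.1:10000/
</VirtualHost>

# ProxyPassReverse rewrites the backend's http:// redirects to this host's
# own https:// URL, so clients are not sent back to plain HTTP.
<VirtualHost *:443>
    ServerName admin.mydomain.com
    SSLEngine on
    SSLCertificateFile    /path/to/placeholder.crt
    SSLCertificateKeyFile /path/to/placeholder.key
    ProxyPass        / http://admin.mydomain.com/
    ProxyPassReverse / http://admin.mydomain.com/
</VirtualHost>
```

`apachectl configtest` checks the syntax before a restart.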

