httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Axel-Stéphane SMORGRAV <Axel-Stephane.SMORG...@europe.adp.com>
Subject RE: [users@httpd] reverse proxy configuration.
Date Mon, 21 Mar 2005 10:15:06 GMT
Vincent,

You say your configuration does not work, but you do not specify WHAT does not work.

>From your configuration I understand you are trying to use the front-end Apache as a combined
proxy and reverse proxy.

Try setting the LogLevel to debug. The output to your error log file may give you a clue.

Otherwise the article http://www.apacheweek.com/features/reverseproxies is a good source of
information.

-ascs 


-----Message d'origine-----
De : Vincent Blondel [mailto:vincent@xtra-net.org] 
Envoyé : mardi 15 mars 2005 11:30
À : users@httpd.apache.org
Objet : [users@httpd] reverse proxy configuration.

Hi all,

We recently decided to set up a dmz in our infrastructure and I have chosen to use openbsd
3.6 with built in apache 1.3.29 ( compiled and hardened by the OpenBSD team ) with mod_proxy
/ mod_security and mod_rewrite.

So before setting up all this in a real life world, I currently spend my time to let this
configuration work in our developement lan.

So let's immagine I get next infrastructure :

  reverse proxy                     real internal web server
rproxy1.example.net    ----->   iweb1.example.net ( example.org )
  192.168.1.25:80                      192.168.1.19:80

So, as you can see it, we just would like to forward all internet incoming traffic ( port
80 ) from our external web server ( rproxy1.example.net ) to our internal web server ( iweb1.example.net
).

iweb1.example.net hosts example.net and example.org ( configured by VirtualHost ). iweb1 runs
with FreeBSD 4.10 and apache 1.3.33. A last detail, we do not use any firewall in this configuration.
This is just to make the configuration more easy.

So I am trying a configuration but it doesn't work. Please find below the configuration

### Begin httpd.conf ########################################

# $Id$
#

### Section 1: Global Environment
ServerType standalone

# Do NOT add a slash at the end of the directory path.
ServerRoot "/var/www"

#LockFile logs/accept.lock
PidFile logs/httpd.pid
ScoreBoardFile logs/apache_runtime_status

Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15

MinSpareServers 5
MaxSpareServers 10
StartServers 5
MaxClients 150
MaxRequestsPerChild 0
BindAddress rproxy1

# Dynamic Shared Object (DSO) Support
# Note: The order is which modules are loaded is important. Don't change # the order below
without expert advice.
LoadModule proxy_module /usr/lib/apache/modules/libproxy.so

#ExtendedStatus On


### Section 2: 'Main' server configuration Port 80

## SSL Support
<IfDefine SSL>
  Listen 80
  Listen 443
</IfDefine>

# If you wish httpd to run as a different user or group, you must run # httpd as root initially
and it will switch.
User www
Group www

ServerAdmin webmaster@example.net
ServerName rproxy1.example.net
DocumentRoot "/var/www/htdocs"

# First, we configure the "default" to be a very restrictive set of # permissions.

<Directory />
  Options FollowSymLinks
  AllowOverride None
  Order deny,allow
  Deny from all
</Directory>

#CacheNegotiatedDocs
UseCanonicalName On

TypesConfig conf/mime.types
DefaultType text/plain

<IfModule mod_mime_magic.c>
  MIMEMagicFile conf/magic
</IfModule>

HostnameLookups Off
ErrorLog logs/error_log
LogLevel warn

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User- Agent}i\"" combined LogFormat
"%h %l %u %t \"%r\" %>s %b" common LogFormat "%{Referer}i -> %U" referer LogFormat "%{User-agent}i"
agent

#CustomLog logs/access_log common
#CustomLog logs/referer_log referer
#CustomLog logs/agent_log agent
CustomLog logs/access_log combined

ServerSignature Off

###
# Proxy Server directives. Uncomment the following lines to # enable the proxy server:
#
<IfModule mod_proxy.c>
  ProxyRequests On

  <Directory proxy:*>
    Order deny,allow
    Deny from all
    # Allow from .your_domain.com
  </Directory>

  <Directory proxy:http://www.example.net/>
    Order deny,allow
    Allow from all
  </Directory>

  <Directory proxy:http://www.example.org/>
    Order deny,allow
    Allow from all
  </Directory>

  # Enable/disable the handling of HTTP/1.1 "Via:" headers.
  # ("Full" adds the server version; "Block" removes all outgoing
Via:headers)
  # Set to one of: Off | On | Full | Block
  ProxyVia On

  #
  # To enable the cache as well, edit and uncomment the following lines:
  # (no cacheing without CacheRoot)
  #
  #CacheRoot "/var/www/proxy/cache"
  #CacheSize 5
  #CacheGcInterval 4
  #CacheMaxExpire 24
  #CacheLastModifiedFactor 0.1
  #CacheDefaultExpire 1
  #NoCache a_domain.com another_domain.edu joes.garage_sale.com </IfModule> # End of
proxy directives.


###
# IndexIgnore is a set of filenames which directory indexing should ignore # and not include
in the listing. Shell-style wildcarding is permitted.
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t #

# AddEncoding allows you to have certain browsers (Mosaic/X 2.1+) uncompress # information
on the fly. Note: Not all browsers support this.
# Despite the name similarity, the following Add* directives have nothing # to do with the
FancyIndexing customization directives above.
#
AddEncoding x-compress Z
AddEncoding x-gzip gz

#
# Customizable error response (Apache style) # these come in three flavors # # 1) plain text
#ErrorDocument 500 "The server made a boo boo.
# n.b. the (") marks it as text, it does not get output # # 2) local redirects #ErrorDocument
404 /missing.html # to redirect to local URL /missing.html #ErrorDocument 404 /cgi-bin/missing_handler.pl
# N.B.: You can redirect to a script or a document using server-sideincludes.
#
# 3) external redirects
#ErrorDocument 402 http://some.other_server.com/subscription_info.html
# N.B.: Many of the environment variables associated with the original # request will *not*
be available to such a script.

# Built-in Broken Browser Tweaks
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0 BrowserMatch "RealPlayer
4\.0" force-response-1.0 BrowserMatch "Java/1\.0" force-response-1.0 BrowserMatch "JDK/1\.0"
force-response-1.0


### Section 3: Virtual Hosts
# If you want to use name-based virtual hosts you need to define at # least one IP address
(and port number) for them.

NameVirtualHost rproxy1

<VirtualHost rproxy1>
  ServerName www.example.net
  ProxyPass / http://iweb1/
  ProxyPassReverse / http://iweb1/
  # CustomLog logs/iweb1.access_log combined
  <Location />
    Order allow,deny
    Allow from all
  </Location>
</VirtualHost>

<VirtualHost rproxy1>
  ServerName www.example.org
  ProxyPass / http://iweb1/
  ProxyPassReverse / http://iweb1/
  # CustomLog logs/iweb1.access_log combined
  <Location />
    Order allow,deny
    Allow from all
  </Location>
</VirtualHost>

## SSL Global Context
## All SSL configuration in this context applies both to ## the main server and all SSL-enabled
virtual hosts.
# Some MIME-types for downloading Certificates and CRLs <IfDefine SSL>
  AddType application/x-x509-ca-cert .crt
  AddType application/x-pkcs7-crl .crl
</IfDefine>

<IfModule mod_ssl.c>
  SSLPassPhraseDialog builtin
  SSLSessionCache dbm:logs/ssl_scache
  SSLSessionCacheTimeout 300
  SSLMutex sem

  # Pseudo Random Number Generator (PRNG):
  SSLRandomSeed startup builtin
  SSLRandomSeed connect builtin
  #SSLRandomSeed startup file:/dev/random 512
  #SSLRandomSeed startup file:/dev/urandom 512
  #SSLRandomSeed connect file:/dev/random 512
  #SSLRandomSeed connect file:/dev/urandom 512
  SSLRandomSeed startup file:/dev/arandom 512

  # Logging:
  SSLLog logs/ssl_engine_log
  SSLLogLevel info
</IfModule>

### End httpd.conf ########################################

Thanks to help me.

Vincent.



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message