SME : Using Apache Server as a reverse HTTP proxy

Type: How To
Version: 0.1.1
Tested on: SME 6.0 and 6.0.1

Subject
How does it work ?
Now, Do it !
And after ?
Change Log

Subject

It is sometimes desirable for an HTTP request received by the SME server to be silently forwarded to another web server. There are different uses for that:

Very important information:

Before going further, it is very important to note that this configuration change can greatly reduce the security level of your network. SME Server is built with security as one of its primary goals and, in most cases, setting up an SME server as the gateway between your network and the Internet gives you a good level of security. Forwarding part of the external traffic into your internal network (using the Apache proxy or the port forwarding rules) is a potential breach of your network security. Never forget that the overall security is equal to the security level of the weakest part. You must be totally confident in the security level of the destination web server, and of all parts of the web system (database servers ...), before starting this kind of configuration.
You have been warned...

How does it work ?

One of the Apache web server modules is a proxy module, which allows reverse proxy operation. This means that Apache is seen as the web server but in fact forwards the query to another server, making some modifications 'in flow' if needed (changing the URL to be compatible with the 'proxy' view).
It then sends the answer back to the original client, making the reverse 'in flow' modifications. This 'fools' the client, which really thinks that the server is the Apache server.

Just for information, here is a reminder of the two 'global' commands that must be present in the httpd.conf file to enable the proxy module:
LoadModule proxy_module modules/libproxy.so
AddModule mod_proxy.c

You don't need to care about this, because on an SME server these commands are already activated: they are used to access the http-admin server, for instance to reach the server-manager.

Kinds of forwarding

There are three kinds of forwarding:

URL forwarding

Please note that this doesn't need any supplemental IP addresses.

Your Apache server is set on a SME Box and answers HTTP queries sent to www.bar.foo.

Your DNS (and the public DNS, if needed) is set up to associate www.bar.foo with your SME IP address. The DNS is also set up to associate www2.bar.foo with the same address as www.bar.foo. (In a perfect world, www2.bar.foo should be a DNS alias of www.bar.foo, but unfortunately the SME DNS configuration tools don't allow alias creation.)

You want all web traffic sent to www2.bar.foo to be forwarded to, and handled by, the server intranet.bar.foo.

This kind of selection is possible because, in an HTTP query, the client gives the hostname that it actually wants to query. This is the selection system used on shared web hosting servers. The Apache web server uses this host information to do its switching.

If you understood me, and if this suits your needs, see the URL Forwarding part of the Let's do it section.

Forwarding based upon server IP address

Let's suppose your ISP gives you more than one IP address: you can set up your SME server with two or more IP addresses, and the Apache server can base its switching rules on the IP address.
Since I cannot run these tests, I won't say more, but the case is almost the same as the first one.

Forwarding a subpart of the main WEB site (like a subdir)

Your main site is hosted on your SME server, at the URL www.bar.foo. But you have e-business software installed on sales.bar.inside.

You want any URL request sent to your SME server and beginning with www.bar.foo/orders to be forwarded to sales.bar.inside.

If you need that, go to the Let's do it section, part Forwarding a subpart of the main WEB site (like a subdir).

Variations

Several variations are possible :

In fact, the only combinations that we cannot do (as far as I know) are combinations that need forwarding to an HTTPS server. That's because, to do this, the proxy module of Apache would need to be an HTTPS client, which in turn would bring some SSL certificate trouble.

Let's do it !

URL Forwarding

We need to create a file named /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/99reverseproxysite :

mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/
cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/
vi 99reverseproxysite
(I mention vi as the text editor, but substitute pico, mc or whatever better suits your habits)

Following our sample, you want a request sent to your SME server for the web site www2.bar.foo to be forwarded to intranet.bar.foo.
A prerequisite is of course that the SME server can resolve the name intranet.bar.foo!
You can also put an IP address in place of the internal server name.

Put the following lines in your 99reverseproxysite file:

<VirtualHost 0.0.0.0:80>
    ServerName www2.bar.foo
    ServerAlias www2

    ProxyPass / http://intranet.bar.foo/
    ProxyPassReverse / http://intranet.bar.foo/

</VirtualHost>

<VirtualHost 0.0.0.0:443>
    ServerName www2.bar.foo
    ServerAlias www2

    ProxyPass / http://intranet.bar.foo/
    ProxyPassReverse / http://intranet.bar.foo/

</VirtualHost>

With these two sections in the file, incoming HTTP and HTTPS requests are forwarded over HTTP to the web server intranet.bar.foo.
If you only want one protocol, include only the relevant part of the file.
You could possibly use a RewriteRule instruction to forward an HTTP request to the corresponding HTTPS page, or vice versa.

The ServerAlias field allows the use of different names for the web site. In this sample, I use it to allow access to the site without giving the FQDN (only useful on the local network).

You can also forward to a subdirectory of your internal web server. Don't forget the final /. For example:

<VirtualHost 0.0.0.0:80>
    ServerName www2.bar.foo
    ServerAlias www2

    ProxyPass / http://intranet.bar.foo/sub/directory/
    ProxyPassReverse / http://intranet.bar.foo/sub/directory/

</VirtualHost>

To activate these changes, just run these two commands:

server-# /sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
server-# service httpd graceful
/usr/sbin/apachectl graceful: httpd gracefully restarted

Forwarding a subpart of the main WEB site (like a subdir)

You must create a file named /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts/26reverseproxydir :

mkdir -p /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts/
cd /etc/e-smith/templates-custom/etc/httpd/conf/httpd.conf/VirtualHosts/
vi 26reverseproxydir
(I mention vi as the text editor, but substitute pico, mc or whatever better suits your habits)

Following our sample, you want web requests sent to your SME server and beginning with www.bar.foo/orders to be forwarded to sales.bar.inside.
A prerequisite is of course that the SME server can resolve the name sales.bar.inside!
You can also put an IP address in place of the internal server name.

Put the following lines in the file 26reverseproxydir:

If you want the forwarded site to be reachable over both HTTP and HTTPS:

{
    if ( $virtualHost eq "bar.foo" ) {
        $OUT .= "    # these dirs are reverse proxied to an internal server\n" ;
        $OUT .= "    ProxyPass /orders http://sales.bar.inside/\n" ;
        $OUT .= "    ProxyPassReverse /orders http://sales.bar.inside/\n" ;
        $OUT .= "\n" ;
    }
}

If you only want the forwarded site to be reachable over HTTPS (replace 443 with 80 if you only want HTTP):

{
    if ( $virtualHost eq "bar.foo" && $port eq "443" ) {
        $OUT .= "    # these dirs are reverse proxied to an internal server\n" ;
        $OUT .= "    ProxyPass /orders http://sales.bar.inside/\n" ;
        $OUT .= "    ProxyPassReverse /orders http://sales.bar.inside/\n" ;
        $OUT .= "\n" ;
    }
}

Again, you can forward to a subpart of your internal server by adding subdirectories after the server name, without forgetting the last / just before \n. For example:

{
    if ( $virtualHost eq "bar.foo" ) {
        $OUT .= "    # these dirs are reverse proxied to an internal server\n" ;
        $OUT .= "    ProxyPass /orders http://sales.bar.inside/my/wonderful/sales/application/\n" ;
        $OUT .= "    ProxyPassReverse /orders http://sales.bar.inside/my/wonderful/sales/application/\n" ;
        $OUT .= "\n" ;
    }
}

To activate these changes, just run these two commands:

server-# /sbin/e-smith/expand-template /etc/httpd/conf/httpd.conf
server-# service httpd graceful
/usr/sbin/apachectl graceful: httpd gracefully restarted

You can easily combine these two forwarding modes and use them simultaneously. And you can imagine other combinations as well.
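
Once the templates are expanded, it is worth listing exactly which internal servers the generated httpd.conf now makes reachable, since each of them falls under the warning at the top of this page. The script below is an added example, not part of the original how-to: audit_proxy and sample_conf are hypothetical names, the sample configuration is constructed, and the ProxyRequests check is an extra check that the how-to itself does not discuss.

```shell
#!/bin/sh
# Added example: list every backend that ProxyPass rules expose.
# audit_proxy [FILE] reads an expanded httpd.conf (or stdin) and prints:
#   MAP <vhost> <ServerName> <path> <backend>, plus NOTE and WARN lines.
# Assumes ServerName precedes ProxyPass inside each <VirtualHost> block.
audit_proxy() {
    awk '
    BEGIN { name = "-" }
    { d = tolower($1) }                      # directive names are case-insensitive
    d ~ /^#/              { next }           # comment line
    d == "<virtualhost"   { vh = $2; sub(/>$/, "", vh); name = "-"; next }
    d == "</virtualhost>" { vh = ""; name = "-"; next }
    d == "servername"     { name = $2 }
    d == "proxyrequests" && tolower($2) == "on" {
        print "WARN ProxyRequests On: Apache also works as a forward proxy"
    }
    d == "proxypassreverse" { rev[vh, $2, $3] = 1 }
    d == "proxypass" {
        where = (vh == "" ? "global" : vh)
        print "MAP " where " " name " " $2 " " $3
        if (vh ~ /:443$/ && $3 ~ /^http:/)
            print "NOTE " where " " $2 ": HTTPS ends here, backend hop is plain HTTP"
        n++; v[n] = vh; p[n] = $2; b[n] = $3
    }
    END {                                    # mappings lacking the reverse rule
        for (i = 1; i <= n; i++)
            if (!((v[i], p[i], b[i]) in rev))
                print "WARN " p[i] " -> " b[i] ": no matching ProxyPassReverse"
    }' "$@"
}

# Constructed sample: the two configurations of this how-to, plus two
# deliberate mistakes (ProxyRequests On, a missing ProxyPassReverse).
sample_conf() {
    cat <<'EOF'
ProxyRequests On
<VirtualHost 0.0.0.0:443>
    ServerName www2.bar.foo
    ProxyPass / http://intranet.bar.foo/
    ProxyPassReverse / http://intranet.bar.foo/
</VirtualHost>
<VirtualHost 0.0.0.0:80>
    ServerName bar.foo
    ProxyPass /orders http://sales.bar.inside/
</VirtualHost>
EOF
}

sample_conf | audit_proxy    # on the server: audit_proxy /etc/httpd/conf/httpd.conf
```

Every MAP line names an internal server whose own security now matters to the outside world; a WARN line points at a setting to correct before the restart.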

Using the "proxypass" contrib from Darell May and Abe Loveless

Some people told me that a contrib was designed to manage these forwarding rules from server-manager.
This package can be found here: proxypass.

This package works roughly like my explanations :

After some tests, this contrib seems to work well on SME 6.0, even though it is given for SME only up to 5.6.

Now, you have to choose the solution that best suits your needs!

And after ?

Afterwards? Your reverse proxy is operational and you owe me, or Darell and Abe, recognition until the twelfth generation ;-)

Change Log

March 18, 2004: Initial version
March 20, 2004: Add a link to the proxypass contrib on Abe Loveless' site.