Protect Your Ports with a Reverse Proxy

Creating a Virtual Host

As in the previous section of this article, it's important to note that the Apache configuration file layout will vary with distributions. In Ubuntu, there are two folders: sites-available and sites-enabled. The first has text files with snippets of code defining the individual virtual hosts, and the second has symbolic links to the files located in the sites-available folder. This seems complicated to be sure, but it's actually for convenience sake. You can define as many virtual hosts as you want in the sites-available folder, but until they're symbolically linked into the sites-enabled folder, they're not parsed by Apache.

Let's create a virtual host, but instead of making a traditional virtual host that defines a directory to look for files, let's define reverse proxy rules. Here is the file I created in sites-available (I explain each line next):



root@server:/etc/apache2# cat sites-available/reverseprox 
<VirtualHost *:80>
        LoadModule proxy_module modules/mod_proxy.so
        LoadModule proxy_http_module modules/mod_proxy_http.so
        ServerName sab.mydomain.com
        ServerAlias sab
        ProxyRequests Off 
        ProxyPass / http://192.168.1.11:8080/
        ProxyPassReverse / http://192.168.1.11:8080/
</VirtualHost>

First off, if it's not clear, the name of the file I created is "reverseprox", and I created it in the /etc/apache2/sites-available folder. If you are using a different distribution, you may not have this sort of folder setup. You actually can add the VirtualHost directives directly to the apache.conf or httpd.conf file. Ubuntu just uses the folder structure for clarity and convenience.

Here's the line-by-line breakdown:

  • <VirtualHost *:80> — this opens the stanza, and it means "listen on all IP addresses on port 80 for anyone requesting my server name".

  • LoadModule proxy_module modules/mod_proxy.so and LoadModule proxy_http_module modules/mod_proxy_http.so — these lines load two separate modules. Note that although the module names look similar, they actually are two modules: mod_proxy and mod_proxy_http. Sometimes modules are loaded globally in another configuration file. That's okay to do, but this is just a way to make sure the required modules are loaded for your virtual host. (Note: if you get an error about "file not found" during startup, you might need to make a symbolic link to your system's modules folder. On my Ubuntu system, that means sudo ln -s /usr/lib/apache2/modules /etc/apache2/.)

  • ServerName sab.mydomain.com — this is the domain name the virtual host should listen for. If a request comes into Apache for "sab.mydomain.com", it knows to use this virtual host declaration to respond. Of course, "sab.mydomain.com" is a generic example; you should use your actual domain name.

  • ServerAlias sab — it's possible to have multiple ServerAlias statements, but in this case, there's only one. I've added "sab" all by itself as an alias for Apache to listen for. It will use a request for "sab" the same way it uses a request for "sab.mydomain.com"—this is simply an alias.

  • ProxyRequests Off — this is actually the default setting for the ProxyRequests directive. I always add it to my VirtualHost stanza anyway to make sure I'm not inadvertently allowing someone to use my server as an anonymous proxy. ProxyRequests On would allow others with access to your server to use it as a proxy, effectively hiding themselves from the Internet and making you responsible for their surfing! Hopefully, it's clear why I specify "Off", even though it's the default setting.

  • ProxyPass / http://192.168.1.11:8080/ — this tells Apache that when someone requests the root-level folder of this virtual host to "serve" them the address listed. From end users' prospectives, the alternate port, and possibly the alternate server address, will be hidden. They'll see only the URL they entered to get to the virtual host. You can have multiple ProxyPass directives if you want a specific subfolder to be directed elsewhere. Apache is very flexible with what you can specify in a reverse proxy situation.

  • ProxyPassReverse / http://192.168.1.11:8080/ — this rule is what makes the reverse proxy work. It rewrites the response from the proxied server so that end users never see any information apart from the virtual hostname they've surfed to. Any responses from the underlying server (in this case, the server listening on port 8080) are rewritten on the fly so that it appears that the responses are coming directly from the virtual host server.

  • </VirtualHost> — this closes the stanza, or the section defining the virtual host. In Ubuntu, this is a single file in the sites-available folder. It also could just be something tacked onto the end of the apache.conf file in another distribution.

Making It All Work

Once you've created the virtual host declaration for the reverse proxy site, you need to reload Apache. Remember, if you're using Ubuntu, you need to create a symbolic link so that Apache reads your configuration from the sites-enabled folder. To do that, go into the sites-enabled folder, and type:


ln -s ../sites-available/reverseprox .

This will create a symbolic link from the reverseprox file you created to the sites-available folder. If you're using another distribution and just tacked that stanza to the end of the apache.conf file, you don't need to make any symbolic links.

Next, reload Apache. I actually prefer to restart Apache to make sure it loads up everything correctly, but a reload should do the trick. In Ubuntu, I do this:


sudo service apache2 restart

And, the reverse proxy should be ready to go. You just need to make sure your DNS points correctly to the server. The quickest way to do that, and make sure stuff is working, is to add a simple line to your workstation's /etc/hosts file. I added this:


192.168.1.11     sab sab.mydomain.com

And, then I saved it. Next, I opened a browser, and surfed to "sab" instead of 192.168.1.11:8080, and Figure 3 shows the results. Success!

Figure 3. Now I can access that Web application without entering any port number at all! Plus, it gets its own domain name!

Now What?

The great thing about using Apache's reverse proxy technique is that you're not limited to redirecting only to the same server on a different port. You can make a reverse proxy so that google.yourdomain.com returns the actual Google search engine. You'll just create a virtual host for google.yourdomain.com, and set the ProxyPass and ProxyPassReverse directives to point to http://www.google.com/. It's truly simple. In fact, a reverse proxy on your local network might be a way to provide access to an otherwise blocked Web site for your users. What if your Web-filtering policies blocked a particular news site, but your server had access? You could create a reverse proxy on your server that your users could connect to and get to the site without being filtered by your Web filter! (Another word of caution: this is why it's important to set ProxyRequests to Off, so they don't use your reverse proxy to circumvent all Web filtering!)

With reverse proxies, it's possible to make your Web infrastructure much less confusing for your end users. It also allows you to make changes to your underlying Web apps without affecting your users at all. If a service changes IP addresses or ports, you simply can adjust your reverse proxy definitions, and end users never will know the difference. Reverse proxies are easy to configure and simple to maintain. They will help keep your URLs clean and your systems easy to manage!

______________________

Shawn Powers is an Associate Editor for Linux Journal. You might find him chatting on the IRC channel, or Twitter

Comments

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.

CANADA WEB PROXY?

canada web proxy's picture

Our internet site delivers web-based proxies that can be used to be able

to unblock websites such as Vimeo by skipping system filtration systems

made because of your business.

With laptop or computer communities, a proxy server is really a server
that will functions as an intermediary with regard to asks through

customers seeking methods through various other hosting space. Litigant

links towards the proxy server, asking for several program, for instance a

report, connection, web page, as well as various other learning resource

offered from a different server and the proxy server measures this demand

as a way to simplify and command the difficulty. Proxies were being

created to include construction and encapsulation to help spread devices.

Today, the majority of proxies are world wide web proxies, facilitating

access to information in online.

The Design The Lamborghini

sollen's picture

The Design The Lamborghini Veneno brings the aerodynamic efficiency of a racing prototype to the road. Every detail of its form pursues a clear function Off-road Vehicle Work Lights exceptional dynamics, optimum downforce with minimal drag and perfect cooling of the high-performance engine.

Excellent article Shawn! We

Nicky Helmkamp's picture

Excellent article Shawn! We just wanted to let you know we included it in our Monthly Resource Roundup http://www.interworx.com/community/the-monthly-round-up-decembers-best-s...

Cheers!

Domains By Proxy

Anonymous's picture

nice and good comment from you and i have good site and there is useful for all most student and some place ,

http://domainsby-proxy.blogspot.com/

Thanks Shawn

Carbonsink's picture

Good post Shawn. I have used Squid in the past as a reverse proxy but your method is simpler, and better if your needs are simple and have Apache installed already. Thanks!

BTW, how about designating a small number of readers as moderators to have the power to remove comment spam from the site? I'd volunteer to do it. It would be less work to delete the spam afterwards than to review it before it got posted (even through the latter method would be more effective).

debian way

dns's picture

A few points for debian / ubuntu that you should use the debian tools to manage the config instead of creating some of the config yourself.
These tools set up the symlinks to manage modules and sites.

Instead of creating the symlinks yourself the best way is to use a2ensite and a2dissite.

sudo a2ensite reverseprox
sudo a2dissite reverseproxy

Likewise you should not include the load module statements with your site, instead you should use a2enmod and a2dismod to include the modules
sudo a2enmod proxy_http

If you do it this way the module is loaded once.

You do not need to restart Apache to update the configuration.
sudo a2enmod proxy_http

Re: debian way

boltronics's picture

This. The article should be changed to use those tools. I cringed with every ln command I read. :)

Reply to comment | Linux Journal

Jens's picture

Nice post. I learn something new and challenging on sites I stumbleupon on a daily basis.

It will always be interesting to read articles from other writers and use a
little something from other sites.

White Paper
Linux Management with Red Hat Satellite: Measuring Business Impact and ROI

Linux has become a key foundation for supporting today's rapidly growing IT environments. Linux is being used to deploy business applications and databases, trading on its reputation as a low-cost operating environment. For many IT organizations, Linux is a mainstay for deploying Web servers and has evolved from handling basic file, print, and utility workloads to running mission-critical applications and databases, physically, virtually, and in the cloud. As Linux grows in importance in terms of value to the business, managing Linux environments to high standards of service quality — availability, security, and performance — becomes an essential requirement for business success.

Learn More

Sponsored by Red Hat

White Paper
Private PaaS for the Agile Enterprise

If you already use virtualized infrastructure, you are well on your way to leveraging the power of the cloud. Virtualization offers the promise of limitless resources, but how do you manage that scalability when your DevOps team doesn’t scale? In today’s hypercompetitive markets, fast results can make a difference between leading the pack vs. obsolescence. Organizations need more benefits from cloud computing than just raw resources. They need agility, flexibility, convenience, ROI, and control.

Stackato private Platform-as-a-Service technology from ActiveState extends your private cloud infrastructure by creating a private PaaS to provide on-demand availability, flexibility, control, and ultimately, faster time-to-market for your enterprise.

Learn More

Sponsored by ActiveState