20 July 2011

Setting Up a Reverse Proxy (HTTP Gateway) using Apache

Problem/ Issue

I recently had the opportunity to look into the following issue:
  1. the organisation, like most others, have segregated the network into at least 2 zones (DMZ and internal)
  2. the DMZ hosts the web servers while the internal zone hosts the application and database servers
  3. a requirement is that an application in the internal zone needs to access a web service in the public internet
  4. allowing direct HTTP traffic from the internal zone to the public network is not an option

With the above constraints, a forward proxy could have been an option. However, the internal-zoned application may not be able to support a forward proxy. As such, a reverse proxy would be the solution.

Existing Solution

The existing in-place solution follows:
  1. host a custom-written web service (acting as a proxy) in the DMZ to connect to the public network.
  2. The application in the internal zone will connect to the DMZ-hosted web service
  3. This custom-written web service will then connect to the public network
This solution works but is not ideal as:
  1. any changes (especially schema changes) to the public web service will result in changes to the custom-written web service
  2. any new services in the future will incur writing more custom web services to be deployed in the DMZ
  3. performance is highly dependent on whether the custom-written web service was well-written or not

Forward or Reverse Proxy?

Take this scenario: Client –> Proxy –> Server

  Forward Proxy Reverse Proxy
Supportability requires web client to be configured (unless proxy is in transparent mode) transparent to web client
Client’s target end-point Server Proxy
Apache’s directive ProxyRequests ProxyPass
TLS/ SSL Transparent (pass-through) Terminates the connection to Server
Uses cases
  • Content filtering
  • NAT
  • Outgoing TCP connection from a corporate network
  • Anonymity
  • Load balancing (TCP multiplexing)
  • SSL acceleration (SSL multiplexing)
  • Caching/ compression
  • Content switching
  • Firewall to applications
  • SSO/ authentication
  • Incoming TCP connection from the internet
  • CDN


Proposed Solution

A more elegant solution is to create a web service gateway otherwise known as a reverse proxy:
  1. this can be a generic solution as a common gateway for all web services
  2. requests/ responses will not be manipulated but may be logged as necessary
  3. no development work is required; only configuration of the Apache server
I will be using Apache Web Server to serve as the reverse proxy.
  • We need to load mod_proxy & mod_proxy_http.
  • Both mod_proxy_connect & mod_ssl are required if SSL is required.
  • As I use virtual hosting, I’ve also included mod_vhost_alias.
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule vhost_alias_module modules/mod_vhost_alias.so
LoadModule ssl_module modules/mod_ssl.so
Include conf/extra/httpd-vhosts.conf
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
I run the proxy on port 8888 and mapping is as follows:

  • http://myproxy:8888/url_parturl_part always maps to https://webservice.end.pt/url_part

  • The request will then timeout in 30 seconds

  • in order to log the time taken for the proxied request, you need to add %D to the log parameter to capture the time in milliseconds

NameVirtualHost *:8888
<VirtualHost *:8888>
DocumentRoot "../htdocs"
ServerName myproxy
ErrorLog "logs/proxy-error.log"
CustomLog "logs/proxy-access.log" combinedio
<Directory />
Options None
AllowOverride None
<IfModule ssl_module>
SSLProxyEngine on
<IfModule proxy_module>
ProxyRequests Off
ProxyPassMatch  ^/(.*)$  https  ://webservice.end.pt/$1timeout=30 keepalive=On


Carly Fiorina said...

Hi all,

A reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client as though it originated from the reverse proxy itself. Thanks for sharing it.....

Data Extraction Tool

Antonio De Juan said...

Could you help me, I'm trying to configure a revert proxy without virtual host and I'm not able to call webservices, it only works for url on the browser.