Tuesday 3 June 2008

Having fun with Apache reverse proxy

Today I managed to configure an Apache reverse proxy. Why do I need a reverse proxy? Consider this scenario:
  1. I got 2 public IP: 192.0.2.1 and 192.0.2.2
  2. Firewall hold all the public IP via IP aliasing (eg. eth0:1 = 192.168.0.2.1, eth0:2 = 192.0.2.2)
  3. I'm running authoritative DNS on my firewall
  4. I initially have 2 webserver inside firewall, with IP address 172.16.0.1 (xavier) and 172.16.0.2 (magneto)
  5. My domain name is example.com
  6. Subdomain www.example.com is served by xavier, and webmail.example.com is served by magneto
  7. DNS was configured so that www.example.com will be resolved to public IP 192.0.2.1 and webmail.example.com will be resolved to public IP 192.0.2.2
  8. IPTables was used to redirect port 80 from public IP to its corresponding private IP (eg. 192.0.2.1 -> 172.16.0.1)
  9. All webserver must run on port 80 and is using Apache 2.x.
Now, I want to add another web server with IP address 172.16.0.3 (cyclops), that should serve the subdomain dev.example.com

How can I do that? I only have 2 public IP! I cannot use other non-standard port!

The solution?

It comes in the mixture of DNS and Apache reverse proxy.

On DNS:
- add subdomain dev.example.com to resolve to public IP 192.0.2.1
- restart DNS service

On Apache 2.x web server in xavier (172.16.0.1)
- make sure mod_proxy is enabled in /etc/httpd.conf
- create a new file in /etc/httpd/conf.d/ (eg. dev.example.com.conf)
- in the file, put the following directives


<VirtualHost 172.16.0.1>
ProxyPreserveHost On
ProxyPass / http://172.16.0.3/
ProxyPassReverse / http://172.16.0.3/
ServerName dev.example.com
ProxyRequests Off

<Proxy *>
Order deny,allow
Allow from all
</Proxy>
</VirtualHost>


- restart Apache service

That's it. Try to surf the new subdomain http://dev.example.com using anonymous surfing site (eg. http://anonymouse.org/) and you should be presented with the content of cyclops web server.

How does it work?

- The subdomain dev.example.com will be resolved to public IP 192.0.2.1 by our DNS server.
- Request for port 80 to dev.example.com will be forwarded to the Apache web server running on xavier (172.16.0.1)
- On xavier, the VirtualHost directive is aware that it is serving for subdomain dev.example.com
- But that directive contains a ProxyPass instruction to pass all request (hence "/" or root directory) to the server cyclops (172.16.0.3)
- It also have the directive ProxyPassReverse to pass everything received from cyclops back to the client as if the root (/) is on the server
- Other directive is left as an exercise to the reader to find out

Other usage of Apache reverse proxy

- Reverse proxy can be used to mask/map port 80 to webserver hosted on non-standard port (eg. 8080) **I believe IPtables port manipulation can achieve the same result

- Shield not-so-secure I*S web server running on not-secure-at-all W*s host.
This will not protect against SQL injection or other web-based attacks. It can help to shield the server from OS related attacks because client will see that the webserver is Apache running on Linux, not I*S running on W*s. You might want to take a look at mod_security for added protection


Have fun :)

Friday 9 May 2008

Using shell script to solve problem

I'm translating KDE4 to Malay language, but when I'm in the kdebase folder, I cannot determine which files that should be translated, and also have been neglected for some time. While I can check each file manually to determine its translation status, I'm really lazy to do the same thing again and again.

By using shell script, I can automate the task and become more lazier :P

Requirement:
List all po files according to date, older to newer, and only contain fuzzy or untranslated message.

Solution:

sharuzzaman@debian:/kde4-stable/kdebase$ cat -n list.sh
1 #!/bin/bash
2
3 for file in `ls -tr *.po`
4 do
5 output=`msgfmt -o /dev/null --statistics $file 2>&1`
6 fuzzyuntranslate=`echo $output | grep -e "fuzzy\|untranslated"`
7 if [ "$fuzzyuntranslate" != "" ]
8 then
9 echo $file
10 fi
11 done


Let's take a look at the solution, line by line.

Line 1: Declare the script as a Bash script

Line 2: Blank space for clarity

Line 3: This is the starting point of the "for" loop. The command "ls -tr *.po" will list all po files according to date and reversed, which means older to newer. We quote the command in backtick `` because we want the command to be executed, and the output to become the array of file name for variable "file"

Line 4: The "do" is the part in the "for" loop that we process our list of files.

Line 5: Execute the command "msgfmt -o /dev/null --statistics $file 2>&1" and put the result in variable "output". The 2>&1 redirection is required because the output for msgfmt is printed on stderr, not stdout, so we redirect it to stdout in order to capture it.

Line 6: Echo back the variable "output" and check if it contain the word "fuzzy" or "untranslated" using grep. Put the result in variable "fuzzyuntranslated". If the variable "output" did not contain the word that we search for, the variable "fuzzyuntranslated" will be blank. We use "grep -e" because we have regular expression "|" that carry the meaning "or" on the command

Line 7: Check if the variable "fuzzyuntranslated" is not blank (which means either contain fuzzy, untranslated, or both fuzzy and untranslated)

Line 8: Then

Line 9: Print out the file name that match our requirement.

Line 10: Close the if block with fi

Line 11: Close the do block with done


That's it. We have completed our requirement.

The output should be a long list of filename. I can pipe it to "head" to get only the first 10 line of the filename.

sharuzzaman@debian:/kde4-stable/kdebase$ ./list.sh |head
kdmgreet.po
nsplugin.po
kdialog.po
kdebugdialog.po
kcmkwindecoration.po
kcmusb.po
kcmstyle.po
kdmconfig.po
kcmscreensaver.po
khtmlkttsd.po


Happy scripting :)