Tuesday 3 June 2008

Having fun with Apache reverse proxy

Today I managed to configure an Apache reverse proxy. Why do I need a reverse proxy? Consider this scenario:
  1. I got 2 public IP: 192.0.2.1 and 192.0.2.2
  2. Firewall hold all the public IP via IP aliasing (eg. eth0:1 = 192.168.0.2.1, eth0:2 = 192.0.2.2)
  3. I'm running authoritative DNS on my firewall
  4. I initially have 2 webserver inside firewall, with IP address 172.16.0.1 (xavier) and 172.16.0.2 (magneto)
  5. My domain name is example.com
  6. Subdomain www.example.com is served by xavier, and webmail.example.com is served by magneto
  7. DNS was configured so that www.example.com will be resolved to public IP 192.0.2.1 and webmail.example.com will be resolved to public IP 192.0.2.2
  8. IPTables was used to redirect port 80 from public IP to its corresponding private IP (eg. 192.0.2.1 -> 172.16.0.1)
  9. All webserver must run on port 80 and is using Apache 2.x.
Now, I want to add another web server with IP address 172.16.0.3 (cyclops), that should serve the subdomain dev.example.com

How can I do that? I only have 2 public IP! I cannot use other non-standard port!

The solution?

It comes in the mixture of DNS and Apache reverse proxy.

On DNS:
- add subdomain dev.example.com to resolve to public IP 192.0.2.1
- restart DNS service

On Apache 2.x web server in xavier (172.16.0.1)
- make sure mod_proxy is enabled in /etc/httpd.conf
- create a new file in /etc/httpd/conf.d/ (eg. dev.example.com.conf)
- in the file, put the following directives


<VirtualHost 172.16.0.1>
ProxyPreserveHost On
ProxyPass / http://172.16.0.3/
ProxyPassReverse / http://172.16.0.3/
ServerName dev.example.com
ProxyRequests Off

<Proxy *>
Order deny,allow
Allow from all
</Proxy>
</VirtualHost>


- restart Apache service

That's it. Try to surf the new subdomain http://dev.example.com using anonymous surfing site (eg. http://anonymouse.org/) and you should be presented with the content of cyclops web server.

How does it work?

- The subdomain dev.example.com will be resolved to public IP 192.0.2.1 by our DNS server.
- Request for port 80 to dev.example.com will be forwarded to the Apache web server running on xavier (172.16.0.1)
- On xavier, the VirtualHost directive is aware that it is serving for subdomain dev.example.com
- But that directive contains a ProxyPass instruction to pass all request (hence "/" or root directory) to the server cyclops (172.16.0.3)
- It also have the directive ProxyPassReverse to pass everything received from cyclops back to the client as if the root (/) is on the server
- Other directive is left as an exercise to the reader to find out

Other usage of Apache reverse proxy

- Reverse proxy can be used to mask/map port 80 to webserver hosted on non-standard port (eg. 8080) **I believe IPtables port manipulation can achieve the same result

- Shield not-so-secure I*S web server running on not-secure-at-all W*s host.
This will not protect against SQL injection or other web-based attacks. It can help to shield the server from OS related attacks because client will see that the webserver is Apache running on Linux, not I*S running on W*s. You might want to take a look at mod_security for added protection


Have fun :)

No comments:

Post a Comment

Please write your comment about this blog post. Thanks! :)