mod_proxy: Quick and dirty
Goal: Set up (external) web-access to an internal dev-server behind a firewall using a proper domain-name and mod_proxy on the regular web-server.
Scenario: We have a normal web-server (Berta) behind a firewall (NAT, port 80 forwarded) and we want to add ‘normal’ web-access to our dev-server (Cindy) which is residing in a VM for convenience behind our firewall as well. We will assign a subdomain-name to Cindy so we can access it just like any other web-server on the Net. We also have the option to allow external (outside the firewall) web-access to Cindy if we would like dev cooperation on projects.
Problem: You can only forward port 80 to one server behind the firewall. That makes it hard to have several web-servers internally (behind the firewall) and reach them externally (outside the firewall). The solution is to use a reverse proxy, in this case Apache’s mod_proxy module, which will forward requests made to a specific subdomain-name to the proper web-server.
Scope: We’re bluntly assuming you’re using a late version of Ubuntu and have a working Apache web-server running today serving files to the Internet. We assume you’re using the 192.168.0.0/24 network. We also assume that the IP of the VM containing the dev web-server is 192.168.0.228. The assumption is also that you have a working VM with a default installation of Apache that’s going to be the dev-server. We assume you have set up your own subdomain-name for the dev-server to use and have let it propagate around the world enough to be usable (in this example dev.example.com).
Notes: This is the third installment in my ‘quick and dirty’ series. The articles are deep enough to get the stuff going, which is what most of us look for. There will be other articles explaining in detail what I’ve purposely left out.
Everything is done as the root-user unless explicitly said otherwise.
(Berta) Install the necessary packages.

    apt-get update
    apt-get install nano libapache2-mod-proxy-html

(Berta) Enable the Apache modules we need.

    a2enmod proxy
    a2enmod proxy_html
    a2enmod proxy_http

(Berta) Create a vhost-file for the dev-server

    nano /etc/apache2/sites-available/dev.example.com

(Berta) Put the below into the file. Don’t forget to alter the Allow-line to allow your own external IP access.

    <VirtualHost *:80>
        ServerAdmin webmaster@example.com
        ServerName dev.example.com

        # Reverse proxy only; keep forward proxying switched off
        ProxyRequests off
        ProxyPreserveHost on
        ProxyPass / http://192.168.0.228/
        ProxyPassReverse / http://192.168.0.228/

        <Proxy *>
            Order allow,deny
            # Allow from all
            Allow from <put your own external IP here>
        </Proxy>

        ErrorLog ${APACHE_LOG_DIR}/dev_error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/dev_access.log combined
    </VirtualHost>

(Berta) Enable the new vhost.

    a2ensite dev.example.com
    service apache2 restart

(Cindy) For the sake of ease we will just use the default vhost on the dev-server.

    nano /etc/apache2/sites-available/default

(Cindy) The file should look something like this:

    <VirtualHost *:80>
        ServerAdmin webmaster@example.com

        DocumentRoot /var/www/default
        <Directory /var/www/default/>
            Options -Indexes +FollowSymLinks
            AllowOverride All
            Order allow,deny
            allow from all
        </Directory>

        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/access.log combined
    </VirtualHost>

(Cindy) Restart Apache to enable the changes.

    service apache2 restart

(Cindy) Let’s add something simple so we know it works.

    echo "Oh, man! I'm the king, baby!" > /var/www/default/index.html

Now you should be able to access dev.example.com in your browser.
Additional notes: If you want external access (outside the firewall) to the dev-server you just uncomment the line with ‘Allow from all’ in the file /etc/apache2/sites-available/dev.example.com on Berta and restart Apache.
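
A small audit of the proxy vhost on Berta, as an added example that is not part of the original article: it reports the settings that decide who can reach Cindy through the proxy (an uncommented 'Allow from all', forward proxying switched on, a ProxyPass without its ProxyPassReverse). The function name, the sample config and the 203.0.113.10 address are assumptions made for illustration.

```python
# Constructed sample: this article's vhost with 'Allow from all' uncommented.
# 203.0.113.10 is a documentation address standing in for your own external IP.
SAMPLE_VHOST = """\
<VirtualHost *:80>
    ServerName dev.example.com
    ProxyRequests off
    ProxyPreserveHost on
    ProxyPass / http://192.168.0.228/
    ProxyPassReverse / http://192.168.0.228/
    <Proxy *>
        Order allow,deny
        Allow from all
        Allow from 203.0.113.10
    </Proxy>
</VirtualHost>
"""


def audit_proxy_vhost(text):
    """Return a list of findings for a mod_proxy vhost in Apache 2.2 syntax."""
    findings, in_proxy = [], False
    passes, reverses = set(), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or whole-line comment
        words = line.split()
        name, args = words[0].lower(), [w.lower() for w in words[1:]]
        if name.startswith("<proxy"):
            in_proxy = True
        elif name.startswith("</proxy"):
            in_proxy = False
        elif name == "proxyrequests" and args == ["on"]:
            findings.append("ProxyRequests on: Berta also acts as a forward proxy")
        elif name == "proxypass" and len(args) >= 2:
            passes.add(words[1])
        elif name == "proxypassreverse" and len(args) >= 2:
            reverses.add(words[1])
        elif in_proxy and name == "allow" and args[:1] == ["from"] and "all" in args[1:]:
            findings.append("Allow from all in <Proxy>: dev-server reachable from any address")
    for path in sorted(passes - reverses):
        findings.append("ProxyPass %s has no matching ProxyPassReverse" % path)
    return findings


if __name__ == "__main__":
    for finding in audit_proxy_vhost(SAMPLE_VHOST):
        print("FINDING:", finding)
```

To check the real file, pass the contents of /etc/apache2/sites-available/dev.example.com to audit_proxy_vhost() before restarting Apache.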
Another way to proxy is with rewrite rules.
Somehow, I’m more comfortable with this method.
@shastry,
Yes, you can do it with rewrites as well, even though you need to have mod_proxy installed to pull that off. It’s definitely a method you can use. However, mod_rewrites for this purpose effectively negates any persistent connections to/from the web-servers.