{"id":4751,"date":"2015-05-09T22:38:23","date_gmt":"2015-05-09T14:38:23","guid":{"rendered":"http:\/\/rmohan.com\/?p=4751"},"modified":"2015-05-09T22:40:54","modified_gmt":"2015-05-09T14:40:54","slug":"forward-reverse-apache-proxy-centos-7","status":"publish","type":"post","link":"https:\/\/mohan.sg\/?p=4751","title":{"rendered":"Forward &#038; Reverse Apache Proxy \u2013 CentOS 7"},"content":{"rendered":"<p>Forward Apache Proxy is a proxy configuration that is commonly used in companies and it enables users to access the internet. Users or clients must configure their browsers or operating system to use a proxy server (Forward Apache Proxy) to be able to access the internet. This means that requests from all clients go through the Forward Apache Proxy, which then communicates with the destination servers, websites, \u2026 on the internet and responds back to the clients.<\/p>\n<p>Reverse Apache Proxy is a proxy configuration that works the other way around from the Forward Apache Proxy. The Reverse Apache Proxy configuration is used to enable users or clients from the internet to access websites or applications on the company's internal network, based on the Reverse Apache Proxy rules that are configured. Reverse Apache Proxy provides internet clients access to servers behind a firewall.<\/p>\n<p>FORWARD APACHE PROXY<\/p>\n<p>1. Install Required Packages<\/p>\n<p>First we must install the Apache (httpd) and mod_ssl packages on our server. Please note that in CentOS 7 Apache 2.4.X is available.<\/p>\n<p>[root@cluster1 ~]# yum install httpd mod_ssl<\/p>\n<p>2. Basic Forward Apache Proxy Configuration<\/p>\n<p>We need to add a forward proxy configuration file to the \u201c\/etc\/httpd\/conf.d\u201d location. 
We named it \u201cforward-proxy.conf\u201d and added the following content to it:<\/p>\n<p>ProxyRequests On<br \/>\nProxyVia On<br \/>\nProxyTimeout 60<\/p>\n<p>&lt;Proxy *&gt;<br \/>\nRequire local<br \/>\nRequire ip 192.168.1.0\/255.255.255.0<br \/>\n&lt;\/Proxy&gt;<\/p>\n<p>The \u201cProxyRequests\u201d and \u201cProxyVia\u201d parameters are needed to enable the proxy on Apache. \u201cProxyTimeout\u201d is optional; it just enables requests to fail gracefully if the server does not respond in a reasonable time. The \u201cRequire\u201d parameters inside the \u201cProxy\u201d directive define which clients are allowed to use the proxy. Without these restrictions, anyone who can reach the server could use it as an open proxy.<\/p>\n<p>You can add a specific IP address (as in my case) or a whole subnet (with a mask, like 192.168.1.0\/255.255.255.0). \u201cRequire local\u201d allows localhost requests. You could also use the \u201cRequire host hostname\u201d directive. There are many more parameters available \u2013 this is just a basic configuration \u2013 read more about additional parameters HERE.<\/p>\n<p>3. Block WebSites<\/p>\n<p>We can block the desired websites using the \u201cProxyBlock\u201d parameter. The \u201cProxyBlock\u201d parameter specifies a list of words, hosts or domains separated by spaces (a wildcard * would block all sites!) as follows:<\/p>\n<p>ProxyRequests On<br \/>\nProxyVia On<br \/>\nProxyTimeout 60<\/p>\n<p>ProxyBlock facebook.com plus.google.com twitter.com<\/p>\n<p>&lt;Proxy *&gt;<br \/>\nRequire local<br \/>\nRequire ip 192.168.1.0\/255.255.255.0<br \/>\n&lt;\/Proxy&gt;<\/p>\n<p>4. Configure Forwarding to Second Proxy<\/p>\n<p>If you work in a big company (or in other situations) there is a possibility your proxy is not the \u201clast in line\u201d out to the open world. In this case you need to configure a second proxy. This is the proxy that your proxy will forward requests to in order to reach the internet. We can do this with the \u201cProxyRemote\u201d parameter. 
The \u201cProxyRemote\u201d parameter takes two arguments: a scheme, partial URL or \u2018*\u2019, and a proxy server. Using the wildcard \u2018*\u2019 will forward all requests to the second proxy.<\/p>\n<p>ProxyRequests On<br \/>\nProxyVia On<br \/>\nProxyTimeout 60<\/p>\n<p>ProxyBlock facebook.com plus.google.com twitter.com<br \/>\nProxyRemote * http:\/\/second.proxy.com:8080<\/p>\n<p>&lt;Proxy *&gt;<br \/>\nRequire local<br \/>\nRequire ip 192.168.1.0\/255.255.255.0<br \/>\n&lt;\/Proxy&gt;<\/p>\n<p>5. Configure NoProxy<\/p>\n<p>If you configured a second proxy it is probably a good idea to use the \u201cNoProxy\u201d parameter. The \u201cNoProxy\u201d parameter specifies a list of subnets, IP addresses, hosts and\/or domains, separated by spaces, which are always served directly without forwarding to the \u201cProxyRemote\u201d address.<\/p>\n<p>ProxyRequests On<br \/>\nProxyVia On<br \/>\nProxyTimeout 60<\/p>\n<p>ProxyBlock facebook.com plus.google.com twitter.com<br \/>\nProxyRemote * http:\/\/second.proxy.com:8080<br \/>\nNoProxy .geekpeek.net<\/p>\n<p>&lt;Proxy *&gt;<br \/>\nRequire local<br \/>\nRequire ip 192.168.1.0\/255.255.255.0<br \/>\n&lt;\/Proxy&gt;<\/p>\n<p>REVERSE APACHE PROXY<\/p>\n<p>1. Install Required Packages<\/p>\n<p>At this stage we must install the Apache (httpd) and mod_ssl packages on our server. Please note that in CentOS 7 Apache 2.4.X is available (in CentOS 5 and 6 Apache 2.2.X).<\/p>\n<p>[root@cluster1 ~]# yum install httpd mod_ssl<\/p>\n<p>2. Basic Reverse Apache Proxy Configuration<\/p>\n<p>We need to add a reverse proxy configuration file to the \u201c\/etc\/httpd\/conf.d\u201d location. We named it \u201creverse-proxy.conf\u201d and added the following lines to it:<\/p>\n<p>ProxyRequests Off<\/p>\n<p>ProxyPass \/test1 http:\/\/192.168.1.10:8080\/test1<br \/>\nProxyPassReverse \/test1 http:\/\/192.168.1.10:8080\/test1<\/p>\n<p>The \u201cProxyRequests\u201d parameter does not need to be turned on when configuring a reverse proxy, so we turn it off. 
The next two lines pass all requests that hit the reverse proxy server IP\/hostname with the \/test1 URL to the machine with IP address 192.168.1.10, port 8080, and the \/test1 URL, and the other way around. For the communication to work both ways we need to add both lines, \u201cProxyPass\u201d and \u201cProxyPassReverse\u201d.<\/p>\n<p>3. Add Additional ProxyPasses<\/p>\n<p>It is easy to add additional proxy passes simply by adding two new lines with the \u201cProxyPass\u201d and \u201cProxyPassReverse\u201d parameters:<\/p>\n<p>ProxyRequests Off<\/p>\n<p>ProxyPass \/test1 http:\/\/192.168.1.59:8080\/test1<br \/>\nProxyPassReverse \/test1 http:\/\/192.168.1.59:8080\/test1<\/p>\n<p>ProxyPass \/test2 http:\/\/192.168.1.60:8080\/test2<br \/>\nProxyPassReverse \/test2 http:\/\/192.168.1.60:8080\/test2<\/p>\n<p>Please note that a proxy pass can point to a different server, different hostname or IP address.<\/p>\n<p>4. Configure Timeouts<\/p>\n<p>It is wise to configure some sort of time limit on how long to wait if there is no response from the backend. We can do this by appending a \u201cconnectiontimeout\u201d and a \u201ctimeout\u201d value at the end of the \u201cProxyPass\u201d line. The \u201cconnectiontimeout\u201d is the time it takes to create the connection to the backend and \u201ctimeout\u201d is the time the proxy waits for a response from the backend.<\/p>\n<p>ProxyRequests Off<br \/>\nProxyPass \/test1 http:\/\/192.168.1.59:8080\/test1 connectiontimeout=5 timeout=30<br \/>\nProxyPassReverse \/test1 http:\/\/192.168.1.59:8080\/test1<\/p>\n<p>ProxyPass \/test2 http:\/\/192.168.1.60:8080\/test2 connectiontimeout=5 timeout=30<br \/>\nProxyPassReverse \/test2 http:\/\/192.168.1.60:8080\/test2<\/p>\n<p>5. Rewrite HTML Links<\/p>\n<p>Accessing internal networks and applications through a reverse proxy causes specific HTML links (internal links with absolute paths) to fail, since they redirect to internal addresses. 
This is why we need the help of another Apache module called \u201cmod_proxy_html\u201d, which rewrites HTML links so that they work.<\/p>\n<p>\u201cmod_proxy_html\u201d does not come by default with the httpd installation in CentOS 7, so we need to install it first and then copy the configuration file to the right location. The example HTML links configuration file is quite sufficient for ordinary situations and is located at \u201c\/usr\/share\/doc\/httpd-X.X.X\/\u201d where X.X.X is your Apache version number.<\/p>\n<p>What we have to do is:<\/p>\n<p>[root@cluster1 ~]# yum install mod_proxy_html<\/p>\n<p>...and then:<\/p>\n<p>[root@cluster1 ~]# cp \/usr\/share\/doc\/httpd-2.4.6\/proxy-html.conf \/etc\/httpd\/conf.d\/<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Forward Apache Proxy is a proxy configuration that is commonly used in companies and it enables users to access the internet. Users or clients must configure their browsers or operating system to use a proxy server (Forward Apache Proxy) to be able to access the internet. 
This means that requests from all clients go through [&#8230;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[73],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/4751"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4751"}],"version-history":[{"count":3,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/4751\/revisions"}],"predecessor-version":[{"id":4754,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/4751\/revisions\/4754"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4751"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4751"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4751"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}