[users@httpd] reverse proxy configuration.


 



Hi all,

We recently decided to set up a DMZ in our infrastructure and I have
chosen to use OpenBSD 3.6 with the built-in Apache 1.3.29 (compiled and
hardened by the OpenBSD team) with mod_proxy / mod_security and
mod_rewrite.

So before setting all this up in the real world, I am currently spending
my time getting this configuration to work in our development LAN.

So let's imagine I have the following infrastructure:

  reverse proxy                     real internal web server
rproxy1.example.net    ----->   iweb1.example.net ( example.org )
  192.168.1.25:80                      192.168.1.19:80

So, as you can see, we would just like to forward all internet incoming
traffic ( port 80 ) from our external web server ( rproxy1.example.net )
to our internal web server ( iweb1.example.net ).

iweb1.example.net hosts example.net and example.org ( configured by
VirtualHost ). iweb1 runs with FreeBSD 4.10 and apache 1.3.33. A last
detail, we do not use any firewall in this configuration. This is just to
make the configuration easier.

So I am trying a configuration but it doesn't work. Please find the
configuration below:

### Begin httpd.conf ########################################

# $Id$
#

### Section 1: Global Environment
ServerType standalone

# Do NOT add a slash at the end of the directory path.
ServerRoot "/var/www"

#LockFile logs/accept.lock
PidFile logs/httpd.pid
ScoreBoardFile logs/apache_runtime_status

Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15

MinSpareServers 5
MaxSpareServers 10
StartServers 5
MaxClients 150
MaxRequestsPerChild 0
BindAddress rproxy1

# Dynamic Shared Object (DSO) Support
# Note: The order in which modules are loaded is important. Don't change
# the order below without expert advice.
LoadModule proxy_module /usr/lib/apache/modules/libproxy.so

#ExtendedStatus On


### Section 2: 'Main' server configuration
Port 80

## SSL Support
<IfDefine SSL>
  Listen 80
  Listen 443
</IfDefine>

# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
User www
Group www

ServerAdmin webmaster@xxxxxxxxxxx
ServerName rproxy1.example.net
DocumentRoot "/var/www/htdocs"

# First, we configure the "default" to be a very restrictive set of
# permissions.

<Directory />
  Options FollowSymLinks
  AllowOverride None
  Order deny,allow
  Deny from all
</Directory>

#CacheNegotiatedDocs
UseCanonicalName On

TypesConfig conf/mime.types
DefaultType text/plain

<IfModule mod_mime_magic.c>
  MIMEMagicFile conf/magic
</IfModule>

HostnameLookups Off
ErrorLog logs/error_log
LogLevel warn

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

#CustomLog logs/access_log common
#CustomLog logs/referer_log referer
#CustomLog logs/agent_log agent
CustomLog logs/access_log combined

ServerSignature Off

###
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
<IfModule mod_proxy.c>
  ProxyRequests On

  <Directory proxy:*>
    Order deny,allow
    Deny from all
    # Allow from .your_domain.com
  </Directory>

  <Directory proxy:http://www.example.net/>
    Order deny,allow
    Allow from all
  </Directory>

  <Directory proxy:http://www.example.org/>
    Order deny,allow
    Allow from all
  </Directory>

  # Enable/disable the handling of HTTP/1.1 "Via:" headers.
  # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
  # Set to one of: Off | On | Full | Block
  ProxyVia On

  #
  # To enable the cache as well, edit and uncomment the following lines:
  # (no cacheing without CacheRoot)
  #
  #CacheRoot "/var/www/proxy/cache"
  #CacheSize 5
  #CacheGcInterval 4
  #CacheMaxExpire 24
  #CacheLastModifiedFactor 0.1
  #CacheDefaultExpire 1
  #NoCache a_domain.com another_domain.edu joes.garage_sale.com
</IfModule>
# End of proxy directives.


###
# IndexIgnore is a set of filenames which directory indexing should ignore
# and not include in the listing. Shell-style wildcarding is permitted.
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
#

# AddEncoding allows you to have certain browsers (Mosaic/X 2.1+) uncompress
# information on the fly. Note: Not all browsers support this.
# Despite the name similarity, the following Add* directives have nothing
# to do with the FancyIndexing customization directives above.
#
AddEncoding x-compress Z
AddEncoding x-gzip gz

#
# Customizable error response (Apache style)
# these come in three flavors
#
# 1) plain text
#ErrorDocument 500 "The server made a boo boo.
# n.b. the (") marks it as text, it does not get output
#
# 2) local redirects
#ErrorDocument 404 /missing.html
# to redirect to local URL /missing.html
#ErrorDocument 404 /cgi-bin/missing_handler.pl
# N.B.: You can redirect to a script or a document using server-side includes.
#
# 3) external redirects
#ErrorDocument 402 http://some.other_server.com/subscription_info.html
# N.B.: Many of the environment variables associated with the original
# request will *not* be available to such a script.

# Built-in Broken Browser Tweaks
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0


### Section 3: Virtual Hosts
# If you want to use name-based virtual hosts you need to define at
# least one IP address (and port number) for them.

NameVirtualHost rproxy1

<VirtualHost rproxy1>
  ServerName www.example.net
  ProxyPass / http://iweb1/
  ProxyPassReverse / http://iweb1/
  # CustomLog logs/iweb1.access_log combined
  <Location />
    Order allow,deny
    Allow from all
  </Location>
</VirtualHost>

<VirtualHost rproxy1>
  ServerName www.example.org
  ProxyPass / http://iweb1/
  ProxyPassReverse / http://iweb1/
  # CustomLog logs/iweb1.access_log combined
  <Location />
    Order allow,deny
    Allow from all
  </Location>
</VirtualHost>

## SSL Global Context
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
# Some MIME-types for downloading Certificates and CRLs
<IfDefine SSL>
  AddType application/x-x509-ca-cert .crt
  AddType application/x-pkcs7-crl .crl
</IfDefine>

<IfModule mod_ssl.c>
  SSLPassPhraseDialog builtin
  SSLSessionCache dbm:logs/ssl_scache
  SSLSessionCacheTimeout 300
  SSLMutex sem

  # Pseudo Random Number Generator (PRNG):
  SSLRandomSeed startup builtin
  SSLRandomSeed connect builtin
  #SSLRandomSeed startup file:/dev/random 512
  #SSLRandomSeed startup file:/dev/urandom 512
  #SSLRandomSeed connect file:/dev/random 512
  #SSLRandomSeed connect file:/dev/urandom 512
  SSLRandomSeed startup file:/dev/arandom 512

  # Logging:
  SSLLog logs/ssl_engine_log
  SSLLogLevel info
</IfModule>

### End httpd.conf ########################################

Thanks for helping me.

Vincent.



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
   "   from the digest: users-digest-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx
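
Added example, not part of the original post: a small Python check over the proxy-related directives of the configuration above. It flags `ProxyRequests On` (forward proxying) when `ProxyPass` is also in use, since the Apache documentation states that `ProxyPass` keeps working with `ProxyRequests Off`, and it flags `Allow from all` inside a `proxy:` scope. The function name, finding codes and trimmed sample are assumptions made for illustration.

```python
import re

# Constructed sample: proxy-related directives trimmed from the posted httpd.conf.
SAMPLE_CONF = """\
<IfModule mod_proxy.c>
  ProxyRequests On
  <Directory proxy:*>
    Deny from all
  </Directory>
  <Directory proxy:http://www.example.net/>
    Allow from all
  </Directory>
</IfModule>
<VirtualHost rproxy1>
  ProxyPass / http://iweb1/
</VirtualHost>
"""

SECTION = re.compile(r"<(/?)(\w+)\s*([^>]*)>")

def audit_proxy(conf_text):
    """Return sorted (line_no, code, detail) findings for mod_proxy exposure."""
    findings, stack = [], []          # stack: open <Section arg> containers
    forward_on, has_proxypass = [], False
    for no, raw in enumerate(conf_text.splitlines(), 1):
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        m = SECTION.match(raw.strip())
        if m:                         # container line: only track nesting
            if m.group(1):
                del stack[-1:]        # closing tag (no-op if unbalanced)
            else:
                stack.append((m.group(2).lower(), m.group(3).strip()))
            continue
        name, args = words[0].lower(), " ".join(words[1:]).lower()
        if name == "proxyrequests" and args == "on":
            forward_on.append(no)
        elif name == "proxypass":
            has_proxypass = True
        elif (name, args) == ("allow", "from all") and stack and \
                stack[-1][0] == "directory" and stack[-1][1].startswith("proxy:"):
            findings.append((no, "PROXY_SCOPE_ALLOW_ALL", stack[-1][1]))
    # ProxyPass works with ProxyRequests Off, so flag forward proxying here.
    if has_proxypass:
        findings += [(n, "FORWARD_PROXY_WITH_PROXYPASS", "ProxyRequests On") for n in forward_on]
    return sorted(findings)

if __name__ == "__main__":
    print(audit_proxy(SAMPLE_CONF))
```

Line numbers in the findings refer to the text passed in, so running it over the full httpd.conf points at the directives to review.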


