Apache + mod_proxy + mod_ssl - A good, secure reverse proxy
Our company has several offices, and one of our policies is to allow people to work from home, so many of our services are exposed as web services. As we make heavy use of virtualization, these websites are spread across many different virtual machines, depending on their requirements (PHP, Java, Python, MySQL, PostgreSQL...). With only a limited number of public IP addresses, we therefore needed an HTTP reverse proxy.
Then came the question: which reverse proxy would best fit our usage? We looked at several alternatives: Varnish, Squid, Apache with mod_proxy, nginx, haproxy... The reasons we chose mod_proxy were the following:
- It is in main (Ubuntu's main repository), so it is long-term supported, which is critical for a front-end webserver. As we have Canonical support, we can rely on them to get business-critical bugs sorted.
- Very good documentation: most of the other solutions are badly documented (the nginx documentation is in Russian and part of it is not translated, and the Squid documentation isn't great either...)
- Easy configuration: a lot easier than Varnish or Squid...
- Low traffic: we don't have millions of hits a day, so even if other reverse proxies have better raw performance, that is not our main concern.
- You get all the other Apache modules with it: mod_rewrite, mod_cache, etc.
After several months of use, I am very happy with that choice. It runs on a fairly low-end VM and the load rarely goes over 0.1.
After some weeks, we decided we wanted to improve security and purchased a wildcard SSL certificate. There is also a big advantage in using a reverse proxy to do the encryption: the backend application doesn't have to support HTTPS, and there is a single place to configure it. In other words, it is easy (you do the configuration once for the Apache proxy, and don't have to configure it for every single HTTP server you may be running), and completely transparent for the backend.
Several months ago, many people pointed me at Pound, but it just wasn't needed, thanks to mod_ssl. In the end, what I am doing is mass name-based virtual hosting with SSL, which is apparently not recommended (it throws warnings in the logs; any idea why?) but works like a charm. This is how one of my vhost declarations looks:
<VirtualHost *:80>
    ServerName website.thehumanjourney.net
    # Redirect all incoming plain-HTTP requests from external IPs to HTTPS;
    # clients on the internal 10.0.x.x network are proxied over plain HTTP.
    # (Dots are escaped so the pattern only matches a literal "10.0." prefix.)
    RewriteEngine On
    RewriteCond %{REMOTE_ADDR} !^10\.0\.
    RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]
    # Forward everything to the backend VM
    ProxyPass / http://INTERNALIP/
    # Rewrite redirects issued by the backend so they point back at the proxy
    ProxyPassReverse / http://website.thehumanjourney.net/
    ProxyPassReverse / http://INTERNALIP/
    CustomLog /var/log/apache2/website.thehumanjourney.net.access.log combined
    ErrorLog /var/log/apache2/website.thehumanjourney.net.error.log
</VirtualHost>
<VirtualHost *:443>
    ServerName website.thehumanjourney.net
    # TLS terminates here; the backend only ever sees plain HTTP
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/thehumanjourney.crt
    SSLCertificateKeyFile /etc/apache2/ssl/thehumanjourney.key
    ProxyPass / http://INTERNALIP/
    ProxyPassReverse / http://website.thehumanjourney.net/
    ProxyPassReverse / http://INTERNALIP/
    CustomLog /var/log/apache2/website.thehumanjourney.net.access.log combined
    ErrorLog /var/log/apache2/website.thehumanjourney.net.error.log
</VirtualHost>
ProxyPassReverse is the bit of black magic that took me a while to figure out, but in the end it is simple: if the website issues a redirect using its internal address, the proxy rewrites it to the external address before passing it on to the user.
Even with SSL, the CPU doesn't blink at all. Many people consider this a bad choice because they associate Apache with poor performance; but before you decide not to use Apache as a reverse proxy because it is "slow", ask yourself: do you really need the X GB/s throughput that nginx or Varnish may provide?
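To make the two mechanisms in the vhost above concrete, here is a small added model (my own illustration, not Apache's code and not part of the original post) of what the RewriteCond/RewriteRule pair and the ProxyPassReverse directives do to a request and a backend response. It assumes the office network is 10.0.0.0/16 (the intent behind the author's regex) and uses a constructed backend redirect; INTERNALIP is kept as the placeholder from the post.

```python
from ipaddress import ip_address, ip_network

# Constructed values mirroring the vhost in the post. INTERNALIP is the
# post's placeholder for the backend's private address.
EXTERNAL_HOST = "website.thehumanjourney.net"
BACKEND_PREFIXES = ["http://INTERNALIP/", "http://" + EXTERNAL_HOST + "/"]
# Assumption: the RewriteCond "!^10\.0\." is meant to whitelist 10.0.0.0/16.
INTERNAL_NET = ip_network("10.0.0.0/16")

# Header names mod_proxy rewrites under ProxyPassReverse (not response bodies).
REWRITTEN_HEADERS = {"location", "content-location", "uri"}


def should_redirect_to_https(remote_addr: str, scheme: str) -> bool:
    """Model of the :80 vhost's rewrite: plain-HTTP requests from outside the
    internal network are bounced to HTTPS; internal clients and HTTPS requests
    pass straight through to ProxyPass."""
    if scheme == "https":
        return False
    return ip_address(remote_addr) not in INTERNAL_NET


def external_prefix(scheme: str) -> str:
    """The public URL prefix the proxy substitutes, derived from the vhost
    the request arrived on (http:// on :80, https:// on :443)."""
    return scheme + "://" + EXTERNAL_HOST + "/"


def reverse_proxy_url(value: str, backend_prefixes, public_prefix: str) -> str:
    """ProxyPassReverse in one line: if a URL starts with one of the backend
    prefixes, replace that prefix with the public one; otherwise leave it."""
    for backend in backend_prefixes:
        if value.startswith(backend):
            return public_prefix + value[len(backend):]
    return value


def rewrite_response_headers(headers, scheme: str):
    """Apply the ProxyPassReverse rewrite to a backend response's headers.
    `headers` is a list of (name, value) pairs, as a proxy would hold them."""
    public = external_prefix(scheme)
    out = []
    for name, value in headers:
        if name.lower() in REWRITTEN_HEADERS:
            value = reverse_proxy_url(value, BACKEND_PREFIXES, public)
        out.append((name, value))
    return out


def demo():
    """Constructed 302 from the backend, as seen by a client on :443."""
    backend_response = [
        ("Location", "http://INTERNALIP/login"),   # would leak the private address
        ("Set-Cookie", "sid=abc; Path=/"),         # untouched by ProxyPassReverse
        ("Content-Type", "text/html"),
    ]
    return rewrite_response_headers(backend_response, "https")


if __name__ == "__main__":
    print(should_redirect_to_https("203.0.113.5", "http"))   # external client
    print(should_redirect_to_https("10.0.3.7", "http"))      # office client
    for name, value in demo():
        print(name + ": " + value)
```

Two things the model makes visible that the directives hide: without ProxyPassReverse, the `Location: http://INTERNALIP/login` redirect would both expose the backend's private address and send the browser somewhere it cannot reach, and the rewrite only touches redirect-style headers, so absolute internal URLs inside HTML bodies would still need a separate fix.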
Hi,
the problem is not the CPU... with some money you can have a lot of CPU today and make Apache look like a rockstar.
Apache does a great job, but sometimes you really need better performance.
For SSL boosting, sometimes an offloader is much better, even if it costs more money.
Posted by shermann on January 11, 2009 at 11:06 PM GMT+00:00 #
ermmm... I think we can use Thor for proxy...
Posted by Melayu Boleh on April 22, 2009 at 08:52 AM GMT+00:00 #
Hey man
I'm working on a similar config and can't find a definite answer anywhere else on this. Where should all the above config be done? In the ports.conf file or the 000-default file?
Posted by Francois on September 09, 2009 at 06:09 PM GMT+00:00 #
Thanks very much! Was looking for this info all over for a client system. This is excellent!
Posted by dave on December 22, 2009 at 01:31 AM GMT+00:00 #