OA - Ubuntu
A blog about Ubuntu, mobile GIS and archaeology

Apache + mod_proxy + mod_ssl - A good, secure reverse proxy

Jan 11, 2009 by Yann Hamon

With several offices in the company and a policy of letting people work from home, many of our services are exposed as web applications. Because we make heavy use of virtualization, these sites are spread across many different virtual machines, depending on their stack (PHP, Java, Python, MySQL, PostgreSQL...). With only a limited number of public IP addresses, we therefore needed an HTTP reverse proxy.

Then came the question: which reverse proxy would best fit our usage? We looked at several alternatives: Varnish, Squid, Apache with mod_proxy, nginx, haproxy... The reasons we chose mod_proxy were the following:

  • It is in main, so it is supported long-term, which is critical for a front-facing web server. As we have Canonical support, we can rely on them to sort out business-critical bugs.
  • Very good documentation; most of the other solutions are poorly documented (the nginx documentation is in Russian and parts of it are untranslated, the Squid documentation isn't great either...)
  • Easy configuration, a lot easier than Varnish or Squid...
  • Low traffic: we don't have millions of hits a day, so even if other reverse proxies have better raw performance, that is not our main concern.
  • You get all the other Apache modules with it: mod_rewrite, mod_cache, etc.

After several months of use, I am very happy with that choice. It runs on a fairly low-end VM and the load rarely goes above 0.1.

After some weeks we decided to improve security and purchased a wildcard SSL certificate. Terminating SSL at the reverse proxy has a big advantage: the backend applications don't have to support HTTPS at all, and there is a single place to configure it. You set it up once on the Apache proxy instead of on every single HTTP server you run, and it is completely transparent to the backend. Two caveats follow from that transparency: the backend only ever sees plain HTTP from the proxy, so any absolute URLs it generates will say http:// unless the proxy corrects them; and the hop between proxy and backend is unencrypted, so it must stay on the internal network.

Several months ago, many people pointed me at Pound, but it just wasn't needed thanks to mod_ssl. In the end, what I am doing is mass name-based virtual hosting with SSL, which Apache warns about in the logs but which works like a charm. The warning exists because the SSL handshake, including the choice of certificate, happens before Apache can read the Host header; without SNI (which the Apache 2.2 builds of the time did not support) every SSL vhost on a given IP and port is served the certificate of the first one declared. With a single wildcard certificate shared by all the vhosts that is exactly what we want, and once the connection is established Apache picks the right vhost from the Host header as usual. This is what one of my vhost declarations looks like:

<VirtualHost *:80>
        ServerName website.thehumanjourney.net

        # Never act as a forward proxy: a reverse proxy that also relays
        # requests for arbitrary hosts is an open proxy. Off is the default;
        # it is stated explicitly here so nobody turns it on by accident.
        ProxyRequests Off

        # Redirect every request that does not come from the internal
        # 10.0.x.x network to HTTPS. The dots are escaped: an unescaped
        # "^10.0" also matches addresses beginning with 1000 or 1020.
        RewriteEngine On
        RewriteCond %{REMOTE_ADDR} !^10\.0\.
        RewriteRule ^/(.*) https://%{SERVER_NAME}/$1 [R,L]

        ProxyPass / http://INTERNALIP/
        # Rewrite Location headers in backend redirects so the client never
        # sees the internal address; the line with the public hostname
        # catches backends that redirect to their own public name.
        ProxyPassReverse / http://website.thehumanjourney.net/
        ProxyPassReverse / http://INTERNALIP/

        CustomLog /var/log/apache2/website.thehumanjourney.net.access.log combined
        ErrorLog /var/log/apache2/website.thehumanjourney.net.error.log
</VirtualHost>

<VirtualHost *:443>
        ServerName website.thehumanjourney.net
        SSLEngine on
        SSLCertificateFile /etc/apache2/ssl/thehumanjourney.crt
        SSLCertificateKeyFile /etc/apache2/ssl/thehumanjourney.key

        ProxyRequests Off
        ProxyPass / http://INTERNALIP/
        # On this vhost the rewritten Location takes the scheme of the
        # incoming request, so a backend redirect to http://website.../x
        # reaches the client as https://website.../x
        ProxyPassReverse / http://website.thehumanjourney.net/
        ProxyPassReverse / http://INTERNALIP/

        CustomLog /var/log/apache2/website.thehumanjourney.net.access.log combined
        ErrorLog /var/log/apache2/website.thehumanjourney.net.error.log
</VirtualHost>

ProxyPassReverse is the bit of black magic that took me a while to figure out. In the end it is simple: when the backend issues a redirect (a Location header) using its internal address, the proxy rewrites it to the external address before passing the response to the client. The prefix is rebuilt from the scheme and host of the client's own request, which is why the second ProxyPassReverse line, the one with the public hostname, is worth having: a backend that knows its public name but not that the client came in over HTTPS will redirect to http://website.thehumanjourney.net/..., and on the 443 vhost that becomes https://website.thehumanjourney.net/... on the way out. Note that only the Location, Content-Location and URI headers are rewritten; internal addresses embedded in HTML bodies are not, so the backend should not be generating those in the first place.
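To see why the two ProxyPassReverse lines behave as they do, here is a small model of the rewrite, written as an added example for this page. It is neither the post's configuration nor Apache's own code; it follows the documented behaviour (match the Location URL against each internal URL in declaration order, then rebuild the prefix from the scheme and host of the client's request). INTERNALIP is the post's placeholder and the sample Location headers are constructed.

```python
"""Model of what Apache's ProxyPassReverse does to a backend Location header.

Added example for this page: not the post's code and not Apache's
implementation. It mirrors the documented behaviour so the effect of the two
ProxyPassReverse lines in the vhost above can be checked offline.
"""
from urllib.parse import urlsplit

# ProxyPassReverse <external path> <internal url>, in declaration order.
# Constructed to mirror the *:443 vhost in the post (INTERNALIP is the
# post's placeholder for the backend address).
REVERSE_MAP = [
    ("/", "http://website.thehumanjourney.net/"),
    ("/", "http://INTERNALIP/"),
]


def _prefix_match(location, internal):
    """Return the part of `location` after the `internal` prefix, or None.

    Scheme and host are compared case-insensitively, the path prefix
    byte-for-byte. A relative Location ("/foo") has no scheme or host and
    therefore never matches; Apache leaves it alone and the browser
    resolves it against the proxy's own address.
    """
    loc, intl = urlsplit(location), urlsplit(internal)
    if not loc.scheme or not loc.netloc:
        return None
    if loc.scheme.lower() != intl.scheme.lower():
        return None
    if loc.netloc.lower() != intl.netloc.lower():
        return None
    loc_path = loc.path or "/"
    if not loc_path.startswith(intl.path):
        return None
    rest = loc_path[len(intl.path):]
    if loc.query:
        rest += "?" + loc.query
    return rest


def proxy_pass_reverse(location, reverse_map, request_scheme, request_host):
    """Rewrite a backend Location header the way ProxyPassReverse would.

    The first mapping whose internal URL is a prefix of `location` wins, and
    the replacement prefix is built from the *client's* request: on the :443
    vhost request_scheme is "https", so an http:// redirect from the backend
    is upgraded on the way out.
    """
    for external_path, internal_url in reverse_map:
        rest = _prefix_match(location, internal_url)
        if rest is not None:
            return f"{request_scheme}://{request_host}{external_path}{rest}"
    # No mapping matched (relative URL, foreign host): pass it through.
    return location


def demo():
    """Run the constructed sample headers through the :443 vhost mapping."""
    host = "website.thehumanjourney.net"
    samples = [
        "http://INTERNALIP/login",                       # internal address
        "http://website.thehumanjourney.net/admin/?next=%2F",  # public name, wrong scheme
        "/relative/",                                    # relative: untouched
        "http://other.example.org/",                     # foreign host: untouched
    ]
    return [(s, proxy_pass_reverse(s, REVERSE_MAP, "https", host)) for s in samples]


if __name__ == "__main__":
    for before, after in demo():
        print(f"{before:55} -> {after}")
```

The first two samples show the two jobs the pair of directives does: hiding the internal address, and turning the backend's http:// redirect into https:// because the scheme comes from the client's request, not from the backend. Anything that does not match a declared internal URL goes through unchanged, which is also why a backend that redirects to some third hostname will leak it.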

Even with SSL, the CPU doesn't blink. Many people consider this a bad choice because they associate Apache with poor performance; but before you decide not to use Apache as a reverse proxy because it is "slow", ask yourself: do you really need the X GB/s of throughput that nginx or Varnish may provide?



The problem is not the CPU... with some money you can have a lot of CPU today and make Apache look like a rockstar.
Apache does a great job, but sometimes you really need better performance.
For SSL boosting, sometimes an offloader is much better, even if it costs more money.

Posted by shermann on January 11, 2009 at 11:06 PM GMT+00:00 #

Ermmm... I think we can use Thor for proxy...

Posted by Melayu Boleh on April 22, 2009 at 08:52 AM GMT+00:00 #

Hey man

I'm working on a similar config and can't find a definite answer anywhere else on this. Where should all the above config be done? In the ports.conf file or the 000-default file?

Posted by Francois on September 09, 2009 at 06:09 PM GMT+00:00 #

Thanks very much! Was looking for this info all over for a client system. This is excellent!

Posted by dave on December 22, 2009 at 01:31 AM GMT+00:00 #
