Tutorial

How To Use Apache HTTP Server As Reverse-Proxy Using mod_proxy Extension

Published on February 15, 2014
author

O.S. Tezer

How To Use Apache HTTP Server As Reverse-Proxy Using mod_proxy Extension
Not using Ubuntu 12.04?Choose a different version or distribution.
Ubuntu 12.04

Introduction


Apache is a tried and tested HTTP server which comes with access to a very wide range of powerful extensions. Although it might not seem like the go-to choice in terms of running a reverse-proxy, system administrators who already depend on Apache for the available rich feature-set can also use it as a gateway to their application servers. In most cases, this will translate to removing an additional layer from their server set up or the need to use yet another tool just to redirect connections.

In this DigitalOcean article, we are going to see set up Apache on Ubuntu 13 and use it as a reverse-proxy to welcome incoming connections and redirect them to application server(s) running on the same network. For this purpose, we are going to use and work with the mod_proxy extension and several other related Apache modules.

Glossary


1. Apache


2. Apache Working As A Reverse-Proxy Using mod_proxy


3. Installing Apache And mod_proxy


  1. Updating The Operating-System
  2. Getting The Essential Build Tools
  3. Getting The Modules And Dependencies

4. Configuring Apache To Proxy Connections


  1. Activating The Modules
  2. Modifying The Default Configuration
  3. Enabling Load-Balancing
  4. Enabling SSL Support
  5. Restarting Apache

Apache


Apache HTTP server does not require an introduction, since it is probably the most famous and popular web-server that exists. It is possible to run Apache very easily on many different platforms and set ups. The application comes with a lot of third party modules to handle different kind of tasks (mod_rewrite for rule-based URL rewriting) and one of them, albeit nowadays relatively neglected, is mod_proxy: The Apache Module to implement a proxy (or gateway) for servers running on the back-end.

Tip: According to some articles, Apache’s name comes from server’s “patchy” nature - i.e. it being a collection of application patches (or modules).

Note: To learn more about Apache, you can check out the Wikipedia entry on the subject - Apache HTTP Server.

Apache Working As A Reverse-Proxy Using mod_proxy


mod_proxy is the Apache module for redirecting connections (i.e. a gateway, passing them through). It is enabled for use just like any other module and configuration is pretty basic (or standard), in line with others. mod_proxy is not just a single module but a collection of them, with each bringing a new set of functionality.

Some of these modules are:

  • mod_proxy: The main proxy module for Apache that manages connections and redirects them.

  • mod_proxy_http: This module implements the proxy features for HTTP and HTTPS protocols.

  • mod_proxy_ftp: This module does the same but for FTP protocol.

  • mod_proxy_connect: This one is used for SSL tunnelling.

  • mod_proxy_ajp: Used for working with the AJP protocol.

  • mod_proxy_wstunnel: Used for working with web-sockets (i.e. WS and WSS).

  • mod_proxy_balancer: Used for clustering and load-balancing.

  • mod_cache: Used for caching.

  • mod_headers: Used for managing HTTP headers.

  • mod_deflate: Used for compression.

Note: To learn more about Apache and mod_proxy, you can check out the official Apache documentation on the subject here.

Installing Apache And mod_proxy


Note: Instructions given here are kept brief, since chances are you already have Apache installed or know how to use it. Nonetheless, by following the steps below you can get a new Ubuntu VPS running Apache in a matter of minutes.

Updating The Operating-System


We will begin with preparing our virtual server. We are going to first upgrade the default available components to make sure that we have everything up-to-date.

Update the software sources list and upgrade the dated applications:

  1. aptitude update
  2. aptitude -y upgrade

Getting The Essential Build Tools


Let’s continue with getting the essential package for application building - the build-essential. This package contains tools necessary to install certain things from source.

Run the following command to install build-essential package:

  1. aptitude install -y build-essential

Getting The Modules And Dependencies


Next, we are going to get the module and dependencies.

Run the following command to install them:

  1. aptitude install -y libapache2-mod-proxy-html libxml2-dev

Configuring Apache To Proxy Connections


Activating The Modules


Before configuring Apache, we are going to enable the necessary modules that we will be using in this tutorial, or which might come in handy in the future.

First, let’s verify that all modules are correctly installed and ready to be activated.

Run the following command to get a list of available Apache modules:

  1. a2enmod
  2. # You will be presented with an output similar to:
  3. # Your choices are: access_compat actions alias allowmethods asis auth_basic auth_digest auth_form authn_anon authn_core authn_dbd authn_dbm authn_file authn_socache authnz_ldap authz_core authz_dbd authz_dbm authz_groupfile authz_host authz_owner authz_user autoindex buffer cache cache_disk cache_socache cgi cgid charset_lite data dav dav_fs dav_lock dbd deflate dialup dir dump_io echo env expires ext_filter file_cache filter headers heartbeat heartmonitor include info lbmethod_bybusyness lbmethod_byrequests lbmethod_bytraffic lbmethod_heartbeat ldap log_debug log_forensic lua macro mime mime_magic mpm_event mpm_itk mpm_prefork mpm_worker negotiation proxy proxy_ajp proxy_balancer proxy_connect proxy_express proxy_fcgi proxy_fdpass proxy_ftp proxy_html proxy_http proxy_scgi proxy_wstunnel ratelimit reflector remoteip reqtimeout request rewrite sed session session_cookie session_crypto session_dbd setenvif slotmem_plain slotmem_shm socache_dbm socache_memcache socache_shmcb speling ssl status substitute suexec unique_id userdir usertrack vhost_alias xml2enc
  4. # Which module(s) do you want to enable (wildcards ok)?

Once you are prompted with the choice of modules you desire, you can pass the below line listing the module names:

The list of modules:

  1. proxy proxy_ajp proxy_http rewrite deflate headers proxy_balancer proxy_connect proxy_html

Or alternatively, you can run the following commands to enable the modules one by one:

  1. a2enmod proxy
  2. a2enmod proxy_http
  3. a2enmod proxy_ajp
  4. a2enmod rewrite
  5. a2enmod deflate
  6. a2enmod headers
  7. a2enmod proxy_balancer
  8. a2enmod proxy_connect
  9. a2enmod proxy_html

Note: Some modules are likely to be enabled by default. Trying to enable them twice will just ensure that they are active.

Modifying The Default Configuration


In this step, we are going to see how to modify the default configuration file 000-default.conf inside /etc/apache2/sites-enabled to set up “proxying” functionality.

Run the following command to edit the default Apache virtual host using the nano text editor:

  1. nano /etc/apache2/sites-enabled/000-default.conf

Here, we will be defining a proxy virtual host using mod_virtualhost and mod_proxy together.

Copy-and-paste the below block of configuration, amending it to suit your needs:

    <VirtualHost *:*>
        ProxyPreserveHost On
        
        # Servers to proxy the connection, or;
        # List of application servers:
        # Usage:
        # ProxyPass / http://[IP Addr.]:[port]/
        # ProxyPassReverse / http://[IP Addr.]:[port]/
        # Example: 
        ProxyPass / http://0.0.0.0:8080/
        ProxyPassReverse / http://0.0.0.0:8080/
        
        ServerName localhost
    </VirtualHost>

Press CTRL+X and confirm with Y to save and exit.

Note: To learn more about virtual host configurations, you can check out the detailed Apache manual on the subject by clicking here.

Enabling Load-Balancing


If you have multiple back-end servers, a good way to distribute the connection when proxying them is to use Apache’s load balancing features.

Start editing the virtual-host settings like the previous step, but this time using the below configuration example:

    <Proxy balancer://mycluster>
        # Define back-end servers:

        # Server 1
        BalancerMember http://0.0.0.0:8080/
        
        # Server 2
        BalancerMember http://0.0.0.0:8081/
    </Proxy>
    
    <VirtualHost *:*>
        # Apply VH settings as desired
        # However, configure ProxyPass argument to
        # use "mycluster" to balance the load
        
        ProxyPass / balancer://mycluster
    </VirtualHost>

Enabling SSL Reverse-Proxy Support


If you are dealing with SSL connections and certificates, you will also need to enable a secondary virtual host with below settings.

Repeat the steps from the previous steps but using these configuration options:

    Listen 443
     
    NameVirtualHost *:443
    <VirtualHost *:443>
    
        SSLEngine On
        
        # Set the path to SSL certificate
        # Usage: SSLCertificateFile /path/to/cert.pem
        SSLCertificateFile /etc/apache2/ssl/file.pem
        
        
        # Servers to proxy the connection, or;
        # List of application servers:
        # Usage:
        # ProxyPass / http://[IP Addr.]:[port]/
        # ProxyPassReverse / http://[IP Addr.]:[port]/
        # Example: 
        ProxyPass / http://0.0.0.0:8080/
        ProxyPassReverse / http://0.0.0.0:8080/
        
        # Or, balance the load:
        # ProxyPass / balancer://balancer_cluster_name
    
    </VirtualHost>

Restarting Apache


Once you are happy with your configuration, you will need to restart the cloud server for the changes to go into effect.

Execute the following command to restart Apache:

  1. service apache2 restart

And that’s it!

You can now visit your VPS and Apache shall reverse-proxy connections to your back-end application servers.

Thanks for learning with the DigitalOcean Community. Check out our offerings for compute, storage, networking, and managed databases.

Learn more about our products

About the authors
Default avatar
O.S. Tezer

author

Still looking for an answer?

Ask a questionSearch for more help

Was this helpful?
 
10 Comments


This textbox defaults to using Markdown to format your answer.

You can type !ref in this text area to quickly search our full set of tutorials, documentation & marketplace offerings and insert the link!

Works like a charm!

I had a problem with the balancer. I always received err_too_many_redirects from my browser. The Problem was the cluster member url contained a slash (/) after the portnumber - i removed those, and added a slash on ProxyPass

<Proxy balancer://mycluster>
    # Define back-end servers:

    # Server 1
    BalancerMember http://0.0.0.0:8081

    # Server 2
    BalancerMember http://0.0.0.0:8082
</Proxy>
<VirtualHost *:8080>
    ProxyPass / balancer://mycluster/
</VirtualHost>

After removing those two slashes and adding the other one to VirtualHost section, everything worked fine.

my loadbalancer setup: port 8080 balancing to 8081 & 8082

Below config worked for me for frontend and backend with selfsigned ssl.

<VirtualHost *:1443>
        ServerName somehost.local
        ProxyPreserveHost On
        ProxyRequests off
        SSLEngine on
        SSLProxyEngine on
        SSLProxyVerify none
        SSLProxyCheckPeerName off
        SSLProxyCheckPeerCN off
        SSLProxyCheckPeerExpire off
        SSLEngine      On
        ProxyPass / https://anotherhost:443/
        ProxyPassReverse / https://anotherhost:443/

        SSLCertificateFile      /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
</VirtualHost>

I can’t get this running. I’m trying to set up RStudio to run at www.mywebsite/rstudio. I’ve got the following 000-default.conf::

<VirtualHost *:*>
    ProxyPreserveHost On

    # Servers to proxy the connection, or;
    # List of application servers:
    # Usage:
    # ProxyPass / http://[IP Addr.]:[port]/
    # ProxyPassReverse / http://[IP Addr.]:[port]/
    # Example:
    ProxyPass        /rstudio/ http://localhost:8787/
    ProxyPassReverse /rstudio/ http://localhost:8787/
    ServerName localhost
</VirtualHost>

However, I still get a 404 when trying to browse to the webpage. I’ve followed this guide to the “T.” I wonder if it has to do with the fact that I’m using DO’s one-click Wordpress installation on Ubuntu.

Hi,

I hope you can help with this because I am a little bit confused.

I’m an apache 2.2 httpd and want to communicate to a secured server which is also HTTPS SSL by using ProxyPass and ProxyPassReverse.

Sample architecture:

Outside world ==> https ssl Apache 2.2 httpd (localhost) ==> Secured server Https ssl (domain.com) I am the middle man here.

What exactly do I need from them (domain.com) in order for me to configure Apache 2.2 httpd-ssl.conf properly?

Do I only need their public key? I don’t think I also need their certificate, otherwise I can generate their private key. I don’t think that’s handy…and insecured.

This is my current configuration when the outside world visit the middle man apache server. Can you take a look and check what I am missing to get it working theoretically?

=======

LoadModule ssl_module modules/mod_ssl.so LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.so

Listen 8443

<VirtualHost *:8443> ServerName localhost.localdomain SSLEngine on SSLCertificateFile /etc/httpd/conf.d/ssl/server.crt SSLCertificateKeyFile /etc/httpd/conf.d/ssl/server_priv.pem

ProxyRequests off
SSLProxyEngine on
Loglevel debug

ErrorLog /home/df/Desktop/errorLog_443.txt
TransferLog /home/df/Desktop/transferLog_443.txt

<Location /gd_endpoint/>
	ProxyPass https://domain.com:45093/abc/1.1.0
	ProxyPassReverse https://domain.com:45093/abc/1.1.0
	Order deny,allow
	Deny from all
	Allow from all
</Location>

</VirtualHost>

Hello, I need some help: I have a Ruby application running on port:8550 and Apache on :80. How do I serve requests to :8550 on a clean url?

Hi everyone, in “Enabling SSL Reverse-Proxy Support”, I added: “ProxyPreserveHost On” line <VirtualHost *:443> … ProxyPreserveHost On ProxyPass / http://0.0.0.0:8080/ ProxyPassReverse / http://0.0.0.0:8080/ … </VirtualHost> I hope it can be useful.

Can’t activate gzip encoding. module deflate loaded, .htaccess edited with following:

<IfModule mod_deflate.c>
        # Insert filter
        SetOutputFilter DEFLATE
		AddOutputFilterByType DEFLATE application/atom+xml \
									  application/javascript \
									  application/json \
									  application/rss+xml \
									  application/vnd.ms-fontobject \
									  application/x-font-ttf \
									  application/xhtml+xml \
									  application/xml \
									  font/opentype \
									  image/svg+xml \
									  image/x-icon \
									  text/css \
									  text/html \
									  text/plain \
									  text/x-component \
									  text/xml

        # Netscape 4.x has some problems...
        BrowserMatch ^Mozilla/4 gzip-only-text/html

        # Netscape 4.06-4.08 have some more problems
        BrowserMatch ^Mozilla/4\.0[678] no-gzip

        # MSIE masquerades as Netscape, but it is fine
        # BrowserMatch \bMSIE !no-gzip !gzip-only-text/html

        # NOTE: Due to a bug in mod_setenvif up to Apache 2.0.48
        # the above regex won't work. You can use the following
        # workaround to get the desired effect:
        BrowserMatch \bMSI[E] !no-gzip !gzip-only-text/html

        # Don't compress images
        SetEnvIfNoCase Request_URI \
        \.(?:gif|jpe?g|png)$ no-gzip dont-vary

        # Make sure proxies don't deliver the wrong content
        Header append Vary User-Agent env=!dont-vary
		
		#exclude the following file types
		SetEnvIfNoCase Request_URI \.(?:exe|t?gz|zip|iso|tar|bz2|sit|rar|png|jpg|gif|jpeg|flv|swf|mp3)$ no-gzip dont-vary

		#set compression level
		DeflateCompressionLevel 9

		
</IfModule>

wont work anyways

Andrew SB
DigitalOcean Employee
DigitalOcean Employee badge
June 17, 2014

This comment has been deleted

    Ive set up a reverse proxy as above to go to www.example.com/server1. That works fine but when i click on any link in /server1 it bypasses the proxy and loads up the original page

    Try DigitalOcean for free

    Click below to sign up and get $200 of credit to try our products over 60 days!

    Sign up

    Join the Tech Talk
    Success! Thank you! Please check your email for further details.

    Please complete your information!

    Become a contributor for community

    Get paid to write technical tutorials and select a tech-focused charity to receive a matching donation.

    DigitalOcean Documentation

    Full documentation for every DigitalOcean product.

    Resources for startups and SMBs

    The Wave has everything you need to know about building a business, from raising funding to marketing your product.

    Get our newsletter

    Stay up to date by signing up for DigitalOcean’s Infrastructure as a Newsletter.

    New accounts only. By submitting your email you agree to our Privacy Policy

    The developer cloud

    Scale up as you grow — whether you're running one virtual machine or ten thousand.

    Get started for free

    Sign up and get $200 in credit for your first 60 days with DigitalOcean.*

    *This promotional offer applies to new accounts only.