version 14, including all changes.
.
| Rev |
Author |
# |
Line |
| 7 |
CraigBox |
1 |
Apache can be used as a reverse proxy - that is, it allows access to internal sites from an external network, such as the Internet. |
| |
|
2 |
|
| |
|
3 |
__NOTE__ This can lead to a security flaw, if you leave your apache unsecured and enable all proxying, you will act as an open relay. Be warned! |
| |
|
4 |
|
| |
|
5 |
There are a few different ways you can use apache to proxy, such as: |
| |
|
6 |
|
| |
|
7 |
* mod_rewrite |
| |
|
8 |
* mod_proxy |
| |
|
9 |
* mod_proxy_html |
| |
|
10 |
|
| |
|
11 |
!! mod_rewrite |
| |
|
12 |
|
| |
|
13 |
mod_rewrite will rewrite a source URL transparently to the end user. AddToMe |
| |
|
14 |
|
| |
|
15 |
!! mod_proxy |
| |
|
16 |
|
| |
|
17 |
mod_proxy is useful for simple proxying rules, such as when you want to expose a flat directory to the world, or if the internal site only uses relative URLs |
| |
|
18 |
|
| |
|
19 |
For example, I have an internal network appliance (a camera) with a very simple web interface, that I wish to expose to a (properly authenticated) Internet: |
| |
|
20 |
|
| |
|
21 |
<verbatim> |
| |
|
22 |
<IfModule mod_proxy.c> |
| |
|
23 |
ProxyRequests Off |
| |
|
24 |
<Location /camera> |
| |
|
25 |
ProxyPass http://camera.internal.org/ |
| |
|
26 |
ProxyPassReverse http://camera.internal.org/ |
| |
|
27 |
AuthType Basic |
| |
|
28 |
AuthName "Camera" |
| |
|
29 |
AuthLDAPUrl ldap:///dc=internal,dc=org?uid |
| |
|
30 |
Require user daniel camera |
| |
|
31 |
</Location> |
| |
|
32 |
</IfModule> |
| |
|
33 |
</verbatim> |
| |
|
34 |
|
| |
|
35 |
"~ProxyRequests Off" disables arbitrary proxying - this stops my webserver being an open relay. I've also configured the /camera location to require some specific auth, authing out of an LDAP tree on localhost. |
| |
|
36 |
|
| |
|
37 |
"~ProxyPass http://camera.internal.org" is actually shorthand for "~ProxyPass /camera http://camera.internal.org". I can make this shorthand because the ~ProxyPass directive is inside a <Location> block. This says to proxy any requests for for /camera/* to http://camera.internal.org/* |
| |
|
38 |
|
| |
|
39 |
~ProxyPassReverse, which has the same syntax as ~ProxyPass, will adjust the response URI to keep it pointing at the same place. |
| |
|
40 |
|
| |
|
41 |
This works fairly well, although it fails if the internal website is a bit more complicated, or is on a different port. Use mod_proxy_html for that! |
| |
|
42 |
|
| 10 |
KarstenBreivik |
43 |
! I get "client denied by server configuration: proxy:http://site" errors - or a 403 Forbidden message |
| 7 |
CraigBox |
44 |
|
| 10 |
KarstenBreivik |
45 |
You have a <proxy:*> block that is denying your access. Check in mods-enabled/proxy.conf if you're on Debian or Ubuntu, because it defaults to denying all. As a quick test, you can comment out the whole section, but for prod env's it should be configured correctly. |
| 7 |
CraigBox |
46 |
|
| |
|
47 |
!! mod_proxy_html |
| |
|
48 |
|
| |
|
49 |
Suppose I want to expose a website that is running on a non-standard port internally. I could use mod_proxy, if the website only used relative or path-only absolute URLS. However, the website happens to know what hostname and port it is supposed to be running on, and has some urls which are targetted directly at the hostname and port. mod_proxy will break in this case, because URLs in the webpages aren't rewritten, and I can't access the device directly from the external network. |
| |
|
50 |
|
| |
|
51 |
mod_proxy_html solves this, by rewriting parts of the source code on the fly. It's implemented as a filter in apache2, which means all webpages in the appropriate block pass through it, and can be rewritten on the fly. |
| |
|
52 |
|
| |
|
53 |
Here is an example config for exposing the [CUPS] web interface, which runs on port 631, via an ApacheReverseProxy: |
| 10 |
KarstenBreivik |
54 |
|
| |
|
55 |
First, get the mod_proxy_html module: |
| |
|
56 |
|
| |
|
57 |
<verbatim> |
| |
|
58 |
|
| |
|
59 |
# apt-get install libapache2-mod-proxy-html |
| |
|
60 |
|
| |
|
61 |
</verbatim> |
| |
|
62 |
|
| |
|
63 |
You may or may not have to enable the module with |
| |
|
64 |
|
| |
|
65 |
<verbatim> |
| |
|
66 |
|
| |
|
67 |
# a2enmod proxy_html |
| |
|
68 |
|
| 11 |
KarstenBreivik |
69 |
</verbatim> |
| 10 |
KarstenBreivik |
70 |
|
| 14 |
CraigBox |
71 |
Then edit the <tt><~IfModule mod_proxy.c></tt> section of /etc/apache2/mods-enabled/proxy.conf |
| 7 |
CraigBox |
72 |
|
| |
|
73 |
<verbatim> |
| |
|
74 |
<IfModule mod_proxy.c> |
| |
|
75 |
ProxyRequests Off |
| |
|
76 |
ProxyPass /cups http://cups.internal.org:631/ |
| |
|
77 |
ProxyHTMLURLMap http://cups.internal.org:631/ /cups |
| |
|
78 |
<Location /cups> |
| |
|
79 |
ProxyPassReverse http://cups.internal.org:631/ |
| |
|
80 |
SetOutputFilter proxy-html |
| |
|
81 |
ProxyHTMLURLMap / /cups/ |
| |
|
82 |
ProxyHTMLURLMap /cups/ /cups/ |
| |
|
83 |
</Location> |
| |
|
84 |
</IfModule mod_proxy.c> |
| |
|
85 |
</verbatim> |
| 10 |
KarstenBreivik |
86 |
|
| |
|
87 |
|
| |
|
88 |
Then reload the config |
| |
|
89 |
|
| |
|
90 |
<verbatim> |
| |
|
91 |
|
| |
|
92 |
/etc/init.d/apache2 force-reload |
| |
|
93 |
|
| |
|
94 |
</verbatim> |
| |
|
95 |
|
| |
|
96 |
|
| 7 |
CraigBox |
97 |
|
| |
|
98 |
New directives that are added include the ~ProxyHTMLURLMap directive, and the ~SetOutputFilter directive. |
| |
|
99 |
|
| |
|
100 |
~SetOutputFilter tells apache to pass the proxied content through the proxy-html filter, which mod_proxy_html provides. This does all the rewriting discussed below: |
| |
|
101 |
|
| |
|
102 |
The first ~ProxyHTMLURLMap directive tells mod_proxy_html to rewrite any instance of "http://cups.internal.org:631/" to "/cups". This means any absolute URLs will be rewritten to point under the /cups/ Location, which will then get proxied appropriately. |
| |
|
103 |
|
| |
|
104 |
The remaining ~ProxyHTMLURLMap directives handle URLs with just a set path, eg "/printers/printer1/". This will get rewritten to "/cups/printers/printer1/" and then proxied correctly. The last directive is a no-rewrite rule, intended to prevent infinite looping. |
| |
|
105 |
|
| |
|
106 |
----- |
| |
|
107 |
|
| |
|
108 |
!!Using Apache 2 with Outlook Web Access (OWA) |
| |
|
109 |
|
| |
|
110 |
First, enable some useful modules: |
| |
|
111 |
<pre> |
| |
|
112 |
a2enmod proxy |
| |
|
113 |
a2enmod headers |
| |
|
114 |
</pre> |
| |
|
115 |
|
| |
|
116 |
Placeholder for when I actually get this going: |
| |
|
117 |
|
| |
|
118 |
<verbatim> |
| |
|
119 |
<VirtualHost 1.2.3.4:80> |
| |
|
120 |
ServerName webmail.example.org |
| |
|
121 |
DocumentRoot /var/www/html/exchange |
| |
|
122 |
RedirectMatch ^/(index.html?)$ https://webmail.example.org/exchange/ |
| |
|
123 |
RedirectMatch ^/exchange$ https://webmail.example.org/exchange/ |
| |
|
124 |
</VirtualHost> |
| |
|
125 |
|
| |
|
126 |
<VirtualHost 1.2.3.4:443> |
| |
|
127 |
# This secures the server from being used as a third party |
| |
|
128 |
# proxy server |
| |
|
129 |
ProxyRequests Off |
| |
|
130 |
|
| |
|
131 |
# Allows the proxying of a SSL connection |
| |
|
132 |
SSLProxyEngine On |
| |
|
133 |
ProxyVia On |
| |
|
134 |
|
| |
|
135 |
DocumentRoot /home/user/mail_proxy/html/ |
| |
|
136 |
RequestHeader set Front-End-Https "On" |
| |
|
137 |
|
| |
|
138 |
ServerName mail |
| |
|
139 |
|
| |
|
140 |
# Set up SSL to work with this host |
| |
|
141 |
SSLEngine On |
| |
|
142 |
SSLCertificateFile /etc/apache/webmail-proxy/server.crt |
| |
|
143 |
SSLCertificateKeyFile /etc/apache/webmail-proxy/server.key |
| |
|
144 |
|
| |
|
145 |
SSLProxyMachineCertificateFile /etc/apache/webmail-proxy/certnew.cer |
| |
|
146 |
|
| |
|
147 |
ProxyPass /exchange/ https://mail-internal/exchange/ |
| |
|
148 |
ProxyPassReverse /exchange/ https://mail-internal/exchange/ |
| |
|
149 |
|
| |
|
150 |
ProxyPass /exchweb/ https://mail-internal/exchweb/ |
| |
|
151 |
ProxyPassReverse /exchweb/ https://mail-internal/exchweb/ |
| |
|
152 |
|
| |
|
153 |
ProxyPass /public/ https://mail-internal/public/ |
| |
|
154 |
ProxyPassReverse /public/ https://mail-internal/public/ |
| |
|
155 |
|
| |
|
156 |
ProxyPreserveHost On |
| |
|
157 |
</VirtualHost> |
| |
|
158 |
</verbatim> |
| |
|
159 |
|
| |
|
160 |
----- |
| |
|
161 |
|
| |
|
162 |
Here is a great article on [Apache Proxying|http://www.apacheweek.com/features/reverseproxies] |
| |
|
163 |
|
| |
|
164 |
----- |
| |
|
165 |
|
| |
|
166 |
!! Tested set of Apache reverse proxy rules |
| |
|
167 |
|
| |
|
168 |
by Chris Covington - malth@umich.edu |
| |
|
169 |
|
| |
|
170 |
How to ReverseProxy Outlook Web Access (OWA) and Outlook Mobile Access (OMA) with Apache 2.X, mod_proxy and mod_rewrite |
| |
|
171 |
|
| |
|
172 |
<verbatim> |
| |
|
173 |
Add the following to your Apache 2.0+ httpd.conf/ssl.conf to use the ReverseProxy feature: |
| |
|
174 |
|
| |
|
175 |
ProxyPreserveHost On |
| |
|
176 |
|
| |
|
177 |
#OWA % character in email subject fix |
| |
|
178 |
RewriteEngine On |
| |
|
179 |
RewriteMap percentsubject int:escape |
| |
|
180 |
RewriteCond $1 ^/exchange/.*\%.*$ |
| |
|
181 |
RewriteRule (/exchange/.*) ${percentsubject:$1} [P] |
| |
|
182 |
|
| |
|
183 |
#OWA |
| |
|
184 |
ProxyPass /exchange https://exchangserver.example.com/exchange |
| |
|
185 |
ProxyPassReverse /exchange https://exchangeserver.example.com/exchange |
| |
|
186 |
ProxyPass /Exchange https://exchangeserver.example.com/exchange |
| |
|
187 |
ProxyPassReverse /Exchange https://exchangeserver.example.com/exchange |
| |
|
188 |
ProxyPass /exchweb https://exchangeserver.example.com/exchweb |
| |
|
189 |
ProxyPassReverse /exchweb https://exchangeserver.example.com/exchweb |
| |
|
190 |
ProxyPass /public https://exchangeserver.example.com/public |
| |
|
191 |
ProxyPassReverse /public https://exchangeserver.example.com/public |
| |
|
192 |
ProxyPass /iisadmpwd https://exchangeserver.example.com/iisadmpwd |
| |
|
193 |
ProxyPassReverse /iisadmpwd https://exchangeserver.example.com/iisadmpwd |
| |
|
194 |
|
| |
|
195 |
#OMA |
| |
|
196 |
ProxyPass /oma https://exchangeserver.example.com/oma |
| |
|
197 |
ProxyPassReverse /oma https://exchangeserver.example.com/oma |
| |
|
198 |
|
| 8 |
MichaelBordignon |
199 |
#ActiveSync (for WM5+ devices) |
| 9 |
CraigBox |
200 |
ProxyPass /Microsoft-Server-ActiveSync https://exchangeserver.example.com/Microsoft-Server-ActiveSync |
| |
|
201 |
ProxyPassReverse /Microsoft-Server-ActiveSync https://exchangeserver.example.com/Microsoft-Server-ActiveSync |
| 7 |
CraigBox |
202 |
|
| |
|
203 |
</verbatim> |
