Simple Apache reverse proxy example

Simple Apache reverse proxy example

Get Social!

Background

Apache can be used as a reverse proxy to relay HTTP/ HTTPS requests to other machines. This is common practice and comes with two main benefits:

  • Security – Your Apache instance can be put in a DMZ and exposed to the world while the web servers can sit behind it with no access to the outside world.
  • Reduce load – You can reduce the load on the web servers with various methods such as web caching at the proxy, load balancing and deflecting traffic for invalid requests.

The interesting stuff – ProxyPass

To set up Apache as a reverse proxy server you will need to enable mod_proxy. Some other common mods you may need are below.

  • mod_proxy
  • mod_http
  • mod_headers
  • mod_html

To enable mods in Ubuntu/ Debian you need to make sure they are installed, then enabled. For example, installing and enabling mod_proxy would look like this:

apt-get install libapache2-mod-proxy-html a2enmod mod_proxy

Once these mods are enabled, we can begin editing the Apache config. The locations of these vary depending on your Linux distribution. For RHEL based distributions, this will be your httpd.conf; for Debian based, sites-available/default.

Inside your VirtualHost tag create a Location tag which matches the external path you wish to use. For this example we will use /.

<Location />
    # commands go here
</Location>

Inside the Location tag add the proxy options ProxyPass and ProxyPassReverse followed by the site address which will be the target of the proxy. You will also need a couple of lines to allow access.

    ProxyPass http://mywebsite.jamescoyle.net/
    ProxyPassReverse http://mywebsite.jamescoyle.net/
    Order allow,deny
    Allow from all

Outside of the location tags, towards the top of the virtual host add a few extras:

    ProxyHTMLStripComments on
    ProxyRequests off
    SetOutputFilter proxy-html
    ProxyHTMLDoctype XHTML

If you will be proxying SSL traffic, you will also need to add:

    SSLProxyEngine on

Restart apache or reload the settings for the changes to take effect:

    service apache2 reload

You will now have a working proxy – all requests sent to / will be fetched from http://mywebsite.jamescoyle.net.

Example Apache reverse proxy VirtualHost

The below example shows an Apache VirtualHost which is listening on port 80. The confiiguration accepts requests on which match the www.jamescoyle.net hostname and proxys the requests to the backend server mywebsite.jamescoyle.net.

<VirtualHost *:80>
    ServerAdmin [email protected]
    ProxyRequests off
    DocumentRoot /var/www
    SSLProxyEngine on
    ProxyPreserveHost On

    ServerName www.jamescoyle.net

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    # Possible values include: debug, info, notice, warn, error, crit,
    # alert, emerg.
    LogLevel error

    <Location />
        ProxyPass http://mywebsite.jamescoyle.net/
        ProxyPassReverse http://mywebsite.jamescoyle.net/
        Order allow,deny
        Allow from all
    </Location>

</VirtualHost>


19 Comments

R Hejc

20-Feb-2014 at 5:06 pm

Are you able to proxy Java Console (KVM for servers)? I’m getting message Connected to sevrer on port 5900, but Java never start when behind proxy…

    james.coyle

    20-Feb-2014 at 5:27 pm

    I have not found a way to do this with Apache.

Reinaldo

28-Apr-2014 at 3:25 pm

Thank you.
Your tip worked for me.

Ian Miell

3-Jun-2014 at 8:23 pm

I’ve long struggled with getting this working when playing with it casually until stumbling across this article, so have written this up into a ShutIt module:

https://github.com/ianmiell/shutit/blob/master/library/apache_proxypass/apache_proxypass.py

To get a copy of the container:

docker pull imiell/apache_proxypass

More context:

http://ianmiell.github.io/shutit/

praween

25-Jan-2015 at 4:21 am

James,
I am newbie to reverse proxy and i came across your articles in google when i was searching for reverse proxy. I am impressed with your work. I am having proxmox at my home. Would you please guide step by step how to setup reverse proxy for proxmox or atleast give the order of your links to follow. I followed this page but unable to install the packages.

Thanks
Praween

    james.coyle

    26-Jan-2015 at 9:59 am

    What errors are you getting?

hem

22-Jan-2016 at 8:43 pm

I need to block one URL

https://example.com/opensso/UI/Login?service=adminconsoleservice&locale=

but same time my main URL should work like

https:/example.com/opensso/UI/Login

any idea How to do that

Rgds..Hem

Adam

7-Mar-2016 at 10:38 pm

Hi

Thanks for the great tutorial!

is it possible to make the proxy preserve the original url? i can see that you set the “ProxyPreserveHost On” but the address seems to be overwritten.

Thanks

Gunnar

10-May-2016 at 5:47 pm

Hi,
if you want to use apache only as a reverse proxy, why is it neccessary to implement the line “ProxyPass http://mywebsite.jamescoyle.net/“? Not only “ProxyPassReverse http://mywebsite.jamescoyle.net/“?
Thanks for answer.

Phil Gardner

2-Nov-2016 at 4:09 pm

This isn’t working in Ubuntu 16.04 – Apache rejects the code and reverts the virtual host config file to the previous version. Any ideas?

    james.coyle

    2-Nov-2016 at 6:07 pm

    What does it reject? Does the error.log give any more information?

Daniel Cunil

14-Jun-2017 at 6:04 pm

Hey, I’m trying to do the same for nginx. Get error:

[proxy:error] [pid 2158:tid 140667709277952] (111)Connection refused: AH00957: HTTPS: attempt to connect to 127.0.1.1:9654 (xxx.xxxx.com) failed
[proxy_http:error] [pid 2158:tid 140667709277952] [client x.x.x.x:61269] AH01114: HTTP: failed to make connection to backend: xxx.xxxx.com

Ashish

5-Aug-2017 at 4:48 am

We have a server1 as xyz.co.in and we have setup reverse proxy on this such that xyz.co.in/promotions will serve contents from server2. Server2 also has apache2 and domain name configured in VirtualHost is abc.co.in… we want this server2 to also pass contents when xyz.co.in/promotions is called…

I understand settings at server1 and have also done other relevant settings. However, can you please help with what settings I need to do on server2?

Many thanks

Mallinath

30-Sep-2017 at 5:59 pm

Hi,
I need your help in configuring multi domain authentication through ldap in httpd.conf

constantinos

8-Jul-2018 at 3:20 pm

i did as the above example but my apache dies?

Carlos de Luna Saenz

12-Jun-2020 at 4:48 pm

I am getting a “strange behavour , muy Virtual host section is:

ServerAdmin [email protected]
ProxyRequests off
DocumentRoot /var/www
# SSLProxyEngine on
ProxyPreserveHost Off

ServerName beisbolicos

ErrorLog ${APACHE_LOG_DIR}/beisbolicos_error.log
CustomLog ${APACHE_LOG_DIR}/beisbolicos_access.log combined

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
# LogLevel error

ProxyPass http://localhost:8080/
ProxyPassReverse http://localhost:8080
Order allow,deny
Allow from all

ProxyPass http://www.beisbolicos.com/
ProxyPassReverse http://www.beisbolicos.com/
Order allow,deny
Allow from all

ProxyPass http://www.beisbolicos.com/beisbolicos.nsf/
ProxyPassReverse http://www.beisbolicos.com/beisbolicos.nsf/
Order allow,deny
Allow from all

ProxyPass http://www.beisbolicos.com/beisbolicos.nsf/
ProxyPassReverse http://www.beisbolicos.com/beisbolicos.nsf/
Order allow,deny
Allow from all

The result is tat everything is send to the localhost:8080 definition for /.
It does not matter if the / location is at the beggin or at the end

Tuxmika

22-Aug-2021 at 7:57 pm

Hi

What is the fonction of ProxyPreserveHost On

Cordially

Jim Kinter

11-Jan-2022 at 6:05 pm

Is it possible to use reverse proxy for specific paths/things on a private server? Or does it just aim at the whole private IP itself?
For instance, I have a Raspberry PI with a webcam on it on the private network. I have a full fledged Apache HTTPD web server that sits both on the private and public IP’s (dual-homed NICs).
Id like to allow a only video stream URL from the Pi to be visible on a webpage on the server, while not allowing any visitor to hit the whole Pi (guessing/scanning for URL paths), where controls and such would not be seen/accessible.
Thanks

Leave a Reply

Visit our advertisers

Quick Poll

Are you using Docker.io?

Visit our advertisers