General Apache notes and tips.
A reverse proxy server sits in front of your web servers, proxying requests from outside users.
An Apache reverse proxy requires three configuration components:
Proxypermissions, allowing clients to proxy to your backend servers
ProxyPassrules, mapping frontend requests to backend urls
- Reverse rules, mapping redirections and headers set by your backend servers to proper frontend urls.
End users must be permitted to proxy via your Apache server to your backend servers. Use the
<Proxy http://10.0.0.20:8080/*> Order allow,deny Allow from all </Proxy>
This lets any ip address proxy to any path on the http server running on port 8080 or 10.0.0.20. Note that reverse proxies grant access to machines from the IP Address of the reverse proxy server. Incorrect permissions can allow users to access machines behind your firewall.
<ProxyPass> directives specify which backends should handle which frontend URLs.
There are three ways to provide this mapping:
- A RewriteRule with a
[Proxy]command – any matched request will be proxied
ProxyPassdirective whose first argument is the frontend path and whose second argument is the backend url
<Location>block containing a
ProxyPasswhich takes only a single argument, the backend url – any requests which match the Location block will be sent to the backend
These three forms are equivalent:
RewriteRule ^/app/(.*)$ http://10.0.0.20:8080/app/$1 [P] ProxyPass /app/ http://10.0.0.20:8080/app/ <Location /app/> ProxyPass http://10.0.0.20:8080/app/ </Location>
The reverse proxy rules transform URLs in redirects and other headers to frontend URLs. This is necessary because backend servers will generally send private, backend URLs in headers, not the proper public URLs.
ProxyPassReverseCookiePath tell Apache how to mangle these headers as they pass from the backend to the client in order to form valid frontend URLs.
ProxyPassReverse will rewrite any
Location headers sent using backend URLs to use the corresponding frontend URLs. For instance, a backend server which sends:
Could be rewritten to:
ProxyPathReverseCookiePath does the same for
Set-Cookie headers. This prevents a backend application that sets
a cookie named
/ from clobbering the
sessionid cookies of other applications hosted from
ProxyPass, can be used with two arguments in a Server or VirtualHost
context, or with one argument in a Location context.
PPRCP must be given two arguments, and will rewrite any matching internal cookie
path to the given external cookie path, without re-adding any suffixes from the internal
path. Using a
ProxyPassReverseCookiePath prevents backend apps from accidentally or
maliciously interfering with one another.
<Location /foobar> ProxyPass http://10.0.0.20:8080 ProxyPassReverse http://10.0.0.20:8080 </Location> ProxyPassReverseCookiePath / /foobar
HTTPS terminated in front of Apache
If https sessions are terminated before the Apache reverse proxy (or backend server), include the scheme in the ServerName directive:
An explicit scheme is needed because when terminating HTTPS sessions on a load balancer or accelerator in front of Apache, Apache's ServerName will default to the
http: scheme. This will cause both redirections and ProxyPassReverse/ProxyPassReverseCookiePath header mangling to break.