From: Joshua Slive
This module was experimental in Apache 1.1.x. Improvements and bugfixes
- were made in Apache v1.2.x and Apache v1.3.x, then the module underwent a
- major overhaul for Apache v2.0. The protocol support was upgraded to
- HTTP/1.1
, and filter support was enabled.
During the overhaul process, mod_proxy
features
- have been split into several module files: mod_proxy_http
,
- mod_proxy_ftp
and mod_proxy_connect
.
- Thus, if you want to use one or more of the particular proxy functions,
- load mod_proxy
and the appropriate
- module(s) into the server (either statically or dynamically via the
- LoadModule
directive).
Please note that the caching function present in mod_proxy
up to Apache v1.3.x has been removed
- from mod_proxy
and incorporated into a new module,
- mod_cache
. In other words, the Apache 2.0.x proxy doesn't
- cache - all caching functionality has been moved into
- mod_cache
, which is capable of caching any content, not
- just content from the proxy.
If you need to use SSL when contacting remote servers, have a look at the
- SSLProxy*
directives in mod_ssl
.
Apache's proxy features are divided into several modules in
+ addition to mod_proxy
:
+ mod_proxy_http
, mod_proxy_ftp
+ and mod_proxy_connect
. Thus, if you want to use
+ one or more of the particular proxy functions, load
+ mod_proxy
and the appropriate module(s)
+ into the server (either statically at compile-time or dynamically
+ via the LoadModule
+ directive).
In addition, extended features are provided by other modules.
+ Caching is provided by mod_cache
and related
+ modules. The ability to contact remote servers using the SSL/TLS
+ protocol is provided by the SSLProxy*
directives of
+ mod_ssl
. These additional modules will need
+ to be loaded and configured to take advantage of these features.
mod_cache
mod_proxy_http
mod_proxy_ftp
mod_proxy_connect
Apache can be configured in both a forward and - reverse proxy configuration.
- -A forward proxy is an intermediate system that enables a - browser to connect to a remote network to which it normally does not have - access. A forward proxy can also be used to cache data, reducing load on - the networks between the forward proxy and the remote webserver.
- -Apache's mod_proxy
can be figured to behave like a
- forward proxy using the ProxyRemote
directive. In addition, caching of data can be
- achieved by configuring mod_cache
. Other dedicated
- forward proxy packages include Squid.
A reverse proxy is a webserver system that is capable of - serving webpages sourced from other webservers - in addition to webpages - on disk or generated dynamically by CGI - making these pages look like - they originated at the reverse proxy.
- -When configured with the mod_cache module the reverse proxy can act as
- a cache for slower backend webservers. The reverse proxy can also enable
- advanced URL strategies and management techniques, allowing webpages
- served using different webserver systems or architectures to coexist
- inside the same URL space. Reverse proxy systems are also ideal for
- implementing centralised logging websites with many or diverse website
- backends. Complex multi-tier webserver systems can be constructed using an
- mod_proxy
frontend and any number of backend
- webservers.
The reverse proxy is configured using the ProxyPass
and ProxyPassReverse
directives. Caching can be
- enabled using mod_cache as with the forward proxy.
An ordinary forward proxy is an intermediate + server that sits between the client and the origin + server. In order to get content from the origin server, + the client sends a request to the proxy naming the origin server + as the target and the proxy then requests the content from the + origin server and returns it to the client. The client must be + specially configured to use the forward proxy to access other + sites.
+ +A typical usage of a forward proxy is to provide Internet
+ access to internal clients that are otherwise restricted by a
+ firewall. The forward proxy can also use caching (as provided
+ by mod_cache
) to reduce network usage.
The forward proxy is activated using the ProxyRequests
directive. Because
+ forward proxys allow clients to access arbitrary sites through
+ your server and to hide their true origin, it is essential that
+ you secure your server so that only
+ authorized clients can access the proxy before activating a
+ forward proxy.
A reverse proxy, by contrast, appears to the + client just like an ordinary web server. No special + configuration on the client is necessary. The client makes + ordinary requests for content in the name-space of the reverse + proxy. The reverse proxy then decides where to send those + requests, and returns the content as if it was itself the + origin.
+ +A typical usage of a reverse proxy is to provide Internet + users access to a server that is behind a firewall. Reverse + proxies can also be used to balance load among several back-end + servers, or to provide caching for a slower back-end server. + In addition, reverse proxies can be used simply to bring + several servers into the same URL space.
+ +A reverse proxy is activated using the ProxyPass
directive or the
+ [P]
flag to the RewriteRule
directive. It is
+ not necessary to turn ProxyRequests
on in order to
+ configure a reverse proxy.
The examples below are only a very basic idea to help you + get started. Please read the documentation on the individual + directives.
+ +In addition, if you wish to have caching enabled, consult
+ the documentation from mod_cache
.
+ ProxyRequests On
+ ProxyVia On
+
+ <Proxy *>
+
+ Order deny,allow
+ Deny from all
+ Allow from internal.example.com
+
+ </Proxy
+
You can control who can access your proxy via the <Proxy>
control block using
+
+ ProxyRequests Off
+
+ <Proxy *>
+
+ Order deny,allow
+ Allow from all
+
+ </Proxy>
+
+ ProxyPass /foo/ http://foo.example.com/bar/
+ ProxyPassReverse /foo/ http://foo.example.com/bar/
+
You can control who can access your proxy via the <Proxy>
control block as in
the following example:
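Review bot: The closing tag of the new forward proxy example is written "</Proxy" with no final ">", so a reader who copies the example gets a container that never closes; change it to "</Proxy>", as the reverse proxy example added right after it already does. In the same added text, "forward proxys" in the ProxyRequests paragraph should read "forward proxies".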
@@ -164,9 +195,23 @@
</Proxy>
When configuring a reverse proxy, access control takes on the
- attributes of the normal server <Directory>
configuration.
For more information on access control directives, see
+ mod_access
.
Strictly limiting access is essential if you are using a
+ forward proxy (using the ProxyRequests
directive).
+ Otherwise, your server can be used by any client to access
+ arbitrary hosts while hiding his or her true identity. This is
+ dangerous both for your network and for the Internet at large.
+ When using a reverse proxy (using the ProxyPass
directive with
+ ProxyRequests Off
), access control is less
+ critical because clients can only contact the hosts that you
+ have specifically configured.
If you're using the ProxyBlock
directive, hostnames' IP addresses are looked up
and cached during startup for later match test. This may take a few
seconds (or more) depending on the speed with which the hostname lookups
occur.
An Apache proxy server situated in an intranet needs to forward
- external requests through the company's firewall. However, when it has to
+ external requests through the company's firewall (for this, configure
+ the ProxyRemote
directive
+ to forward the respective scheme to the firewall proxy).
+ However, when it has to
access resources within the intranet, it can bypass the firewall when
accessing hosts. The NoProxy
directive is useful for specifying which hosts belong to the intranet and
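Review bot: The added sentence that access control is "less critical" for a reverse proxy "because clients can only contact the hosts that you have specifically configured" names only ProxyPass with ProxyRequests Off, while the text added earlier in this patch says a reverse proxy can also be activated with the [P] flag to RewriteRule. Either state that the claim covers the ProxyPass case only or say how it applies to [P], since with a rewrite rule the hosts that can be reached depend on how the rule is written. As a wording point, "hiding his or her true identity" could match the "hide their true origin" phrasing used in the forward proxy paragraph.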
@@ -277,10 +324,9 @@
a redirect response and send the client to the correct, fully qualified,
server address. This is the preferred method since the user's bookmark
files will then contain fully qualified hosts.
For circumstances where you have a application server which doesn't implement keepalives or HTTP/1.1 properly, there are 2 environment variables which when set send a HTTP/1.0 with no keepalive. These are set @@ -298,8 +344,7 @@ </Location>