DigitalOcean Reverse Proxy
Latest revision as of 17:47, 20 September 2021
Why Reverse Proxy
A reverse proxy is a type of proxy server that takes HTTP(S) requests and transparently distributes them to one or more backend servers. Reverse proxies are useful because many modern web applications process incoming HTTP requests using backend application servers which aren't meant to be accessed by users directly and often only support rudimentary HTTP features. You can use a reverse proxy to prevent these underlying application servers from being directly accessed. They can also be used to distribute the load from incoming requests to several different application servers, increasing performance at scale and providing fail-safeness. They can fill in the gaps with features the application servers don't offer, such as caching, compression, or SSL encryption too.
Prerequisites
- CentOS 7 Droplet with root/sudo access
- Apache 2 installed on your CentOS 7
- Optionally, the nano/vim text editor
yum install httpd
apachectl restart
systemctl status httpd
apachectl -t
Required Modules
The modules that are needed to use Apache as a reverse proxy include mod_proxy itself and several of its add-on modules, which extend its functionality to support different network protocols. Specifically, we will be using:
- mod_proxy, the main Apache proxy module for redirecting connections; it allows Apache to act as a gateway to the underlying application servers.
- mod_proxy_http, which adds support for proxying HTTP connections.
- mod_proxy_balancer and mod_lbmethod_byrequests, which add load balancing features for multiple backend servers.
Run httpd -M; its output lists all enabled Apache modules. The four lines you're looking for are the aforementioned module names:
httpd -M
# console output
proxy_module (shared)
.... more ....
lbmethod_byrequests_module (shared)
.... more ....
proxy_balancer_module (shared)
proxy_http_module (shared)
.... more ....
In case the modules are not enabled, you can enable them by opening /etc/httpd/conf.modules.d/00-proxy.conf with vi, vim or nano and making sure the LoadModule lines for these modules are present and not commented out.
Config Reverse Proxy
# /etc/httpd/conf.d/httpd-proxy.conf
<VirtualHost *:80>
ProxyPreserveHost On
ProxyRequests Off
AllowEncodedSlashes Off
ServerName dev.chorke.org
ServerAlias uat.chorke.org
# proxy for amqp
ProxyPass /amqp http://127.0.0.1:8300/amqp nocanon
ProxyPassReverse /amqp http://127.0.0.1:8300/amqp
# proxy for mqtt
ProxyPass /mqtt http://127.0.0.1:8301/mqtt nocanon
ProxyPassReverse /mqtt http://127.0.0.1:8301/mqtt
# proxy for ebis
ProxyPass /ebis http://127.0.0.1:8302/ebis nocanon
ProxyPassReverse /ebis http://127.0.0.1:8302/ebis
# proxy for fhir
ProxyPass /fhir http://127.0.0.1:8303/fhir nocanon
ProxyPassReverse /fhir http://127.0.0.1:8303/fhir
# proxy for init
ProxyPass /init http://127.0.0.1:8304/init nocanon
ProxyPassReverse /init http://127.0.0.1:8304/init
</VirtualHost>
Restrict Reverse Proxy
# /etc/httpd/conf.d/httpd-proxy.conf
<VirtualHost *:80>
ProxyPreserveHost On
ProxyRequests Off
AllowEncodedSlashes Off
ServerName dev.chorke.org
ServerAlias uat.chorke.org
<Proxy *>
Order Deny,Allow
Deny from all
Allow from ::1
Allow from 100.43.0
Allow from 127.0.0.1
Allow from 192.168.0
</Proxy>
# proxy for ebis
ProxyPass /ebis http://127.0.0.1:8302/ebis nocanon
ProxyPassReverse /ebis http://127.0.0.1:8302/ebis
# proxy for fhir
ProxyPass /fhir http://127.0.0.1:8303/fhir nocanon
ProxyPassReverse /fhir http://127.0.0.1:8303/fhir
# proxy for init
ProxyPass /init http://127.0.0.1:8304/init nocanon
ProxyPassReverse /init http://127.0.0.1:8304/init
</VirtualHost>
Restrict Proxy Location
# /etc/httpd/conf.d/httpd-proxy.conf
<VirtualHost *:80>
ProxyPreserveHost On
ProxyRequests Off
AllowEncodedSlashes Off
ServerName dev.chorke.org
ServerAlias uat.chorke.org
# proxy for amqp
ProxyPass /amqp http://127.0.0.1:8300/amqp nocanon
ProxyPassReverse /amqp http://127.0.0.1:8300/amqp
# proxy for mqtt
ProxyPass /mqtt http://127.0.0.1:8301/mqtt nocanon
ProxyPassReverse /mqtt http://127.0.0.1:8301/mqtt
# proxy for ebis
<Location /ebis>
Order Deny,Allow
Deny from all
Allow from ::1
Allow from 100.43.0
Allow from 127.0.0.1
Allow from 192.168.0
ProxyPass http://127.0.0.1:8302/ebis nocanon
ProxyPassReverse http://127.0.0.1:8302/ebis
</Location>
</VirtualHost>
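Before deploying an allowlist like the <Proxy *> block in Restrict Reverse Proxy or the <Location /ebis> block above, it is worth checking which client addresses it actually admits. The following is an added example, not code from the original page or from Apache: it parses the stanza (embedded here as a constructed sample) and evaluates the mod_access_compat Order/Deny/Allow rules for a given client address, including Apache's partial dotted-quad form such as 192.168.0; hostname rules are not modelled.

```python
import ipaddress

# Constructed sample: the <Location /ebis> stanza from the config above.
SAMPLE_STANZA = """<Location /ebis>
Order Deny,Allow
Deny from all
Allow from ::1
Allow from 100.43.0
Allow from 127.0.0.1
Allow from 192.168.0
ProxyPass http://127.0.0.1:8302/ebis nocanon
ProxyPassReverse http://127.0.0.1:8302/ebis
</Location>
"""

def parse_access_rules(stanza):
    """Collect the Order, 'Deny from' and 'Allow from' arguments of one stanza."""
    order, deny, allow = "Deny,Allow", [], []  # Deny,Allow is Apache's default Order
    for line in stanza.splitlines():
        parts = line.split()
        key = parts[0].lower() if parts else ""
        if key == "order":
            order = parts[1]
        elif key in ("deny", "allow") and len(parts) > 2 and parts[1].lower() == "from":
            (deny if key == "deny" else allow).extend(parts[2:])
    return order, deny, allow

def rule_matches(rule, client_ip):
    """Match one 'from' argument: all, CIDR/netmask, full address or partial dotted quad."""
    addr = ipaddress.ip_address(client_ip)
    if rule.lower() == "all":
        return True
    octets = rule.split(".")
    numeric = all(o.isdigit() for o in octets)
    if "/" in rule or ":" in rule or (numeric and len(octets) == 4):
        return addr in ipaddress.ip_network(rule, strict=False)  # CIDR, netmask or one host
    if not numeric or addr.version != 4:
        return False  # hostname rules need reverse DNS and are not modelled here
    # Partial dotted quad: "192.168.0" matches 192.168.0.x, "100.43.0" matches 100.43.0.x
    return [int(o) for o in client_ip.split(".")[:len(octets)]] == [int(o) for o in octets]

def is_allowed(order, deny, allow, client_ip):
    """Evaluate mod_access_compat's Order/Deny/Allow for one client address."""
    denied = any(rule_matches(r, client_ip) for r in deny)
    allowed = any(rule_matches(r, client_ip) for r in allow)
    if order == "Deny,Allow":  # Deny evaluated first, Allow overrides, default is permit
        return allowed or not denied
    if order == "Allow,Deny":  # Allow evaluated first, Deny overrides, default is reject
        return allowed and not denied
    raise ValueError("unsupported Order: " + order)

def client_allowed(stanza, client_ip):
    """Parse a stanza and decide whether client_ip may reach the proxied path."""
    return is_allowed(*parse_access_rules(stanza), client_ip)
```

Because Order Deny,Allow permits by default, dropping the Deny from all line opens the block to every client: is_allowed("Deny,Allow", [], ["127.0.0.1"], ip) returns True for any ip.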
Check Apache Config
apachectl -t
# apachectl restart
systemctl restart httpd
# SELinux: allow httpd to open network connections to the backend ports
setsebool -P httpd_can_network_connect on
Check Reverse Proxy
All configuration is done. Now check whether you can access http://dev.chorke.org/init/ through the proxy, instead of http://dev.chorke.org:8304/init. Then you should prevent direct access to http://dev.chorke.org:8304/init. All of the HTTP ports should start with 83 and the integration ports with 13.
Proxy Port Convention
#830 port prefix for TCP
8300 for amqp console
8301 for mqtt console
8302 for ebis console
8303 for fhir console
8304 for init console

#150 port prefix for TCP
1500 for amqp management
1501 for mqtt management
1502 for ebis management
1503 for fhir management
1504 for init management

#831 port prefix for TLS
8310 for amqp console
8311 for mqtt console
8312 for ebis console
8313 for fhir console
8314 for init console

#151 port prefix for TLS
1510 for amqp management
1511 for mqtt management
1512 for ebis management
1513 for fhir management
1514 for init management

#130 port prefix for TCP
1300 for amqp service
1301 for mqtt service
1302 for ebis service
1303 for fhir service
1304 for init service

#131 port prefix for TLS
1310 for amqp service
1311 for mqtt service
1312 for ebis service
1313 for fhir service
1314 for init service
Knowledge
nocanon: Normally, mod_proxy will canonicalise ProxyPassed URLs. But this may be incompatible with some backends, particularly those that make use of PATH_INFO. The optional nocanon keyword suppresses this and passes the URL path "raw" to the backend. Note that this keyword may affect the security of your backend, as it removes the normal limited protection against URL-based attacks provided by the proxy.
noquery: Normally, mod_proxy will include the query string when generating the SCRIPT_FILENAME environment variable. The optional noquery keyword (available in httpd 2.4.1 and later) prevents this.
interpolate: The optional interpolate keyword, in combination with ProxyPassInterpolateEnv, causes the ProxyPass to interpolate environment variables, using the syntax ${VARNAME}. Note that many of the standard CGI-derived environment variables will not exist when this interpolation happens, so you may still have to resort to mod_rewrite for complex rules. Also note that interpolation is supported within the scheme/hostname/port portion of a URL only for variables that are available when the directive is parsed (like Define). Dynamic determination of those fields can be accomplished with mod_rewrite. The following example describes how to use mod_rewrite to dynamically set the scheme to http or https: