DigitalOcean Reverse Proxy: Difference between revisions
Jump to navigation
Jump to search
| Line 34: | Line 34: | ||
In case the modules are not enabled, you can enable them by opening the <code>/etc/httpd/conf.modules.d/00-proxy.conf</code> with '''vi, vim''' or '''nano''' | In case the modules are not enabled, you can enable them by opening the <code>/etc/httpd/conf.modules.d/00-proxy.conf</code> with '''vi, vim''' or '''nano''' | ||
== Config Reverse Proxy == | == Config Reverse Proxy == | ||
<syntaxhighlight lang="http"> | |||
# /etc/httpd/conf.d/httpd-proxy.conf | |||
<VirtualHost *:80> | |||
ProxyPreserveHost On | |||
ProxyRequests Off | |||
AllowEncodedSlashes Off | |||
ServerName dev.chorke.org | |||
ServerAlias uat.chorke.org | |||
# proxy for amqp | |||
ProxyPass /amqp http://127.0.0.1:8300/amqp nocanon | |||
ProxyPassReverse /amqp http://127.0.0.1:8300/amqp | |||
# proxy for mqtt | |||
ProxyPass /mqtt http://127.0.0.1:8301/mqtt nocanon | |||
ProxyPassReverse /mqtt http://127.0.0.1:8301/mqtt | |||
# proxy for ebis | |||
ProxyPass /ebis http://127.0.0.1:8302/ebis nocanon | |||
ProxyPassReverse /ebis http://127.0.0.1:8302/ebis | |||
# proxy for fhir | |||
ProxyPass /fhir http://127.0.0.1:8303/fhir nocanon | |||
ProxyPassReverse /fhir http://127.0.0.1:8303/fhir | |||
# proxy for init | |||
ProxyPass /init http://127.0.0.1:8304/init nocanon | |||
ProxyPassReverse /init http://127.0.0.1:8304/init | |||
</VirtualHost> | |||
</syntaxhighlight> | |||
== Restrict Reverse Proxy == | |||
<syntaxhighlight lang="http"> | <syntaxhighlight lang="http"> | ||
# /etc/httpd/conf.d/httpd-proxy.conf | # /etc/httpd/conf.d/httpd-proxy.conf | ||
| Line 52: | Line 84: | ||
Allow from 192.168.0 | Allow from 192.168.0 | ||
</Proxy> | </Proxy> | ||
# proxy for ebis | # proxy for ebis | ||
| Line 72: | Line 96: | ||
ProxyPass /init http://127.0.0.1:8304/init nocanon | ProxyPass /init http://127.0.0.1:8304/init nocanon | ||
ProxyPassReverse /init http://127.0.0.1:8304/init | ProxyPassReverse /init http://127.0.0.1:8304/init | ||
</VirtualHost> | |||
</syntaxhighlight> | |||
== Restrict Proxy Location == | |||
<syntaxhighlight lang="http"> | |||
# /etc/httpd/conf.d/httpd-proxy.conf | |||
<VirtualHost *:80> | |||
ProxyPreserveHost On | |||
ProxyRequests Off | |||
AllowEncodedSlashes Off | |||
ServerName dev.chorke.org | |||
ServerAlias uat.chorke.org | |||
# proxy for amqp | |||
ProxyPass /amqp http://127.0.0.1:8300/amqp nocanon | |||
ProxyPassReverse /amqp http://127.0.0.1:8300/amqp | |||
# proxy for mqtt | |||
ProxyPass /mqtt http://127.0.0.1:8301/mqtt nocanon | |||
ProxyPassReverse /mqtt http://127.0.0.1:8301/mqtt | |||
# proxy for ebis | |||
<Location /ebis> | |||
Order Deny,Allow | |||
Deny from all | |||
Allow from ::1 | |||
Allow from 100.43.0 | |||
Allow from 127.0.0.1 | |||
Allow from 192.168.0 | |||
ProxyPass http://127.0.0.1:8302/ebis nocanon | |||
ProxyPassReverse http://127.0.0.1:8302/ebis | |||
</Location> | |||
</VirtualHost> | </VirtualHost> | ||
</syntaxhighlight> | </syntaxhighlight> | ||
Revision as of 19:40, 29 January 2019
Why Reverse Proxy
A reverse proxy is a type of proxy server that takes HTTP(S) requests and transparently distributes them to one or more backend servers. Reverse proxies are useful because many modern web applications process incoming HTTP requests using backend application servers which aren't meant to be accessed by users directly and often only support rudimentary HTTP features. You can use a reverse proxy to prevent these underlying application servers from being directly accessed. They can also be used to distribute the load from incoming requests to several different application servers, increasing performance at scale and providing fail-safeness. They can fill in the gaps with features the application servers don't offer, such as caching, compression, or SSL encryption too.
Prerequisites
- CentOS 7 Droplet with root/sudo access
- Apache 2 installed on your CentOS 7
- Optionally, the nano/vim text editor
yum install httpd apachectl restart systemctl status httpd apachectl -t
Required Modules
The modules that are needed to use Apache as a reverse proxy include mod_proxy itself and several of its add-on modules, which extend its functionality to support different network protocols. Specifically, we will be using:
mod_proxy, the main proxy module Apache module for redirecting connections; it allows Apache to act as a gateway to the underlying application servers.mod_proxy_http, which adds support for proxying HTTP connections.mod_proxy_balancerandmod_lbmethod_byrequests, which add load balancing features for multiple backend servers.
The command output will list all enabled Apache modules. The four lines you're looking for are the aforementioned module names:
httpd -M # console output proxy_module (shared) .... more .... lbmethod_byrequests_module (shared) .... more .... proxy_balancer_module (shared) proxy_http_module (shared) .... more ....
In case the modules are not enabled, you can enable them by opening the /etc/httpd/conf.modules.d/00-proxy.conf with vi, vim or nano
Config Reverse Proxy
# /etc/httpd/conf.d/httpd-proxy.conf
<VirtualHost *:80>
ProxyPreserveHost On
ProxyRequests Off
AllowEncodedSlashes Off
ServerName dev.chorke.org
ServerAlias uat.chorke.org
# proxy for amqp
ProxyPass /amqp http://127.0.0.1:8300/amqp nocanon
ProxyPassReverse /amqp http://127.0.0.1:8300/amqp
# proxy for mqtt
ProxyPass /mqtt http://127.0.0.1:8301/mqtt nocanon
ProxyPassReverse /mqtt http://127.0.0.1:8301/mqtt
# proxy for ebis
ProxyPass /ebis http://127.0.0.1:8302/ebis nocanon
ProxyPassReverse /ebis http://127.0.0.1:8302/ebis
# proxy for fhir
ProxyPass /fhir http://127.0.0.1:8303/fhir nocanon
ProxyPassReverse /fhir http://127.0.0.1:8303/fhir
# proxy for init
ProxyPass /init http://127.0.0.1:8304/init nocanon
ProxyPassReverse /init http://127.0.0.1:8304/init
</VirtualHost>
Restrict Reverse Proxy
# /etc/httpd/conf.d/httpd-proxy.conf
<VirtualHost *:80>
ProxyPreserveHost On
ProxyRequests Off
AllowEncodedSlashes Off
ServerName dev.chorke.org
ServerAlias uat.chorke.org
<Proxy *>
Order Deny,Allow
Deny from all
Allow from ::1
Allow from 100.43.0
Allow from 127.0.0.1
Allow from 192.168.0
</Proxy>
# proxy for ebis
ProxyPass /ebis http://127.0.0.1:8302/ebis nocanon
ProxyPassReverse /ebis http://127.0.0.1:8302/ebis
# proxy for fhir
ProxyPass /fhir http://127.0.0.1:8303/fhir nocanon
ProxyPassReverse /fhir http://127.0.0.1:8303/fhir
# proxy for init
ProxyPass /init http://127.0.0.1:8304/init nocanon
ProxyPassReverse /init http://127.0.0.1:8304/init
</VirtualHost>
Restrict Proxy Location
# /etc/httpd/conf.d/httpd-proxy.conf
<VirtualHost *:80>
ProxyPreserveHost On
ProxyRequests Off
AllowEncodedSlashes Off
ServerName dev.chorke.org
ServerAlias uat.chorke.org
# proxy for amqp
ProxyPass /amqp http://127.0.0.1:8300/amqp nocanon
ProxyPassReverse /amqp http://127.0.0.1:8300/amqp
# proxy for mqtt
ProxyPass /mqtt http://127.0.0.1:8301/mqtt nocanon
ProxyPassReverse /mqtt http://127.0.0.1:8301/mqtt
# proxy for ebis
<Location /ebis>
Order Deny,Allow
Deny from all
Allow from ::1
Allow from 100.43.0
Allow from 127.0.0.1
Allow from 192.168.0
ProxyPass http://127.0.0.1:8302/ebis nocanon
ProxyPassReverse http://127.0.0.1:8302/ebis
</Location>
</VirtualHost>
Check Apache Config
apachectl -t # apachectl restart systemctl restart httpd
# grant network connection to apache setsebool -P httpd_can_network_connect on
Check Reverse Proxy
All configuration done! Right now need to check either your are able access http://dev.chorke.org/init/ or not, instead of http://dev.chorke.org:8304/init. Then you should prevent direct access to http://dev.chorke.org:8304/init.