You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Pranav Desai <pr...@gmail.com> on 2009/02/13 03:50:36 UTC
Transparent proxy setup works fine, but want to confirm the settings
Hello All,
I am trying to setup Apache 2.2.9 as a transparent proxy. So that the
users don't have to configure their browsers. Now the URLs coming in
are relative for transparent proxy, so normally apache tries to look
it up on the filesystem and it obviously fails. So I added a
RewriteRule to convert the relative to absolute URLs.
RewriteEngine On
RewriteRule ^/(.*) http://%{HTTP_HOST}/$1 [P]
RewriteLog "logs/rewrite_log"
RewriteLogLevel 5
Now, it works perfectly for all traffic expect the one that is
destined for the server itself. E.g.
http://<apache_proxy_ip>:<port>/
Whenever I access the above link, the rewrite engine loops and the
server reaches the MaxClient. I have included the log below.
So, I added some conditions to not apply the RewriteRule for HOST
destined to the server.
RewriteCond %{HTTP_HOST} !10.1.0.206.*
RewriteRule ^/(.*) http://%{HTTP_HOST}/$1 [P]
I wanted to confirm if this is the right way to do transparent proxy
or is there a better way to make it more solid ?
Just to mention, I want it to act primarily like a proxy server, so
losing/blocking all webserver functionality is also fine, as long as I
get the /server-status page. But I dont want a single url to fail the
server. So I will be fine if there is a better way to get the
transparency working while affecting the webserver.
Thanks for your time.
-- Pranav
============== lots of these message in the rewrite_log ===============
10.1.0.156 - - [12/Feb/2009:17:51:09 --0800]
[10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (2) init rewrite
engine with requested uri /
10.1.0.156 - - [12/Feb/2009:17:51:09 --0800]
[10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (3) applying pattern
'^/(.*)' to uri '/'
10.1.0.156 - - [12/Feb/2009:17:51:09 --0800]
[10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (4) RewriteCond:
input='/' pattern='!^/server.
*' => matched
10.1.0.156 - - [12/Feb/2009:17:51:09 --0800]
[10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (2) rewrite '/' ->
'http://10.1.0.206:2901/'
10.1.0.156 - - [12/Feb/2009:17:51:09 --0800]
[10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (2) forcing
proxy-throughput with http://10.1.
0.206:2901/
10.1.0.156 - - [12/Feb/2009:17:51:09 --0800]
[10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (1) go-ahead with
proxy request proxy:http://1
0.1.0.206:2901/ [OK]
10.1.0.206 - - [12/Feb/2009:17:51:09 --0800]
[10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (2) init rewrite
engine with requested uri /
10.1.0.206 - - [12/Feb/2009:17:51:09 --0800]
[10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (3) applying pattern
'^/(.*)' to uri '/'
10.1.0.206 - - [12/Feb/2009:17:51:09 --0800]
[10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (4) RewriteCond:
input='/' pattern='!^/server.
*' => matched
10.1.0.206 - - [12/Feb/2009:17:51:09 --0800]
[10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (2) rewrite '/' ->
'http://10.1.0.206:2901/'
10.1.0.206 - - [12/Feb/2009:17:51:09 --0800]
[10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (2) forcing
proxy-throughput with http://10.1.
0.206:2901/
10.1.0.206 - - [12/Feb/2009:17:51:09 --0800]
[10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (1) go-ahead with
proxy request proxy:http://1
0.1.0.206:2901/ [OK]
Re: Transparent proxy setup works fine, but want to confirm the
settings
Posted by Jeff Sadowski <je...@gmail.com>.
I've never used Apache as a transparent proxy I've always used squid.
On Thu, Feb 12, 2009 at 7:50 PM, Pranav Desai <pr...@gmail.com> wrote:
> Hello All,
>
> I am trying to setup Apache 2.2.9 as a transparent proxy. So that the
> users don't have to configure their browsers. Now the URLs coming in
> are relative for transparent proxy, so normally apache tries to look
> it up on the filesystem and it obviously fails. So I added a
> RewriteRule to convert the relative to absolute URLs.
>
> RewriteEngine On
> RewriteRule ^/(.*) http://%{HTTP_HOST}/$1 [P]
> RewriteLog "logs/rewrite_log"
> RewriteLogLevel 5
>
> Now, it works perfectly for all traffic expect the one that is
> destined for the server itself. E.g.
> http://<apache_proxy_ip>:<port>/
>
> Whenever I access the above link, the rewrite engine loops and the
> server reaches the MaxClient. I have included the log below.
>
> So, I added some conditions to not apply the RewriteRule for HOST
> destined to the server.
> RewriteCond %{HTTP_HOST} !10.1.0.206.*
> RewriteRule ^/(.*) http://%{HTTP_HOST}/$1 [P]
>
> I wanted to confirm if this is the right way to do transparent proxy
> or is there a better way to make it more solid ?
>
> Just to mention, I want it to act primarily like a proxy server, so
> losing/blocking all webserver functionality is also fine, as long as I
> get the /server-status page. But I dont want a single url to fail the
> server. So I will be fine if there is a better way to get the
> transparency working while affecting the webserver.
>
> Thanks for your time.
>
> -- Pranav
>
>
> ============== lots of these message in the rewrite_log ===============
> 10.1.0.156 - - [12/Feb/2009:17:51:09 --0800]
> [10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (2) init rewrite
> engine with requested uri /
> 10.1.0.156 - - [12/Feb/2009:17:51:09 --0800]
> [10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (3) applying pattern
> '^/(.*)' to uri '/'
> 10.1.0.156 - - [12/Feb/2009:17:51:09 --0800]
> [10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (4) RewriteCond:
> input='/' pattern='!^/server.
> *' => matched
> 10.1.0.156 - - [12/Feb/2009:17:51:09 --0800]
> [10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (2) rewrite '/' ->
> 'http://10.1.0.206:2901/'
> 10.1.0.156 - - [12/Feb/2009:17:51:09 --0800]
> [10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (2) forcing
> proxy-throughput with http://10.1.
> 0.206:2901/
> 10.1.0.156 - - [12/Feb/2009:17:51:09 --0800]
> [10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (1) go-ahead with
> proxy request proxy:http://1
> 0.1.0.206:2901/ [OK]
> 10.1.0.206 - - [12/Feb/2009:17:51:09 --0800]
> [10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (2) init rewrite
> engine with requested uri /
> 10.1.0.206 - - [12/Feb/2009:17:51:09 --0800]
> [10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (3) applying pattern
> '^/(.*)' to uri '/'
> 10.1.0.206 - - [12/Feb/2009:17:51:09 --0800]
> [10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (4) RewriteCond:
> input='/' pattern='!^/server.
> *' => matched
> 10.1.0.206 - - [12/Feb/2009:17:51:09 --0800]
> [10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (2) rewrite '/' ->
> 'http://10.1.0.206:2901/'
> 10.1.0.206 - - [12/Feb/2009:17:51:09 --0800]
> [10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (2) forcing
> proxy-throughput with http://10.1.
> 0.206:2901/
> 10.1.0.206 - - [12/Feb/2009:17:51:09 --0800]
> [10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (1) go-ahead with
> proxy request proxy:http://1
> 0.1.0.206:2901/ [OK]
>
Re: Transparent proxy setup works fine, but want to confirm the
settings
Posted by Pranav Desai <pr...@gmail.com>.
On Sat, Feb 14, 2009 at 1:03 PM, Ruediger Pluem <rp...@apache.org> wrote:
>
>
> On 02/14/2009 08:59 PM, Rainer Jung wrote:
>
>>
>> If you do reverse proxy only via RewriteRule, then you end up using no
>> connection pool (i.e. no persistent connections) to the HTTP_HOSTs. In
>> case there are only few of those (or few that carry the most load), you
>> would better define a connection pool to them with ProxyPass. If you
>> want to keep your rewrite construction, you can use a URL in ProxyPass,
>> which you know won't really occur:
>>
>> ProxyPass /does/not/exist http://most.important.host/ smax=... ...
>
> He is doing forward proxying here and not reverse proxying.
> In order to create a pool IMHO the better approach is
>
> <Proxy http://most.important.host/>
> ProxySet smax=...
> </Proxy>
>
I am confused a bit here.
With the RewriteRule I mentioned earlier will I lose persistent
connections for transparent proxy connections ?
And the above settings in addition to the RewriteRules will help in
getting persistent connections ... ?
-- Pranav
> Regards
>
> RĂ¼diger
>
Re: Transparent proxy setup works fine, but want to confirm the settings
Posted by Ruediger Pluem <rp...@apache.org>.
On 02/14/2009 08:59 PM, Rainer Jung wrote:
>
> If you do reverse proxy only via RewriteRule, then you end up using no
> connection pool (i.e. no persistent connections) to the HTTP_HOSTs. In
> case there are only few of those (or few that carry the most load), you
> would better define a connection pool to them with ProxyPass. If you
> want to keep your rewrite construction, you can use a URL in ProxyPass,
> which you know won't really occur:
>
> ProxyPass /does/not/exist http://most.important.host/ smax=... ...
He is doing forward proxying here and not reverse proxying.
In order to create a pool IMHO the better approach is
<Proxy http://most.important.host/>
ProxySet smax=...
</Proxy>
Regards
RĂ¼diger
Re: Transparent proxy setup works fine, but want to confirm the settings
Posted by Rainer Jung <ra...@kippdata.de>.
On 14.02.2009 01:46, Pranav Desai wrote:
> On Fri, Feb 13, 2009 at 1:26 AM, Graham Leggett<mi...@sharp.fm> wrote:
>> Pranav Desai wrote:
>>
>>> I am trying to setup Apache 2.2.9 as a transparent proxy. So that the
>>> users don't have to configure their browsers. Now the URLs coming in
>>> are relative for transparent proxy, so normally apache tries to look
>>> it up on the filesystem and it obviously fails. So I added a
>>> RewriteRule to convert the relative to absolute URLs.
>>>
>>> RewriteEngine On
>>> RewriteRule ^/(.*) http://%{HTTP_HOST}/$1 [P]
>>> RewriteLog "logs/rewrite_log"
>>> RewriteLogLevel 5
>>>
>>> Now, it works perfectly for all traffic expect the one that is
>>> destined for the server itself. E.g.
>>> http://<apache_proxy_ip>:<port>/
>>>
>>> Whenever I access the above link, the rewrite engine loops and the
>>> server reaches the MaxClient. I have included the log below.
>> That would make perfect sense though, you are asking the server to send you
>> to the server prefixed with the host header, and when you use the hostname
>> of the proxy server itself, you create a loop by definition, which means...
>>
>>> So, I added some conditions to not apply the RewriteRule for HOST
>>> destined to the server.
>>> RewriteCond %{HTTP_HOST} !10.1.0.206.*
>>> RewriteRule ^/(.*) http://%{HTTP_HOST}/$1 [P]
>> ...this is a sensible workaround.
>>
>>> I wanted to confirm if this is the right way to do transparent proxy
>>> or is there a better way to make it more solid ?
>> In theory this will work as is, I am not sure whether there is an option in
>> the proxy to do this natively without the need for rewrite.
>>
>
> I checked the proxy, and there isn't anything to specifically do this,
> but maybe I could have used some ReverseProxy config to get the same
> behavior, but I thought RewriteRule was a bit cleaner.
If you do reverse proxy only via RewriteRule, then you end up using no
connection pool (i.e. no persistent connections) to the HTTP_HOSTs. In
case there are only few of those (or few that carry the most load), you
would better define a connection pool to them with ProxyPass. If you
want to keep your rewrite construction, you can use a URL in ProxyPass,
which you know won't really occur:
ProxyPass /does/not/exist http://most.important.host/ smax=... ...
Regards,
Rainer
Re: Transparent proxy setup works fine, but want to confirm the
settings
Posted by Pranav Desai <pr...@gmail.com>.
On Fri, Feb 13, 2009 at 1:26 AM, Graham Leggett <mi...@sharp.fm> wrote:
> Pranav Desai wrote:
>
>> I am trying to setup Apache 2.2.9 as a transparent proxy. So that the
>> users don't have to configure their browsers. Now the URLs coming in
>> are relative for transparent proxy, so normally apache tries to look
>> it up on the filesystem and it obviously fails. So I added a
>> RewriteRule to convert the relative to absolute URLs.
>>
>> RewriteEngine On
>> RewriteRule ^/(.*) http://%{HTTP_HOST}/$1 [P]
>> RewriteLog "logs/rewrite_log"
>> RewriteLogLevel 5
>>
>> Now, it works perfectly for all traffic expect the one that is
>> destined for the server itself. E.g.
>> http://<apache_proxy_ip>:<port>/
>>
>> Whenever I access the above link, the rewrite engine loops and the
>> server reaches the MaxClient. I have included the log below.
>
> That would make perfect sense though, you are asking the server to send you
> to the server prefixed with the host header, and when you use the hostname
> of the proxy server itself, you create a loop by definition, which means...
>
>> So, I added some conditions to not apply the RewriteRule for HOST
>> destined to the server.
>> RewriteCond %{HTTP_HOST} !10.1.0.206.*
>> RewriteRule ^/(.*) http://%{HTTP_HOST}/$1 [P]
>
> ...this is a sensible workaround.
>
>> I wanted to confirm if this is the right way to do transparent proxy
>> or is there a better way to make it more solid ?
>
> In theory this will work as is, I am not sure whether there is an option in
> the proxy to do this natively without the need for rewrite.
>
I checked the proxy, and there isn't anything to specifically do this,
but maybe I could have used some ReverseProxy config to get the same
behavior, but I thought RewriteRule was a bit cleaner.
-- Pranav
> Regards,
> Graham
> --
>
Re: Transparent proxy setup works fine, but want to confirm the settings
Posted by Graham Leggett <mi...@sharp.fm>.
Pranav Desai wrote:
> I am trying to setup Apache 2.2.9 as a transparent proxy. So that the
> users don't have to configure their browsers. Now the URLs coming in
> are relative for transparent proxy, so normally apache tries to look
> it up on the filesystem and it obviously fails. So I added a
> RewriteRule to convert the relative to absolute URLs.
>
> RewriteEngine On
> RewriteRule ^/(.*) http://%{HTTP_HOST}/$1 [P]
> RewriteLog "logs/rewrite_log"
> RewriteLogLevel 5
>
> Now, it works perfectly for all traffic expect the one that is
> destined for the server itself. E.g.
> http://<apache_proxy_ip>:<port>/
>
> Whenever I access the above link, the rewrite engine loops and the
> server reaches the MaxClient. I have included the log below.
That would make perfect sense though, you are asking the server to send
you to the server prefixed with the host header, and when you use the
hostname of the proxy server itself, you create a loop by definition,
which means...
> So, I added some conditions to not apply the RewriteRule for HOST
> destined to the server.
> RewriteCond %{HTTP_HOST} !10.1.0.206.*
> RewriteRule ^/(.*) http://%{HTTP_HOST}/$1 [P]
...this is a sensible workaround.
> I wanted to confirm if this is the right way to do transparent proxy
> or is there a better way to make it more solid ?
In theory this will work as is, I am not sure whether there is an option
in the proxy to do this natively without the need for rewrite.
Regards,
Graham
--
Re: Transparent proxy setup works fine, but want to confirm the
settings
Posted by dreamice <dr...@gmail.com>.
Could you show the configuration detail of your Transparent proxy?
I really want to test this case.
Thanks.
Pranav Desai wrote:
>
> Hello All,
>
> I am trying to setup Apache 2.2.9 as a transparent proxy. So that the
> users don't have to configure their browsers. Now the URLs coming in
> are relative for transparent proxy, so normally apache tries to look
> it up on the filesystem and it obviously fails. So I added a
> RewriteRule to convert the relative to absolute URLs.
>
> RewriteEngine On
> RewriteRule ^/(.*) http://%{HTTP_HOST}/$1 [P]
> RewriteLog "logs/rewrite_log"
> RewriteLogLevel 5
>
> Now, it works perfectly for all traffic expect the one that is
> destined for the server itself. E.g.
> http://<apache_proxy_ip>:<port>/
>
> Whenever I access the above link, the rewrite engine loops and the
> server reaches the MaxClient. I have included the log below.
>
> So, I added some conditions to not apply the RewriteRule for HOST
> destined to the server.
> RewriteCond %{HTTP_HOST} !10.1.0.206.*
> RewriteRule ^/(.*) http://%{HTTP_HOST}/$1 [P]
>
> I wanted to confirm if this is the right way to do transparent proxy
> or is there a better way to make it more solid ?
>
> Just to mention, I want it to act primarily like a proxy server, so
> losing/blocking all webserver functionality is also fine, as long as I
> get the /server-status page. But I dont want a single url to fail the
> server. So I will be fine if there is a better way to get the
> transparency working while affecting the webserver.
>
> Thanks for your time.
>
> -- Pranav
>
>
> ============== lots of these message in the rewrite_log ===============
> 10.1.0.156 - - [12/Feb/2009:17:51:09 --0800]
> [10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (2) init rewrite
> engine with requested uri /
> 10.1.0.156 - - [12/Feb/2009:17:51:09 --0800]
> [10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (3) applying pattern
> '^/(.*)' to uri '/'
> 10.1.0.156 - - [12/Feb/2009:17:51:09 --0800]
> [10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (4) RewriteCond:
> input='/' pattern='!^/server.
> *' => matched
> 10.1.0.156 - - [12/Feb/2009:17:51:09 --0800]
> [10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (2) rewrite '/' ->
> 'http://10.1.0.206:2901/'
> 10.1.0.156 - - [12/Feb/2009:17:51:09 --0800]
> [10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (2) forcing
> proxy-throughput with http://10.1.
> 0.206:2901/
> 10.1.0.156 - - [12/Feb/2009:17:51:09 --0800]
> [10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (1) go-ahead with
> proxy request proxy:http://1
> 0.1.0.206:2901/ [OK]
> 10.1.0.206 - - [12/Feb/2009:17:51:09 --0800]
> [10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (2) init rewrite
> engine with requested uri /
> 10.1.0.206 - - [12/Feb/2009:17:51:09 --0800]
> [10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (3) applying pattern
> '^/(.*)' to uri '/'
> 10.1.0.206 - - [12/Feb/2009:17:51:09 --0800]
> [10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (4) RewriteCond:
> input='/' pattern='!^/server.
> *' => matched
> 10.1.0.206 - - [12/Feb/2009:17:51:09 --0800]
> [10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (2) rewrite '/' ->
> 'http://10.1.0.206:2901/'
> 10.1.0.206 - - [12/Feb/2009:17:51:09 --0800]
> [10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (2) forcing
> proxy-throughput with http://10.1.
> 0.206:2901/
> 10.1.0.206 - - [12/Feb/2009:17:51:09 --0800]
> [10.1.0.206/sid#1a5bdab8][rid#1a6d66b8/initial] (1) go-ahead with
> proxy request proxy:http://1
> 0.1.0.206:2901/ [OK]
>
>
--
View this message in context: http://www.nabble.com/Transparent-proxy-setup-works-fine%2C-but-want-to-confirm-the-settings-tp21989245p22157118.html
Sent from the Apache HTTP Server - Dev mailing list archive at Nabble.com.