Posted to users@httpd.apache.org by Vincent Blondel <vi...@xtra-net.org> on 2005/03/15 11:29:53 UTC

[users@httpd] reverse proxy configuration.

Hi all,

We recently decided to set up a dmz in our infrastructure and I have
chosen to use openbsd 3.6 with built in apache 1.3.29 ( compiled and
hardened by the OpenBSD team ) with mod_proxy / mod_security and
mod_rewrite.

So before setting up all this in the real world, I currently spend my
time getting this configuration to work in our development LAN.

So let's imagine I have the following infrastructure:

  reverse proxy                     real internal web server
rproxy1.example.net    ----->   iweb1.example.net ( example.org )
  192.168.1.25:80                      192.168.1.19:80

So, as you can see, we just would like to forward all incoming internet
traffic ( port 80 ) from our external web server ( rproxy1.example.net )
to our internal web server ( iweb1.example.net ).

iweb1.example.net hosts example.net and example.org ( configured by
VirtualHost ). iweb1 runs with FreeBSD 4.10 and apache 1.3.33. One last
detail: we do not use any firewall in this configuration. This is just to
make the configuration easier.

So I am trying a configuration but it doesn't work. Please find the
configuration below.

### Begin httpd.conf ########################################

# $Id$
#

### Section 1: Global Environment
ServerType standalone

# Do NOT add a slash at the end of the directory path.
ServerRoot "/var/www"

#LockFile logs/accept.lock
PidFile logs/httpd.pid
ScoreBoardFile logs/apache_runtime_status

Timeout 300
KeepAlive On
MaxKeepAliveRequests 100
KeepAliveTimeout 15

MinSpareServers 5
MaxSpareServers 10
StartServers 5
MaxClients 150
MaxRequestsPerChild 0
BindAddress rproxy1

# Dynamic Shared Object (DSO) Support
# Note: The order is which modules are loaded is important. Don't change
# the order below without expert advice.
LoadModule proxy_module /usr/lib/apache/modules/libproxy.so

#ExtendedStatus On


### Section 2: 'Main' server configuration
Port 80

## SSL Support
<IfDefine SSL>
  Listen 80
  Listen 443
</IfDefine>

# If you wish httpd to run as a different user or group, you must run
# httpd as root initially and it will switch.
User www
Group www

ServerAdmin webmaster@example.net
ServerName rproxy1.example.net
DocumentRoot "/var/www/htdocs"

# First, we configure the "default" to be a very restrictive set of
# permissions.

<Directory />
  Options FollowSymLinks
  AllowOverride None
  Order deny,allow
  Deny from all
</Directory>

#CacheNegotiatedDocs
UseCanonicalName On

TypesConfig conf/mime.types
DefaultType text/plain

<IfModule mod_mime_magic.c>
  MIMEMagicFile conf/magic
</IfModule>

HostnameLookups Off
ErrorLog logs/error_log
LogLevel warn

LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

#CustomLog logs/access_log common
#CustomLog logs/referer_log referer
#CustomLog logs/agent_log agent
CustomLog logs/access_log combined

ServerSignature Off

###
# Proxy Server directives. Uncomment the following lines to
# enable the proxy server:
#
<IfModule mod_proxy.c>
  ProxyRequests On

  <Directory proxy:*>
    Order deny,allow
    Deny from all
    # Allow from .your_domain.com
  </Directory>

  <Directory proxy:http://www.example.net/>
    Order deny,allow
    Allow from all
  </Directory>

  <Directory proxy:http://www.example.org/>
    Order deny,allow
    Allow from all
  </Directory>

  # Enable/disable the handling of HTTP/1.1 "Via:" headers.
  # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
  # Set to one of: Off | On | Full | Block
  ProxyVia On

  #
  # To enable the cache as well, edit and uncomment the following lines:
  # (no cacheing without CacheRoot)
  #
  #CacheRoot "/var/www/proxy/cache"
  #CacheSize 5
  #CacheGcInterval 4
  #CacheMaxExpire 24
  #CacheLastModifiedFactor 0.1
  #CacheDefaultExpire 1
  #NoCache a_domain.com another_domain.edu joes.garage_sale.com
</IfModule>
# End of proxy directives.


###
# IndexIgnore is a set of filenames which directory indexing should ignore
# and not include in the listing. Shell-style wildcarding is permitted.
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t
#

# AddEncoding allows you to have certain browsers (Mosaic/X 2.1+) uncompress
# information on the fly. Note: Not all browsers support this.
# Despite the name similarity, the following Add* directives have nothing
# to do with the FancyIndexing customization directives above.
#
AddEncoding x-compress Z
AddEncoding x-gzip gz

#
# Customizable error response (Apache style)
# these come in three flavors
#
# 1) plain text
#ErrorDocument 500 "The server made a boo boo.
# n.b. the (") marks it as text, it does not get output
#
# 2) local redirects
#ErrorDocument 404 /missing.html
# to redirect to local URL /missing.html
#ErrorDocument 404 /cgi-bin/missing_handler.pl
# N.B.: You can redirect to a script or a document using server-sideincludes.
#
# 3) external redirects
#ErrorDocument 402 http://some.other_server.com/subscription_info.html
# N.B.: Many of the environment variables associated with the original
# request will *not* be available to such a script.

# Built-in Broken Browser Tweaks
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4\.0b2;" nokeepalive downgrade-1.0 force-response-1.0
BrowserMatch "RealPlayer 4\.0" force-response-1.0
BrowserMatch "Java/1\.0" force-response-1.0
BrowserMatch "JDK/1\.0" force-response-1.0


### Section 3: Virtual Hosts
# If you want to use name-based virtual hosts you need to define at
# least one IP address (and port number) for them.

NameVirtualHost rproxy1

<VirtualHost rproxy1>
  ServerName www.example.net
  ProxyPass / http://iweb1/
  ProxyPassReverse / http://iweb1/
  # CustomLog logs/iweb1.access_log combined
  <Location />
    Order allow,deny
    Allow from all
  </Location>
</VirtualHost>

<VirtualHost rproxy1>
  ServerName www.example.org
  ProxyPass / http://iweb1/
  ProxyPassReverse / http://iweb1/
  # CustomLog logs/iweb1.access_log combined
  <Location />
    Order allow,deny
    Allow from all
  </Location>
</VirtualHost>

## SSL Global Context
## All SSL configuration in this context applies both to
## the main server and all SSL-enabled virtual hosts.
# Some MIME-types for downloading Certificates and CRLs
<IfDefine SSL>
  AddType application/x-x509-ca-cert .crt
  AddType application/x-pkcs7-crl .crl
</IfDefine>

<IfModule mod_ssl.c>
  SSLPassPhraseDialog builtin
  SSLSessionCache dbm:logs/ssl_scache
  SSLSessionCacheTimeout 300
  SSLMutex sem

  # Pseudo Random Number Generator (PRNG):
  SSLRandomSeed startup builtin
  SSLRandomSeed connect builtin
  #SSLRandomSeed startup file:/dev/random 512
  #SSLRandomSeed startup file:/dev/urandom 512
  #SSLRandomSeed connect file:/dev/random 512
  #SSLRandomSeed connect file:/dev/urandom 512
  SSLRandomSeed startup file:/dev/arandom 512

  # Logging:
  SSLLog logs/ssl_engine_log
  SSLLogLevel info
</IfModule>

### End httpd.conf ########################################

Thanks for helping me.

Vincent.



---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] reverse proxy configuration.

Posted by Vincent Blondel <vi...@xtra-net.org>.
> On Tue, 15 Mar 2005 11:29:53 +0100 (CET), Vincent Blondel
> <vi...@xtra-net.org> wrote:
>> We recently decided to set up a dmz in our infrastructure and I have
>> chosen to use openbsd 3.6 with built in apache 1.3.29 ( compiled and
>> hardened by the OpenBSD team ) with mod_proxy / mod_security and
>> mod_rewrite.
>>
>> So before setting up all this in the real world, I currently spend my
>> time getting this configuration to work in our development LAN.
>>
>> So let's imagine I have the following infrastructure:
>>
>>   reverse proxy                     real internal web server
>> rproxy1.example.net    ----->   iweb1.example.net ( example.org )
>>   192.168.1.25:80                      192.168.1.19:80
>>
>> So, as you can see, we just would like to forward all incoming internet
>> traffic ( port 80 ) from our external web server ( rproxy1.example.net )
>> to our internal web server ( iweb1.example.net ).
>>
>> iweb1.example.net hosts example.net and example.org ( configured by
>> VirtualHost ). iweb1 runs with FreeBSD 4.10 and apache 1.3.33. One last
>> detail: we do not use any firewall in this configuration. This is just
>> to make the configuration easier.
>>
>> So I am trying a configuration but it doesn't work. Please find the
>> configuration below.
>
> There are a few problems here:
>
> 1. The OpenBSD version of apache is not really apache anymore.  It is
> a forked version with openbsd-specific changes.  So it will be
> difficult for us to help you on this list, since we know only about
> the real apache and we don't know anything about the openbsd changes.
>

Normally the OpenBSD developers didn't change anything about the
configuration syntax from the Apache Foundation, but there are indeed some
security improvements brought by the OpenBSD team. I don't think this is
important in our case ???

> 2. "it doesn't work" is a very bad way to ask a question.  We need to
> know exactly what you tried, and exactly what happened, including
> relevant excerpts from the error log, access log, and config files.
>

You are right, so ... What I really tried is:

As I said, my real web server runs with FreeBSD and hosts some
domains, and for each of them one or more hosts, for example:

www.example.net
ftp.example.net
mail.example.net
mirror.example.org
...

So to test my configuration I manually added on my workstation in /etc/hosts:

192.168.1.25 www.example.net ftp mail
192.168.1.25 mirror.example.org

So I now send all my http packets to the proxy and not directly to the
FreeBSD web server.

... and when I try to browse any website hosted on my real web server (
naturally now through my OpenBSD proxy machine because of /etc/hosts ) I am
always redirected to the first VirtualHost I defined on my real web
server, so in this case www.example.net

www.example.net     |
ftp.example.net     |______> www.example.net
mail.example.net    |
mirror.example.net  |

This naturally implies the next error. When I try to browse
http://mail.example.net/login/ I get an error saying /login/ doesn't exist,
because this directory only exists on mail.example.net :(

> 3. Notice I said "relevant excerpts".  Please don't dump your complete
> config file here and expect us to sift through it looking for the
> important stuff.

OK

>
> Sorry if this answer is not what you were looking for, but you need
> to help us out a little if you want us to help you.
>
> Joshua.

I hope this can be helpful for you ... and for me :)
Vincent



-- 
Vincent Blondel
homepage : http://jlang.dyndns.org
registered LFS user : 7485 http://www.linuxfromscratch.org
maintainer : http://oryx.xtra-net.org
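The symptom Vincent describes (every proxied hostname landing on the backend's first VirtualHost) follows from how Apache 1.3's mod_proxy builds the request it sends upstream: the Host header is taken from the ProxyPass target URL, so with `ProxyPass / http://iweb1/` the backend only ever sees `Host: iweb1`, which matches none of its name-based vhosts and therefore falls through to the first one. The model below is an added example, not code from the thread or from Apache; it assumes the backend vhost order given (only www.example.net being first is stated in the thread) and, as a remedy for 1.3, which has no ProxyPreserveHost, assumes each proxy vhost forwards to a target URL carrying the public name, with that name mapped to 192.168.1.19 in the proxy's /etc/hosts.

```python
# Model of Apache 1.3 name-based vhost selection behind a mod_proxy reverse proxy.
# Added example (not from the thread). Hostnames are the thread's own; the vhost
# order on the backend and the per-vhost ProxyPass fix are assumptions.

# Backend iweb1: name-based vhosts in httpd.conf order. Apache serves the FIRST
# vhost for an address when the Host header matches none of them, which is the
# "always redirected to www.example.net" behaviour the poster observed.
BACKEND_VHOSTS = ["www.example.net", "ftp.example.net",
                  "mail.example.net", "mirror.example.org"]


def select_vhost(host_header, vhosts=BACKEND_VHOSTS):
    """NameVirtualHost lookup: exact ServerName match, else the first vhost."""
    name = host_header.split(":")[0].lower()
    return name if name in vhosts else vhosts[0]


def proxied_host_header(proxypass_target):
    """Host header mod_proxy 1.3 sends upstream: the host part of the ProxyPass
    target URL (1.3 has no ProxyPreserveHost to keep the client's Host)."""
    return proxypass_target.split("//", 1)[1].split("/", 1)[0]


def route(client_host, proxypass_target):
    """Backend vhost a request for client_host ends up on via this ProxyPass."""
    return select_vhost(proxied_host_header(proxypass_target))


def check_proxy_config(proxypass_by_vhost):
    """Config check: proxy vhosts whose ProxyPass target lands on the wrong
    backend vhost, mapped to the vhost that would actually answer."""
    return {vh: route(vh, target) for vh, target in proxypass_by_vhost.items()
            if route(vh, target) != vh}


# The thread's config: every proxy vhost uses ProxyPass / http://iweb1/, so the
# backend receives "Host: iweb1" for all of them.
BROKEN = {vh: "http://iweb1/" for vh in BACKEND_VHOSTS}

# Assumed fix for 1.3: put the public name in the ProxyPass target and map that
# name to 192.168.1.19 in the proxy's /etc/hosts, so Host reaches the backend intact.
FIXED = {vh: f"http://{vh}/" for vh in BACKEND_VHOSTS}

if __name__ == "__main__":
    print("misrouted with http://iweb1/ :", check_proxy_config(BROKEN))
    print("misrouted with per-vhost target:", check_proxy_config(FIXED))
```

The check reports ftp, mail and mirror as collapsing onto www.example.net for the thread's config and nothing for the per-name targets; on Apache 2.0.31 and later the same effect is obtained with ProxyPreserveHost On.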




Re: [users@httpd] reverse proxy configuration.

Posted by Joshua Slive <js...@gmail.com>.
On Tue, 15 Mar 2005 11:29:53 +0100 (CET), Vincent Blondel
<vi...@xtra-net.org> wrote:
> We recently decided to set up a dmz in our infrastructure and I have
> chosen to use openbsd 3.6 with built in apache 1.3.29 ( compiled and
> hardened by the OpenBSD team ) with mod_proxy / mod_security and
> mod_rewrite.
> 
> So before setting up all this in the real world, I currently spend my
> time getting this configuration to work in our development LAN.
> 
> So let's imagine I have the following infrastructure:
> 
>   reverse proxy                     real internal web server
> rproxy1.example.net    ----->   iweb1.example.net ( example.org )
>   192.168.1.25:80                      192.168.1.19:80
> 
> So, as you can see, we just would like to forward all incoming internet
> traffic ( port 80 ) from our external web server ( rproxy1.example.net )
> to our internal web server ( iweb1.example.net ).
> 
> iweb1.example.net hosts example.net and example.org ( configured by
> VirtualHost ). iweb1 runs with FreeBSD 4.10 and apache 1.3.33. One last
> detail: we do not use any firewall in this configuration. This is just to
> make the configuration easier.
> 
> So I am trying a configuration but it doesn't work. Please find the
> configuration below.

There are a few problems here:

1. The OpenBSD version of apache is not really apache anymore.  It is
a forked version with openbsd-specific changes.  So it will be
difficult for us to help you on this list, since we know only about
the real apache and we don't know anything about the openbsd changes.

2. "it doesn't work" is a very bad way to ask a question.  We need to
know exactly what you tried, and exactly what happened, including
relevant excerpts from the error log, access log, and config files.

3. Notice I said "relevant excerpts".  Please don't dump your complete
config file here and expect us to sift through it looking for the
important stuff.

Sorry if this answer is not what you were looking for, but you need
to help us out a little if you want us to help you.

Joshua.
