Date: 24 Jul 2003 14:50:37 -0000
Message-ID: <20030724145037.12768.qmail@icarus.apache.org>
From: slive@apache.org
To: httpd-2.0-cvs@apache.org
Reply-To: dev@httpd.apache.org
Subject: cvs commit: httpd-2.0/docs/manual/mod mod_proxy.xml

slive 2003/07/24 07:50:37

Modified: docs/manual/mod Tag: APACHE_2_0_BRANCH mod_proxy.xml
Log: Sync 2.0 with 2.1.

Revision Changes Path
No revision
No revision
1.12.2.9 +135 -91 httpd-2.0/docs/manual/mod/mod_proxy.xml

Index: mod_proxy.xml =================================================================== RCS file: /home/cvs/httpd-2.0/docs/manual/mod/mod_proxy.xml,v retrieving revision 1.12.2.8 retrieving revision 1.12.2.9 diff -u -d -b -u -r1.12.2.8 -r1.12.2.9 --- mod_proxy.xml 6 Jul 2003 02:15:01 -0000 1.12.2.8 +++ mod_proxy.xml 24 Jul 2003 14:50:36 -0000 1.12.2.9 @@ -23,95 +23,120 @@ The module can be configured to connect to other proxy modules for these and other protocols.

-

This module was experimental in Apache 1.1.x. Improvements and bugfixes - were made in Apache v1.2.x and Apache v1.3.x, then the module underwent a - major overhaul for Apache v2.0. The protocol support was upgraded to - HTTP/1.1, and filter support was enabled.

- -

During the overhaul process, mod_proxy features - have been split into several module files: mod_proxy_http, - mod_proxy_ftp and mod_proxy_connect. - Thus, if you want to use one or more of the particular proxy functions, - load mod_proxy and the appropriate - module(s) into the server (either statically or dynamically via the - LoadModule directive).

- -

Please note that the caching function present in mod_proxy up to Apache v1.3.x has been removed - from mod_proxy and incorporated into a new module, - mod_cache. In other words, the Apache 2.0.x proxy doesn't - cache - all caching functionality has been moved into - mod_cache, which is capable of caching any content, not - just content from the proxy.

+

Apache's proxy features are divided into several modules in + addition to mod_proxy: + mod_proxy_http, mod_proxy_ftp + and mod_proxy_connect. Thus, if you want to use + one or more of the particular proxy functions, load + mod_proxy and the appropriate module(s) + into the server (either statically at compile-time or dynamically + via the LoadModule + directive).

-

If you need to use SSL when contacting remote servers, have a look at the - SSLProxy* directives in mod_ssl.

+

In addition, extended features are provided by other modules. + Caching is provided by mod_cache and related + modules. The ability to contact remote servers using the SSL/TLS + protocol is provided by the SSLProxy* directives of + mod_ssl. These additional modules will need + to be loaded and configured to take advantage of these features.

+mod_cache mod_proxy_http mod_proxy_ftp mod_proxy_connect mod_ssl -
Common configuration topics - -
Forward and Reverse Proxies

Apache can be configured in both a forward and - reverse proxy configuration.

+ reverse proxy mode.

-

A forward proxy is an intermediate system that enables a - browser to connect to a remote network to which it normally does not have - access. A forward proxy can also be used to cache data, reducing load on - the networks between the forward proxy and the remote webserver.

+

An ordinary forward proxy is an intermediate + server that sits between the client and the origin + server. In order to get content from the origin server, + the client sends a request to the proxy naming the origin server + as the target and the proxy then requests the content from the + origin server and returns it to the client. The client must be + specially configured to use the forward proxy to access other + sites.

-

Apache's mod_proxy can be figured to behave like a - forward proxy using the ProxyRemote directive. In addition, caching of data can be - achieved by configuring mod_cache. Other dedicated - forward proxy packages include Squid.

+

A typical usage of a forward proxy is to provide Internet + access to internal clients that are otherwise restricted by a + firewall. The forward proxy can also use caching (as provided + by mod_cache) to reduce network usage.

-

A reverse proxy is a webserver system that is capable of - serving webpages sourced from other webservers - in addition to webpages - on disk or generated dynamically by CGI - making these pages look like - they originated at the reverse proxy.

+

The forward proxy is activated using the ProxyRequests directive. Because + forward proxys allow clients to access arbitrary sites through + your server and to hide their true origin, it is essential that + you secure your server so that only + authorized clients can access the proxy before activating a + forward proxy.

-

When configured with the mod_cache module the reverse proxy can act as - a cache for slower backend webservers. The reverse proxy can also enable - advanced URL strategies and management techniques, allowing webpages - served using different webserver systems or architectures to coexist - inside the same URL space. Reverse proxy systems are also ideal for - implementing centralised logging websites with many or diverse website - backends. Complex multi-tier webserver systems can be constructed using an - mod_proxy frontend and any number of backend - webservers.

+

A reverse proxy, by contrast, appears to the + client just like an ordinary web server. No special + configuration on the client is necessary. The client makes + ordinary requests for content in the name-space of the reverse + proxy. The reverse proxy then decides where to send those + requests, and returns the content as if it was itself the + origin.

-

The reverse proxy is configured using the ProxyPass and ProxyPassReverse directives. Caching can be - enabled using mod_cache as with the forward proxy.

+

A typical usage of a reverse proxy is to provide Internet + users access to a server that is behind a firewall. Reverse + proxies can also be used to balance load among several back-end + servers, or to provide caching for a slower back-end server. + In addition, reverse proxies can be used simply to bring + several servers into the same URL space.

+ +

A reverse proxy is activated using the ProxyPass directive or the + [P] flag to the RewriteRule directive. It is + not necessary to turn ProxyRequests on in order to + configure a reverse proxy.

+
Basic Examples + +

The examples below are only a very basic idea to help you + get started. Please read the documentation on the individual + directives.

+ +

In addition, if you wish to have caching enabled, consult + the documentation from mod_cache.

+ + Forward Proxy + ProxyRequests On
+ ProxyVia On
+
+ <Proxy *>
+ + Order deny,allow
+ Deny from all
+ Allow from internal.example.com
+
+ </Proxy&gr; +
+ + Reverse Proxy + ProxyRequests Off
+
+ <Proxy *>
+ + Order deny,allow
+ Allow from all
+
+ </Proxy>
+
+ ProxyPass /foo/ http://foo.example.com/bar/
+ ProxyPassReverse /foo/ http://foo.example.com/bar/ +
+
+ +
Controlling access to your proxy

You can control who can access your proxy via the Proxy control block using + module="mod_proxy" type="section">Proxy control block as in the following example:
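
Review bot: In the added Forward Proxy example the closing section tag is written `</Proxy&gr;`, and `&gr;` is not a standard entity; it should presumably be `&gt;`, as in the Reverse Proxy example just below it. In the same hunk, "forward proxys" in the new ProxyRequests paragraph should read "forward proxies". The Reverse Proxy example also pairs `<Proxy *>` with `Allow from all`; a short sentence next to it saying that this is acceptable only because `ProxyRequests Off` is set would stop readers from copying the open `Allow from all` block into a forward proxy configuration, which the paragraph above warns against.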

@@ -124,11 +149,26 @@ </Proxy> -

When configuring a reverse proxy, access control takes on the - attributes of the normal server Directory configuration.

+

For more information on access control directives, see + mod_access.

+ +

Strictly limiting access is essential if you are using a + forward proxy (using the ProxyRequests directive). + Otherwise, your server can be used by any client to access + arbitrary hosts while hiding his or her true identity. This is + dangerous both for your network and for the Internet at large. + When using a reverse proxy (using the ProxyPass directive with + ProxyRequests Off), access control is less + critical because clients can only contact the hosts that you + have specifically configured.

+
+
FTP Proxy + +
Why doesn't file type <var>xxx</var> download via FTP?

You probably don't have that particular file type defined as @@ -173,7 +213,7 @@ in my browser's URL line?

To log in to an FTP server by username and password, Apache uses different strategies. In absense of a user name and password in the URL - altogether, Apache sends an anomymous login to the FTP server, + altogether, Apache sends an anonymous login to the FTP server, i.e.,

@@ -215,9 +255,8 @@ might intercept your password on its way.

- -
Why does Apache start more slowly when using - the proxy module? +
+
Slow Startup

If you're using the ProxyBlock directive, hostnames' IP addresses are looked up and cached during startup for later match test. This may take a few @@ -225,10 +264,12 @@ occur.

-
What other functions are useful for an - intranet proxy server? +
Intranet Proxy

An Apache proxy server situated in an intranet needs to forward - external requests through the company's firewall. However, when it has to + external requests through the company's firewall (for this, configure + the ProxyRemote directive + to forward the respective scheme to the firewall proxy). + However, when it has to access resources within the intranet, it can bypass the firewall when accessing hosts. The NoProxy directive is useful for specifying which hosts belong to the intranet and @@ -246,8 +287,7 @@ files will then contain fully qualified hosts.

-
How can I make the proxy talk HTTP/1.0 and - disable keepalives? +
Protocol Adjustments

For circumstances where you have a application server which doesn't implement keepalives or HTTP/1.1 properly, there are 2 environment variables which when set send a HTTP/1.0 with no keepalive. These are set @@ -266,7 +306,6 @@ </Location>

-
Proxy @@ -506,10 +545,15 @@

When used inside a Location section, the first argument is ommitted and the local + >Location section, the first argument is omitted and the local directory is obtained from the Location.

+ The ProxyRequests directive should + usually be set off when using + ProxyPass. +

If you require a more flexible reverse-proxy configuration, see the RewriteRule directive with the [P] flag.
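
Review bot: The sentence added under ProxyPass says ProxyRequests "should usually be set off" but gives neither the reason nor the exception that "usually" implies. Suggest stating that enabling it turns the server into a forward proxy, which has to be access-restricted first, and pointing to the "Controlling access to your proxy" section. Writing the value as `Off` would also match the `ProxyRequests Off` spelling used in the examples and in the access control paragraph.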

@@ -563,7 +607,7 @@ >ProxyPass directive.

When used inside a Location section, the first argument is ommitted and the local + >Location section, the first argument is omitted and the local directory is obtained from the Location.
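
Review bot: In the "Controlling access to your proxy" hunk (@@ -124,11 +149,26 @@), the new closing sentence calls access control "less critical" for a reverse proxy, but only covers ProxyPass with `ProxyRequests Off`. The first hunk also documents the `[P]` flag of RewriteRule as a way to activate a reverse proxy, so this paragraph should say whether the "hosts that you have specifically configured" claim holds for that case as well. The hunk also removes the old sentence on reverse proxy access control following the normal Directory configuration without a replacement; if that no longer applies, the new text should say what governs access for proxied paths.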