- Installation & Uninstallation
- Local and remote management using IIS 7
- Context and processing order
- Apache compatibility
- core functions
- Release history
- License agreement
mod_proxy provides a set of instruments for flexible adjustment of forward or reverse proxy on your server.
Reverse proxy looks to the client as an ordinary web server. No special configuration on the client sde is needed. The client makes conventional requests for content in the namespace of reverse proxy. Reverse proxy then decides where to send those requests and returns requested content as if it was the destination.
Reverse proxy is typically used to provide Internet access to a server protected by firewall. Reverse proxy may also be used in the role of load balancer distributing load among several back-end servers, or provide caching for a slower back-end server. In addition, reverse proxies can be used simply to bring several servers into the same URL space.
ProxyRequests Off <Proxy *> Order deny,allow Allow from all </Proxy> ProxyPass /foo http://foo.example.com/bar ProxyPassReverse /foo http://foo.example.com/bar
Forward proxy is an intermediate server residing between the client and destination server. To get content from destination server the client sends a request to proxy specifying destination server as the target and proxy then requests the content from destination server and returns it to the client. The client should have forward proxy configured correctly to be able to access other sites.
Forward proxy is typically used to provide Internet access to internal clients that are otherwise restricted by firewall.
Forward proxy is initiated by
directive. As forward proxy allows clients to access arbitrary sites through
your server and hide their true credentials, prior to forward proxy activation
you need to secure your server so that only authorized users could access the
ProxyRequests On ProxyVia On <Proxy *> Order deny,allow Deny from all Allow from internal.example.com </Proxy>
Load-balanced proxy server does not look like something new for mod_proxy, but by default it won't work with PHP sessions and many other applications. But don't fall in despair! Below is a rather simple solution for that issue.
Say you have 2 backend servers: www1.example.com and www2.example.com . You should add the following to your backend vhost configuration:
RewriteEngine On RewriteRule .* - [CO=BALANCEID:balancer.www1:.example.com]
Then do the same for www2, not forgetting to change the cookie value to reflect this. Now you need to tell your frontend proxy that it should look for this cookie, and which server each "route" refers to:
ProxyPass / balancer://cluster/ lbmethod=byrequests stickysession=BALANCEID ProxyPassReverse / balancer://cluster/ <Proxy balancer://cluster> BalancerMember http://www1.example.com route=www1 BalancerMember http://www2.example.com route=www2 </Proxy>
Each new incoming request will be directed to the backend server according to your load-balancing method, and any subsequent requests from that user (assuming they have cookies enabled) will then go back to the same backend server. When they close their browser and the cookie expires, the "binding" is reset and they'll get a new random server next time they connect.
Sample httpd.conf configuration to enable proxying
application to internal server
<Location /accounts/> ProxyPass http://internal.company.com/accounts/ ProxyPassReverse http://internal.company.com/accounts/ ProxyPassReverseCookieDomain internal.company.com www.company.com </Location>
Related articles and topics
- Helicon Ape mod_proxy: proxy-server inside IIS
- Load balancing with Helicon Ape mod_proxy
|BalancerMember||S V D .h||Add a member to a load balancing group|
|NoProxy||S V D .h||Hosts, domains, or networks that will be connected to directly|
|ProxyBlock||S V D .h||Words, hosts, or domains that are banned from being proxied|
|ProxyIOBufferSize||S V D .h||Determine size of internal data throughput buffer|
|ProxyMaxForwards||S V D .h||Maximium number of proxies that a request can be forwarded through|
|ProxyPass||S V D .h||Maps remote servers into the local server URL-space|
|ProxyPassReverse||S V D .h||Adjusts the URL in HTTP response headers sent from a reverse proxied server|
|ProxyPassReverseCookieDomain||S V D .h||Adjusts the Domain string in Set-Cookie headers from a reverse- proxied server|
|ProxyPassReverseCookiePath||S V D .h||Adjusts the Path string in Set-Cookie headers from a reverse- proxied server|
|ProxyPreserveHost||S V D .h||Use incoming Host HTTP request header for proxy request|
|ProxyReceiveBufferSize||S V D .h||Network buffer size for proxied HTTP and FTP connections|
|ProxyRemoteMatch||S V D .h||Remote proxy used to handle requests matched by regular expressions|
|ProxyRequests||S V D .h||Enables forward (standard) proxy requests|
|ProxyTimeout||S V D .h||Network timeout for proxied requests|
|ProxyVia||S V D .h||Information provided in the Via HTTP response header for proxied requests|
|balancer-manager||S V D .h||Maps specific url to load balancer web interface|
<Location /balancer-manager/> SetHandler balancer-manager Order allow,deny Allow from 127.0.0.7 ::1 localhost </Location>
Add a member to a load balancing group
BalancerMember [balancer-url] backend-url [key=value] [...]
This directive adds a member to a load balancing group.
It must be used within a
are used to for adjustment of balancer member.
- timeout — Connection timeout in seconds. If not set, will wait until the free connection is available. This directive is used for limiting the number of connections to the backend server
— Worker load factor. Used with
BalancerMember. It is a value between 1 and 100 that defines the normalized weighted load applied to the server (balancer member)
- route — Route of the server (balancer member) when used inside load balancer. The route is a value appended to session id
— Redirection Route of the server (balancer member). This value is usually
set dynamically to enable safe removal of the node from the cluster. If
set, all requests without session id will be redirected to balancer member
routeparameter equals this value.
- statusttl — Automatic update status interval in seconds.
ProxyPass / balancer://cluster/ lbmethod=byrequests stickysession=seesionid <Proxy balancer://cluster> BalancerMember http://backend1.example.com/ route=b1 loadfactor=10 statusttl=60 BalancerMember http://backend2.example.com/ route=b2 loadfactor=5 </Proxy> BalancerMember balancer://cluster http://backend3.example.com/ route=b3 loadfactor=1
Hosts, domains, or networks that will be connected to directly
NoProxy host [host] [...]
directive is only applicable to proxy servers within
directive stores the list of subnets, IP
addresses, hosts and/or domains, separated by spaces. A request to the host
from the list will be processed directly without forwarding to
ProxyRemote * http://firewall.mycompany.com:81 NoProxy .mycompany.com 192.168.112.0/21
may be everything from the list:
— is a partially qualified DNS domain name
preceded by a period. It represents a list of hosts which logically belong
to the same DNS domain or zone (i.e., the suffixes of the hostnames all end
To distinguish Domains from Hostnames , Domains are always written with preceding period.
NoProxy .com .domain.org.
Note! Domain name comparisons are performed regardless of case, and Domains are always supposed to be anchored to the root of DNS tree, therefore
.mydomain.com.(note the trailing period) are considered equal. As domain comparison does not involve a DNS lookup, it is much more efficient than SubNet comparison.
— is a partially qualified internet address
in numeric (dotted quad) form, optionally followed by a slash and the netmask,
specified as the number of significant bits in the
It is used to represent a subnet of hosts which can be reached over a common
network interface. In the absence of the explicit net mask it is assumed that
omitted (or zero valued) trailing digits specify the mask. (In this case,
the netmask can only be multiples of 8 bits wide.)
the subnet 192.168.0.0 with an implied netmask of 16 valid bits (may be used in the netmask form 255.255.0.0)
NoProxy 192.168 192.168.0.0
the subnet 192.168.112.0/21 with a netmask of 21 valid bits (may be used in the form 255.255.248.0). As a degenerate case, a
SubNetwith 32 valid bits is the equivalent to an IPAddr, while a
SubNetwith zero valid bits (e.g., 0.0.0.0/0) is the same as the constant _Default_, matching any IP address.
— represents a fully qualified internet address
in numeric (dotted quad) form. Usually, this address represents a host, but
there need not necessarily be a DNS domain name connected with the address.
Note! An IPAddr does not need to be resolved by the DNS system, so it can result in more effective server performance.
— is a fully qualified DNS domain name
which can be resolved to one or more
IPAddrsvia the domain name service (DNS). It represents a logical host (in contrast to
Domains, see above) and must be resolvable to at least one
IPAddr(or often to a list of hosts with different
NoProxy prep.ai.mit.edu www.apache.org
In many situations, it is more effective to specify an
in place of a
since a DNS lookup can be avoided.
comparisons are done regardless of case,
are always assumed anchored to the root
of the DNS tree, therefore two hosts
(note the trailing period) are considered equal.
Words, hosts, or domains that are banned from being proxied
ProxyBlock *|word|host|domain [word|host|domain] [...]
directive specifies a list of words, hosts and/or
domains, separated by spaces. HTTP, HTTPS, and FTP access to the sites whose
names contain specified words, hosts or domains will be blocked by proxy server.
The proxy module will also attempt to determine IP addresses of list items and
cache them for match against as well. That may slow down the server startup
ProxyBlock somesite.com some-host.ru sub.domain.gov
will also be matched if requested by IP address.
Note also that
blocks connections to all sites.
Determine size of internal data throughput buffer
directive allows o set internal buffer
size, which acts as a temporary buffer for the data between input and output.
The size must be less or equal to 8192.
Note! There are hardly any cases when you need to change that value.
Maximium number of proxies that a request can be forwarded through
directive specifies the maximum number of
proxies through which a request may walk, if no
header exists in the request. This directive allows to avoid infinite proxy.
Maps remote servers into the local server URL-space
ProxyPass [path] !|backend-url [key=value key=value ...]]
directive allows remote servers to be mapped into
the space of the local server; the local server does not act as a proxy in the
conventional sense, but appears to be a mirror of the remote server.
is the name of a local virtual path;
is a partial
URL for the remote server and cannot include a query string.
If you put
file, it's necessary to explicitly specify
BUT when using this directive inside
this parameter shall be omitted (mod_proxy will automatically apply path specified
in <Location> section or path to .htaccess file as a ProxyPass path). So
ProxyPass /app/ http://backend.domain.com/
<Location /app/> ProxyPass http://backend.domain.com/ </Location>
directive should usually be set
Say you have a local server
ProxyPass /mirror/foo/ http://backend.domain.com/
will cause a local request to
be internally converted into a proxy request to
directive is used when you don't want to reverse proxy some subdirectory.
ProxyPass /mirror/foo/i ! ProxyPass /mirror/foo http://backend.domain.com
will proxy all requests to
Note! Order is important. you need to put the exclusions before the general ProxyPass directive.
Adjustment of load balancing
And here is the list of parameters used when proxy acts as load balancer:
= byrequests | bytraffic | random | byresponsetime —
Balancer load-balance method. Possible values:
byrequeststo perform weighted request counting;
bytrafficto perform weighted traffic byte count balancing;
randomto perform weighted random balancing;
byresponsetimeto perform weighted response time balancing;
- stickysession — Balancer sticky session name. Common values are JSESSIONID or PHPSESSIONID, they depend on the backend application server that supports sessions.
Regular expression to grab the balancer route from sticky session cookie. For example:
If set to
on, the session will break if the balancer member is in error state or disabled. Set this value to
onif backend servers do not support session replication.
- timeout — Balancer timeout in seconds. If set, this will be the maximum time to wait for a free balancer member.
- maxattempts — Maximum number of failover attempts before giving up
ProxyPass /folder/proxy/balancer/fake/ balancer://cluster1/ <Proxy balancer://cluster1> BalancerMember http://localhost:80/folder/proxy/balancer/real/ loadfactor=1 BalancerMember http://localhost:81/folder/proxy/balancer/real/ loadfactor=1 </Proxy>
ProxyPass /ape/proxy/balancer/faketraff/ balancer://cluster2/ lbmethod=bytraffic
<Proxy balancer://clustersession> BalancerMember http://localhost:80/ape/proxy/balancer/real/ loadfactor=100 route=p80 BalancerMember http://localhost:81/ape/proxy/balancer/real/ loadfactor=1 route=p81 BalancerMember http://localhost:82/ape/proxy/balancer/real/ loadfactor=1 route=p82
BalancerMember http://localhost:83/ape/proxy/balancer/real/ loadfactor=1 route=p83 redirect=p82 status=+d </Proxy>
When used inside a
section, the first argument is omitted and the local directory is obtained from the
If you need more flexible reverse proxy configuration,
Adjusts the URL in HTTP response headers sent from a reverse proxied server
ProxyPassReverse [path] url
directive allows to adjust the URL in the
headers of HTTP redirect responses. This is necessary when using reverse proxy
to avoid by-passing reverse proxy because of HTTP redirects on the backend servers
which stay behind reverse proxy.
Only aforementioned HTTP response headers will be rewritten. This means that if the proxied content contains absolute URL references, they will by-pass the proxy.
is the name of a local virtual path;
is a partial URL for the remote server - they are used the
same way as in
Say the local server has address
ProxyPass /mirror/foo/ http://backend.domain.com/ ProxyPassReverse /mirror/foo/ http://backend.domain.com/ ProxyPassReverseCookieDomain backend.domain.com public.domain.com ProxyPassReverseCookiePath / /mirror/foo/
The above code will cause a local request to
to be internally treated as a proxy request to
It will also take care of redirects sent by
server: when it redirects
*** adjusts this to
the HTTP redirect response to the client.
directive can also be used in conjunction
with proxy pass-through feature (
RewriteRule ... [P]
) from mod_rewrite because
it doesn't depend on a corresponding
When used inside a
section, the first argument is omitted and the local directory is obtained from
Adjusts the Domain string in Set-Cookie headers from a reverse-proxied server.
ProxyPassReverseCookieDomain internal-domain public-domain
is used similarly to
but it rewrites domain string in
Adjusts the Path string in Set-Cookie headers from a reverse- proxied server.
ProxyPassReverseCookiePath internal-path public-path
is used similarly to
but it rewrites the path string in
Use incoming Host HTTP request header for proxy request
When enabled, this option will pass the
line from the incoming request to the proxied host, instead of the hostname specified in the ProxyPass line.
works only for the web-sites that use
Application pool with .NET 4.0 and higher.
Network buffer size for proxied HTTP and FTP connections.
directive specifies an explicit TCP/IP
network buffer size for proxied HTTP and FTP connections to provide increased
throughput. It has to be greater than 512 or set to 0 to specify that system's
default buffer size should be used.
Remote proxy used to handle certain requests
ProxyRemote match remote-server
specifies remote proxies for this proxy.
is either the name of a URL-scheme supported by remote server, or a partial
URL for which remote server should be used, or
indicate the server should be addressed for all requests.
is a partial URL for the remote server (only http protocol is supported.
ProxyRemote http://thissite.com/ http://thatsite.com:8000 ProxyRemote * http://othersite.com ProxyRemote ftp http://ftpproxy.domain.com:8080
directive also supports reverse proxy configuration
- a backend webserver can be embedded into a virtualhost URL space even if that
server is hidden behind another forward proxy.
Remote proxy used to handle requests matched by regular expressions
ProxyRemoteMatch regex remote-server
is identical to the
directive, except that the first argument is a regular expression that is matched
against the requested URL.
Enables forward (standard) proxy requests
directive enables or disables forward proxy
If you are implementing reverse proxy configuration, this option should be set to
Do not enable
feature until your server is secured. Open proxy servers are dangerous for your
network as well as for the Internet as a whole.
Network timeout for proxied requests
directive allows you to specify a timeout for
proxy requests. This is useful when you have a slow application server, and
rather than wait unlimited time, it's better to return a timeout response.
Information provided in the Via HTTP response header for proxied requests
directive controls the use of the
HTTP header by the proxy. It is destined to control the flow of proxy requests
through the chain of proxy servers.
The following values may be assigned to this directive:
(default) — no special processing is performed.
If a request or reply contains
Via:header, it is passed through unchanged.
— each request and reply will get
Via:header line added for the current host.
— each generated
Via:header line will be appended by Helicon Ape version shown as a
— every proxy request
will have all its
Via:header lines removed. No new
Via:header will be generated.