mod_proxy
mod_proxy overview
mod_proxy provides a set of instruments for flexible configuration of a forward or reverse proxy on your server.
Forward and reverse proxy
The Helicon Ape mod_proxy module can be configured in both forward and reverse proxy mode.
A forward proxy is an intermediate server residing between the client and the destination server. To get content from the destination server, the client sends a request to the proxy specifying the destination server as the target; the proxy then requests the content from the destination server and returns it to the client. The client must have the forward proxy configured correctly to be able to access other sites.
A forward proxy is typically used to provide Internet access to internal clients that are otherwise restricted by a firewall. Forward proxy is initiated by the ProxyRequests directive. As a forward proxy allows clients to access arbitrary sites through your server and hide their true credentials, prior to forward proxy activation you need to secure your server so that only authorized users can access the proxy.
A reverse proxy, on the contrary, looks to the client like an ordinary web server. No special configuration on the client is needed. The client makes conventional requests for content in the namespace of the reverse proxy. The reverse proxy then decides where to send those requests and returns the requested content as if it were the destination.
A reverse proxy is typically used to provide Internet access to a server protected by a firewall. A reverse proxy may also be used as a load balancer distributing load among several back-end servers, or to provide caching for a slower back-end server. In addition, reverse proxies can be used simply to bring several servers into the same URL space.
Reverse proxy is initiated by the ProxyPass directive or by the [P] flag after a RewriteRule directive. There's no need to enable ProxyRequests to configure a reverse proxy.
Here are very basic examples of forward and reverse proxy configurations:
Forward Proxy
Reverse Proxy
mod_proxy as balancer with PHP sticky sessions
A load-balanced proxy server is nothing new for mod_proxy, but by default it won't work with PHP sessions and many other applications. But don't despair! Below is a rather simple solution for that issue.
Say you have 2 backend servers: www1.example.com and www2.example.com. You should add the following to your backend vhost configuration:
Then do the same for www2, not forgetting to change the cookie value to reflect this. Now you need to tell your frontend proxy that it should look for this cookie, and which server each "route" refers to:
Each new incoming request will be directed to the backend server according to your load-balancing method, and any subsequent requests from that user (assuming they have cookies enabled) will then go back to the same backend server. When they close their browser and the cookie expires, the "binding" is reset and they'll get a new random server next time they connect.
mod_proxy directives
NoProxy
NoProxy directive is only applicable to proxy servers within intranets. NoProxy directive stores the list of subnets, IP addresses, hosts and/or domains, separated by spaces. A request to the host from the list will be processed directly without forwarding to ProxyRemote proxy server(s). Example:
The host arguments for NoProxy may be any of the following:
Example:
To distinguish Domains from Hostnames, Domains are always written with a preceding period.
Note! Domain name comparisons are performed regardless of case, and Domains are always supposed to be anchored to the root of the DNS tree, therefore .MyDomain.com and .mydomain.com. (note the trailing period) are considered equal. As domain comparison does not involve a DNS lookup, it is much more efficient than SubNet comparison.
Example:
the subnet 192.168.0.0 with an implied netmask of 16 valid bits (may be used in the netmask form 255.255.0.0)
the subnet 192.168.112.0/21 with a netmask of 21 valid bits (may be used in the form 255.255.248.0)
Example:
Note! An IPAddr does not need to be resolved by the DNS system, so it can result in more effective Apache performance.
Example:
Note! In many situations, it is more effective to specify an IPAddr in place of a Hostname since a DNS lookup can be avoided. Hostname comparisons are done regardless of case, and Hostnames are always assumed anchored to the root of the DNS tree, therefore two hosts WWW.MyDomain.com and www.mydomain.com. (note the trailing period) are considered equal.
ProxyBlock
ProxyBlock directive specifies a list of words, hosts and/or domains, separated by spaces. HTTP, HTTPS, and FTP access to the sites whose names contain the specified words, hosts or domains will be blocked by the proxy server. The proxy module will also attempt to determine the IP addresses of list items and cache them for matching as well. That may slow down the server startup time.
Example:
sub.domain.gov will also be matched if requested by IP address. Note that domain would also be sufficient to match domain.gov. Note also that
blocks connections to all sites.
ProxyIOBufferSize
ProxyIOBufferSize directive allows you to set the internal buffer size, which acts as a temporary buffer for the data between input and output. The size must be less than or equal to 8192.
Note! There are hardly any cases when you need to change that value.
ProxyMaxForwards
ProxyMaxForwards directive specifies the maximum number of proxies through which a request may walk, if no Max-Forwards header exists in the request. This directive allows to avoid infinite proxy
Example:
ProxyPass
ProxyPass directive allows remote servers to be mapped into the space of the local server; the local server does not act as a proxy in the conventional sense, but appears to be a mirror of the remote server. path is the name of a local virtual path; url is a partial URL for the remote server and cannot include a query string.
Note! If you put the ProxyPass directive into the httpd.conf file, it's necessary to explicitly specify the path parameter; but when using this directive inside a <Location> section or .htaccess, this parameter shall be omitted (mod_proxy will automatically apply the path specified in the <Location> section or the path to the .htaccess file as the ProxyPass path).
Example:
is equivalent to
ProxyRequests directive should usually be set to off when using ProxyPass. Say you have a local server http://domain.com/ then
will cause a local request to http://domain.com/mirror/foo/bar to be internally converted into a proxy request to http://backend.domain.com/bar.
The ! directive is used when you don't want to reverse proxy some subdirectory.
Example:
will proxy all requests to /mirror/foo to backend.domain.com except requests to /mirror/foo/i.
Note! Order is important. You need to put the exclusions before the general ProxyPass directive.
It is also possible to use pooled connections to the backend server. key=value parameters are used to adjust connection pooling.
And here is the list of parameters used when proxy acts as load balancer:
When used inside a <Location> section, the first argument is omitted and the local directory is obtained from the <Location>. If you need a more flexible reverse proxy configuration, consider using the RewriteRule directive with the [P] flag.
ProxyPassReverse
ProxyPassReverse directive adjusts the URL in the Location, Content-Location and URI headers of HTTP redirect responses. This is necessary when using a reverse proxy, so that HTTP redirects issued by the backend servers behind the reverse proxy do not cause clients to bypass it. Only the aforementioned HTTP response headers will be rewritten. This means that if the proxied content contains absolute URL references, they will bypass the proxy.
path is the name of a local virtual path; url is a partial URL for the remote server - they are used the same way as in the ProxyPass directive.
Example: Say the local server has address http://domain.com/.
The above code will cause a local request to http://domain.com/mirror/foo/bar to be internally treated as a proxy request to http://backend.domain.com/bar (ProxyPass functionality). It will also take care of redirects sent by the backend.domain.com server: when it redirects http://backend.domain.com/bar to http://backend.domain.com/quux, *** adjusts this to http://domain.com/mirror/foo/quux before forwarding the HTTP redirect response to the client.
Note that the ProxyPassReverse directive can also be used in conjunction with the proxy pass-through feature (RewriteRule ... [P]) from mod_rewrite because it doesn't depend on a corresponding ProxyPass directive.
When used inside a <Location> section, the first argument is omitted and the local directory is obtained from the <Location>.
ProxyPassReverseCookieDomain
ProxyPassReverseCookieDomain is used similarly to ProxyPassReverse, but it rewrites the domain string in Set-Cookie headers.
ProxyPassReverseCookiePath
ProxyPassReverseCookiePath is used similarly to ProxyPassReverse, but it rewrites the path string in Set-Cookie headers.
ProxyReceiveBufferSize
ProxyReceiveBufferSize directive specifies an explicit TCP/IP network buffer size for proxied HTTP and FTP connections to provide increased throughput. It has to be greater than 512 or set to 0 to specify that the system's default buffer size should be used.
Example:
ProxyRemote
ProxyRemote specifies remote proxies for this proxy. match is either the name of a URL scheme supported by the remote server, or a partial URL for which the remote server should be used, or * to indicate the server should be addressed for all requests. remote-server is a partial URL for the remote server (only the http protocol is supported).
Example:
ProxyRemote directive also supports reverse proxy configuration - a backend web server can be embedded into a virtual host URL space even if that server is hidden behind another forward proxy.
ProxyRemoteMatch
ProxyRemoteMatch is identical to the ProxyRemote directive, except that the first argument is a regular expression that is matched against the requested URL.
ProxyRequests
ProxyRequests directive enables or disables forward proxy functionality. If you are implementing a reverse proxy configuration, this option should be set to off.
Warning! Do not enable the ProxyRequests feature until your server is secured. Open proxy servers are dangerous for your network as well as for the Internet as a whole.
ProxyTimeout
ProxyTimeout directive allows you to specify a timeout for proxy requests. This is useful when you have a slow application server, and rather than wait unlimited time, it's better to return a timeout response.
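A small configuration audit tying together rules stated in this reference (forward proxy enabled, ProxyPass exclusion order, missing ProxyPassReverse, buffer-size limits), as an added example that is not part of the Helicon Ape documentation. The sample configuration is constructed, the function name audit_proxy_conf is hypothetical, and only httpd.conf-style ProxyPass lines with an explicit path are handled:

```python
# Added example: lint a mod_proxy configuration against rules from this page.
# SAMPLE_CONF is constructed for illustration; audit_proxy_conf is a
# hypothetical helper, not part of Helicon Ape.
SAMPLE_CONF = """\
ProxyRequests On
ProxyIOBufferSize 16384
ProxyPass /mirror/foo/ http://backend.domain.com/
ProxyPass /mirror/foo/i !
ProxyPass /app/ http://app.domain.com/
ProxyPassReverse /app/ http://app.domain.com/
"""

def audit_proxy_conf(text):
    """Return sorted (line_no, finding) pairs for risky or invalid settings."""
    findings, general, reversed_paths = [], [], set()
    for no, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        name, args = parts[0].lower(), parts[1:]
        num = int(args[0]) if args and args[0].isdigit() else None
        if name == "proxyrequests" and args and args[0].lower() == "on":
            findings.append((no, "forward proxy enabled; restrict access first"))
        elif name == "proxyiobuffersize" and num is not None and num > 8192:
            findings.append((no, "ProxyIOBufferSize must be <= 8192"))
        elif name == "proxyreceivebuffersize" and num is not None and 0 < num <= 512:
            findings.append((no, "ProxyReceiveBufferSize must be 0 or > 512"))
        elif name == "proxypassreverse" and args:
            reversed_paths.add(args[0])
        elif name == "proxypass" and len(args) >= 2 and args[0].startswith("/"):
            # Only the httpd.conf form (explicit local path) is handled.
            path, target = args[0], args[1]
            if target != "!":
                general.append((no, path))
            elif any(path.startswith(p) for _, p in general):
                # Exclusions must precede the general rule that covers them.
                findings.append((no, "exclusion listed after general ProxyPass"))
    for no, path in general:
        if path not in reversed_paths:
            # Backend redirects would point clients past the proxy.
            findings.append((no, "no ProxyPassReverse for " + path))
    return sorted(findings)

if __name__ == "__main__":
    for line_no, finding in audit_proxy_conf(SAMPLE_CONF):
        print(f"line {line_no}: {finding}")
```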
ProxyVia
ProxyVia directive controls the use of the Via: HTTP header by the proxy. It is intended to control the flow of proxy requests through a chain of proxy servers. The following values may be assigned to this directive: