Apache module mod_proxy

March 11, 2004 in Programming | Comments (0)

This is one of the greatest features of Apache that I’ve found yet. We have an application that offers some web services, but runs on a Windows server. We don’t want to put the Windows server on the front lines, so we proxy requests from a Linux Apache server to the Windows server behind the firewall.

To make this work, you have to enable the proxy. Here’s what the proxy directives look like in our httpd.conf file:

<IfModule mod_proxy.c>
    ProxyRequests On
    <Directory proxy:*>
      Order deny,allow
      Deny from all
      Allow from 10.0.1.0/16
    </Directory>
</IfModule>

The nice thing about this configuration is that it will allow anything on our internal network to be proxied through, but external requests get denied (that’s what the Allow from part does). We only consume the web services internally (server processes or wrapper pages that control access), so this lets us make the output from the services available without actually exposing the Windows web server on the wild web.

To make the Web Services Description Language (WSDL) files available, you can add a <Files> section and specify the extensions you want to let through from an external source (add this inside the IfModule block):

<Files "*.wsdl">
  Order deny,allow
  Deny from none
  Allow from all
</Files>

Now we can advertise the services publicly, even though we only satisfy them locally.
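As an added example (not code from the original post), this Python sketch evaluates the Order/Deny/Allow rules of the two blocks above for a given client address, following mod_access's documented Order semantics. It also shows that `10.0.1.0/16` is masked to the whole 10.0.0.0/16 range. It assumes each block is judged in isolation: it does not model how Apache merges sections or decides which section applies to a request, and host names and partial IPs are treated as never matching.

```python
import ipaddress

# The two access-control blocks from the page, copied here as sample input.
PROXY_BLOCK = """
Order deny,allow
Deny from all
Allow from 10.0.1.0/16
"""
WSDL_BLOCK = """
Order deny,allow
Deny from none
Allow from all
"""

def parse_rules(block):
    """Return (order, deny_specs, allow_specs) from Order/Deny/Allow lines."""
    order, deny, allow = "deny,allow", [], []  # deny,allow is the default order
    for line in block.splitlines():
        words = line.split()
        if len(words) < 2:
            continue
        key = words[0].lower()
        if key == "order":
            order = words[1].lower()
        elif key in ("deny", "allow") and words[1].lower() == "from":
            (deny if key == "deny" else allow).extend(words[2:])
    return order, deny, allow

def matches(spec, client):
    """True if a 'from' spec covers the client address."""
    if spec.lower() == "all":
        return True
    try:
        # strict=False masks off host bits, so 10.0.1.0/16 means 10.0.0.0/16.
        net = ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False  # simplification: host names and partial IPs never match
    return ipaddress.ip_address(client) in net

def is_allowed(block, client):
    """Apply the Order semantics to one block for one client IP."""
    order, deny, allow = parse_rules(block)
    denied = any(matches(s, client) for s in deny)
    allowed = any(matches(s, client) for s in allow)
    if order == "allow,deny":
        return allowed and not denied  # default deny, a Deny match wins
    return allowed or not denied       # deny,allow: default allow, Allow wins

if __name__ == "__main__":
    for ip in ("10.0.1.5", "10.0.200.9", "10.1.0.5", "203.0.113.7"):
        print(ip, "proxy:", is_allowed(PROXY_BLOCK, ip),
              "wsdl:", is_allowed(WSDL_BLOCK, ip))
```

The client addresses in the `__main__` section are constructed samples; 203.0.113.7 is from a documentation-only range and stands in for an external client.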

You then need to set up the virtual host sections for the proxied web sites. The virtual directory for the web services application should already be set up on the Windows server. In the ProxyPass directive, you specify the name of the directory to watch for, and then the HTTP mapping to the remote virtual directory on the Windows box.

<VirtualHost 10.0.1.1:80 ###.###.###.###:80>
  ServerName server.name.com
  DocumentRoot /www/services
  ProxyPass /RemoteServiceVirtualDir/ http://windows_server/RemoteServiceVirtualDir/
  <Directory /www/services>
    <Files *.htm*>
      SetHandler perl-script
      PerlHandler Apache::SSI
      PerlSetVar SSIPerlPass_Request no
    </Files>
    Options SymLinksIfOwnerMatch +ExecCGI
    AllowOverride All
    Order allow,deny
    Allow from all
  </Directory>
</VirtualHost>

Any requests for http://server.name.com/RemoteServiceVirtualDir will be forwarded to the Windows machine for resolution.



  1. Comment by Central Scrutinizer — March 11, 2004 at 2:43 pm  

    Well, when I wrote this I didn’t have a good way to test it outside our firewall. A friend of mine showed up online and tried it… my Allow from trick didn’t work a crap. Instead I had to go back and add File blocks for all the stuff I wanted to let through. Oh well. It’s still a very cool feature that helps me protect my Windows machine from the bad guys.