How to set up a reverse proxy using Apache
A reverse proxy server acts as an intermediary for requests from clients seeking resources from other servers. It provides an additional layer of abstraction and control to ensure the smooth flow of network traffic between clients and servers. Apache, a popular web server software, can be easily configured as a reverse proxy server.
Using Apache as a reverse proxy means that Apache receives requests from the Internet and forwards them to servers in an internal network. Those servers process the requests and reply to Apache, which then sends the replies back to the client. This setup can be beneficial for load balancing, caching, and separating public from private network traffic.
Configuring Apache as a reverse proxy requires the use of the mod_proxy module, which is typically included in the default Apache installation. The module provides the necessary directives to handle proxy functions.
Steps to configure Apache as a reverse proxy server:
-
Launch terminal application.
-
Enable proxy and proxy_http module for Apache.
$ sudo a2enmod proxy proxy_http [sudo] password for user: Enabling module proxy. Considering dependency proxy for proxy_http: Module proxy already enabled Enabling module proxy_http. To activate the new configuration, you need to run: systemctl restart apache2
-
Distribution with a2enmod support can simply run the command above without having to manually enable the required modules.
-
CentOS and Red Hat enables both modules by default so requires no manual action to enable the modules.
Options Debian, Ubuntu openSUSE and SLES Fedora Core, CentOS, RHEL macOS homebrew xampp a2enmod support yes yes no no no no Modules to install none Module name n/a proxy, proxy_http Loadmodule directive n/a LoadModule proxy_module <module_locations>/mod_proxy.so
LoadModule proxy_http_module <module_locations>/mod_proxy_http.so -
-
Create or edit the virtual host file where you want to set up the reverse proxy using your preferred text editor.
$ sudo vi /etc/apache2/sites-available/your-site.conf
-
Add proxy configuration to desired VirtualHost setting.
<VirtualHost *:80> ProxyRequests Off <Proxy *> Order deny,allow Allow from all </Proxy> ProxyPass "/backend-service-01" "http://backend-service-01.local/" ProxyPassReverse "/backend-service-01" "http:///backend-service-01.local" ProxyPass "/backend-service-02" "http://backend-service-02.local/" ProxyPassReverse "/backend-service-02" "http://backend-service-02.local" </VirtualHost>
Directive/Option Description ProxyRequests Off Disables forward proxy requests. This is important for a reverse proxy setup to ensure that your server doesn't unintentionally act as a forward proxy. <Proxy *> … </Proxy> Defines access control for a proxy. The * means it applies to all proxied content. Order deny,allow Sets the order of processing the Deny and Allow directives. In this case, deny rules are processed before allow rules. Allow from all Allows access from all IP addresses. ProxyPass Maps remote servers into the namespace of the local server. For example, ProxyPass "/backend-service-01" "http://backend-service-01.local/" means that when someone accesses http://your-apache-server/backend-service-01, they are actually accessing http://backend-service-01.local/ behind the scenes. ProxyPassReverse Adjusts the URL in the Location, Content-Location, and URI headers on HTTP redirect responses. This is essential for ensuring that redirects issued by the backend server point to the reverse proxy, not the original server. -
Save and exit the editor.
-
Restart Apache to apply the changes.
$ sudo systemctl restart apache2 # Ubuntu, Debian, openSUSE and SLES $ sudo systemctl restart httpd # CentOS and Red Hat
-
Test direct access to backend service.
$ curl http://backend-service-01.local I am backend-service-01.local
The request will fail if the backend service is hosted in a private network under a NAT.
This test could also be done by browsing the URL using a web browser.
-
Test accessing backend service via configured Apache reverse proxy.
$ curl http://proxy-server/backend-service-01 I am backend-service-01.local