Reverse Proxy Server: Introduction

From The Uniform Server Wiki
Jump to navigation Jump to search

MPG UniCenter

MPG UniCenter

Uniform Server 3.5-Apollo
Reverse Proxy.

If you have searched the Wiki you will have wondered why so many mini-servers! These were designed to explore various aspects and architectures using multiple servers without the tedium of setting each server up from scratch. The following looks at reverse proxy servers.

Reverse proxy

A reverse proxy is all about hiding a bank of servers behind a main server. There are several reasons why you want to do this, for instance to reduce the load on your main server by allowing other servers to take the strain. These would be dedicated boxes running specific specialised tasks requiring raw computing power either to create web pages or to access and process data from databases before being served to an end user.

Other users may want to integrate various media from smaller servers such as web cameras or even part of an intranet. All these servers are hidden and not directly accessible from the Internet. It is the responsibility of the main server (reverse proxy) to grant and allow access from the Internet.

The advantage of this set-up, only one domain name required, password access if used is centralised. Hidden servers are all mapped into the main server's name space (fred.com) making them transparent to an end user.

http://fred.com/
http://fred.com/info/
http://fred.com/camera_1/
http://fred.com/camera_2/
http://fred.com/secrete_server/
http://fred.com/accounts/

Mapping is not complex its as easy as creating folders, assign each server a folder name, for example
info, camera_1, camera_2, secrete_server, accounts.

Suppose your domain name is fred.com a user would access the above by typing the URL's shown on the left into their browser address bar:

The real significance a user sees only a set of seamless folders for your domain. Your main server can still be used to server web pages the other servers are there to either reduce your main server load or to enhance content that is not possible any other way.


Main server is commonly referred to as a front-end server and all others as back-end servers.


Depending on your application all these servers can be run on the same PC, only downside will be in the amount of processing power required.


The following looks at server_a and server_b in detail.

Top

Front-end Server

For this tutorial you can use either Uniform Server 3.5-Apollo or mini-server 20 for the front-end server. They both require the same proxy files (modules), mini-server 20 comes complete with matching modules these cannot be used with Apollo if you decide to use Uniform server as a proxy server follow the instruction below to obtain the correct versions.

Uniform Server 3.5-Apollo Proxy Files

The required files for running a proxy server are not included with Uniform Server 3.5 no big deal. Go to Apache archive download site and download file apache_2.0.59-win32-x86-openssl-0.9.7j.msi to extract the binaries follow the instructions on this page Support and download.

mod_proxy.so
mod_proxy_http.so
mod_proxy_ftp.so
mod_proxy_connect.so

Copy these four files to folder:

\Uniform Server\udrive\usr\local\apache2\modules

Edit Apache's configuration file: httpd.conf
Located in folder: \Uniform Server\udrive\usr\local\apache2\conf

Locate these lines:

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_ftp_module modules/mod_proxy_ftp.so 

Un-comment as shown. (remove the hash #)

Restart server for the settings to take place.

That completes the set-up you can now use proxy commands in your configuration file this I cover this later.

Top

mini_server_20_reverse_proxy

This tutorial assumes you are using mini-server 20 download from this page advantage of this the server is preconfigured and includes several configuration files you can swap in while following each example.

Start the server; your browser will automatically start if not already running. The main index page displays four links, info, Wiki, Wordpress and Joomla. Click either link the expected result will be page not found, this server although fully functional has not been set-up to proxy any back-end servers. This will be addressed in the tutorial.

Top

Back-end Server Web Sites

In this tutorial I want our back-end server (server_b) to serve all web pages. Being lazy I will be using mini-server 6 check this page for details.

Run server 6 and type http://localhost:8086/ into your browser. An index page is displayed check out test sites test1; test2 and test3 ignore their content. What won’t be immediately apparent sites test1 and test 2 use relative links while site test3 uses web root relative links? You will see the significance of this latter.

Sites are accessible by typing the following into a browser:

  • http://localhost:8086/ -- Main index page
  • http://localhost:8086/test1/ -- Uses relative links
  • http://localhost:8086/test2/ -- Uses relative links
  • http://localhost:8086/test3/ -- Uses web root relative links

Both servers are now ready to run the tutorial examples.

Top

Security

Before I continue lets have a quick look at security issues. Although we are experimenting and well! Basically having a play it’s important to restrict access to the servers.

The only server allowed accessed from the Internet is our front-end server. The default installation of Uniform Server is to deny access. You can open the server to allow access especially if you want to perform real tests say using a DynDNS account or even your real domain.

Top

Front-end Server

Open the file .htaccess in folder \udrive\www and set the following three lines to suit your needs:

.htaccess (local access only)

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

 

.htaccess (on-line)

#Order Deny,Allow
#Deny from all
#Allow from 127.0.0.1

When running a reverse proxy on-line it must be prevented from being an open proxy otherwise any Internet user can use it for forwarding and covertly access the Internet through your server. OK sounds dramatic! The solution is to switch proxy requests off this prevents all external proxy requests being processed however internal ones are still honored.

Feeling paranoid! Well you can further restrict access by targeting a specific machine using a proxy block. Putting these two together gives the following block of code always add it before using a reverse proxy:

ProxyRequests off
<Proxy *>
  Order deny,allow
  Deny from all
  Allow from 127.0.0.1
</Proxy>

ProxyRequests off: Prevents any external requests through the proxy engine.

Optional

Proxy block: Not really required shown as an example it restricts local access only.

Most important is Proxy Requests Off

Note: When you put your servers on-line either remove the proxy block <Proxy *></Proxy> or replace the IP address with a list of IP addresses you wish to allow.

Top

Back-end Servers

Each back-end server requires an .htaccess file to restrict access as follows:

.htaccess (local access only)
Folder: \udrive\www

Order Deny,Allow
Deny from all
Allow from 127.0.0.1

If your back-end servers reside on a different machine change the “Allow from 127.0.0.1” to the IP address of the machine that is running the proxy server.

I cannot think of one reason why you would want to open any back-end servers so don’t, always restrict access.

Top

Summary

That completes the front and back-end server overview including security. Enabling the front-end server, as a proxy is straightforward un-comment the appropriate lines in Apache’s configuration file.

Both front and back-end server are ready to run its time to look at some practical proxy examples starting with a basic configuration.

Top


Ric