Intro: Configure Reverse Proxy With Apache On (RHEL7/CentOS7)

Recently at my job I was asked to publish an Apache web server for internet users. I was asked by the management to suggest a secure way to deploy web servers publicly; obviously security is the top concern when we talk about the internet. After some research on Google, I decided to use the reverse proxy Apache server approach, as it is the most commonly used and secure way to expose internal servers online.


Why Reverse Proxy:

The reverse proxy approach is used to build a secure web-server setup for your website. Using a reverse proxy is a simple and convenient way to allow access to servers on your trusted network from external networks, such as the internet. With Apache as a reverse proxy, all your servers remain hidden from the internet. This hides actual infrastructure information from the outside world, and the less information you expose, the better. If attackers are presented with actual information such as server names, ports and services, it becomes easier for them to attack.

What is Proxy?

The word “proxy” describes a situation where someone acts on behalf of someone else. In the IT domain, it means one server acts on behalf of another server or computer. A proxy server acts as a gateway between client and server, and also provides increased security and performance.

  • A proxy is simply a middleman between client and server communication.

There are mainly two types of proxy servers:

  • Forward proxy: also known as proxy server
  • Reverse proxy

Forward Proxy (Also Called Proxy Server):

A forward proxy server, commonly known simply as a proxy server, acts as a gateway for internal clients to access the internet. It protects internal clients by showing its own IP address, instead of the client’s IP, while communicating over the internet. The address of the proxy server is usually configured in the client’s browser settings so that all HTTP requests are routed via the proxy server. Forward proxy servers are typically operated by ISPs or by network administrators, e.g. Squid Web Proxy Server.

Forward Proxy Server Concept

Reverse Proxy:

A reverse proxy server acts as a gateway allowing access to internal servers from an external network. It accepts requests directly from clients on behalf of the actual web server and responds to the client with data. To a client, the reverse HTTP proxy server is the actual HTTP server, as it receives requests like an ordinary web server. The actual web server is not visible to internet clients, as it resides in the internal network with private IP addresses.

  • A single website may have several web-servers behind reverse proxy.

Reverse Proxy Concept

Summary

If you want to secure internal clients, put them behind a forward proxy. On the other hand, if your intention is to secure your servers from the internet, put them behind a reverse proxy.

Reverse Proxy Apache:

In this article we will see how to configure a reverse proxy Apache server using Apache virtual hosts. Before we start the actual configuration, let's look at the diagram below to understand the lab network we are going to use in this article.

Reverse Proxy Apache Lab Diagram

Diagram Explained:

The diagram above includes two servers and one client for testing. As shown in the diagram, the reverse proxy Apache server rpsrv.broexperts.com will receive external traffic on the WAN network and forward all HTTP requests to websrv.broexperts.com (an Apache web server) over the hidden HTTP port 9954. This is a custom-configured HTTP port on websrv.broexperts.com. Communication between the two servers will be completely invisible to client.broexperts.com.

1. Apache Installation:

I assume that you have done all the initial setup: a minimal version of CentOS 7 is installed and the network is set up with fully qualified hostnames. Before you start the installation, make sure everything is set up according to the lab diagram.

Step 1: Host File Entries

Make sure the /etc/hosts file contains fully qualified hostname entries pointing to the IP addresses as follows.

127.0.0.1       localhost
10.0.0.1    rpsrv rpsrv.broexperts.com
10.0.0.100      websrv websrv.broexperts.com

Step 2: Disable SE-Linux (On Both Servers)

To disable SELinux permanently, edit the file /etc/sysconfig/selinux.
Change the SELINUX=enforcing directive to SELINUX=disabled and restart the system.

vi /etc/sysconfig/selinux
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing  SELinux security policy is enforced.
# permissive SELinux prints warnings instead of enforcing.
# disabled No SELinux policy is loaded.
SELINUX=disabled
# SELINUXTYPE= can take one of these two values:
# targeted  Targeted processes are protected,
# mls Multi Level Security protection.
SELINUXTYPE=targeted

Save the file and RESTART the system. Without a restart, the SELinux mode will not be changed permanently.
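Added example, not part of the original article: this lab also works with SELinux left in enforcing mode, as long as httpd on websrv may listen on port 9954 and httpd on rpsrv may open connections to the backend. The script below reads the output of semanage port -l and getsebool (constructed samples are embedded; the function names are this example's own) and prints the command each server still needs.

```shell
#!/bin/sh
# Added example: work out which SELinux changes this lab needs so that the
# policy can stay in enforcing mode. Both samples below are constructed to
# look like stock CentOS 7 output; on a real host capture them with
#   semanage port -l        and        getsebool httpd_can_network_connect
SAMPLE_PORTS='http_port_t                    tcp      80, 81, 443, 488, 8008, 8009, 8443, 9000'
SAMPLE_BOOL='httpd_can_network_connect --> off'

# port_is_http PORT: stdin is "semanage port -l" text. Exit 0 when PORT is
# already labelled http_port_t for tcp (single ports and lo-hi ranges).
port_is_http() {
    awk -v want="$1" '
    $1 == "http_port_t" && $2 == "tcp" {
        for (i = 3; i <= NF; i++) {
            gsub(/,/, "", $i)
            n = split($i, r, "-")
            if (n == 1 && $i + 0 == want + 0) found = 1
            if (n == 2 && want + 0 >= r[1] + 0 && want + 0 <= r[2] + 0) found = 1
        }
    }
    END { exit !found }'
}

# selinux_plan ROLE PORT PORTS_TEXT BOOL_TEXT: print the command still needed.
#   backend (websrv): httpd must be allowed to listen on the custom port
#   proxy   (rpsrv):  httpd must be allowed to open connections to the backend
selinux_plan() {
    case $1 in
    backend)
        printf '%s\n' "$3" | port_is_http "$2" ||
            echo "semanage port -a -t http_port_t -p tcp $2" ;;
    proxy)
        case $4 in
        *'--> on') ;;
        *) echo "setsebool -P httpd_can_network_connect 1" ;;
        esac ;;
    esac
}

# Demo with the constructed samples and this article's backend port.
selinux_plan backend 9954 "$SAMPLE_PORTS" "$SAMPLE_BOOL"
selinux_plan proxy   9954 "$SAMPLE_PORTS" "$SAMPLE_BOOL"
```

On CentOS 7 the semanage command comes from the policycoreutils-python package.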

Step 3: Apache Installation

Log in as root and install Apache on both servers using the following command.

# yum install httpd -y

Step 4: Change Apache Default Port (On websrv.broexperts.com)

As shown in the diagram, the communication from rpsrv.broexperts.com to websrv.broexperts.com will be on the hidden HTTP port, which is 9954. To change the Apache default port 80 to 9954, open “/etc/httpd/conf/httpd.conf” in the Vi text editor and change the “Listen 80” directive to “Listen 9954” as follows.

Listen 9954

Step 5: Allow HTTP Traffic on Both Servers.

Allow port 9954 on websrv.broexperts.com to accept HTTP traffic.

firewall-cmd --permanent --add-port=9954/tcp
firewall-cmd --reload

Allow port 80 on rpsrv.broexperts.com.

firewall-cmd --permanent --add-service=http
firewall-cmd --reload

Step 6: Start Apache Service on Both Servers

Start Apache service and make sure it will start automatically on reboot.

systemctl start httpd
systemctl enable httpd

2. Reverse Proxy Apache Configuration:

Apache requires the “mod_proxy.so” and “mod_proxy_http.so” modules to proxy requests. These modules are loaded by default in RHEL7/CentOS7; to confirm they are available, check that the lines below are un-commented in the “/etc/httpd/conf/httpd.conf” file.

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

We will use the “ProxyPass” and “ProxyPassReverse” directives in the Apache configuration file to tell Apache where to proxy requests.

Step 1: Enable Reverse Proxy in Apache (Only on rpsrv.broexperts.com server)

After installing Apache Server from rpm, the reverse proxy module is enabled by default. If it is not, enable it by editing the “/etc/httpd/conf/httpd.conf” file, or for Apache 2.4 edit “/etc/httpd/conf.modules.d/00-proxy.conf”, then un-comment the lines below or add them if they are missing.

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

Step 2: Proxy Requests Configuration

We have the websrv.broexperts.com (IP: 10.0.0.100/24) server running Apache 2.4 on the custom-defined HTTP port 9954. After setting up request proxying on the rpsrv.broexperts.com server, our client.broexperts.com will be able to access the local web server via the reverse proxy. Refer to the diagram above for a clear view.

The directives below are important for setting up a reverse proxy in Apache.

  • ProxyRequests
  • ProxyPass
  • ProxyPassReverse

ProxyRequests:

This directive allows or prevents the Apache web server from functioning as a forward proxy server. In a typical reverse proxy this directive should be set to Off.

ProxyPass:

This maps URLs requested on rpsrv.broexperts.com onto the URL space of websrv.broexperts.com.

ProxyPassReverse:

This adjusts the URLs in HTTP response headers sent from the reverse-proxied server.

Configure httpd.conf (on rpsrv.broexperts.com)

Add the lines below at the very bottom of the rpsrv.broexperts.com server’s /etc/httpd/conf/httpd.conf file and restart Apache.

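# Never act as a forward proxy
ProxyRequests Off
# NameVirtualHost is not needed on Apache 2.4 and has been left out
<VirtualHost *:80>
    ServerAdmin admin@broexperts.com
    ServerName rpsrv.broexperts.com
    ServerAlias rpsrv
    ErrorLog logs/rpsrv.broexperts.com-error_log
    CustomLog logs/rpsrv.broexperts.com-access_log common
    # Forward every request to the backend web server on port 9954
    ProxyPass / http://websrv.broexperts.com:9954/
    # Same backend URL as ProxyPass, so backend redirects are rewritten
    # instead of exposing the internal host and port to the client
    ProxyPassReverse / http://websrv.broexperts.com:9954/
    RewriteEngine  On
</VirtualHost>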
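Added example, not part of the original article: a static check for the three directives described above. It flags ProxyRequests set to anything other than Off, and any ProxyPass path whose ProxyPassReverse is missing or names a different backend URL, since then redirects sent by the backend are not rewritten and reveal the internal host and port. The sample configuration is constructed and the function name is this example's own.

```shell
#!/bin/sh
# Added example: static check of the proxy directives in an httpd config.
# SAMPLE_CONF is constructed for illustration; it deliberately pairs a
# hostname in ProxyPass with an IP address in ProxyPassReverse.
SAMPLE_CONF='ProxyRequests Off
<VirtualHost *:80>
    ServerName rpsrv.broexperts.com
    ProxyPass / http://websrv.broexperts.com:9954/
    ProxyPassReverse / http://10.0.0.100:9954/
</VirtualHost>'

# audit_proxy_conf: reads config text on stdin and prints one finding per
# line; prints nothing when every check passes. Handles the two-argument
# "ProxyPass path url" form used in this article (not <Location> blocks).
audit_proxy_conf() {
    awk '
    { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }      # trim the line
    /^#/ || NF == 0 { next }                          # skip comments/blank
    { d = tolower($1) }                               # names are case-insensitive
    d == "proxyrequests" && tolower($2) != "off" {
        print "FORWARD-PROXY: ProxyRequests " $2
    }
    d == "proxypass" && $3 != "!" { pass[$2] = $3 }   # "!" excludes a path
    d == "proxypassreverse"       { rev[$2] = $3 }
    END {
        for (p in pass) {
            if (!(p in rev))
                print "NO-REVERSE: ProxyPass " p " has no ProxyPassReverse"
            else if (rev[p] != pass[p])
                print "MISMATCH: " p " -> " pass[p] " vs " rev[p]
        }
    }'
}

# Demo on the constructed sample (one MISMATCH finding is expected).
printf '%s\n' "$SAMPLE_CONF" | audit_proxy_conf
```

To check a real host, feed it the file instead of the sample: audit_proxy_conf < /etc/httpd/conf/httpd.conf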

Step 3: Setup HomePage for Local Server (websrv.broexperts.com)

Create an index.html file under the /var/www/html directory.

vi /var/www/html/index.html

Add below lines and save index.html file.

Index Page From Local Server
Index Page From Local Server

Step 4: Testing From Remote Client

Open a browser on client.broexperts.com and browse to the rpsrv.broexperts.com server address.

reverse proxy result page

Note: Before you browse to rpsrv.broexperts.com, add the entry below to DNS or to the client’s hosts file (c:\windows\system32\drivers\etc\hosts).

172.29.51.1        rpsrv.broexperts.com

That’s all. The client browser is showing the website hosted on our local server (websrv.broexperts.com), which means our client computer is able to browse the local server via the reverse proxy Apache server.
