Author |
|
giopas
Joined: 18 Nov 2015 Posts: 29
|
Posted: Wed 18 Nov '15 11:44 Post subject: Reverse proxy help |
|
|
Hello everybody,
I am an Apache noob and I would really appreciate your help.
My problem is that from work, I can no longer access to different services running on non standard ports on my NAS (a QNAP).
I have then decided to use the built-in QNAP Apache webserver to reverse-proxy such services on ports 80 and 443 (to which I can connect).
In particular I would like to:
1. set a Virtual Host (using sub1.domain.com) to connect to a service running on the same host (my QNAP) (http://localhost:58000)
2. set a Virtual Host (using sub2.domain.com) to connect to another host within the LAN (http://192.168.1.1:78080)
3. set a Virtual Host (using sub3.domain.com) to connect to an external website (e.g. https://www.google.com)
Here is what I did (in order to avoid misunderstanding I have explained everything from start to end), but of course it does not work and I think still need some tweak.
STEP 1:
a) backup original apache.conf
Code: | # mv /etc/config/apache/apache.conf /etc/config/apache/extra/apache.conf_bkp |
b) edit apache.conf
Code: | # nano /etc/config/apache/apache.conf |
c) add following line
Code: | Include /etc/config/apache/extra/httpd-proxy.conf |
d) save and exit
STEP 2:
a) create httpd-proxy.conf
Code: | # nano /etc/config/apache/extra/httpd-proxy.conf |
b) add following lines
Code: | LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so |
c) save and exit
STEP 3:
a) backup original httpd-vhosts-user.conf and httpd-ssl-vhosts-user.conf
Code: | # mv /etc/config/apache/extra/httpd-vhosts-user.conf /etc/config/apache/extra/httpd-vhosts-user.conf_bkp
# mv /etc/config/apache/extra/httpd-ssl-vhosts-user.conf /etc/config/apache/extra/httpd-ssl-vhosts-user.conf_bkp |
b) edit httpd-vhosts-user.conf as below
General sections (FYI, no change needed):
Code: | NameVirtualHost *:80
<VirtualHost _default_:80>
DocumentRoot "/share/Web"
</VirtualHost> |
1. Virtual Host to connect to the service running on http://localhost:58000
Code: | <VirtualHost *:80>
ServerName sub1.domain.com
DocumentRoot "/share/Web/sub1"
ProxyPreserveHost On
ProxyRequests Off
ProxyVia Off
ProxyPass /sub1 http://localhost:58000
ProxyHTMLURLMap http://localhost:58000 /sub1
<Location /sub1>
ProxyPassReverse /
ProxyHTMLInterp On
ProxyHTMLURLMap / /sub1
RequestHeader unset Accept-Encoding
</Location>
<Proxy *>
AddDefaultCharset off
Order deny,allow
Deny from all
Allow from all
</Proxy>
<Directory "/share/Web/sub1">
Options FollowSymLinks MultiViews
Order allow,deny
Allow from all
</Directory>
</VirtualHost> |
2. Virtual Host to connect to other service running on http://192.168.1.1:78080
Code: | <VirtualHost *:80>
ServerName sub2.domain.com
DocumentRoot "/share/Web/sub2"
ProxyPreserveHost On
ProxyRequests Off
ProxyVia Off
ProxyPass /sub2 http://192.168.1.1:78080
ProxyHTMLURLMap http://192.168.1.1:78080 /sub2
<Location /Asus>
ProxyPassReverse /
ProxyHTMLInterp On
ProxyHTMLURLMap / /sub2
RequestHeader unset Accept-Encoding
</Location>
<Proxy *>
AddDefaultCharset off
Order deny,allow
Deny from all
Allow from all
</Proxy>
<Directory "/share/Web/sub2">
Options FollowSymLinks MultiViews
Order allow,deny
Allow from all
</Directory>
</VirtualHost> |
c) edit httpd-ssl-proxy.conf as below
General sections (FYI, no change needed):
Code: | NameVirtualHost *:443
<VirtualHost _default_:443>
DocumentRoot "/share/Web"
</VirtualHost> |
3. Virtual Host to connect to the given external site (e.g. google) [credits to kamal @ serverfault.com]
Code: | <VirtualHost *:443>
ServerName sub3.domain.com
ProxyPreserveHost On
<Proxy *>
AddDefaultCharset off
Order deny,allow
Deny from all
Allow from all
</Proxy>
ProxyPass /sub3 https://www.google.com/
ProxyHTMLURLMap https://www.google.com /sub3
<Location /sub3>
ProxyPassReverse /
ProxyHTMLInterp On
ProxyHTMLURLMap / /sub3
RequestHeader unset Accept-Encoding
</Location>
</VirtualHost> |
STEP 4:
a) restart Apache
Code: | # /etc/init.d/Qthttpd.sh restart |
However none of these Virtual Hosts work (I have a connection fail or endless loading).
I would be really obliged if therefore someone could help me out.
Thank you very much in advance!
giopas |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
|
Posted: Thu 19 Nov '15 16:53 Post subject: |
|
|
An easy reverse proxy inside a vhost would be
Code: |
ProxyPass / http://192.168.1.1:78080/
ProxyPassReverse / 192.168.1.1:78080/
|
|
|
Back to top |
|
giopas
Joined: 18 Nov 2015 Posts: 29
|
Posted: Thu 19 Nov '15 17:11 Post subject: |
|
|
Thank you very much for your reply, JB!
So you mean that the below is simply wrong?
Code: | ProxyPass /sub2 http://192.168.1.1:78080
ProxyHTMLURLMap http://192.168.1.1:78080 /sub2 |
Shall I create an empty folder or this is not even necessary?
What other sections shall I include in the Vhost section?
giopas |
|
Back to top |
|
giopas
Joined: 18 Nov 2015 Posts: 29
|
Posted: Thu 19 Nov '15 18:17 Post subject: |
|
|
Hey JB,
I have done as you said and started from the basics (starting from the service on localhost, which is KeyBox)
If I do this it basically works:
Code: | <VirtualHost *:80>
ServerName sub.domain.com
ProxyPass / http://localhost:58000/
ProxyPassReverse / http://localhost:58000/
</VirtualHost> |
However I receive the following screen problem (the service runs on Jetty) you can see in the image. Basically I cannot write in the emulated terminal (it works great without proxy using my 3G connection on the phone).
CLICK FOR SCREENSHOT (sorry I could not upload it directly on a webhost)
How can I fix this? Shall I use some of the following options? Which one?
Code: | ProxyHTMLInterp On
ProxyHTMLURLMap / http://localhost:58000/
RequestHeader unset Accept-Encoding
ProxyPreserveHost On
ProxyRequests Off
ProxyVia Off
ProxyHTMLURLMap http://localhost:58000/ / |
Thanks,
giopas
ps: having a (full functional) terminal access is already a very good achievement! |
|
Back to top |
|
giopas
Joined: 18 Nov 2015 Posts: 29
|
Posted: Thu 19 Nov '15 19:46 Post subject: |
|
|
If I understand correctly from here, as KeyBox uses jetty, I should use something like this instead (deleting ProxyPassReverse / http://localhost:58000/ and adding other lines)?
Code: | <VirtualHost *:80>
ServerName sub.domain.com
ProxyPass / http://localhost:58000/
ProxyRequests Off
ProxyPreserveHost On
ProxyStatus On
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
</VirtualHost> |
|
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
|
Posted: Fri 20 Nov '15 17:39 Post subject: |
|
|
With jetty you might try mod_proxy_ajp that is designed for Java APP. I use it for my jenkins server.
Code: |
<VirtualHost *:80>
ServerName jenkins
DocumentRoot "/mario/Apache22/htdocs"
<Directory "/mario/Apache22/htdocs">
Options Indexes Includes FollowSymLinks
AllowOverride All
Order Allow,Deny
Allow from all
Deny from none
</Directory>
<Location />
ProxyPass ajp://localhost:8009/
ProxyPassReverse ajp://localhost:8009/
</Location>
</virtualhost>
|
How ever. Why didn't you addt the ProxyPassReverse, too ??
For your image I get some french error warning that hot linking is not allowed or I'm not a allowed to downlaod that file. ( my french is pretty poor) |
|
Back to top |
|
giopas
Joined: 18 Nov 2015 Posts: 29
|
Posted: Fri 20 Nov '15 17:53 Post subject: |
|
|
Because the resource says:
Quote: | Frequently Apache documentation instructs that you use ProxyPassReverse configuration so that Apache can rewrite any URLs in headers. However, if you use the ProxyPreserveHost configuration, Jetty can generate the correct URLs, and rewriting is not necessary:
ProxyPreserveHost On |
In relation to your suggestion, I have tried it, but it does not work (or maybe I cannot make it work...).
Could be this due to the fact that instructions are not in the appropriate order or redundant?
Meanwhile I have gone a bit further with KeyBox thanks to some help. But I still cannot make it working:
Code: | <VirtualHost *:80>
ServerName sub.domain.com
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<LocationMatch "/admin/(terms.*)">
ProxyPass ws://127.0.0.1:58000/$1
ProxyPassReverse ws://127.0.0.1:58000/$1
roxyPass ajp://127.0.0.1:58000/$1
ProxyPassReverse ajp://127.0.0.1:58000/$1</LocationMatch>
ProxyPass / http://localhost:58000/
ProxyPassReverse / http://localhost:58000/
ProxyRequests Off
ProxyPreserveHost On
ProxyStatus On
</VirtualHost> |
Maybe I could try:
Code: | <LocationMatch "/admin/(terms.*)">
ProxyPass ajp://127.0.0.1:58000/$1
ProxyPassReverse ajp://127.0.0.1:58000/$1
</LocationMatch> |
EDIT: I confirm that this does not solve the issue.
Moreover, I have solved at least one of the three Virtual Hosts problem:
Code: | <VirtualHost *:80>
ServerName sub2.domain.com
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location />
Order allow,deny
Allow from all
</Location>
ProxyPreserveHost On
ProxyPass / http://192.168.1.1/
ProxyPassReverse / http://192.168.1.1/
ProxyStatus On
</VirtualHost> |
In this case the good think is that, since it is a router, I do not need to refer to any port on 192.168.1.1, since port 80 is open by default from within the LAN (I need to specify a port only if you access from WAN).
However I am completely stuck with the third code. In fact I suspect that since I want to connect to an https page and my 443 port on the NAS is already used by the NAS webUI (and I cannot run the webserver on ports other than 80 and 443), there is not much I can do.
By now I only have the following on http:
Code: | <VirtualHost *:80>
ServerName sub3.domain.com
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location />
Order allow,deny
Allow from all
</Location>
ProxyPreserveHost On
ProxyPass / http://www.domain.com/
ProxyPassReverse / http://www.domain.com/
ProxyStatus On
</VirtualHost> |
Do you see any other possible solutions?
Thanks!! |
|
Back to top |
|
giopas
Joined: 18 Nov 2015 Posts: 29
|
Posted: Mon 23 Nov '15 13:33 Post subject: |
|
|
Hi,
just an update on the first "web socket proxy".
I discovered that I am running Apache 2.2.31 on my QNAP but that mod_proxy_wstunnel requires Apache > 2.4.5. I should then either upgrade Apache (but I would need QNAP to do it) or patch it.
Could then my problem be linked to this or it is a false problem?
Moreover, what do you think at proxying an https through http? To be more clear, I would like to access gmail through a reverse proxy... |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
|
Posted: Thu 26 Nov '15 18:38 Post subject: |
|
|
For accessing gmail you should really use a forward proxy and not a reverse proxy. There are many different domain names included when you open mail.google.com |
|
Back to top |
|
giopas
Joined: 18 Nov 2015 Posts: 29
|
Posted: Thu 26 Nov '15 18:56 Post subject: |
|
|
could you please explain a bit more, I am not sure I am following...
EDIT: would a forward proxy allow me to jump corporate firewall restrictions? |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
|
|
Back to top |
|
giopas
Joined: 18 Nov 2015 Posts: 29
|
Posted: Thu 26 Nov '15 19:23 Post subject: |
|
|
The problem with that solution is that you need to change proxy settings from the client browser. If I do so, I would be immediately disconnected from internet and alert IT
That's why for SSH I prefer to use a web ssh terminal like shellinabox or keybox |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
|
Posted: Fri 27 Nov '15 0:37 Post subject: |
|
|
giopas wrote: | could you please explain a bit more, I am not sure I am following...
|
Ok a forward proxy is what you can't use...
What I wanted to say for mail.google.com. There are several other domains in HTML for dynamic and static content. The domain names are dynamic. For example gp6.googleusercontent.com clients1.google.com and so on. I think you can't cover all that domains in the reverse proxy. |
|
Back to top |
|
giopas
Joined: 18 Nov 2015 Posts: 29
|
Posted: Fri 27 Nov '15 9:03 Post subject: |
|
|
OK in that case I will keep using my smartphone :-/
But if I want to use the reverse proxy for pastebin.com and/or WWW.chesspaste.com, how should I do? I tried a simple configuration but I receive redirect to Azure (and another cloud service provider) error telling that there is probably a DNS misconfiguration and that they not recognize my subdomain (of course). |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
|
Posted: Sat 28 Nov '15 10:55 Post subject: |
|
|
I suggest that you may use subdomains
Code: | <VirtualHost *:80>
ServerName pastebin.yourdomain.com
DocumentRoot "/Apache24/htdocs"
<Directory "/Apache24/htdocs">
Options Indexes Includes FollowSymLinks
AllowOverride All
Order Allow,Deny
Allow from all
Deny from none
</Directory>
<Location />
ProxyPass http://pastebin.com/
ProxyPassReverse http://pastebin.com/
</Location>
</virtualhost>
<VirtualHost *:80>
ServerName chesspaste.yourdomain.com
DocumentRoot "/Apache24/htdocs"
<Directory "/Apache24/htdocs">
Options Indexes Includes FollowSymLinks
AllowOverride All
Order Allow,Deny
Allow from all
Deny from none
</Directory>
<Location />
ProxyPass http://WWW.chesspaste.com/
ProxyPassReverse http://WWW.chesspaste.com/
</Location>
</virtualhost> |
|
|
Back to top |
|
giopas
Joined: 18 Nov 2015 Posts: 29
|
Posted: Sat 28 Nov '15 12:39 Post subject: |
|
|
Thank you, it works for both
I just have the problem now of creating the reverse proxy on apache 2.2.x on port 80 for KeyBox (which needs web sockets connections) accessible through reverse proxy on apache 2.4 on port 88...
Thank you for your support!! |
|
Back to top |
|
giopas
Joined: 18 Nov 2015 Posts: 29
|
Posted: Thu 25 Feb '16 17:27 Post subject: |
|
|
Hi JB,
I am back!
I was reading again at your points on gmail.
What if I create a forward proxy on a virtual host apache and then use ngrok (https://ngrok.com/) as a reverse proxy? Would this works?
I have actually installed RainLoop to access gmail from behind a corporate firewall, but of course it is not possible to label emails, as this is - I believe - a non standard protocol used by gmail together with IMAP.
It would be great to build something that actually can make me access gmail (without using VNC of course ).
What do you think?
Some readings (for me): https://trafficserver.readthedocs.org/en/5.3.x/admin/forward-proxy.en.html |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
|
Posted: Fri 26 Feb '16 10:57 Post subject: |
|
|
The concept of ngrock may work. I haven't tried it. Apache traffic server works only in Linux. I tried that beast but wasn't happy with it as I am with httpd apache. |
|
Back to top |
|
giopas
Joined: 18 Nov 2015 Posts: 29
|
Posted: Fri 26 Feb '16 11:04 Post subject: |
|
|
Ngrok would only serve as bridge to jump corporate restrictions and connect to apache server. But how to configure apache to do that?
How to configure a virtual host of apache as forward proxy to gmail? Could you please give me an hand on that?
It is cool to learn apache trying to solve practical problems |
|
Back to top |
|
James Blond Moderator
Joined: 19 Jan 2006 Posts: 7373 Location: Germany, Next to Hamburg
|
Posted: Fri 26 Feb '16 11:11 Post subject: |
|
|
a simple forward proxy
Code: |
<VirtualHost _default_:80>
<IfModule mod_proxy.c>
ProxyRequests On
<Proxy *>
AddDefaultCharset off
Require ip 127.0.0.1
Require ip ::1
</Proxy>
# https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxyvia
ProxyVia Block
</IfModule>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/
<Directory /var/www/>
Options Indexes FollowSymLinks
AllowOverride None
Require all granted
</Directory>
ErrorLog /var/log/apache2/localhost_error.log
# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel warn
CustomLog /var/log/apache2/localhost_access.log combined
</VirtualHost>
|
|
|
Back to top |
|