logo
Apache Lounge
Webmasters

 

About Forum Index Downloads Search Register Log in RSS X


Keep Server Online

If you find the Apache Lounge, the downloads and overall help useful, please express your satisfaction with a donation.

or

Bitcoin

A donation makes a contribution towards the costs, the time and effort that's going in this site and building.

Thank You! Steffen

Your donations will help to keep this site alive and well, and continuing building binaries. Apache Lounge is not sponsored.
Post new topic   Forum Index -> Apache View previous topic :: View next topic
Reply to topic   Topic: Reverse proxy help Page 1, 2  Next
Author
giopas



Joined: 18 Nov 2015
Posts: 29

PostPosted: Wed 18 Nov '15 11:44    Post subject: Reverse proxy help Reply with quote

Hello everybody,

I am an Apache noob and I would really appreciate your help.

My problem is that from work, I can no longer access to different services running on non standard ports on my NAS (a QNAP).

I have then decided to use the built-in QNAP Apache webserver to reverse-proxy such services on ports 80 and 443 (to which I can connect).

In particular I would like to:

1. set a Virtual Host (using sub1.domain.com) to connect to a service running on the same host (my QNAP) (http://localhost:58000)
2. set a Virtual Host (using sub2.domain.com) to connect to another host within the LAN (http://192.168.1.1:78080)
3. set a Virtual Host (using sub3.domain.com) to connect to an external website (e.g. https://www.google.com)

Here is what I did (in order to avoid misunderstanding I have explained everything from start to end), but of course it does not work and I think still need some tweak.

STEP 1:

a) backup original apache.conf

Code:
# mv /etc/config/apache/apache.conf  /etc/config/apache/extra/apache.conf_bkp


b) edit apache.conf

Code:
# nano /etc/config/apache/apache.conf


c) add following line

Code:
Include /etc/config/apache/extra/httpd-proxy.conf


d) save and exit


STEP 2:

a) create httpd-proxy.conf

Code:
# nano /etc/config/apache/extra/httpd-proxy.conf


b) add following lines

Code:
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so


c) save and exit

STEP 3:

a) backup original httpd-vhosts-user.conf and httpd-ssl-vhosts-user.conf

Code:
# mv /etc/config/apache/extra/httpd-vhosts-user.conf  /etc/config/apache/extra/httpd-vhosts-user.conf_bkp
# mv /etc/config/apache/extra/httpd-ssl-vhosts-user.conf  /etc/config/apache/extra/httpd-ssl-vhosts-user.conf_bkp


b) edit httpd-vhosts-user.conf as below

General sections (FYI, no change needed):

Code:
NameVirtualHost *:80

<VirtualHost _default_:80>
   DocumentRoot "/share/Web"
</VirtualHost>


1. Virtual Host to connect to the service running on http://localhost:58000

Code:
<VirtualHost *:80>
   ServerName sub1.domain.com
   DocumentRoot "/share/Web/sub1"

   ProxyPreserveHost On
   ProxyRequests Off
   ProxyVia Off
   ProxyPass /sub1 http://localhost:58000
   ProxyHTMLURLMap http://localhost:58000 /sub1

<Location /sub1>
   ProxyPassReverse /   
   ProxyHTMLInterp On
   ProxyHTMLURLMap  /      /sub1
   RequestHeader    unset  Accept-Encoding
</Location>

<Proxy *>
   AddDefaultCharset off   
   Order deny,allow
   Deny from all
   Allow from all
</Proxy>

<Directory "/share/Web/sub1">
   Options FollowSymLinks MultiViews
   Order allow,deny
   Allow from all
</Directory>   
</VirtualHost>


2. Virtual Host to connect to other service running on http://192.168.1.1:78080

Code:
<VirtualHost *:80>
   ServerName sub2.domain.com
   DocumentRoot "/share/Web/sub2"

   ProxyPreserveHost On
   ProxyRequests Off
   ProxyVia Off
   ProxyPass /sub2 http://192.168.1.1:78080
   ProxyHTMLURLMap http://192.168.1.1:78080 /sub2

<Location /Asus>
   ProxyPassReverse /
   ProxyHTMLInterp On
   ProxyHTMLURLMap  /      /sub2
   RequestHeader    unset  Accept-Encoding
</Location>

<Proxy *>
   AddDefaultCharset off
   Order deny,allow
   Deny from all
   Allow from all
</Proxy>

<Directory "/share/Web/sub2">
   Options FollowSymLinks MultiViews
   Order allow,deny
   Allow from all
</Directory>
</VirtualHost>


c) edit httpd-ssl-proxy.conf as below

General sections (FYI, no change needed):

Code:
NameVirtualHost *:443

<VirtualHost _default_:443>
   DocumentRoot "/share/Web"
</VirtualHost>


3. Virtual Host to connect to the given external site (e.g. google) [credits to kamal @ serverfault.com]

Code:
<VirtualHost *:443>
   ServerName sub3.domain.com

   ProxyPreserveHost On

<Proxy *>
   AddDefaultCharset off
   Order deny,allow
   Deny from all
   Allow from all
</Proxy>

   ProxyPass /sub3 https://www.google.com/
   ProxyHTMLURLMap https://www.google.com /sub3

<Location /sub3>
   ProxyPassReverse /
   ProxyHTMLInterp On
   ProxyHTMLURLMap  /      /sub3
   RequestHeader    unset  Accept-Encoding
</Location>
</VirtualHost>


STEP 4:

a) restart Apache

Code:
# /etc/init.d/Qthttpd.sh restart


However none of these Virtual Hosts work (I have a connection fail or endless loading).

I would be really obliged if therefore someone could help me out.

Thank you very much in advance!

giopas
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Thu 19 Nov '15 16:53    Post subject: Reply with quote

An easy reverse proxy inside a vhost would be

Code:

ProxyPass / http://192.168.1.1:78080/
ProxyPassReverse / 192.168.1.1:78080/
Back to top
giopas



Joined: 18 Nov 2015
Posts: 29

PostPosted: Thu 19 Nov '15 17:11    Post subject: Reply with quote

Thank you very much for your reply, JB!

So you mean that the below is simply wrong?

Code:
ProxyPass /sub2 http://192.168.1.1:78080
ProxyHTMLURLMap http://192.168.1.1:78080 /sub2


Shall I create an empty folder or this is not even necessary?

What other sections shall I include in the Vhost section?

giopas
Back to top
giopas



Joined: 18 Nov 2015
Posts: 29

PostPosted: Thu 19 Nov '15 18:17    Post subject: Reply with quote

Hey JB,

I have done as you said and started from the basics (starting from the service on localhost, which is KeyBox) Smile

If I do this it basically works:

Code:
<VirtualHost *:80>
    ServerName sub.domain.com
    ProxyPass / http://localhost:58000/
    ProxyPassReverse / http://localhost:58000/
</VirtualHost>


However I receive the following screen problem (the service runs on Jetty) you can see in the image. Basically I cannot write in the emulated terminal (it works great without proxy using my 3G connection on the phone).

CLICK FOR SCREENSHOT (sorry I could not upload it directly on a webhost)

How can I fix this? Shall I use some of the following options? Which one?

Code:
ProxyHTMLInterp On
ProxyHTMLURLMap / http://localhost:58000/
RequestHeader unset Accept-Encoding
ProxyPreserveHost On
ProxyRequests Off
ProxyVia Off
ProxyHTMLURLMap http://localhost:58000/ /

Thanks,

giopas

ps: having a (full functional) terminal access is already a very good achievement!
Back to top
giopas



Joined: 18 Nov 2015
Posts: 29

PostPosted: Thu 19 Nov '15 19:46    Post subject: Reply with quote

If I understand correctly from here, as KeyBox uses jetty, I should use something like this instead (deleting ProxyPassReverse / http://localhost:58000/ and adding other lines)?

Code:
<VirtualHost *:80>
    ServerName sub.domain.com
    ProxyPass / http://localhost:58000/
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyStatus On
    <Proxy *>
    Order deny,allow
    Allow from all
    </Proxy>
</VirtualHost>
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Fri 20 Nov '15 17:39    Post subject: Reply with quote

With jetty you might try mod_proxy_ajp that is designed for Java APP. I use it for my jenkins server.

Code:

<VirtualHost *:80>
    ServerName jenkins
    DocumentRoot "/mario/Apache22/htdocs"
    <Directory "/mario/Apache22/htdocs">
        Options Indexes Includes FollowSymLinks
        AllowOverride All
        Order Allow,Deny
        Allow from all
        Deny from none
    </Directory>
    <Location />
        ProxyPass ajp://localhost:8009/
        ProxyPassReverse ajp://localhost:8009/
    </Location>
</virtualhost>


How ever. Why didn't you addt the ProxyPassReverse, too ??

For your image I get some french error warning that hot linking is not allowed or I'm not a allowed to downlaod that file. ( my french is pretty poor)
Back to top
giopas



Joined: 18 Nov 2015
Posts: 29

PostPosted: Fri 20 Nov '15 17:53    Post subject: Reply with quote

Because the resource says:

Quote:
Frequently Apache documentation instructs that you use ProxyPassReverse configuration so that Apache can rewrite any URLs in headers. However, if you use the ProxyPreserveHost configuration, Jetty can generate the correct URLs, and rewriting is not necessary:

ProxyPreserveHost On


In relation to your suggestion, I have tried it, but it does not work (or maybe I cannot make it work...).

Could be this due to the fact that instructions are not in the appropriate order or redundant?

Meanwhile I have gone a bit further with KeyBox thanks to some help. But I still cannot make it working:

Code:
<VirtualHost *:80>
    ServerName sub.domain.com
    ProxyRequests Off
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
<LocationMatch "/admin/(terms.*)">
    ProxyPass ws://127.0.0.1:58000/$1
    ProxyPassReverse ws://127.0.0.1:58000/$1
roxyPass ajp://127.0.0.1:58000/$1
    ProxyPassReverse ajp://127.0.0.1:58000/$1</LocationMatch>
    ProxyPass / http://localhost:58000/
    ProxyPassReverse / http://localhost:58000/
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyStatus On
</VirtualHost>


Maybe I could try:

Code:
<LocationMatch "/admin/(terms.*)">
    ProxyPass ajp://127.0.0.1:58000/$1
    ProxyPassReverse ajp://127.0.0.1:58000/$1
</LocationMatch>

EDIT: I confirm that this does not solve the issue.

Moreover, I have solved at least one of the three Virtual Hosts problem:

Code:
<VirtualHost *:80>
ServerName sub2.domain.com
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location />
Order allow,deny
Allow from all
</Location>
ProxyPreserveHost On
ProxyPass / http://192.168.1.1/
ProxyPassReverse / http://192.168.1.1/
ProxyStatus On
</VirtualHost>

In this case the good think is that, since it is a router, I do not need to refer to any port on 192.168.1.1, since port 80 is open by default from within the LAN (I need to specify a port only if you access from WAN).

However I am completely stuck with the third code. In fact I suspect that since I want to connect to an https page and my 443 port on the NAS is already used by the NAS webUI (and I cannot run the webserver on ports other than 80 and 443), there is not much I can do.

By now I only have the following on http:

Code:
<VirtualHost *:80>
ServerName sub3.domain.com
ProxyRequests Off
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
<Location />
Order allow,deny
Allow from all
</Location>
ProxyPreserveHost On
ProxyPass / http://www.domain.com/
ProxyPassReverse / http://www.domain.com/
ProxyStatus On
</VirtualHost>

Do you see any other possible solutions?

Thanks!!
Back to top
giopas



Joined: 18 Nov 2015
Posts: 29

PostPosted: Mon 23 Nov '15 13:33    Post subject: Reply with quote

Hi,

just an update on the first "web socket proxy".

I discovered that I am running Apache 2.2.31 on my QNAP but that mod_proxy_wstunnel requires Apache > 2.4.5. I should then either upgrade Apache (but I would need QNAP to do it) or patch it.

Could then my problem be linked to this or it is a false problem?

Moreover, what do you think at proxying an https through http? To be more clear, I would like to access gmail through a reverse proxy...
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Thu 26 Nov '15 18:38    Post subject: Reply with quote

For accessing gmail you should really use a forward proxy and not a reverse proxy. There are many different domain names included when you open mail.google.com
Back to top
giopas



Joined: 18 Nov 2015
Posts: 29

PostPosted: Thu 26 Nov '15 18:56    Post subject: Reply with quote

could you please explain a bit more, I am not sure I am following...

EDIT: would a forward proxy allow me to jump corporate firewall restrictions? Smile
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Thu 26 Nov '15 19:15    Post subject: Reply with quote

Nope it wouldn't help you to cheat that firewall.

I had that problem once.. and solved it Wink https://mariobrandt.de/archives/technik/ssh-tunnel-bypassing-transparent-proxy-using-apache-170/
Back to top
giopas



Joined: 18 Nov 2015
Posts: 29

PostPosted: Thu 26 Nov '15 19:23    Post subject: Reply with quote

The problem with that solution is that you need to change proxy settings from the client browser. If I do so, I would be immediately disconnected from internet and alert IT Smile

That's why for SSH I prefer to use a web ssh terminal like shellinabox or keybox
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Fri 27 Nov '15 0:37    Post subject: Reply with quote

giopas wrote:
could you please explain a bit more, I am not sure I am following...


Ok a forward proxy is what you can't use...

What I wanted to say for mail.google.com. There are several other domains in HTML for dynamic and static content. The domain names are dynamic. For example gp6.googleusercontent.com clients1.google.com and so on. I think you can't cover all that domains in the reverse proxy.
Back to top
giopas



Joined: 18 Nov 2015
Posts: 29

PostPosted: Fri 27 Nov '15 9:03    Post subject: Reply with quote

OK in that case I will keep using my smartphone :-/

But if I want to use the reverse proxy for pastebin.com and/or WWW.chesspaste.com, how should I do? I tried a simple configuration but I receive redirect to Azure (and another cloud service provider) error telling that there is probably a DNS misconfiguration and that they not recognize my subdomain (of course).
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Sat 28 Nov '15 10:55    Post subject: Reply with quote

I suggest that you may use subdomains

Code:
<VirtualHost *:80>
    ServerName pastebin.yourdomain.com
    DocumentRoot "/Apache24/htdocs"
    <Directory "/Apache24/htdocs">
        Options Indexes Includes FollowSymLinks
        AllowOverride All
        Order Allow,Deny
        Allow from all
        Deny from none
    </Directory>
    <Location />
        ProxyPass http://pastebin.com/
        ProxyPassReverse http://pastebin.com/
    </Location>
</virtualhost>
<VirtualHost *:80>
    ServerName chesspaste.yourdomain.com
    DocumentRoot "/Apache24/htdocs"
    <Directory "/Apache24/htdocs">
        Options Indexes Includes FollowSymLinks
        AllowOverride All
        Order Allow,Deny
        Allow from all
        Deny from none
    </Directory>
    <Location />
        ProxyPass http://WWW.chesspaste.com/
        ProxyPassReverse http://WWW.chesspaste.com/
    </Location>
</virtualhost>
Back to top
giopas



Joined: 18 Nov 2015
Posts: 29

PostPosted: Sat 28 Nov '15 12:39    Post subject: Reply with quote

Thank you, it works for both Smile

I just have the problem now of creating the reverse proxy on apache 2.2.x on port 80 for KeyBox (which needs web sockets connections) accessible through reverse proxy on apache 2.4 on port 88... Confused

Thank you for your support!!
Back to top
giopas



Joined: 18 Nov 2015
Posts: 29

PostPosted: Thu 25 Feb '16 17:27    Post subject: Reply with quote

Hi JB,

I am back! Smile

I was reading again at your points on gmail.

What if I create a forward proxy on a virtual host apache and then use ngrok (https://ngrok.com/) as a reverse proxy? Would this works?

I have actually installed RainLoop to access gmail from behind a corporate firewall, but of course it is not possible to label emails, as this is - I believe - a non standard protocol used by gmail together with IMAP.

It would be great to build something that actually can make me access gmail (without using VNC of course Smile ).

What do you think?

Some readings (for me): https://trafficserver.readthedocs.org/en/5.3.x/admin/forward-proxy.en.html
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Fri 26 Feb '16 10:57    Post subject: Reply with quote

The concept of ngrock may work. I haven't tried it. Apache traffic server works only in Linux. I tried that beast but wasn't happy with it as I am with httpd apache.
Back to top
giopas



Joined: 18 Nov 2015
Posts: 29

PostPosted: Fri 26 Feb '16 11:04    Post subject: Reply with quote

Ngrok would only serve as bridge to jump corporate restrictions and connect to apache server. But how to configure apache to do that?

How to configure a virtual host of apache as forward proxy to gmail? Could you please give me an hand on that?

It is cool to learn apache trying to solve practical problems Smile
Back to top
James Blond
Moderator


Joined: 19 Jan 2006
Posts: 7373
Location: Germany, Next to Hamburg

PostPosted: Fri 26 Feb '16 11:11    Post subject: Reply with quote

a simple forward proxy
Code:

<VirtualHost _default_:80>

<IfModule mod_proxy.c>
    ProxyRequests On
    <Proxy *>
        AddDefaultCharset off
                Require ip 127.0.0.1
                Require ip ::1
    </Proxy>
    # https://httpd.apache.org/docs/current/mod/mod_proxy.html#proxyvia
    ProxyVia Block
</IfModule>


        ServerAdmin webmaster@localhost

        DocumentRoot /var/www/
        <Directory /var/www/>
                Options Indexes FollowSymLinks
                AllowOverride None
                Require all granted
        </Directory>
        ErrorLog /var/log/apache2/localhost_error.log

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/localhost_access.log combined
</VirtualHost>
Back to top


Reply to topic   Topic: Reverse proxy help View previous topic :: View next topic
Post new topic   Forum Index -> Apache Page 1, 2  Next