Apache Http Reverse Proxy
- Reverse proxy: a useful tool. A reverse proxy is a tool that intercepts and handles HTTP(S) requests. It can forward them to different servers and cache the responses, thus relieving the underlying web servers or distributing the load evenly across different systems. All in all, a very handy tool for busy services or multiple small.
- LoadModule proxy_module modules/mod_proxy.so LoadModule proxy_http_module modules/mod_proxy_http.so For Debian-based systems, use the following command to enable the proxy module with Apache: sudo a2enmod proxy 2. Configure Apache virtual hosts. Now we will start working with virtual hosts. We are creating three virtual hosts as below.
- Under Apache 1.x, mod_proxy only supported HTTP/1.0, but from Apache 2.0, it supports HTTP/1.1. This distinction is particularly important in a proxy, because one of the most significant changes between the two protocol versions is that HTTP/1.1 introduces rich new cache control mechanisms.
One of the most unique and useful features of Apache httpd's reverse proxy is the embedded balancer-manager application. Similar to mod_status, balancer-manager displays the current working configuration and status of the enabled balancers and workers currently in use.
Reverse Proxy and HTTP Redirects
As a reverse proxy cache, Traffic Server serves requests on behalf of origin servers. Traffic Server is configured in such a way that it appears to clients like a normal origin server.
Understanding Reverse Proxy Caching
With forward proxy caching, Traffic Server handles web requests to origin servers on behalf of the clients requesting the content. Reverse proxy caching (also known as server acceleration) is different because Traffic Server acts as a proxy cache on behalf of the origin servers that store the content. Traffic Server is configured to behave outwardly as the origin server which the client is trying to connect to. In a typical scenario the advertised hostname of the origin server resolves to Traffic Server, which serves client requests directly, fetching content from the true origin server when necessary.
Reverse Proxy Solutions
There are many ways to use Traffic Server as a reverse proxy. Below are a few example scenarios.
- Offload heavily-used origin servers.
- Deliver content efficiently in geographically distant areas.
- Provide security for origin servers that contain sensitive information.
Offloading Heavily-Used Origin Servers
Traffic Server can accept requests on behalf of the origin server and improve the speed and quality of web serving by reducing load and hot spots on backup origin servers. For example, a web hoster can maintain a scalable Traffic Server system with a set of low-cost, low-performance, less-reliable PC origin servers as backup servers. In fact, a single Traffic Server can act as the virtual origin server for multiple backup origin servers, as shown in the figure below.
[Figure: Traffic Server as reverse proxy for a pair of origin servers]
Delivering Content in Geographically-Dispersed Areas
Traffic Server can be used in reverse proxy mode to accelerate origin servers that provide content to areas not located within close geographical proximity. Caches are typically easier to manage and are more cost-effective than replicating data. For example, Traffic Server can be used as a mirror site on the far side of a trans-Atlantic link to serve users without having to fetch the request and content across expensive, or higher latency, international connections. Unlike replication, for which hardware must be configured to replicate all data and to handle peak capacity, Traffic Server dynamically adjusts to optimally use the serving and storing capacity of the hardware. Traffic Server is also designed to keep content fresh automatically, thereby eliminating the complexity of updating remote origin servers.
Providing Security for an Origin Server
Traffic Server can be used in reverse proxy mode to provide security for an origin server. If an origin server contains sensitive information that you want to keep secure inside your firewall, then you can use a Traffic Server outside the firewall as a reverse proxy for that origin server. When outside clients try to access the origin server, the requests instead go to Traffic Server. If the desired content is not sensitive, then it can be served from the cache. If the content is sensitive and not cacheable, then Traffic Server obtains the content from the origin server (the firewall allows only Traffic Server access to the origin server). The sensitive content resides on the origin server, safely inside the firewall.
How Does Reverse Proxy Work?
When a browser makes a request, it normally sends that request directly to the origin server. When Traffic Server is in reverse proxy mode, it intercepts the request before it reaches the origin server. Typically, this is done by setting up the DNS entry for the origin server (i.e., the origin server's advertised hostname) so it resolves to the Traffic Server IP address. When Traffic Server is configured as the origin server, the browser connects to Traffic Server rather than the origin server. For additional information, see HTTP Reverse Proxy.
Note
To avoid a DNS conflict, the origin server's hostname and its advertised hostname must not be the same.
HTTP Reverse Proxy
In reverse proxy mode, Traffic Server serves HTTP requests on behalf of a web server. The figure below illustrates how Traffic Server in reverse proxy mode serves an HTTP request from a client browser.
The figure above demonstrates the following steps:
1. A client browser sends an HTTP request addressed to a host called www.host.com on port 80. Traffic Server receives the request because it is acting as the origin server (the origin server's advertised hostname resolves to Traffic Server).
2. Traffic Server locates a map rule in the remap.config file and remaps the request to the specified origin server (realhost.com).
3. If the request cannot be served from cache, Traffic Server opens a connection to the origin server (or more likely, uses an existing connection it has pre-established), retrieves the content, and optionally caches it for future use.
4. If the request was a cache hit and the content is still fresh in the cache, or the content is now available through Traffic Server because of step 3, Traffic Server sends the requested object to the client from the cache directly.
Note
Traffic Server, when updating its own cache from the origin server, will simultaneously deliver that content to the client while updating its cache database. The response to the client containing the requested object will begin as soon as Traffic Server has received and processed the full response headers from the origin server.
To configure HTTP reverse proxy, you must perform the following tasks:
- Create mapping rules in the remap.config file (refer to Creating Mapping Rules for HTTP Requests).
- Enable the reverse proxy option (refer to Enabling HTTP Reverse Proxy).
In addition to the tasks above, you can also set optional HTTP reverse proxy options (refer to Setting Optional HTTP Reverse Proxy Options).
Handling Origin Server Redirect Responses
Origin servers often send redirect responses back to browsers, redirecting them to different pages. For example, if an origin server is overloaded, then it might redirect browsers to a less loaded server. Origin servers also redirect when web pages have moved to different locations. When Traffic Server is configured as a reverse proxy, it must readdress redirects from origin servers so that browsers are redirected to Traffic Server and not to another origin server.
To readdress redirects, Traffic Server uses reverse-map rules. Unless you have proxy.config.url_remap.pristine_host_hdr enabled (the default) you should generally set up a reverse-map rule for each map rule. To create reverse-map rules, refer to Using Mapping Rules for HTTP Requests.
Using Mapping Rules for HTTP Requests
Traffic Server uses two types of mapping rules for HTTP reverse proxy.
map rule
A map rule translates the URL in client requests into the URL where the content is located. When Traffic Server is in reverse proxy mode and receives an HTTP client request, it first constructs a complete request URL from the relative URL and its headers. Traffic Server then looks for a match by comparing the complete request URL with its list of target URLs in remap.config. For the request URL to match a target URL, the following conditions must be true:
- The scheme of both URLs must be the same.
- The host in both URLs must be the same. If the request URL contains an unqualified hostname, then it will never match a target URL with a fully-qualified hostname.
- The ports in both URLs must be the same. If no port is specified in a URL, then the default port for the scheme of the URL is used.
- The path portion of the target URL must match a prefix of the request URL path.
If Traffic Server finds a match, then it translates the request URL into the replacement URL listed in the map rule: it sets the host and path of the request URL to match the replacement URL. If the URL contains path prefixes, then Traffic Server removes the prefix of the path that matches the target URL path and substitutes it with the path from the replacement URL. If two mappings match a request URL, then Traffic Server applies the first mapping listed in remap.config.
reverse-map rule
A reverse-map rule translates the URL in origin server redirect responses to point to Traffic Server so that clients are redirected to Traffic Server instead of accessing an origin server directly. For example, if there is a directory /pub on an origin server at www.molasses.com and a client sends a request to that origin server for /pub, then the origin server might reply with a redirect by sending the header Location: http://realhost.com/pub/ to let the client know that it was a directory it had requested, not a document (a common use of redirects is to normalize URLs so that clients can bookmark documents properly).
Traffic Server uses reverse_map rules to prevent clients (that receive redirects from origin servers) from bypassing Traffic Server and directly accessing the origin servers. In many cases the client would be hitting a wall because realhost.com actually does not resolve for the client (for example, because it is running on a port shielded by a firewall, or because it is running on a non-routable LAN IP).
Both map and reverse-map rules consist of a target (origin) URL and a replacement (destination) URL. In a map rule, the target URL points to Traffic Server and the replacement URL specifies where the original content is located. In a reverse-map rule, the target URL specifies where the original content is located and the replacement URL points to Traffic Server. Traffic Server stores mapping rules in remap.config, located in the Traffic Server config directory.
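The matching and rewriting rules described above, as an added example (not Traffic Server's own code, and not from the original page): a simplified Python model that parses map and reverse_map lines, applies the four match conditions with first-match-wins ordering, and readdresses a Location header. The sample rules are constructed; www.host.com and realhost.com come from the walkthrough above, while img.realhost.com and the /images/ prefix are assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}

# Constructed sample rules in remap.config syntax (not from a real deployment).
SAMPLE_REMAP_CONFIG = """
# more specific rule first: the first matching rule wins
map http://www.host.com/images/ http://img.realhost.com/static/
map http://www.host.com/ http://realhost.com/
reverse_map http://realhost.com/ http://www.host.com/
"""


def parse_rules(text):
    """Return (map_rules, reverse_rules) as (target, replacement) lists in file order."""
    maps, reverses = [], []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3 or fields[0].startswith("#"):
            continue  # blank line, comment, or a directive this model ignores
        kind, target, replacement = fields
        if kind == "map":
            maps.append((target, replacement))
        elif kind == "reverse_map":
            reverses.append((target, replacement))
    return maps, reverses


def _parts(url):
    """Split a URL into (scheme, host, port, path), filling in the scheme's default port."""
    u = urlsplit(url)
    scheme = u.scheme.lower()
    port = u.port or DEFAULT_PORTS.get(scheme)
    return scheme, (u.hostname or "").lower(), port, u.path or "/"


def _translate(url, rules):
    """Apply the first rule whose scheme, host, port and path prefix all match."""
    scheme, host, port, path = _parts(url)
    query = urlsplit(url).query
    for target, replacement in rules:
        t_scheme, t_host, t_port, t_path = _parts(target)
        if (scheme, host, port) != (t_scheme, t_host, t_port):
            continue  # exact comparison: an unqualified host never matches an FQDN
        if not path.startswith(t_path):
            continue  # target path must be a prefix of the request path
        r = urlsplit(replacement)
        # Drop the matched prefix and substitute the replacement's path.
        new_path = r.path.rstrip("/") + "/" + path[len(t_path):].lstrip("/")
        return urlunsplit((r.scheme, r.netloc, new_path, query, ""))
    return None


def remap_request(host_header, request_target, map_rules, scheme="http"):
    """Build the complete request URL from Host header and relative URL, then map it."""
    return _translate(f"{scheme}://{host_header}{request_target}", map_rules)


def rewrite_location(location, reverse_rules):
    """Readdress an origin redirect; leave it unchanged if no reverse_map rule matches."""
    return _translate(location, reverse_rules) or location
```

A request that matches no rule returns None here, which corresponds to the request not being served when proxy.config.url_remap.remap_required is in effect.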
Creating Mapping Rules for HTTP Requests
To create mapping rules:
- Enter the map and reverse-map rules into remap.config.
- Run the command traffic_ctl config reload to apply the configuration changes.
Enabling HTTP Reverse Proxy
To enable HTTP reverse proxy:
- Edit proxy.config.reverse_proxy.enabled in records.config.
- Run the command traffic_ctl config reload to apply the configuration changes.
Setting Optional HTTP Reverse Proxy Options
Traffic Server provides several reverse proxy configuration options in records.config that enable you to:
- Configure Traffic Server to retain the client host header information in a request during translation. See proxy.config.url_remap.pristine_host_hdr.
- Configure Traffic Server to serve requests only to the origin servers listed in the mapping rules. As a result, requests to origin servers not listed in the mapping rules are not served. See proxy.config.url_remap.remap_required.
- Specify an alternate URL to which incoming requests from older clients, such as ones that do not provide Host headers, are directed. See proxy.config.header.parse.no_host_url_redirect.
Run the command traffic_ctl config reload to apply any of these configuration changes.
Redirecting HTTP Requests
You can configure Traffic Server to redirect HTTP requests without having to contact any origin servers. For example, if you redirect all requests for http://www.ultraseek.com to http://www.server1.com/products/portal/search/, then all HTTP requests for www.ultraseek.com go directly to www.server1.com/products/portal/search.
You can configure Traffic Server to perform permanent or temporary redirects. Permanent redirects notify the browser of the URL change (by returning the HTTP status code 301) so that the browser can update bookmarks. Temporary redirects notify the browser of the URL change for the current request only (by returning the HTTP status code 307).
To set redirect rules:
- For each redirect you want to set, enter a mapping rule in remap.config.
- Run the command traffic_ctl config reload to apply the configuration changes.
Example
The following permanently redirects all HTTP requests for www.server1.com to www.server2.com: