Configure a reverse proxy with Apache on Ubuntu

   -     -   (0)  -    4 minutes
  1. Introducing the Reverse Proxy
  2. Install Apache2 on Ubuntu
  3. Enable Reverse Proxy on Apache2
  4. Creating and configuring virtualhosts

Introducing the Reverse Proxy

In this tutorial, I will explain how to configure a reverse proxy with Apache on Ubuntu (By adapting the Apache installation commands, this tutorial can easily be transposed to other distributions).

Before getting into the technical part, let’s take a look at what a Reverse proxy is?

A reverse proxy is a (web) server that is placed before the destination web server where the web service (website) is hosted.

When computers consult a web service that uses a reverse proxy, they do not directly access the server where the application is located, the HTTP request arrives first on the reverse proxy, which then makes the request itself to the destination server.

It is the same principle as a proxy server that is found in companies to go on the Internet.

Using a reverse proxy has several advantages:

  • IP address saving (v4), the websites website1 and website2 will have the same IP address on the Internet, that of the reverse proxy.
  • Increase security level (Mod Security, Crowdsec, Fail2ban)
  • Reduce web server load with a cache system and/or SSL offload
  • Rewrite HTML content
  • Centralize SSL certificate management

For this tutorial I used a single computer with Ubuntu 22.04, to simulate the web servers where the websites are hosted I used Docker.

Install Apache2 on Ubuntu

By default Apache2 is available in the Ubuntu repositories, to benefit from the latest version of Apache or a more recent version of Apache2, I will go through the ppa:ondrej/apache2 repository.

Using the ppa:ondrej/apache2 repository is not mandatory.

Add the ppa:ondrej/apache2 repository:

sudo add-apt-repository ppa:ondrej/apache2

Confirm adding the repository by pressing the Enter key.

The deposit is added.

Update the package list:

sudo apt update

Install Apache2:

sudo apt install apache2 -y

Wait while Apache2 is installed on the server:

Apache2 is installed.

Enable Reverse Proxy on Apache2

By default Apache2 does not have the ability to be configured as a Reverse proxy, because Apache2 is mainly used as a web server.

In order for Apache2 to be used as a Reverse Proxy, you must activate the proxy_http module which is located in the folder : /etc/apache2/mods-available.

To view the list of active Apache2 modules, we can see them by listing the contents of the folder /etc/apache2/mods-enabled.

To enable the proxy_http mod enter the following command:

sudo a2enmod proxy_http

By enabling the proxy_http mod, the proxy mod was enabled as well.

To take into account the new modules, you must restart Apache2.

sudo systemctl restart apache2

If we look again in the /etc/apache2/mods-enabled folder, we can see the two modules proxy and proxy_http.

Creating and configuring virtualhosts

The operation of virtualhosts is the same whether you use Apache2 as a web server or as a reverse proxy, only the instructions will be different in the configuration file.

The virtualhosts files are created first in the folder /etc/apache2/sites-available.

Go to the folder:

cd /etc/apache2/sites-available

We will now create a file for the configuration of the Website1 site:

sudo nano reverse-proxy-website1.conf

Here is the content of the file:

The settings must be adapted to your environment

Explanations of the parameters:

SettingExplanation
ServerNameDomain name associated with virtualhost
ProxyPreserveHostOn|Off allows to keep the Host header when transferring the request to the destination server, if you use virtualhosts on the destination web server, it is imperative to leave this parameter at On.
ProxyRequestsOff If this directive is passed On, this allows Apache2 to act as a Proxy to go to the Internet like Squid.

For security reasons it must be set to Off otherwise it is possible to use the Apache2 service as a proxy to spoof an IP address.
ProxyPassAllows to match between the path in the url and the destination server.
Here we send all requests / to the web server http://127.0.0.1:20001/
ProxyPassReverseUsually we find the same value as ProxyPass, this allows to adjust the URL in the HTTP header

Now that the virtualhost configuration is complete, we will create a symbolic link in the /etc/apache2/sites-enabled folder to enable the configuration.

sudo ln -s /etc/apache2/sites-available/reverse-proxy-website1.conf /etc/apache2/sites-enabled/

Before reloading the configuration, we will test the configuration to ensure that there are no blocking errors:

apachectl configtest

If the syntax is OK, we can reload the configuration:

sudo systemctl reload apache2

We will now be able to test the configuration, before doing a test, make sure that the domain (url) points to the reverse proxy and not to the destination web server. This verification done, launch a browser went to the URL of the virtualhost.

We can ensure the passage through the Apache2 Reverse proxy by looking at the logs which are located/var/log/apache2/other_vhosts_access.log

sudo tail -f /var/log/apache2/other_vhosts_access.log

I won’t go into detail, just put the screenshots, but I will do the same thing for the Website2 site.

In the logs, I can validate the passage through the Reverse proxy.

For better readability of the logs, it is possible to separate the logs into different files for each virtualhost.

In the virtualhost configuration, we will add the LogLevel, ErrorLog and CustomLog parameters.

Reload the configuration to take the changes into account:

sudo systemctl reload apache2.

In the /var/log/apache2 folder, we can see the files:

Navigation logs are now recorded in the file dedicated to the virtualhost:

Now you know how to configure Apache as a Reverse proxy to protect your web servers.

Leave a Comment

 
© 2024