Hi All,
The other day I was asked to create a proxy. But not just any proxy. A proxy that could handle content and that could forward on and return login requests to a 3rd party.
Ok. So that bit was new. They have just asked me to configure a tiny Content Delivery Network.
So first things first. I cracked out the 12.04 server version of Ubuntu, installed it, configured it then installed Apache.
Nice and easy.
The reason why I chose Ubuntu over the other Linux builds is that the way Ubuntu package Apache makes it really, really easy to configure. I'm not going to go into which flavour of Linux is the best, neither do I care. This is because I AM A GROWN UP.
On with the show!
So you will need some bits and pieces to go with Apache. You will need the proxy, proxy_http and headers mods. You can install these by typing the following as root (or sudo):
a2enmod proxy
a2enmod proxy_http
a2enmod headers
Again, this is really easy stuff.
Now we have our mods installed lets go and configure something. First make sure that Apache is working.
sudo service apache2 restart
then point a browser at your server. You should get an 'It's Worked!' message.
Now for the config.
Go to /etc/apache2/sites-enabled
now use a text editor to edit 000-default.
Here is my config:
ProxyPreserveHost On
ProxyVia full
<proxy>
Order deny,allow
Allow from all
</proxy>
ProxyPass / http://xxx.xxx.xxx.xxx:8888/
ProxyPassReverse / http://xxx.xxx.xxx.xxx:8888/
Header edit location 192.168.1.2 192.168.1.2:81
Let's go through this bit by bit.
ProxyPreserveHost....this preserves the host IP in the headers
ProxyVia full...Adds the Via tag to the outgoing headers so we can see where the request came from
The next bit is the permissions for the proxy. Configure the permissions in this as if it was a website. Don't dump your proxy onto the internet with the settings above. It's not secure. This is instructions on how to make a proxy, not to make a secure proxy.
No we're into the fun bit.
ProxyPass / http://whateverIPorSite.com/
This makes incoming connections proxy out to whatever the target is.
ProxyPassReverse / http://whateverIPorSite.com/
This makes returning connections proxy back correctly
That is basically a proxy right there. It'll work. Restart Apache, point your browser at it and it'll work.
Now let's have some fun.
I have an authentication server somewhere up stream. It's a 3rd party service. My clients need to authenticate with that before getting the content they want. there are 2 streams to this. The authentication stream and the content stream. to make my life easier I decided that I would use 2 ports. Port 80 would handle authentication with the 3rd party provider and 81 would serve the content. to that end I created a new site on port 81 and put the content on it. Now we need to address that Header edit location line up there.
When you authenticate your 3rd party it should return a 302, in that return code you will get a header called "Location" this is where content is due to be served from. When you have a 3rd party site handling your authentication you don't necessarily want to download your content from them. You'd rather use Akamai or something. This means rewriting the header at the proxy, before it gets back to the client.
In my case I needed to change the port number. First the command:
Header edit Location
This tells the mod I want to edit one of the returning headers called Location.
Next I have: 192.168.1.2 192.168.1.2:81
What this does is tell the mod to replace the IP of the server, with the IP and the new port of the server. When the client gets the location header, it will pop off and download it from this source rather than the 3rd party authorisation provider.
Thats about it. Questions below.
thanks for reading.
Reverse proxies are great until you try to access a web application that hard codes URLs or rewrites the URLs to whatever it thinks it;s location is.
ReplyDeleteNagios and LiveLink never worked right through this setup.
Hi Cristi
ReplyDeleteThats right. this setup will only work if your upstream server returns a 302 as you need to munge the location header. Unless Livelink does that you're kind of stuck. From memory I think it just returns a 206 (partial content) or a 200(OK) depending on what URL you are using.
Apache can be configured to rewrite GET headers too, but that is a lot more....interesting, especially when it comes to CMSssss.
Trev