Linux Proxy Server

This article describes the configuration required to set up an Ubuntu Linux server as a reverse proxy server. A reverse proxy server is typically used to protect an HTTP-based service or to provide HTTPS for an HTTP service.

There are several benefits to using a reverse proxy. In this case, the reverse proxy gives a RESTful web application HTTPS (SSL) access when the application server only supports HTTP. Certificates are configured on the reverse proxy server to provide an encrypted connection between clients and the proxy. The connection from the proxy to the application server remains plain HTTP.

Prerequisites

An Ubuntu Linux server is used for the proxy server. The Ubuntu server installation is not included in this article.

Installation

On the Ubuntu server, the first step is to update the package source list using the update command of apt-get, the package management tool. It is also recommended to upgrade the installed packages to obtain the latest security updates.

sudo apt-get update
sudo apt-get upgrade

Use apt-get to install the Apache httpd server. Then use the Apache a2enmod tool to enable the proxy_http and headers modules.

sudo apt-get install apache2

sudo a2enmod proxy_http

sudo a2enmod headers

The following servers are used in this example.

The reverse proxy server

mb-ncs51-rp1
ubuntu
10.63.146.52

The RESTful application server

mb-ncs4-1
win2k8r2
10.63.146.50

Configuring Apache httpd

The first step after installation is to edit the default site file (paths here are relative to /etc/apache2):

sudo vi sites-available/default

Then add the following section to create a virtual host:

<VirtualHost *:8080>
	ProxyPreserveHost On

	ProxyPass / http://10.63.146.50:8080/
	ProxyPassReverse / http://10.63.146.50:8080/
	
	ServerName localhost
</VirtualHost>

Next, restart httpd to load the new configuration.

dev1@mb-ncs51-rp1:/etc/apache2$ sudo service apache2 restart
 * Restarting web server apache2
 ... waiting
 [ OK ]
dev1@mb-ncs51-rp1:/etc/apache2$ 

Add a listener for port 8080 by editing ports.conf:

sudo vi ports.conf

Then add the following to the file:

NameVirtualHost *:8080
Listen 8080

Configure HTTPS or SSL

To access the HTTP RESTful service over HTTPS, configure the proxy server to provide the HTTPS connection by enabling the ssl module and the default-ssl site, then restarting httpd.

dev1@server:/etc/apache2$ sudo a2enmod ssl
dev1@server:/etc/apache2$ sudo a2ensite default-ssl
dev1@server:/etc/apache2$ sudo service apache2 restart

The following directories store the required certificates.

/etc/ssl/certs
/etc/ssl/private

The certificate and its private key are identified in the httpd configuration file with the following directives.

SSLCertificateFile
SSLCertificateKeyFile

To check the enabled modules and sites, list the mods-enabled and sites-enabled directories:

dev1@mb-ncs51-rp1:/etc/apache2$ ls mods-enabled
alias.conf          authz_groupfile.load  cgid.conf     dir.load      negotiation.conf  reqtimeout.conf  ssl.load
alias.load          authz_host.load       cgid.load     env.load      negotiation.load  reqtimeout.load  status.conf
auth_basic.load     authz_user.load       deflate.conf  headers.load  proxy.conf        setenvif.conf    status.load
authn_file.load     autoindex.conf        deflate.load  mime.conf     proxy_http.load   setenvif.load
authz_default.load  autoindex.load        dir.conf      mime.load     proxy.load        ssl.conf

Finished default-ssl site file

<IfModule mod_ssl.c>
<VirtualHost *:443>
        ServerAdmin webmaster@localhost

        ErrorLog ${APACHE_LOG_DIR}/error.log

        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

        SSLEngine on

        SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

        BrowserMatch "MSIE [2-6]" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0
        BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown

        ProxyPreserveHost On

        ProxyPass / http://mb-ncs51-mono:8080/
        ProxyPassReverse / http://mb-ncs51-mono:8080/

        ServerName mb-ncs51-rp1.qa.mda.netapp.com
        ServerAlias mb-ncs51-rp1

</VirtualHost>
</IfModule>
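
One way to check the finished site files for risky proxy settings, as an added example that is not part of the original article: the hypothetical audit_vhosts shell function below flags a virtual host that proxies without SSLEngine on, the placeholder snakeoil certificate, and ProxyRequests On. The sample input is constructed from the two virtual hosts shown in this article.

```shell
#!/bin/sh
# Added example (not from the article): audit_vhosts is a hypothetical helper.
# Usage: audit_vhosts FILE...   prints "<file>:<vhost>: <finding>", one per line.
audit_vhosts() {
    awk '
    function report(msg) { printf "%s:%s: %s\n", FILENAME, vhost, msg }
    BEGIN { vhost = "global" }
    $1 ~ /^#/ { next }                       # skip comment lines
    { d = tolower($1); arg = tolower($2) }   # directive names are case-insensitive
    d == "<virtualhost" { vhost = $2; sub(/>$/, "", vhost); proxy = ssl = 0 }
    d == "proxypass"    { proxy = 1 }
    d == "sslengine" && arg == "on" { ssl = 1 }
    d == "proxyrequests" && arg == "on" {
        report("ProxyRequests On makes this an open forward proxy")
    }
    d == "sslcertificatefile" && arg ~ /snakeoil/ {
        report("self-signed snakeoil certificate, clients cannot verify the proxy")
    }
    d == "</virtualhost>" {
        if (proxy && !ssl) report("ProxyPass without SSLEngine, traffic is cleartext")
        vhost = "global"; proxy = ssl = 0
    }
    ' "$@"
}

# Constructed sample combining the two virtual hosts shown in this article.
sample_conf() {
    cat <<'EOF'
<VirtualHost *:8080>
	ProxyPreserveHost On
	ProxyPass / http://10.63.146.50:8080/
	ProxyPassReverse / http://10.63.146.50:8080/
</VirtualHost>
<VirtualHost *:443>
	SSLEngine on
	SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
	SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
	ProxyPass / http://mb-ncs51-mono:8080/
</VirtualHost>
EOF
}

tmp=$(mktemp) && sample_conf > "$tmp" && audit_vhosts "$tmp"; rm -f "$tmp"
```

On the proxy itself, run it against the live files, for example audit_vhosts /etc/apache2/sites-enabled/*.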

Finished ports file

dev1@mb-ncs51-rp1:/etc/apache2$ cat ports.conf
# If you just change the port or add more ports here, you will likely also
# have to change the VirtualHost statement in
# /etc/apache2/sites-enabled/000-default
# This is also true if you have upgraded from before 2.2.9-3 (i.e. from
# Debian etch). See /usr/share/doc/apache2.2-common/NEWS.Debian.gz and
# README.Debian.gz

NameVirtualHost *:80
Listen 80

NameVirtualHost *:8080
Listen 8080

<IfModule mod_ssl.c>
    # If you add NameVirtualHost *:443 here, you will also have to change
    # the VirtualHost statement in /etc/apache2/sites-available/default-ssl
    # to <VirtualHost *:443>
    # Server Name Indication for SSL named virtual hosts is currently not
    # supported by MSIE on Windows XP.
    NameVirtualHost *:443
    Listen 443
</IfModule>

<IfModule mod_gnutls.c>
    Listen 443
</IfModule>

Optional - Disable IPv6

sudo vi /etc/sysctl.conf

#disable ipv6
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
net.ipv6.conf.lo.disable_ipv6 = 1