Whenever a client cannot directly connect to the Internet, client requests are sent to the Web server via another server called a proxy server. The proxy server is usually installed at a connection point between the clients and the Internet. A proxy server that is installed at a connection point between the Internet and the Web server is called a reverse proxy. The reverse proxy processes requests received from clients on behalf of the Web server.
The following figure shows the difference between a normal proxy server and a reverse proxy.
Figure 4-7 Difference between a normal proxy server and a reverse proxy
You can use the reverse proxy for the following operations:
To use the reverse proxy, you need to embed a proxy module. To embed the proxy module, specify the following directives in the configuration file (httpsd.conf). For the UNIX version, always specify the LoadModule directive in the following sequence:
LoadModule proxy_module libexec/mod_proxy.so
LoadModule proxy_module modules/mod_proxy.so
The following example describes the settings for each directive that sets the reverse proxy.
Each address is as follows:
If you set the ProxyPass directive as shown below, the request http://www.example.com/news/oct-2001 received from the client is changed to the request http://backend.example.com/oct-2001:
ProxyPass /news/ http://backend.example.com/
The Host header is changed from "Host: www.example.com" to "Host: backend.example.com". After that, the reverse proxy sends the response from the backend server to the client.
If a Redirect directive is executed from a backend server and the directive uses an image map or contains a directory request that does not end with a forward slash (/), the Location header in the backend server response will contain the backend server address. If the response is sent to the client as is, the client will request a redirect from the backend server directly, instead of from the reverse proxy. As a result, you must specify the ProxyPassReverse directive as follows, so that the redirect request also passes through the reverse proxy:
ProxyPassReverse /news/ http://backend.example.com/
The Location header is changed to the reverse proxy address.
The domain name and path name are sometimes placed in a Set-Cookie header that is returned to the client from the backend server. By doing so, cookies are sent by the client only when the request matches the domain name and the path name in the Set-Cookie header.
Examples of when the Set-Cookie header is reassigned and when the Set-Cookie header is not reassigned are explained below.
The figure below illustrates an example of a reverse proxy sending a Set-Cookie header with a domain name and path name response from the backend server to the client as is. Note that the numbers in the following figure correspond to the explanation below.
Figure 4-8 Example of not reassigning the Set-Cookie header
In the above case, the client does not send the cookie received from the Set-Cookie header when the client sends a request to anything at or below /front/cgi-bin/ via the reverse proxy. This is because the domain name in the Set-Cookie header received by the client is backend.example.com, but the domain name of the reverse proxy is www.example.com. In the same way, the path names will also not match.
The HWSProxyPassReverseCookie directive must be specified for a client to receive a cookie sent via the Set-Cookie header from the backend server. The figure below shows an example of reassigning the Set-Cookie header by specifying the HWSProxyPassReverseCookie directive. Note that the numbers in the following figure correspond to the explanation below.
Figure 4-9 Example of reassigning the Set-Cookie header
In the above case, the client receives a Set-Cookie header whose path name (/front/cgi-bin/) matches the beginning of the path in the request URL (/front/cgi-bin/test-cgi.pl). Also, there was no domain name in the Set-Cookie header received by the client. This is essentially the same as the domain name of the URL requested by the client (www.example.com) being specified in the Set-Cookie header. As such, cookies set by the Set-Cookie header can be sent with requests that go through reverse proxies to get to backend servers.
This subsection shows examples of configuring a system by using Cosminexus HTTP Server on the reverse proxy and the backend server.
You must be aware of the redirect process and specify the appropriate settings when configuring the system. If the client accesses the URL of a directory on the backend server without adding a forward slash (/) at the end of the URL, the backend server sends a redirect request with the Location header. In this case, the Location header value must be changed from the backend server address to the reverse proxy address to ensure that all client re-requests go through the reverse proxy.
The system network configuration is shown in the following figure. Also, each address is as follows:
Figure 4-10 Network configuration
The host name and path name specified in the ProxyPass directive are the same as the host name and path name specified in the ProxyPassReverse directive. The ServerName directive is specified in all of the virtual hosts on the backend server, and the specification value is the same as the host name specified in the ProxyPassReverse directive on the reverse proxy.
The redirect process flow is shown in Table 4-6 when the reverse proxy and the backend server are configured as shown in Table 4-7 under the network configuration as illustrated in Figure 4-10.
Table 4-6 Example to set the recommended configuration
Setting location | Setting contents |
---|---|
Reverse proxy | ServerName www.example.com<br>ProxyPass /before/ http://backend.example.com/after/<br>ProxyPassReverse /before/ http://backend.example.com/after/ |
Backend server | ServerName backend.example.com |
Table 4-7 Redirect process flow of recommended configuration
Location in the figure | Explanation |
---|---|
1 | Access "http://www.example.com/before/dir". |
2 | Access "http://backend.example.com/after/dir" as per the ProxyPass directive value. Change the Host header value to backend.example.com and forward the request. |
3 | Generate a URL that ends with a forward slash (/) because a forward slash (/) was not added to the end of the URL, set the URL in the Location header, and then return the redirect request. |
4 | Change the Location header to "http://www.example.com/before/dir/" as per the ProxyPassReverse directive value, and forward the response. |
5 | Access the "http://www.example.com/before/dir/" again as per the Location header. |
A | Host header value is "www.example.com". |
B | Host header value is "backend.example.com". |
C | Location header value is "http://backend.example.com/after/dir/". |
D | Location header value is "http://www.example.com/before/dir/". |
Normally, the reverse proxy converts the Host header value received from the client according to the ProxyPass directive value, and then forwards the converted value to the backend server. If you want to obtain the Host header value sent by the client as the Host header value in the backend server, set the value of the ProxyPreserveHost directive to On in the reverse proxy. Note the following points:
Table 4-8 shows the redirect process flow performed when the reverse proxy and the backend server are set as shown in Table 4-9 under the network configuration shown in Figure 4-10.
Table 4-8 Example configuration where the ProxyPreserveHost is set to On in the reverse proxy
Setting location | Setting contents |
---|---|
Reverse proxy | ServerName www.example.com<br>ProxyPass /before/ http://backend.example.com/after/<br>ProxyPassReverse /before/ http://www.example.com/after/<br>ProxyPreserveHost On |
Backend server | ServerName www.example.com |
Table 4-9 Redirect process flow of configuration where the ProxyPreserveHost is set to On in the reverse proxy
Location in the figure | Explanation |
---|---|
1 | Access "http://www.example.com/before/dir". |
2 | Access "http://backend.example.com/after/dir" as per the ProxyPass directive. As the ProxyPreserveHost directive is set to On, the Host header value will remain as www.example.com. |
3 | Generate a URL that ends with a forward slash (/), because a forward slash (/) was not added to the end of the URL, set the URL in the Location header, and then return the redirect request. |
4 | Change the Location header to "http://www.example.com/before/dir/" as per the value of the ProxyPassReverse directive, and forward the response. |
5 | Access the "http://www.example.com/before/dir/" again, as per the Location header. |
A | The value of Host header is "www.example.com". |
B | The value of Host header is "www.example.com". |
C | The value of Location header is "http://www.example.com/after/dir/". |
D | The value of Location header is "http://www.example.com/before/dir/". |
ProxyPass / http://forwarding-destination-backend-server-address/
Table 4-10 Relationship between the coding method and accessibility of link
Coding of link | Accessibility when link is clicked |
---|---|
<A HREF="index2.html">link</A> | Y |
<A HREF="/before/index2.html">link</A> | Y |
<A HREF="http://reverse proxy address/before/index2.html">link</A> | Y |
<A HREF="/after/index2.html">link</A> | N |
Table 4-11 Relationship between specifications of ProxyPass directive and request
Example of ProxyPass directive specification | Request | Match | Location where request is forwarded |
---|---|---|---|
ProxyPass /abc/ http://backend.example.com/ | http://reverse proxy address/abc/ | Y | http://backend.example.com/ |
ProxyPass /abc/ http://backend.example.com/ | http://reverse proxy address/abc | N | -- |
ProxyPass /abc/ http://backend.example.com/ | http://reverse proxy address/abc/def | Y | http://backend.example.com/def |
ProxyPass /abc http://backend.example.com/ | http://reverse proxy address/abc | Y | http://backend.example.com/ |
ProxyPass /abc http://backend.example.com/ | http://reverse proxy address/abc/ | Y | http://backend.example.com// |
ProxyPass /abc http://backend.example.com/ | http://reverse proxy address/abc/def | Y | http://backend.example.com//def |
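The redirect flows of Tables 4-7 and 4-9 and the matching cases of Table 4-11, modelled in Python as an added example (not code from this manual or from Cosminexus HTTP Server). The function names and the plain string-prefix matching are assumptions made for illustration; the model covers only the cases shown in the tables.

```python
# Added illustration: a simplified string-prefix model of ProxyPass and
# ProxyPassReverse. Function names are hypothetical, not server APIs.
from urllib.parse import urlsplit

def map_request(path, prefix, target):
    """ProxyPass: backend URL for a request path, or None if no match."""
    if not path.startswith(prefix):
        return None
    # The remainder is appended verbatim, which produces "//" when the
    # prefix lacks a trailing "/" but the forwarding URL has one.
    return target + path[len(prefix):]

def rewrite_location(location, prefix, target, proxy_base):
    """ProxyPassReverse: rewrite a backend Location header, if it matches."""
    if not location.startswith(target):
        return location  # passed to the client unchanged
    return proxy_base + prefix + location[len(target):]

def redirect_flow(request_path, pass_target, reverse_target, backend_name,
                  prefix="/before/", proxy_base="http://www.example.com"):
    """Steps 1-4 of the directory redirect.

    backend_name is the backend's ServerName, used to build Location.
    Returns (URL forwarded to the backend, Location sent to the client).
    """
    forwarded = map_request(request_path, prefix, pass_target)
    # Step 3: the backend appends "/" and builds an absolute Location.
    location = "http://" + backend_name + urlsplit(forwarded).path + "/"
    return forwarded, rewrite_location(location, prefix, reverse_target,
                                       proxy_base)

if __name__ == "__main__":
    backend = "http://backend.example.com/after/"
    # Table 4-6 settings: Location is rewritten to the proxy address.
    print(redirect_flow("/before/dir", backend, backend,
                        "backend.example.com"))
    # ProxyPreserveHost On, but ProxyPassReverse still names the backend:
    # Location keeps /after/, which no ProxyPass on the proxy matches.
    print(redirect_flow("/before/dir", backend, backend, "www.example.com"))
```

The second call shows why Table 4-8 changes both the backend ServerName and the ProxyPassReverse host when ProxyPreserveHost is On.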
ProxyPass /abc/def/ http://backend1.example.com/
ProxyPass /front/ http://backend.example.com/
Table 4-12 Conversion rules of the Set-Cookie header
# | Set-Cookie header sent to the client as a response | Set-Cookie header sent by the backend server as a response | Explanation for the conversion rule |
---|---|---|---|
1 | Set-Cookie: ~; path=/front/ | Set-Cookie: ~; path=/ | When the domain name is not specified in the Set-Cookie header received from the backend server, the reverse proxy replaces the forward slash (/) of the path name in the Set-Cookie header with /front/. |
2 | Set-Cookie: ~; path=/front/ | Set-Cookie: ~; domain=backend.example.com; path=/ | When the domain name in the Set-Cookie header received from the backend server exactly matches the domain name of the forwarding destination URL specified in the ProxyPass directive, the reverse proxy replaces the forward slash (/) of the path name in the Set-Cookie header with /front/. The reverse proxy deletes the domain name in the Set-Cookie header, and then sends the Set-Cookie header to the client. |
3 | Set-Cookie: ~; domain=.example.com; path=/ | Set-Cookie: ~; domain=.example.com; path=/ | When the domain name in the Set-Cookie header received from the backend server starts with a period (.), the reverse proxy sends the Set-Cookie header received from the backend server to the client without any change. |
4 | Set-Cookie: ~; domain=other.example.com; path=/ | Set-Cookie: ~; domain=other.example.com; path=/ | When the domain name in the Set-Cookie header received from the backend server differs from the domain name of the forwarding destination URL specified in the ProxyPass directive, the reverse proxy sends the Set-Cookie header received from the backend server to the client without any changes. |
5 | Set-Cookie: ~ | Set-Cookie: ~ | When the domain name and the path name are not specified in the Set-Cookie header, the reverse proxy sends the Set-Cookie header received from the backend server without any changes. |
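The conversion rules of Table 4-12, written out in Python as an added example (not code from this manual or from Cosminexus HTTP Server). The function name, the cookie values and the handling of a cookie with a matching domain but no path are assumptions; the /cgi-bin/ case follows the explanation of Figure 4-9.

```python
# Added illustration of the Table 4-12 rules; rewrite_set_cookie is a
# hypothetical name, not a server API.
from urllib.parse import urlsplit

def rewrite_set_cookie(value, front, backend_url):
    """Set-Cookie value sent to the client for
    'ProxyPass <front> <backend_url>' with cookie reassignment enabled."""
    backend = urlsplit(backend_url)
    parts = [p.strip() for p in value.split(";")]
    attrs = {}
    for idx, part in enumerate(parts[1:], start=1):
        name, _, val = part.partition("=")
        attrs[name.strip().lower()] = (idx, val.strip())

    domain = attrs.get("domain")
    path = attrs.get("path")
    # Rules 3 and 4: a domain that is not exactly the backend host name
    # (including one starting with ".") is passed through untouched.
    if domain and domain[1].lower() != backend.hostname:
        return value
    # Rule 5: no path, nothing to rewrite. Assumption: a cookie with a
    # matching domain but no path is also left alone (table is silent).
    if path is None or not path[1].startswith(backend.path):
        return value
    # Rules 1 and 2: swap the backend path prefix for the proxy prefix.
    parts[path[0]] = "path=" + front + path[1][len(backend.path):]
    # Rule 2: drop the domain so the cookie is scoped to the proxy host.
    if domain:
        del parts[domain[0]]
    return "; ".join(parts)

if __name__ == "__main__":
    # Constructed sample headers, one per rule.
    for sample in ("sid=1; path=/",
                   "sid=1; domain=backend.example.com; path=/",
                   "sid=1; domain=.example.com; path=/",
                   "sid=1; domain=other.example.com; path=/",
                   "sid=1"):
        print(sample, "->",
              rewrite_set_cookie(sample, "/front/",
                                 "http://backend.example.com/"))
```

Cookies matching rules 3 and 4 reach the client with the backend's own scoping, so they are worth checking when reviewing what a backend sets behind the proxy.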
ProxyPass /front/ http://backend.example.com/abc/def/
When the document name or the host name is specified in the ProxyPass directive, a DNS query is generated. If you already know the IP address of the backend server, you can reduce the time taken to resolve the name by registering the IP address in the hosts file in advance.