4.7 Setting the reverse proxy

Whenever a client cannot directly connect to the Internet, client requests are sent to the Web server via another server called a proxy server. The proxy server is usually installed at a connection point between the clients and the Internet. A proxy server that is installed at a connection point between the Internet and the Web server is called a reverse proxy. The reverse proxy processes requests received from clients on behalf of the Web server.

The following figure shows the difference between a normal proxy server and a reverse proxy.

Figure 4-7 Difference between a normal proxy server and a reverse proxy

[Figure]

You can use the reverse proxy for following operations:

Organization of this section
(1) Embedding proxy module
(2) How to set directives
(3) Example of system building
(4) Note

(1) Embedding proxy module

To use the reverse proxy, you need to embed a proxy module. To embed the proxy module, specify the following directives in the configuration file (httpsd.conf). For UNIX version, always specify the LoadModule directive in the following sequence:

(2) How to set directives

The following example describes the settings for each directive that sets the reverse proxy.

Each address is as follows:

Reverse proxy: www.example.com
Backend server: backend.example.com
(a) Reallocating the request URL and the request header

If you set the ProxyPass directive as shown below, the request http://www.example.com/news/oct-2001 received from client changes to the request http://backend.example.com/oct-2001:

ProxyPass /news/ http://backend.example.com/

The Host:Header is reallocated from "Host:www.example.com" to "Host:backend.example.com". After that, the reverse proxy sends the response from the backend server to the client.

(b) Reallocating the response header

If a Redirect directive is executed from a backend server and the directive uses an image map or contains a directory request that does not end with a backslash (/), the Location header in the backend server response will contain the backend server address. If the response is sent to the client as is, the client will request a redirect from the backend server directly, instead of from the reverse proxy. As a result, you must specify the ProxyPassReverse directive as follows, so that the redirect request also passes through the reverse proxy:

ProxyPassReverse /news/ http://backend.example.com/

The location header is changed to the reverse proxy address.

(c) Reassigning the Set-Cookie header

The domain name and path name are sometimes placed in a Set-Cookie header that is returned to the client from the backend server. By doing so, cookies are sent by the client only when the request matches the domain name and the path name in the Set-Cookie header.

Examples of when the Set-Cookie header is reassigned and when the Set-Cookie header is not reassigned are explained below.

Example of not reassigning the Set-Cookie header

The figure below illustrates an example of a reverse proxy sending a Set-Cookie header with a domain name and path name response from the backend server to the client as is. Note that the numbers in the following figure correspond to the explanation below.

Figure 4-8 Example of not reassigning the Set-Cookie header

[Figure]

  1. The client sends an http://www.example.com/front/cgi-bin/test-cgi.pl request to the reverse proxy.
  2. The reverse proxy converts the URL, and then forwards it to the backend server.
  3. The reverse proxy receives a Set-Cookie header from the backend server in which the domain name is set to domain=backend.example.com, and the path name is set to path=/cgi-bin/.
  4. The reverse proxy returns the Set-Cookie header received from the backend server to the client as is.

In the above case, the client does not send the cookie received from the Set-Cookie header when the client sends a request to anything at or below /front/cgi-bin/ via the reverse proxy. This is because the domain name in the Set-Cookie header received by the client is backend.example.com, but the domain name of the reverse proxy is www.example.com. In the same way, the path names will also not match.

Example of reassigning the Set-Cookie header

The HWSProxyPassReverseCookie directive must be specified for a client to receive a cookie sent via the Set-Cookie header from the backend server. The figure below shows an example of reassigning the Set-Cookie header by specifying the HWSProxyPassReverseCookie directive. Note that the numbers in the following figure correspond to the explanation below.

Figure 4-9 Example of reassigning the Set-Cookie header

[Figure]

  1. The client sends an http://www.example.com/front/cgi-bin/test-cgi.pl request to the reverse proxy.
  2. The reverse proxy converts the URL, and then forwards it to the backend server.
  3. The reverse proxy receives a Set-Cookie header from the backend server in which the domain name is set to domain=backend.example.com and the path name is set to path=/cgi-bin/.
  4. The reverse proxy returns the reassigned Set-Cookie header to the client.

In the above case, the client receives a Set-Cookie header whose path name (/front/cgi-bin/) matches the beginning of the path in the request URL (/front/cgi-bin/test-cgi.pl). Also, there was no domain name in the Set-Cookie header received by the client. This is essentially the same as the domain name of the URL requested by the client (www.example.com) being specified in the Set-Cookie header. As such, cookies set by the Set-Cookie header can be sent with requests that go through reverse proxies to get to backend servers.

(3) Example of system building

This subsection shows examples of configuring a system by using Cosminexus HTTP Server on the reverse proxy and the backend server.

You must be aware of the redirect process and specify the appropriate settings when configuring the system. If the client accesses the URL of a directory on the backend server without adding a forward slash (/) at the end of the URL, the backend server sends a redirect request with the Location header. In this case, the Location header value must be changed from the backend server address to the reverse proxy address to ensure that all client re-requests go through the reverse proxy.

The system network configuration is shown in the following figure. Also, each address is as follows:

Reverse proxy: www.example.com
Backend server: backend.example.com

Figure 4-10 Network configuration

[Figure]
(a) Recommended configuration

The host name and path name specified in the ProxyPass directive is the same as the host name and path name specified in the ProxyPassReverse directive. The ServerName directive is specified in all of the virtual hosts on the backend server, and the specification value is the same as the host name specified in the ProxyPassReverse directive on the reverse proxy.

The redirect process flow is shown in Table 4-6 when the reverse proxy and the backend server are configured as shown in Table 4-7 under the network configuration as illustrated in Figure 4-10.

Table 4-6 Example to set the recommended configuration

Setting locationSetting contents
Reverse proxyServerName www.example.com
ProxyPass /before/ http://backend.example.com/after/
ProxyPassReverse /before/ http://backend.example.com/after/
Backend serverServerName backend.example.com

Table 4-7 Redirect process flow of recommended configuration

Location in the figureExplanation
1Access "http://www.example.com/before/dir".
2Access "http://backend.example.com/after/dir" as per the ProxyPass directive value. Change and forward the Host header value in the backend.example.com.
3Generate a URL that ends with a forward slash (/) because a forward slash (/) was not added to the end of the URL, set the URL in the Location header, and then return the redirect request.
4Change and forward the Location header in the "http://www.example.com/before/dir/" as per the ProxyPassReverse directive value.
5Access the "http://www.example.com/before/dir/" again as per the Location header.
AHost header value is "www.example.com".
BHost header value is "backend.example.com".
CLocation header value is "http://backend.example.com/after/dir/".
DLocation header value is "http://www.example.com/before/dir/".
#
When the backend server responds with a status code such as 302 Found or 404 Not found, the reverse proxy forwards the HTML document to the client without any changes. The backend server name mentioned in the HTML documents, such as 404 Not found and the redirect destination link address mentioned in 302 Found, are not changed to the reverse proxy information. Use the ErrorDocument directive on the backend server, or use the ProxyErrorOverride directive on the reverse proxy to prevent the client from seeing the backend server information.

(b) Configuration with the ProxyPreserveHost directive set to "On" in the reverse proxy

Normally, the reverse proxy converts the Host header value received from the client according to the ProxyPass directive value, and then forwards the converted value to the backend server. If you want to obtain the Host header value sent by the client as the Host header value in the backend server, set the value of the ProxyPreserveHost directive to On in the reverse proxy. Note the following points:

Table 4-8 shows the redirect process flow performed when the reverse proxy and the backend server are set as shown in Table 4-9 under the network configuration shown in the figure 4-10.

Table 4-8 Example configuration where the ProxyPreserveHost is set to On in the reverse proxy

Setting locationSetting contents
Reverse proxyServerName www.example.com
ProxyPass /before/ http://backend.example.com/after/
ProxyPassReverse /before/ http://www.example.com/after/
ProxyPreserveHost On
Backend serverServerName www.example.com

Table 4-9 Redirect process flow of configuration where the ProxyPreserveHost is set to On in the reverse proxy

Location in the figureExplanation
1Access "http://www.example.com/before/dir".
2Access "http://backend.example.com/after/dir" as per the ProxyPass directive. As the ProxyPreserveHost directive is set to On, the Host header value will remain as www.example.com.
3Generate a URL that ends with a forward slash (/), because a forward slash (/) was not added to the end of the URL, set the URL in the Location header, and then return the redirect request.
4Change and forward the Location header in "http://www.example.com/before/dir/" as per the value of ProxyPassReverse directive.
5Access the "http://www.example.com/before/dir/" again, as per the Location header.
AThe value of Host header is "www.example.com".
BThe value of Host header is "www.example.com".
CThe value of Location header is "http://www.example.com/after/dir/".
DThe value of Location header is "http://www.example.com/before/dir/".

(4) Note

(a) Basic points to be noted
(b) Points to be noted for the ProxyPass directive
(c) Notes for the ProxyPassReverse directive
(d) Notes for the HWSProxyPassReverseCookie directive
(e) Points to be noted for performance

When the document name or the host name is specified in the ProxyPass directive, a DNS query is generated. If you already know the IP address of the backend server, you can reduce the time for resolving the name by mentioning the IP address in the hosts file in advance.