Using the Apache HTTP Server as a forward proxy to the Internet

./configure --prefix=/usr/local/apache2 --enable-mods-shared="all" --enable-proxy=shared

Download$ lynx http://www.apache.org/dist/httpd/httpd-2_0_NN.tar.gz
Extract$ gzip -d httpd-2_0_NN.tar.gz
$ tar xvf httpd-2_0_NN.tar
Configure$ ./configure --prefix=PREFIX
Compile$ make
Install$ make install
Customize$ vi PREFIX/conf/httpd.conf
Test$ PREFIX/bin/apachectl start

 

Often you do not want servers in your internal network segments to be able to access the Internet directly.
One way to get controlled access to the Internet is to place an Apache HTTP Server in a DMZ network segment. Internal servers can then use the Apache server as a forward proxy to the Internet.

It is easy to configure mod_proxy for this purpose. Here is an example.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
##########################################################################
## Internet proxy
##########################################################################
Listen 10.10.10.1:8080
  
<VirtualHost 10.10.10.1:8080>
   ProxyRequests On
   SSLProxyEngine On
  
   ProxyPass        /revoke https: //myca .com /revoke
   ProxyPassReverse /revoke https: //myca .com /revoke
  
   <Location />
     Order Deny,Allow
     Deny from all
     Allow from 10.20.30.0 /29
   < /Location >
< /VirtualHost >

Only “ProxyRequests On” is needed for a proxy to work.

Applications that know how to communicate with a proxy can be configured to use 10.10.10.1 on port 8080.

You can for example configure a browser to use the proxy.

Not all applications know how to use a proxy. In some project they could not get the BEA AquaLogic Service Bus to use a proxy. I am not a developer so I don’t know the details and if it is still a problem with the OSB. To get around this you can use ProxyPass and ProxyPassReverse to proxy to specific sites.

Here it is possible to use http://10.10.10.1:8080/revoke/getRevokeList to get a certificate revocation list from a CA.

If you need to access sites via HTTPS you need “SSLProxyEngine On”. SSL will be terminated at the proxy and the communication from the internal network segment to the proxy is HTTP.

If anybody gets access to the proxy they will be able to access any site on the Internet masqueraded as you. If the wrong people get access, your site might end up being black listed because of their mischievous deeds. So it is important to limit the access to the proxy.

Here only servers in the PROD (10.20.30.0/29) network segment can use the proxy. Servers in the DMZ segment does not have access.

I assume that the firewall between the PROD and DMZ segments will only allow certain PROD servers to access the proxy.

Notice that you can also use the <Proxy> directive to configure your proxy.

Two-way SSL

It is also possible to get two-way SSL to work through a forward proxy. The certificates must be PEM-encoded and encrypted private keys is not supported. So it might take a bit of messing around to get it working.

Here is an example.

1
2
3
4
5
6
7
8
9
10
11
<VirtualHost 10.10.10.2:8080>
    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyVerifyDepth 10
  
    SSLProxyMachineCertificateFile /etc/httpd/conf/certs/my-machine-proxy .pem
    SSLProxyCACertificateFile /etc/httpd/conf/certs/ca .pem
  
    ProxyPass        / https: //someapp .com/
    ProxyPassReverse / https: //someapp .com/
< /VirtualHost >
Google+
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值