Proxy virtual hosts are very handy when you need to access a tertiary system from your local network from the outside and you only have one IP address but there’s a master web server already configured.
If that server is running Apache, adding a proxy vhost to pass outside requests to the correct LAN system is as simple as defining/adding a new virtual host to the configuration.
The simplest proxy host is one that listens on (insecure) HTTP only and passes any requests to host 192.168.1.5 on the local network:
<VirtualHost *:80> ServerName server.domain.tld ServerAlias www.server.domain.tld ProxyPreserveHost On ProxyPass / http://192.168.1.5:80/ ProxyPassReverse / http://192.168.1.5:80/ </VirtualHost>
A more complex setup allows for secure HTTPS connections from the open internet to be forwarded to the local host at 192.168.1.5 (also running on HTTPS although plain insecure HTTP is supported with http://192.168.1.5/):
<VirtualHost 188.8.131.52:443> ServerName server.domain.tld:443 ServerAlias www.server.domain.tld:443 SSLEngine On SSLProtocol -all +TLSv1.1 +TLSv1.2 SSLCertificateFile /etc/pki/tls/server-cert.pem SSLCertificateKeyFile /etc/pki/tls/server-key.pem SSLCACertificateFile /etc/pki/tls/server-ca.pem SSLProxyEngine On SSLProxyProtocol -all +TLSv1.1 +TLSv1.2 ProxyPreserveHost On ProxyPass / https://192.168.1.5/ ProxyPassReverse / https://192.168.1.5/ </VirtualHost>
This will require a (valid) certificate to be obtained for the (www.)server.domain.tld hostname. To simplify obtaining a certificate from Let’s Encrypt, for example, the virtualhost can be configured to skip proxying specific requests and serve them from the local filesystem instead (so that a certificate request for the main hostname can include the proxied domain as well as an ALT name):
[...rest of the configuration as above...] ProxyPass /.well-known ! ProxyPass / https://192.168.1.5/ ProxyPassReverse / https://192.168.1.5/ Alias /.well-known /var/www/path/to/local/.well-known </VirtualHost>
If needed, specific subfolders can be proxied to different ports (for example for different software running on the same system).
[...rest of the configuration as above...] # rpimonitor service ProxyPass /status http://192.168.1.5:8888 ProxyPassReverse /status http://192.168.1.5:8888 # main site catch-all, needs to be last ProxyPass / ProxyPassReverse / </VirtualHost>
Beware that the target application needs to be path-relative or be aware of the URL it’s accessed on (otherwise its link building will most likely fail).