How to configure a proxy host in Apache

Proxy virtual hosts are very handy when you need to reach another system on your local network from the outside, but you only have one IP address and there’s already a master web server configured on it.

If that server is running Apache, adding a proxy vhost to pass outside requests to the correct LAN system is as simple as defining/adding a new virtual host to the configuration.

The simplest proxy host is one that listens on (insecure) HTTP only and passes any requests to host 192.168.1.5 on the local network:

<VirtualHost *:80>
   ServerName server.domain.tld
   ServerAlias www.server.domain.tld
   ProxyPreserveHost On
   ProxyPass / http://192.168.1.5:80/
   ProxyPassReverse / http://192.168.1.5:80/
</VirtualHost>

A more complex setup allows secure HTTPS connections from the open internet to be forwarded to the local host at 192.168.1.5 (here also reached over HTTPS, although a plain, insecure HTTP backend is supported with http://192.168.1.5/):

<VirtualHost 12.34.56.78:443>
   ServerName server.domain.tld:443
   # ServerAlias takes host names only; an alias with a port never matches
   ServerAlias www.server.domain.tld
   SSLEngine On
   # TLS 1.1 is deprecated (RFC 8996); add +TLSv1.3 where Apache and OpenSSL support it
   SSLProtocol -all +TLSv1.2
   SSLCertificateFile /etc/pki/tls/server-cert.pem
   SSLCertificateKeyFile /etc/pki/tls/server-key.pem
   SSLCACertificateFile /etc/pki/tls/server-ca.pem
   SSLProxyEngine On
   # protocol policy for the connection to the backend (TLS 1.1 is deprecated, RFC 8996)
   SSLProxyProtocol -all +TLSv1.2
   ProxyPreserveHost On
   ProxyPass / https://192.168.1.5/
   ProxyPassReverse / https://192.168.1.5/
</VirtualHost>

This will require a (valid) certificate to be obtained for the (www.)server.domain.tld hostname. To simplify obtaining a certificate from Let’s Encrypt, for example, the virtual host can be configured to skip proxying specific requests and serve them from the local filesystem instead (so that a certificate request for the main hostname can include the proxied domain as a subject alternative name as well):

   [...rest of the configuration as above...]
   ProxyPass /.well-known !
   ProxyPass / https://192.168.1.5/
   ProxyPassReverse / https://192.168.1.5/
   Alias /.well-known /var/www/path/to/local/.well-known
</VirtualHost>

If needed, specific subfolders can be proxied to different ports (for example for different software running on the same system).

   [...rest of the configuration as above...]
   # rpimonitor service
   ProxyPass /status http://192.168.1.5:8888
   ProxyPassReverse /status http://192.168.1.5:8888
   # main site catch-all, needs to be last
   ProxyPass / 
   ProxyPassReverse / 
</VirtualHost>

Beware that the target application needs to be path-relative or be aware of the URL it’s accessed on (otherwise its link building will most likely fail).
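
Both snippets above depend on directive order: mod_proxy checks ProxyPass rules in configuration order and the first match wins, so the /.well-known exclusion and the /status rule only take effect if they come before the catch-all. The following check is an added example, not part of the original post; the function names and the GOOD/BAD samples are constructed for illustration, and the prefix matching is a simplified model of mod_proxy's behaviour.

```python
import re

# Constructed samples: the page's rules in the recommended order, and the
# same rules with the catch-all mistakenly placed first.
GOOD = """
ProxyPass /.well-known !
# rpimonitor service
ProxyPass /status http://192.168.1.5:8888
ProxyPass / https://192.168.1.5/
"""
BAD = """
ProxyPass / https://192.168.1.5/
ProxyPass /.well-known !
ProxyPass /status http://192.168.1.5:8888
"""

def parse_rules(conf):
    """Ordered (prefix, target) pairs; comments and ProxyPassReverse are skipped."""
    rules = []
    for line in conf.splitlines():
        m = re.match(r"\s*ProxyPass\s+(\S+)\s+(\S+)", line, re.I)
        if m:
            rules.append((m.group(1), m.group(2)))
    return rules

def covers(prefix, path):
    """True if the prefix matches path on a path-segment boundary."""
    if prefix.endswith("/"):
        return path.startswith(prefix)
    return path == prefix or path.startswith(prefix + "/")

def route(rules, path):
    """First matching rule wins; '!' (or no match) means 'served locally'."""
    for prefix, target in rules:
        if covers(prefix, path):
            return "local" if target == "!" else target
    return "local"

def shadowed(rules):
    """Rules that can never fire because an earlier prefix already covers them."""
    return [later for i, later in enumerate(rules)
            if any(covers(earlier[0], later[0]) for earlier in rules[:i])]

if __name__ == "__main__":
    for name, conf in (("GOOD", GOOD), ("BAD", BAD)):
        rules = parse_rules(conf)
        print(name, "shadowed:", shadowed(rules))
        print(name, "ACME ->", route(rules, "/.well-known/acme-challenge/token"))
```

With the catch-all first, the ACME challenge path is forwarded to the backend instead of being served from the local Alias, and the /status rule is never reached.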
