Setting up Apache as a reverse proxy

To set up a reverse proxy, you can use the Apache HTTP Server. The world’s most popular web server has various extension modules for various proxy functions and can be configured accordingly with just a few lines of code. The following step-by-step instructions show how to add the required module to an Apache installation on the Ubuntu operating system and how to create a configuration file for forwarding.

The open source Apache HTTP Server is provided free of charge by the Apache Software Foundation. An introduction to the web server software can be found in our guide.

Step 1: Installing the Apache Proxy Modules

To use an Apache HTTP Server as a reverse proxy, you need the mod_proxy module. This implements the core functionalities and can be extended by various additional modules:

  • mod_proxy_http contains all proxy functions for HTTP and HTTPS requests. The add-on module supports the protocol versions HTTP/0.9, HTTP/1.0 and HTTP/1.1.
  • mod_proxy_ftp is required to provide proxy functions for FTP requests.
  • mod_proxy_connect provides proxy functions for SSL tunneling.
  • mod_proxy_ajp implements the Apache JServ protocol (AJP). This is used in load balancing to forward requests to application servers in the background.
  • mod_cache, mod_disk_cache, and mod_mem_cache implement caching functions that allow content to be cached on the Apache server.
  • mod_proxy_html allows you to rewrite HTML links.
  • mod_headers enables the manipulation of HTTP header data.
  • mod_deflate implements a compression function.

To install the mod_proxy module including all additional modules, only the following command line is required:

sudo apt-get install libapache2-mod-proxy-html

This tutorial concentrates on the basic functions of the Apache module mod_proxy. A detailed description of the add-on modules including all required directives can be found in the official documentation of the Apache project.

Step 2: Activate the required modules

The command a2enmod is used to activate individual modules of the Apache proxy function. Already activated modules can be deactivated by a2dismod. To create a simple reverse proxy for a downstream web server, it is sufficient to load the modules mod_proxy and mod_proxy_http:

sudo a2enmod proxy
sudo a2enmod proxy_http

After the modules have been activated, the Apache HTTP Server must be restarted:

sudo apache2 reload

Step 3: Create the configuration file

In order for the reverse proxy to receive requests from the Internet and forward them to the correct server in the local network, it is necessary to deactivate the configuration file 000-default.conf in the directory /etc/apache2/sites-enabled and replace it with a virtual host file such as example.conf. It is recommended to create a separate virtual host file for each target server with its own IP according to the following scheme:

ServerName domain.tld
ServerAlias www.domain.tld
ProxyRequests Off
ProxyPass / http://123.456.7.89/
ProxyPassReverse / http://123.456.7.89/

Proxy function instructions are defined within the directive. The start tag also contains the IP address including the port number at which the Apache configured as reverse proxy should listen for requests. If all IP addresses are to be included, the placeholder * is used as in the example. Specifications within the VirtualHost tag are also specified in the form of directives. Unlike the VirtualHost tag, these arguments define how incoming requests and response packets are to be processed. The ServerName, ProxyPass and ReversePass directives are essential.

ServerName: The ServerName directive defines the primary name under which a server can be reached on the Internet. This must be resolvable either via DNS or /etc/hosts. In the example, the Apache server is instructed to accept all requests to domain.tld.

ProxyPass: The ProxyPass directive defines the destination address for forwarding. All requests directed to the public address specified under ServerName are forwarded by the reverse proxy to the internal address specified in the ProxyPass directive argument. In the example this would be the fictitious IP 123.456.7.89.

ProxyPassReverse: A proxy server not only receives requests, it also forwards the response packets from the backend server to the clients. To prevent these responses from being delivered with incorrect header information (namely that of the server in the background), the ProxyPassReverse directive rewrites the headers of the server responses so that they match the proxy server. The backend server thus remains anonymous.

The example also contains two further directives: ServerAlias and ProxyRequests. These do not provide basic functions for the proxy server and are therefore optional.

ServerAlias: The ServerAlias directive makes it possible to define an alternative name for the target server in addition to the primary server name.

ProxyRequest: The ProxyRequests directive with the Off argument prevents the Apache HTTP Server from being used as a forward proxy to prevent possible misuse.

If the rules for the proxy function have been defined, the configuration must be activated via the terminal:

sudo a2ensite example.conf

The Apache HTTP Server now accepts all requests to domain.tld or www.domain.tld and forwards them to a backend server with IP 123.456.7.89 in the form of proxy requests.