Apache reverse proxy
could do with filling out more detail
A reverse proxy allows you to front multiple websites from a single public IP address, act as a load balancer and potentially defuse otherwise dangerous cyber attacks. There are different solutions; the instructions here are for an Apache server-based solution. The basic requirements are Apache with mod_ssl and mod_proxy installed and enabled.
Installation
Install apache2
apt-get install apache2
File /etc/apache2/mods-available/proxy.conf should look like this:
<IfModule mod_proxy.c>
    # If you want to use apache2 as a forward proxy, uncomment the
    # 'ProxyRequests On' line and the <Proxy *> block below.
    # WARNING: Be careful to restrict access inside the <Proxy *> block.
    # Open proxy servers are dangerous both to your network and to the
    # Internet at large.
    #
    # If you only want to use apache2 as a reverse proxy/gateway in
    # front of some web application server, you DON'T need
    # 'ProxyRequests On'.

    ProxyRequests Off
    <Proxy *>
        AddDefaultCharset off
        Order deny,allow
        Deny from all
    </Proxy>

    # Enable/disable the handling of HTTP/1.1 "Via:" headers.
    # ("Full" adds the server version; "Block" removes all outgoing Via: headers)
    # Set to one of: Off | On | Full | Block
    #ProxyVia Off
    ProxyVia On
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyTimeout 600
</IfModule>
Create file /etc/apache2/mods-available/proxy_http.conf and put this inside:
ProxyVia On
ProxyPreserveHost On
ProxyRequests Off
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
Enable modules proxy and proxy_http
a2enmod proxy
a2enmod proxy_http
And restart apache2
service apache2 restart
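The open-proxy warning in proxy.conf, turned into a check. This is an added example, not part of the original page: the `audit` function and the trimmed sample files are constructed for illustration. It shows that the `Allow from all` in proxy_http.conf is only safe while `ProxyRequests` stays `Off`.

```python
import re

# Constructed copies of the two files from this page (comments trimmed).
PROXY_CONF = """\
<IfModule mod_proxy.c>
ProxyRequests Off
<Proxy *>
    AddDefaultCharset off
    Order deny,allow
    Deny from all
</Proxy>
ProxyVia On
</IfModule>
"""
PROXY_HTTP_CONF = """\
ProxyRequests Off
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
"""

GRANT = re.compile(r"^(allow\s+from\s+all|require\s+all\s+granted)$")
DENY = re.compile(r"^(deny\s+from\s+all|require\s+all\s+denied)$")


def audit(*configs):
    """Return (proxy_requests_on, proxy_star_open, is_open_forward_proxy).

    Heuristic only: files are read in the order given, the last
    ProxyRequests and the last <Proxy *> block win, Order is not modelled.
    """
    requests_on, star_open, in_star, block = False, False, False, []
    for line in "\n".join(configs).splitlines():
        low = line.strip().lower()
        if not low or low.startswith("#"):
            continue
        if low.startswith("proxyrequests"):
            requests_on = low.split()[-1] == "on"
        elif re.match(r'<proxy\s+"?\*"?\s*>', low):
            in_star, block = True, []
        elif low == "</proxy>" and in_star:
            in_star = False
            grant = any(GRANT.match(l) for l in block)
            deny = any(DENY.match(l) for l in block)
            if grant or deny:  # blocks without access rules change nothing
                star_open = grant and not deny
        elif in_star:
            block.append(low)
    return requests_on, star_open, requests_on and star_open
```

Pass the files in the order Apache loads them (alphabetical within mods-enabled on Debian/Ubuntu); a `True` in the last position means the server would relay arbitrary requests for anyone.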
Adding an entry
In Apache we use vhost declarations to define each reverse proxy FQDN. On Ubuntu/Debian systems these are found in /etc/apache2/sites-available, typically one file per vhost with a suitably descriptive name. They can also be wrapped into a single file, or of course into the main Apache conf file. As they are effectively includes of the Apache conf, every change requires an Apache restart to apply:
apache2ctl restart
In the Debian/Ubuntu model you also need to enable a site once it has been defined, which is done with a link to the newly created file in /etc/apache2/sites-available/:
cd /etc/apache2/sites-enabled
ln -s ../sites-available/yournewvhost
This approach allows you to quickly and easily take a specific site offline if there's a problem, just by deleting the link in /etc/apache2/sites-enabled and restarting Apache.
Assuming your sites will be https from the proxy outwards, start with a 301 to force https:
<VirtualHost *:80>
    ServerName my.domain.name
    ServerAlias my.alias.domain
    Redirect 301 / https://my.domain.name/
    ProxyPass / http://my.realserver.nameorIP/
    ProxyPassReverse / http://my.realserver.nameorIP/
    CustomLog /var/log/apache2/my.domain.name.access.log combined
    ErrorLog /var/log/apache2/my.domain.name.error.log
</VirtualHost>
And then add an SSL entry
<VirtualHost *:443>
    ServerName my.domain.name
    SSLEngine on
    SSLCertificateFile /etc/apache2/ssl/mycertificate.crt
    SSLCertificateKeyFile /etc/apache2/ssl/mykey.key
    SSLCertificateChainFile /etc/apache2/ssl/myintermediatecertificateifneeded.crt
    ProxyPass / http://myrealserver.nameorIP/
    ProxyPassReverse / http://my.domain.name/
    ProxyPassReverse / http://myrealserver.nameorIP/
    CustomLog /var/log/apache2/my.domain.name.access.log combined
    ErrorLog /var/log/apache2/my.domain.name.error.log
</VirtualHost>
If you want the SSL proxy to also connect to the target as SSL, change the ProxyPass URLs appropriately and add to the vhost:
SSLProxyEngine On