Reverse Proxy Guide

Available Languages: en | fr | ja | ko | tr

In addition to being a "basic" web server, and providing static and dynamic content to end-users, Apache httpd (as well as most other web servers) can also act as a reverse proxy server, also-known-as a "gateway" server.

In such scenarios, httpd itself does not generate or host the data, but rather the content is obtained by one or several backend servers, which normally have no direct connection to the external network. As httpd receives a request from a client, the request itself is proxied to one of these backend servers, which then handles the request, generates the content and then sends this content back to httpd, which then generates the actual HTTP response back to the client.

There are numerous reasons for such an implementation, but generally the typical rationales are due to security, high-availability, load-balancing and centralized authentication/authorization. It is critical in these implementations that the layout, design and architecture of the backend infrastructure (those servers which actually handle the requests) are insulated and protected from the outside; as far as the client is concerned, the reverse proxy server is the sole source of all content.

A typical implementation is below:

reverse-proxy-arch

Reverse Proxy
Simple reverse proxying
Clusters and Balancers
Balancer and BalancerMember configuration
Failover

Comments

Reverse Proxy

Related Modules	Related Directives
`mod_proxy` `mod_proxy_balancer` `mod_proxy_hcheck`	`ProxyPass` `BalancerMember`

Simple reverse proxying

The ProxyPass directive specifies the mapping of incoming requests to the backend server (or a cluster of servers known as a Balancer group). The simpliest example proxies all requests ("/") to a single backend:

ProxyPass "/"  "http://www.example.com"

To ensure that and Location: headers generated from the backend are modified to point to the reverse proxy, instead of back to itself, the ProxyPassReverse directive is most often required:

      ProxyPass "/"  "http://www.example.com"
      ProxyPassReverse "/"  "http://www.example.com"

Only specific URIs can be proxied, as shown in this example:

      ProxyPass "/images"  "http://www.example.com"
      ProxyPassReverse "/images"  "http://www.example.com"

In the above, any requests which start with the /images path with be proxied to the specified backend, otherwise it will be handled locally.

Clusters and Balancers

As useful as the above is, it still has the deficiencies that should the (single) backend node go down, or become heavily loaded, that proxying those requests provides no real advantage. What is needed is the ability to define a set or group of backend servers which can handle such requests and for the reverse proxy to load balance and failover among them. This group is sometimes called a cluster but Apache httpd's term is a balancer. One defines a balancer by leveraging the Proxy and BalancerMember directives as shown:

      <Proxy balancer://myset>
        BalancerMember http://www2.example.com:8080
        BalancerMember http://www3.example.com:8080
        ProxySet lbmethod=bytraffic
      </Proxy>

      ProxyPass "/images"  "balancer://myset"
      ProxyPassReverse "/images"  "balancer://myset"

The balancer:// scheme is what tells httpd that we are creating a balancer set, with the name myset. It includes 2 backend servers, which httpd calls BalancerMembers. In this case, any requests for /images will be proxied to one of the 2 backends. The ProxySet directive specifies that the myset Balancer use a load balancing algorithm that balances based on I/O bytes.

Hint

BalancerMembers are also sometimes referred to as workers.

Balancer and BalancerMember configuration

You can adjust numerous configuration details of the balancers and the workers via the various parameters defined in ProxyPass. For example, assuming we would want http://www3.example.com:8080 to handle 3x the traffic with a timeout of 1 second, we would adjust the configuration as follows:

      <Proxy balancer://myset>
        BalancerMember http://www2.example.com:8080
        BalancerMember http://www3.example.com:8080 loadfactor=3 timeout=1
        ProxySet lbmethod=bytraffic
      </Proxy>

      ProxyPass "/images"  "balancer://myset"
      ProxyPassReverse "/images"  "balancer://myset"

Failover

You can also fine-tune various failover scenarios, detailing which workers and even which balancers should accessed in such cases. For example, the below setup implements 2 failover cases: In the first, http://hstandby.example.com:8080 is only sent traffic if all other workers in the myset balancer are not available. If that worker itself is not available, only then will the http://bkup1.example.com:8080 and http://bkup2.example.com:8080 workers be brought into rotation:

      <Proxy balancer://myset>
        BalancerMember http://www2.example.com:8080
        BalancerMember http://www3.example.com:8080 loadfactor=3 timeout=1
        BalancerMember http://hstandby.example.com:8080 status=+H
        BalancerMember http://bkup1.example.com:8080 lbset=1
        BalancerMember http://bkup2.example.com:8080 lbset=1
        ProxySet lbmethod=byrequests
      </Proxy>

      ProxyPass "/images"  "balancer://myset"
      ProxyPassReverse "/images"  "balancer://myset"

The magic of this failover setup is setting http://hstandby.example.com:8080 with the +H status flag, which puts it in hot standby mode, and making the 2 bkup# servers part of the #1 load balancer set (the default set is 0); for failover, hot standbys (if they exist) are used 1st, when all regular workers are unavailable; load balancer sets are always tried lowest number first.