Using the Apache HTTP Server as a forward proxy to the Internet
2013-11-07 22:26
./configure --prefix=/usr/local/apache2 --enable-mods-shared="all" --enable-proxy=shared
Often you do not want servers in your internal network segments to be able to access the Internet directly.
One way to get controlled access to the Internet is to place an Apache HTTP Server in a DMZ network segment. Internal servers can then use the Apache server as a forward proxy to the Internet.
It is easy to configure mod_proxy for this purpose. Here is an example.
Only “ProxyRequests On” is needed for a proxy to work.
Applications that know how to communicate with a proxy can be configured to use 10.10.10.1 on port 8080.
You can for example configure a browser to use the proxy.
Not all applications know how to use a proxy. In one project they could not get the BEA AquaLogic Service Bus to use a proxy. I am not a developer, so I don’t know the details or whether it is still a problem with the OSB. To get around this you can use ProxyPass and ProxyPassReverse to proxy to specific sites.
Here it is possible to use http://10.10.10.1:8080/revoke/getRevokeList to get a certificate revocation list from a CA.
If you need to access sites via HTTPS you need “SSLProxyEngine On”. SSL will be terminated at the proxy and the communication from the internal network segment to the proxy is HTTP.
If anybody gets access to the proxy they will be able to access any site on the Internet masquerading as you. If the wrong people get access, your site might end up being blacklisted because of their mischievous deeds. So it is important to limit the access to the proxy.
Here only servers in the PROD (10.20.30.0/29) network segment can use the proxy. Servers in the DMZ segment do not have access.
I assume that the firewall between the PROD and DMZ segments will only allow certain PROD servers to access the proxy.
Notice that you can also use the <Proxy> directive to configure your proxy. Here is an example.
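A forward proxy limited to the PROD segment, written for this page as an added example (it is not the original post's configuration). It assumes Apache 2.4 "Require" syntax with mod_proxy, mod_proxy_http and mod_authz_host loaded; the log file names are illustrative.

```apache
# Added example, not from the original post.
Listen 10.10.10.1:8080

<VirtualHost 10.10.10.1:8080>
    # Turns this virtual host into a forward proxy.
    ProxyRequests On

    # Weak: with no <Proxy> section (or with "Require all granted" in it),
    # anyone who can reach 10.10.10.1:8080 can reach the Internet through it.
    #
    # Restricted: forward-proxy requests are matched by <Proxy "*">, so this
    # limits every proxied URL to clients in PROD (10.20.30.0 - 10.20.30.7).
    # DMZ hosts such as 10.10.10.x fall outside the range and get 403.
    <Proxy "*">
        Require ip 10.20.30.0/29
    </Proxy>

    # Apache 2.2 equivalent of the Require line above:
    #   Order deny,allow
    #   Deny from all
    #   Allow from 10.20.30.0/29

    # Record which client used the proxy and for which URL, so that
    # unexpected use can be traced (file names are assumptions).
    ErrorLog  "logs/proxy_error_log"
    CustomLog "logs/proxy_access_log" "%h %t \"%r\" %>s %b"
</VirtualHost>
```

A request from an address outside 10.20.30.0/29 should return 403 and appear in the access log with that status.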
Two-way SSL
It is also possible to get two-way SSL to work through a forward proxy. The certificates must be PEM-encoded, and encrypted private keys are not supported. So it might take a bit of messing around to get it working. Here is an example.
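The ProxyPass, SSLProxyEngine and two-way SSL setups described above, combined into one added example (it is not the original post's configuration). The host names ca.example.com and partner.example.com, the /partner/ path and all file paths are placeholders; mod_ssl must be loaded and the directives go inside the proxy's virtual host.

```apache
# Added example, not from the original post.

# Plain HTTP upstream: an internal client requests
# http://10.10.10.1:8080/revoke/getRevokeList and the proxy fetches the
# list from the CA (ca.example.com is a placeholder).
ProxyPass        "/revoke/" "http://ca.example.com/revoke/"
ProxyPassReverse "/revoke/" "http://ca.example.com/revoke/"

# HTTPS upstream: the client still talks HTTP to the proxy, and the
# proxy opens the SSL connection to the remote site.
SSLProxyEngine On

# SSL ends at the proxy, so the proxy is the only place where the remote
# certificate can be checked. Require a chain to a known CA, a matching
# host name and an unexpired certificate.
SSLProxyVerify require
SSLProxyVerifyDepth 3
SSLProxyCACertificateFile "/usr/local/apache2/conf/ssl/upstream-ca.pem"
# SSLProxyCheckPeerName needs Apache 2.4.5 or later.
SSLProxyCheckPeerName on
SSLProxyCheckPeerExpire on

# Two-way SSL: the client certificate the proxy presents to the remote
# site. One PEM file holding the certificate followed by its private key.
# The key must be unencrypted, so keep the file readable by root only
# (for example mode 600); Apache reads it at startup.
SSLProxyMachineCertificateFile "/usr/local/apache2/conf/ssl/proxy-client.pem"

ProxyPass        "/partner/" "https://partner.example.com/"
ProxyPassReverse "/partner/" "https://partner.example.com/"
```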