Using the Apache HTTP Server as a forward proxy to the Internet

Peter Lorenzen
23/04-2013

Often you do not want servers in your internal network segments to be able to access the Internet directly.
One way to get controlled access to the Internet is to place an Apache HTTP Server in a DMZ network segment. Internal servers can then use the Apache server as a forward proxy to the Internet.

It is easy to configure mod_proxy for this purpose. Here is an example.

##########################################################################
## Internet proxy
##########################################################################
Listen 10.10.10.1:8080

<VirtualHost 10.10.10.1:8080>
  ProxyRequests On
  SSLProxyEngine On

  ProxyPass        /revoke https://myca.com/revoke
  ProxyPassReverse /revoke https://myca.com/revoke

  <Location />
    Order Deny,Allow
    Deny from all
    Allow from 10.20.30.0/29
  </Location>
</VirtualHost>

Only “ProxyRequests On” is needed for a proxy to work.

Applications that know how to communicate with a proxy can be configured to use 10.10.10.1 on port 8080.

You can for example configure a browser to use the proxy.

Not all applications know how to use a proxy. In some project they could not get the BEA AquaLogic Service Bus to use a proxy. I am not a developer so I don’t know the details and if it is still a problem with the OSB. To get around this you can use ProxyPass and ProxyPassReverse to proxy to specific sites.

Here it is possible to use http://10.10.10.1:8080/revoke/getRevokeList to get a certificate revocation list from a CA.

If you need to access sites via HTTPS you need “SSLProxyEngine On”. SSL will be terminated at the proxy and the communication from the internal network segment to the proxy is HTTP.

If anybody gets access to the proxy they will be able to access any site on the Internet masqueraded as you. If the wrong people get access, your site might end up being black listed because of their mischievous deeds. So it is important to limit the access to the proxy.

Here only servers in the PROD (10.20.30.0/29) network segment can use the proxy. Servers in the DMZ segment does not have access.

I assume that the firewall between the PROD and DMZ segments will only allow certain PROD servers to access the proxy.

Notice that you can also use the <Proxy> directive to configure your proxy.

Two-way SSL

It is also possible to get two-way SSL to work through a forward proxy. The certificates must be PEM-encoded and encrypted private keys is not supported. So it might take a bit of messing around to get it working.

Here is an example.

<VirtualHost 10.10.10.2:8080>
   SSLProxyEngine On
   SSLProxyVerify require
   SSLProxyVerifyDepth 10

   SSLProxyMachineCertificateFile /etc/httpd/conf/certs/my-machine-proxy.pem
   SSLProxyCACertificateFile /etc/httpd/conf/certs/ca.pem

   ProxyPass        / https://someapp.com/
   ProxyPassReverse / https://someapp.com/
</VirtualHost>

{ 1 comment… read it below or add one }

serg February 20, 2014 at 22:55

Thanks for the post! I’ve just configured proxy.

Leave a Comment

Previous post:

Next post: