Using the Apache HTTP Server as a forward proxy to the Internet

Peter Lorenzen
23/04-2013

Often you do not want servers in your internal network segments to be able to access the Internet directly.
One way to get controlled access to the Internet is to place an Apache HTTP Server in a DMZ network segment. Internal servers can then use the Apache server as a forward proxy to the Internet.

It is easy to configure mod_proxy for this purpose. Here is an example.

##########################################################################
## Internet proxy
##########################################################################
Listen 10.10.10.1:8080

<VirtualHost 10.10.10.1:8080>
  ProxyRequests On
  SSLProxyEngine On

  ProxyPass        /revoke https://myca.com/revoke
  ProxyPassReverse /revoke https://myca.com/revoke

  <Location />
    Order Deny,Allow
    Deny from all
    Allow from 10.20.30.0/29
  </Location>
</VirtualHost>

Only “ProxyRequests On” is needed for a proxy to work.

Applications that know how to communicate with a proxy can be configured to use 10.10.10.1 on port 8080.

You can for example configure a browser to use the proxy.

Not all applications know how to use a proxy. In some project they could not get the BEA AquaLogic Service Bus to use a proxy. I am not a developer so I don’t know the details and if it is still a problem with the OSB. To get around this you can use ProxyPass and ProxyPassReverse to proxy to specific sites.

Here it is possible to use http://10.10.10.1:8080/revoke/getRevokeList to get a certificate revocation list from a CA.

If you need to access sites via HTTPS you need “SSLProxyEngine On”. SSL will be terminated at the proxy and the communication from the internal network segment to the proxy is HTTP.

If anybody gets access to the proxy they will be able to access any site on the Internet masqueraded as you. If the wrong people get access, your site might end up being black listed because of their mischievous deeds. So it is important to limit the access to the proxy.

Here only servers in the PROD (10.20.30.0/29) network segment can use the proxy. Servers in the DMZ segment does not have access.

I assume that the firewall between the PROD and DMZ segments will only allow certain PROD servers to access the proxy.

Notice that you can also use the <Proxy> directive to configure your proxy.

Two-way SSL

It is also possible to get two-way SSL to work through a forward proxy. The certificates must be PEM-encoded and encrypted private keys is not supported. So it might take a bit of messing around to get it working.

Here is an example.

<VirtualHost 10.10.10.2:8080>
   SSLProxyEngine On
   SSLProxyVerify require
   SSLProxyVerifyDepth 10

   SSLProxyMachineCertificateFile /etc/httpd/conf/certs/my-machine-proxy.pem
   SSLProxyCACertificateFile /etc/httpd/conf/certs/ca.pem

   ProxyPass        / https://someapp.com/
   ProxyPassReverse / https://someapp.com/
</VirtualHost>

{ 5 comments… read them below or add one }

serg February 20, 2014 at 22:55

Thanks for the post! I’ve just configured proxy.

ias May 2, 2014 at 17:16

Thanks for the post!. It is really helpful

piyu009 June 6, 2014 at 14:50

Hi, thank for the blog entry. Can you please let know if we have SSL enabled at F5 does this SSLProxyEngine On is still required in virtual host reverse proxying the request to backend severs.

Also , is there any time out value associated with http request reaching the proxy sevrer when SSLProxyEngine On is not included in the configuration which is ssl enabled at F5

Peter Lorenzen June 12, 2014 at 14:54

Hi,
I believe that if you use SSL between the Apache proxy and F5 you need SSLProxyEngine On.
You can see any timeout directives here:
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html
http://httpd.apache.org/docs/2.2/mod/mod_proxy.html
Regards Peter

A. Daniel King March 21, 2018 at 21:03

Good stuff, thanks.

Leave a Comment

Previous post:

Next post: