Reverse Proxy (Outside Access to internal servers)

Start with a standard Web Server install...

We'll be basing our procedure on Configuring Apache To Proxy Connections

Enable the proxy modules:

• sudo a2enmod proxy proxy_ajp proxy_http rewrite deflate headers proxy_balancer proxy_connect proxy_html

(possibly add mod_authz_host to the list...)

Create the virtual host to point incoming connections at the internal server you want to proxy:

• Proxy VirtualHost Configuration
• See also: Name-based Virtual Host Support

You may have noted while setting up the VirtualHost that we're pointing at a set of cert files that need to be on both machines. I would suggest that you obtain the certs on the main web server & copy them to the machine being proxied as this will (to some extent) simplify updating them.

• Installing on a Webserver that will be proxied

Also, 2 log files in a new folder...

• sudo mkdir /var/log/apache2/Proxy

(this folder will be populated automagically when you restart Apache...)

Now, restart Apache:

• sudo service apache2 restart

At this point, you should be able to browse to Proxy.foo.bar from outside your network.

Special considerations for the ESXi WebUI

ESXi uses WebSockets

Access Control by IP / HostName

You can control who can access your proxy via the <Proxy> control block as in the following example:

<Proxy "*">
  Order deny,allow
  Deny from all
  Allow from 192.168.0.1
  Allow from 192.168.0.2
</Proxy>

Simply replace 192.168.0.1 & 192.168.0.2 with the IPs of the machines allowed to access this proxy.

Reference

In theory, You could also replace the IP addresses with hostnames (or partial hostnames). BUT, those hostnames need to be visible across the internet...

Upcoming tricks...

• Access control by User Login
  • Apache Authentication and Authorization
• Multi-Site Server Management from a Central Server

Further Reading

• Apache Module mod_proxy
• Apache Module mod_authz_host
• Apache Reverse Proxy Guide