On Thu, 24 Jul 2003, Garrett Goebel wrote: > Most everything I'm stumbled upon has been short on detail and examples. For > instance, I never found an example of how to just reverse proxy everything > for a given backend server. All the examples I saw showed how to proxy > something like http://foo/bar but not http://foo. Eventually I came up with > the following: > > [Reverse Proxy] > ... > Listen 192.168.1.1:80 > RewriteEngine on > RewriteRule ^/?(.*) http://127.0.0.1:80/$1 [P] > ProxyPassReverse / http://127.0.0.1:80/ > ... > > [Backend Server] > ... > Listen 127.0.0.1:80 > ... > > Is this kosher? > > Is there a better way to do this? > > A way to do it without mod_rewrite using only mod_proxy directives?
It can be done easy without mod_rewrite: ProxyPass / http://127.0.0.1:80/ ProxyPassReverse / http://127.0.0.1:80/ > Are there any strong arguments against using a mod_proxy/mod_rewrite httpd > accelerator? Or preferred alternatives? I can not say about Apache2's mod_proxy (I do not use Apache2) but Apache 1.3's one has several drawbacks when it serves the big responses for the slow clients. It reads the backend response and synchronously sends it to client. The maximum size of the data that can be read from backend without delay is ProxyIOBufferSize + frontend kernel TCP send buffer + frontend kernel TCP recieve buffer + backend kernel TCP send buffer. Kernel TCP buffers are usually 16K-64K but can be made bigger. To eliminate many mod_proxy drawbacks I had written more than two years ago mod_accel module to do the reverse-proxing. mod_accel allows to configure read buffer in memory but if the response is bigger then it saves it to the temporary file and frees the backend as soon as possible. mod_accel has directives to configure the caching backend responses, to limit the connections to some backend to avoid the starvation of other hosts and many other features. mod_accel is clean module and is used for two years on several Russian loaded sites. One of them serves 100 requests per seconds without any segfaults. The main mod_accel drawback for non-Russian users is that there's no complete English documentation. Here is very incomplete documentaion http://dapi.chaz.ru/articles/plain/en/mod_accel.xml Also there're some English links on http://sysoev.ru/en/ > Using the loopback for the backend has the security advantage of completely > isolating the backend from any direct communication with external hosts. How > do I keep the backend on 127.0.0.1 _and_ handle name based virtual hosts? Using mod_proxy you can set up backend listening on several loopback addresses: 127.0.0.1, 127.0.0.2, etc. Of course, you need to configure these additional addresses in OS before the use. Also backend can listen on several ports and the single address: 127.0.0.1:8000, 127.0.0.1:8001, etc. Here is example for two virtual hosts on several addresses, note that 1) the frontend servers are name based while the backend ones are IP based; 2) ServerName of the virtual server pairs are the same. [Reverse Proxy] NameVirtualHost frontend <VirtualHost frontend> ServerName name1 ProxyPass / http://127.0.0.1:80/ ProxyPassReverse / http://127.0.0.1:80/ ... </VirtualHost> <VirtualHost frontend> ServerName name2 ProxyPass / http://127.0.0.2:80/ ProxyPassReverse / http://127.0.0.2:80/ ... </VirtualHost> [Backend Server] UseCanonicalName on <VirtualHost 127.0.0.1> ServerName name1 ... </VirtualHost> <VirtualHost 127.0.0.2> ServerName name2 ... </VirtualHost> Using mod_accel you can use the same scheme and also there's another way: [PH] flag of the AccelPass directive preserves "Host" header. [Reverse Proxy] AccelPass / http://127.0.0.1/ [PH] [Backend Server] UseCanonicalName on NameVirtualHost 127.0.0.1 <VirtualHost 127.0.0.1> ServerName name1 ... </VirtualHost> <VirtualHost 127.0.0.1> ServerName name2 ... </VirtualHost> > What are the issues with regard to virtual hosting and ssl? All your SSL-enabled sites have to be IP-based. > Any tips on keeping the config files maintainable? > For instance if I'm doing a mason site with co-branding through multiple > component roots... What would minimal configurations for proxy and backend > servers look like in order to redirect an externally exposed ip address on > the proxy to a backend on 127.0.0.1 and still preserve the name based > virtual hosts? It that possible? Yes it's possible, see previous examples. > What are the variations, tradeoffs, and > issues scaling it out to multiple physical servers? etc. mod_accel supports the primitive load balancing and fault tolerance using DNS. mod_proxy in Apache 1.3 also has code that allows to connect to the next server returned by DNS but this code is broken - it uses the same socket to connect to the next backend and this always fails. Igor Sysoev http://sysoev.ru/en/