Yet another proxying question
Hello
I have a problem which is driving me insane.
I have three (possibly more to come) backend servers running JBoss/tomcat and I have an Apache server running in front of these servers. What I need is for my users to connect to Apache which is supposed to act as a proxy.
This means that user must connect to Apache and recieve answers from my backend servers through Apache, so that the users cannot directly access the backend servers.
But! furthermore users must log in through apache and based on the username entered, the proxy must contact the corresponding backendserver since they are running different applications.
The username provided must be sent along with the request to the backendserver and on top of all this I wish to hide the URL from the user so that he/she cannot see request-paramters.
So what I end up with is a user requsting something like :
http://apacheserver/somepath
recieving response from one of the backendservers without the URL being changed.
The request which the proxy server needs to send to the backendservers are on the form :
http://backendserver:someport/app/app?paramter1=somevalue&userID=user
where user is the username from the loginpage.
That is, I need three things from this setup :
user login
proxy functionality
URL hiding
I have been examining mod_proxy, but that is kind of limited.
Then I have been examining mod_rewrite but I cant seem to be getting it to work correctly.
What I have tried is something like :
in a .htaccess file in e.g.
http://apacheserver/somepath
I have :
RewriteEngine on
RewriteRule ^(.*)$ http://backendserver:someport/app/app?paramter1=somevalue&userID=%{REMOTE_USER} [R]
This actually works although the long URL of the backend server is shown to the user :-(
If I change the [R] flag to [P] the user recieves an URL looking like :
http://apacheserver/somepath/?paramter1=value&user=someuser
which does not work as intended, and the URL is showing.
-that got pretty long i must admit, does it make sense to you...
Does anyone know whether the setup I am requesting is at all possible?
Maybe it is not mod_rewrite I need to be looking at -maybe a PHP solution is needed, or something completely different??
Any suggestions, faint ideas or guidelines would be greatly appreciated!!
Regards
Lars Hammer
I have a problem which is driving me insane.
I have three (possibly more to come) backend servers running JBoss/tomcat and I have an Apache server running in front of these servers. What I need is for my users to connect to Apache which is supposed to act as a proxy.
This means that user must connect to Apache and recieve answers from my backend servers through Apache, so that the users cannot directly access the backend servers.
But! furthermore users must log in through apache and based on the username entered, the proxy must contact the corresponding backendserver since they are running different applications.
The username provided must be sent along with the request to the backendserver and on top of all this I wish to hide the URL from the user so that he/she cannot see request-paramters.
So what I end up with is a user requsting something like :
http://apacheserver/somepath
recieving response from one of the backendservers without the URL being changed.
The request which the proxy server needs to send to the backendservers are on the form :
http://backendserver:someport/app/app?paramter1=somevalue&userID=user
where user is the username from the loginpage.
That is, I need three things from this setup :
user login
proxy functionality
URL hiding
I have been examining mod_proxy, but that is kind of limited.
Then I have been examining mod_rewrite but I cant seem to be getting it to work correctly.
What I have tried is something like :
in a .htaccess file in e.g.
http://apacheserver/somepath
I have :
RewriteEngine on
RewriteRule ^(.*)$ http://backendserver:someport/app/app?paramter1=somevalue&userID=%{REMOTE_USER} [R]
This actually works although the long URL of the backend server is shown to the user :-(
If I change the [R] flag to [P] the user recieves an URL looking like :
http://apacheserver/somepath/?paramter1=value&user=someuser
which does not work as intended, and the URL is showing.
-that got pretty long i must admit, does it make sense to you...
Does anyone know whether the setup I am requesting is at all possible?
Maybe it is not mod_rewrite I need to be looking at -maybe a PHP solution is needed, or something completely different??
Any suggestions, faint ideas or guidelines would be greatly appreciated!!
Regards
Lars Hammer
ASKER
Hej Samri
Thanks for your answer -sorry about not accepting your answer on the last question -I totally forgot about :-(
Hiding the URL using frames does actually work, but the drawback is that when using the [R] flag with mod_rewrite I get no proxy functionality as the backend servers answers directly to the client without going through the apache machine -so this setup wont do the job.
What I need is something like :
http://www.mycompanyserver.com/customer1 -> http://internalserver:port/paramter?value=user
http://www.mycompanyserver.com/customer2 -> http://internalserver:otherport/paramter?value=user
so there must be a login before the rewriting is done to get the apache variable REMOTE_USER assigned to value=user. This is why i up until now has been trying per-directory solutions
Using only ProxyPass makes it difficult to do this REMOTE_USER thing -or at least I havn't figured out how to do it yet.
I think the problem is the same when using the proxy+vhost solution....
And I still need to hide the long ugly URL containing the request parameters, so that the client only sees http://www.mycompanyserver.com/customer1.
I don't even know if I'm investigating the right technology here, maybe I need to be looking at other proxy-products like Squid....
/Lars Hammer
Thanks for your answer -sorry about not accepting your answer on the last question -I totally forgot about :-(
Hiding the URL using frames does actually work, but the drawback is that when using the [R] flag with mod_rewrite I get no proxy functionality as the backend servers answers directly to the client without going through the apache machine -so this setup wont do the job.
What I need is something like :
http://www.mycompanyserver.com/customer1 -> http://internalserver:port/paramter?value=user
http://www.mycompanyserver.com/customer2 -> http://internalserver:otherport/paramter?value=user
so there must be a login before the rewriting is done to get the apache variable REMOTE_USER assigned to value=user. This is why i up until now has been trying per-directory solutions
Using only ProxyPass makes it difficult to do this REMOTE_USER thing -or at least I havn't figured out how to do it yet.
I think the problem is the same when using the proxy+vhost solution....
And I still need to hide the long ugly URL containing the request parameters, so that the client only sees http://www.mycompanyserver.com/customer1.
I don't even know if I'm investigating the right technology here, maybe I need to be looking at other proxy-products like Squid....
/Lars Hammer
Lars,
The last time I'm working with squid, it would need an external redirector engine. I've tried Squirm, and it works fine. However I'm not sure whether it would work as you wish it would.
Have your tried using Proxy throughput [P] option. try using [R,P], or [P,R] switch. The is a bunch of discussion on Apache module docs http://httpd.apache.org/docs/ (or you localcopy would be under http://localhost/manual/)
I would have believe that if you use VirtualHost, and ProxyPass feature, you should be able to do user authentication as well. But it would not be as flexible since you might need to add the authentication directive in the httpd.conf. It might be possible to have the .htaccess in the DocumentRoot for the VHost, but I really could not confirm this.
I have to apologize for not having much machine to test, but I would believe, if you had maanged to get it via [R], try adding the [P] option.
I'll see what I can think of any other approach.
The last time I'm working with squid, it would need an external redirector engine. I've tried Squirm, and it works fine. However I'm not sure whether it would work as you wish it would.
Have your tried using Proxy throughput [P] option. try using [R,P], or [P,R] switch. The is a bunch of discussion on Apache module docs http://httpd.apache.org/docs/ (or you localcopy would be under http://localhost/manual/)
I would have believe that if you use VirtualHost, and ProxyPass feature, you should be able to do user authentication as well. But it would not be as flexible since you might need to add the authentication directive in the httpd.conf. It might be possible to have the .htaccess in the DocumentRoot for the VHost, but I really could not confirm this.
I have to apologize for not having much machine to test, but I would believe, if you had maanged to get it via [R], try adding the [P] option.
I'll see what I can think of any other approach.
ASKER
Hi again
I've been snooping around the Internet a bit, and I've located a module name Apache::ProxyRewrite -I think this might be able to do the job.
-Do you have any experience with this module??
Currently I am running Apache on a Windows platform -would it be beneficial to migrate to Linux instead?
/Lars Hammer
I've been snooping around the Internet a bit, and I've located a module name Apache::ProxyRewrite -I think this might be able to do the job.
-Do you have any experience with this module??
Currently I am running Apache on a Windows platform -would it be beneficial to migrate to Linux instead?
/Lars Hammer
Lars,
That was great. I could not confirm much on Apache::ProxyRewrite. The best I could do is try, and feedback the result here.
If you can afford to migrate, YES I would recommend that. However, if you have minimal UNIX/Linux experience, it would be another learning-curve to go thru.
Most people would say move to Unix. price, performnace, feature, etc. etc. But if you would need to migrate just for this reaason (specific to current problem), then rethink.
I will check out Apache::ProxyRewrite in a while.
That was great. I could not confirm much on Apache::ProxyRewrite. The best I could do is try, and feedback the result here.
If you can afford to migrate, YES I would recommend that. However, if you have minimal UNIX/Linux experience, it would be another learning-curve to go thru.
Most people would say move to Unix. price, performnace, feature, etc. etc. But if you would need to migrate just for this reaason (specific to current problem), then rethink.
I will check out Apache::ProxyRewrite in a while.
ASKER
Hi
used most of the day figuring out if Apache::ProxyRewrite could help me out -but it doesn't seem so :-(
Well, I've installed Debian on my machine now, and apache is running fine.
I haven't tried out Squid yet, but that is my next goal -hopefully that will turn out rigth.
I've come to wonder if I might end up writing my own perl module for apache wich does exactly what i need -do you think that is a little "over the edge" or could this be the solution in the end??
Regards
Lars Hammer
used most of the day figuring out if Apache::ProxyRewrite could help me out -but it doesn't seem so :-(
Well, I've installed Debian on my machine now, and apache is running fine.
I haven't tried out Squid yet, but that is my next goal -hopefully that will turn out rigth.
I've come to wonder if I might end up writing my own perl module for apache wich does exactly what i need -do you think that is a little "over the edge" or could this be the solution in the end??
Regards
Lars Hammer
Lars,
Having enought knowledge in coding (especially C) would be an added advantage, and YES, it would be great if we all could share the modules. Take a look at http://modules.apache.org/, I bet they have some tips/hints for apache module developer. Some tips I knew - modules for apache 1.3.x, and apache 2.x are not portable. I bet that is due to major overhaul in apache 2.
The is another Q (https://www.experts-exchange.com/questions/20319838/Proxy-to-multiple-servers-getting-images-to-work.html) that talks *almost* the same thing. Maybe you might get some ideas there.
I would pretty much stuck on the Vhost suggestion. I guess, it is much *trickier* (<-- is this English) than I thought it would be. Maybe due to some requirement on the Tomcat side.
Squid would be a great proxy server, but when it come to Reverse Proxy (as we are looking here), it would be trick as well. One approach that I would be looking at would be having Apache to have two Vhost, and each one of them would be a proxy pass to the two backend squid (two instance of squid running on two separate port). This is one approach.
Another would be totally Squid standalone (one instance, and no apache, and listening on port 80), however, you would be needing a redirector/rewrite plugins that will channeld the request to your two internal webserver (tomcat).
So far, I haven't get much time to test Apache::ProxyRewrite, mainly due to lack of Unix machine to try, and another is locating the module (for ActivePerl win32). Any chance of sharing the location (URL).
cheers.
Having enought knowledge in coding (especially C) would be an added advantage, and YES, it would be great if we all could share the modules. Take a look at http://modules.apache.org/, I bet they have some tips/hints for apache module developer. Some tips I knew - modules for apache 1.3.x, and apache 2.x are not portable. I bet that is due to major overhaul in apache 2.
The is another Q (https://www.experts-exchange.com/questions/20319838/Proxy-to-multiple-servers-getting-images-to-work.html) that talks *almost* the same thing. Maybe you might get some ideas there.
I would pretty much stuck on the Vhost suggestion. I guess, it is much *trickier* (<-- is this English) than I thought it would be. Maybe due to some requirement on the Tomcat side.
Squid would be a great proxy server, but when it come to Reverse Proxy (as we are looking here), it would be trick as well. One approach that I would be looking at would be having Apache to have two Vhost, and each one of them would be a proxy pass to the two backend squid (two instance of squid running on two separate port). This is one approach.
Another would be totally Squid standalone (one instance, and no apache, and listening on port 80), however, you would be needing a redirector/rewrite plugins that will channeld the request to your two internal webserver (tomcat).
So far, I haven't get much time to test Apache::ProxyRewrite, mainly due to lack of Unix machine to try, and another is locating the module (for ActivePerl win32). Any chance of sharing the location (URL).
cheers.
ASKER
Hi Samri
Well, I tried out the solution posted by M in the Q you mentioned above and it actually did help somewhat.
When using the solution posted and I access :
http://bogusname1.proxy.mydomain.com
I get the following URL :
http://bogusname1.proxy.mydomain.com/app/app?something=someparamter
which is very close to my goal. The only thing wrong with this is that I only want to display :
http://bogusname1.proxy.mydomain.com
without the ugly paramters -as mentioned earlier.
Then i tried the following :
<VirtualHost proxy.mydomain.com>
ServerName server1.proxy.mydomain.com
ProxyRequests on
ProxyVia On
ProxyPass / http://proxy.mydomain.com/test1/
ProxyPassReverse / http://proxy.mydomain.com/test1/
</VirtualHost>
where the directory /test1/ contains a simple html file containing a hidden frame reffering to :
http://backendserver/app/app?something=someparamter
This actually does the trick and I _think_ I am happy.
The only thing I wonder about now is whether this setup still provides proxy functionality.
That is -when the user request is proxied to /test1/ and the html frame gets the backendserver response -is this response sent directly to the user or does it go through the proxy??
I havn't found a way to test this right now but I am working on it...
/Lars Hammer
Well, I tried out the solution posted by M in the Q you mentioned above and it actually did help somewhat.
When using the solution posted and I access :
http://bogusname1.proxy.mydomain.com
I get the following URL :
http://bogusname1.proxy.mydomain.com/app/app?something=someparamter
which is very close to my goal. The only thing wrong with this is that I only want to display :
http://bogusname1.proxy.mydomain.com
without the ugly paramters -as mentioned earlier.
Then i tried the following :
<VirtualHost proxy.mydomain.com>
ServerName server1.proxy.mydomain.com
ProxyRequests on
ProxyVia On
ProxyPass / http://proxy.mydomain.com/test1/
ProxyPassReverse / http://proxy.mydomain.com/test1/
</VirtualHost>
where the directory /test1/ contains a simple html file containing a hidden frame reffering to :
http://backendserver/app/app?something=someparamter
This actually does the trick and I _think_ I am happy.
The only thing I wonder about now is whether this setup still provides proxy functionality.
That is -when the user request is proxied to /test1/ and the html frame gets the backendserver response -is this response sent directly to the user or does it go through the proxy??
I havn't found a way to test this right now but I am working on it...
/Lars Hammer
Lars,
It's great to actually come to some *possible* approach.
It pretty much depends of which version of Apache you are running. If yours are Apache 1.3.x, then the whole directive for caching would be available/configured in the mod_proxy portion. But if you are running 2.x, then the proxy and caching has been splitted into two portion - proxy and cache. And even caching has two types : disk and memory.
Apache 1.3x
http://httpd.apache.org/docs/mod/mod_proxy.html
and concentrace on the Directive started with "Proxy"
Btw, there should be some default config that comes with the server (default httpd.conf).
For Apache 2.x, following links might be of some info.
http://httpd.apache.org/docs-2.0/mod/
http://httpd.apache.org/docs-2.0/mod/mod_proxy.html
http://httpd.apache.org/docs-2.0/mod/mod_cache.html
Some sample config are included.
Btw, I managed to test Apache::ProxyRewrite for ActivePerl (Win2K), and it looks quite straight forward. I'm not sure about parameter passing, but I copy and paste the sample config (from perldoc Apache::ProxyRewrite), it's just runs fine - just like Proxy and ProxyPass is doing.
Back to your frame-trick. It should work for most cases, and in fact I've seen many places did this. But I had one problem with this approach -- what happened if the proxied internal server also has frames, and incidently, the frame name is the same as the one that you are using. We would be running into trouble. Well, one approach would be main frame to be something very uniq.
Cheers.
- It's just something that I came across though.
It's great to actually come to some *possible* approach.
It pretty much depends of which version of Apache you are running. If yours are Apache 1.3.x, then the whole directive for caching would be available/configured in the mod_proxy portion. But if you are running 2.x, then the proxy and caching has been splitted into two portion - proxy and cache. And even caching has two types : disk and memory.
Apache 1.3x
http://httpd.apache.org/docs/mod/mod_proxy.html
and concentrace on the Directive started with "Proxy"
Btw, there should be some default config that comes with the server (default httpd.conf).
For Apache 2.x, following links might be of some info.
http://httpd.apache.org/docs-2.0/mod/
http://httpd.apache.org/docs-2.0/mod/mod_proxy.html
http://httpd.apache.org/docs-2.0/mod/mod_cache.html
Some sample config are included.
Btw, I managed to test Apache::ProxyRewrite for ActivePerl (Win2K), and it looks quite straight forward. I'm not sure about parameter passing, but I copy and paste the sample config (from perldoc Apache::ProxyRewrite), it's just runs fine - just like Proxy and ProxyPass is doing.
Back to your frame-trick. It should work for most cases, and in fact I've seen many places did this. But I had one problem with this approach -- what happened if the proxied internal server also has frames, and incidently, the frame name is the same as the one that you are using. We would be running into trouble. Well, one approach would be main frame to be something very uniq.
Cheers.
- It's just something that I came across though.
Lars,
Any luck.
Btw; take a look at this Q, you might have a better luck to help: https://www.experts-exchange.com/questions/20324403/RewriteEngine-and-RewriteRule-HELP.html
Any luck.
Btw; take a look at this Q, you might have a better luck to help: https://www.experts-exchange.com/questions/20324403/RewriteEngine-and-RewriteRule-HELP.html
ASKER
Hi Samri
I'm just on-line for a few moments. I had surgery done in my right eye yesterday, so I'm not going to work for some days.
But I'll get back to you as soon as I get well.
Regards
Lars Hammer
I'm just on-line for a few moments. I had surgery done in my right eye yesterday, so I'm not going to work for some days.
But I'll get back to you as soon as I get well.
Regards
Lars Hammer
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Samri,
-my eye is getting better, so I'm back to work again.
I have combined the solution posted in Q_20319838 by 'M', as pointed out by you, with a nice little HTML posting form. The form sends the parameters through hidden input fields -that works great.
This enables me to do the proxying and hide the long ugly URL.
It actually works pretty great, so now I'm off to make a user login in PHP.
-thank you very much for all of your input, couldn't have done it without it.
/Hammer
-my eye is getting better, so I'm back to work again.
I have combined the solution posted in Q_20319838 by 'M', as pointed out by you, with a nice little HTML posting form. The form sends the parameters through hidden input fields -that works great.
This enables me to do the proxying and hide the long ugly URL.
It actually works pretty great, so now I'm off to make a user login in PHP.
-thank you very much for all of your input, couldn't have done it without it.
/Hammer
Lars,
That is great. To be frank, I kinda learn alot from these two questions.
take care.
That is great. To be frank, I kinda learn alot from these two questions.
take care.
Sounds like your previous question (well I might be wrong!): https://www.experts-exchange.com/questions/20318144/A-proxy-question.html
Back to this Q:
mod_rewrite is quite powerful in the sense that it can do wonders. It's just getting it done (getting the rewrite rule) - is tricky, very tricky.
Since the first rewrite works, One option is to you frame to hide the url. I do not have much knowledge in HTML/Frames. But it should work. Make the top frame (of left to be 0 in size), have your target url in the bottom frame. This trick works.
Next Option would be Proxy+ProxyPass method.
add the following
ProxyPass /somepath1 http://backend1.domain.com/somepath/
ProxyPassReverse /somepath1 http://backend1.domain.com/somepath/
ProxyPass /somepath2 http://backend2.domain.com/somepath/
ProxyPassReverse /somepath2 http://backend2.domain.com/somepath/
OR:
Another option is to try using VirtualHost + Proxy module.
What I can suggest is to have two virtualhost
Basicall the concept would be having two additional Vhost
NameVirtualHost *
<VirtualHost *>
Your default server config here
ServerName www.yourdomain.com
</VirtualHost>
<VirtualHost *>
Servername a.domain.com
ProxyRequest on
ProxyPass / http://theactual-backend1.domain.com/
ProxyPassReverse / http://theactual-backend1.domain.com/
</VirtualHost>
I could not say which one is the best (or worked) as I do not have the stuff to test it:
I had this config on my notebook which a sort of (mirrorring) EE. It works, the only problem if, if the site is doing hard-link (http://site.com/docs.html, insteal of just /docs/html), then I would be in trouble.
Reason for doing this - our proxy is is "a WAN away", and I believe saving some static docs locally would save a few bytes :)
This is the config.
-----
NameVirtualHost *
<VirtualHost *>
ServerAdmin admin@a.b.c
DocumentRoot /www/docs/dummy-host.examp
DocumentRoot "C:/Program Files/Apache Group/Apache2/Sites/Defaul
ServerName localhost
</VirtualHost>
<VirtualHost *>
ServerAdmin admin@a.b.c
DocumentRoot "C:/Program Files/Apache Group/Apache2/Sites/EE"
ServerName ee
ProxyRequests On
ProxyPreserveHost Off
ProxyRemote * http://myrealproxy:8080
# NoProxy .batgen.com my.net/16
<Proxy *>
Order deny,allow
Deny from all
Allow from 127.0.0.1
</Proxy>
ProxyPass / https://www.experts-exchange.com/
ProxyPassReverse / https://www.experts-exchange.com/
</VirtualHost>