Using the Apache HTTP Server as a forward proxy to the Internet
Source: Internet | Published: website app generator software | Editor: Programmer Blog Network | Time: 2024/05/22 00:45
./configure --prefix=/usr/local/apache2 --enable-mods-shared="all" --enable-proxy=shared

Download    $ lynx http://www.apache.org/dist/httpd/httpd-2_0_NN.tar.gz
Extract     $ gzip -d httpd-2_0_NN.tar.gz
            $ tar xvf httpd-2_0_NN.tar
Configure   $ ./configure --prefix=PREFIX
Compile     $ make
Install     $ make install
Customize   $ vi PREFIX/conf/httpd.conf
Test        $ PREFIX/bin/apachectl start
Often you do not want servers in your internal network segments to be able to access the Internet directly.
One way to get controlled access to the Internet is to place an Apache HTTP Server in a DMZ network segment. Internal servers can then use the Apache server as a forward proxy to the Internet.
It is easy to configure mod_proxy for this purpose. Here is an example.
##########################################################################
## Internet proxy
##########################################################################
Listen 10.10.10.1:8080
<VirtualHost 10.10.10.1:8080>
    ProxyRequests On
    SSLProxyEngine On
    ProxyPass        /revoke https://myca.com/revoke
    ProxyPassReverse /revoke https://myca.com/revoke
    <Location />
        Order Deny,Allow
        Deny from all
        Allow from 10.20.30.0/29
    </Location>
</VirtualHost>
Only “ProxyRequests On” is needed for a proxy to work.
Applications that know how to communicate with a proxy can be configured to use 10.10.10.1 on port 8080.
You can for example configure a browser to use the proxy.
Not all applications know how to use a proxy. In one project they could not get the BEA AquaLogic Service Bus to use a proxy. I am not a developer so I don’t know the details and if it is still a problem with the OSB. To get around this you can use ProxyPass and ProxyPassReverse to proxy to specific sites.
Here it is possible to use http://10.10.10.1:8080/revoke/getRevokeList to get a certificate revocation list from a CA.
If you need to access sites via HTTPS you need “SSLProxyEngine On”. SSL will be terminated at the proxy and the communication from the internal network segment to the proxy is HTTP.
If anybody gets access to the proxy they will be able to access any site on the Internet while masquerading as you. If the wrong people get access, your site might end up being blacklisted because of their mischievous deeds. So it is important to limit access to the proxy.
Here only servers in the PROD (10.20.30.0/29) network segment can use the proxy. Servers in the DMZ segment do not have access.
I assume that the firewall between the PROD and DMZ segments will only allow certain PROD servers to access the proxy.
Notice that you can also use the <Proxy> directive to configure your proxy.
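The access restriction above is the one thing that separates a controlled forward proxy from an open relay, and it is easy to lose during a config edit. The following script is an added example, not part of the original post: it lints an httpd.conf fragment for every <VirtualHost> that has ProxyRequests On, reads the 2.2-style Order/Deny/Allow rules inside it, and reports whether the vhost is open to everyone or restricted to specific networks. The sample configuration embedded in it is constructed (the post's vhost plus a deliberately careless second vhost), and the Order handling is a simplified model: only "Deny from all" and IP/CIDR/netmask forms of "Allow from" are evaluated, and hostnames are reported as unparsed.

```python
"""Lint httpd.conf for an unrestricted forward proxy (added example, not
from the original post). It walks each <VirtualHost> that turns on
ProxyRequests, reads the 2.2-style Order/Deny/Allow rules inside it, and
reports whether the proxy is open to everyone. Only IP/CIDR/netmask forms
of "Allow from" are understood; hostnames are reported as unparsed."""
import ipaddress
import re

# Constructed sample: the post's restricted proxy, plus a second vhost
# that forgot the <Location /> block and is therefore an open proxy.
SAMPLE_CONF = """\
Listen 10.10.10.1:8080
<VirtualHost 10.10.10.1:8080>
    ProxyRequests On
    SSLProxyEngine On
    ProxyPass /revoke https://myca.com/revoke
    ProxyPassReverse /revoke https://myca.com/revoke
    <Location />
        Order Deny,Allow
        Deny from all
        Allow from 10.20.30.0/29
    </Location>
</VirtualHost>
<VirtualHost 10.10.10.3:8080>
    ProxyRequests On
</VirtualHost>
"""

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
PROXYREQ_RE = re.compile(r"^\s*ProxyRequests\s+On\b", re.M | re.I)
ORDER_RE = re.compile(r"^\s*Order\s+(\S+)", re.M | re.I)
DENY_ALL_RE = re.compile(r"^\s*Deny\s+from\s+all\b", re.M | re.I)
ALLOW_RE = re.compile(r"^\s*Allow\s+from\s+(.+?)\s*$", re.M | re.I)


def parse_allow(spec):
    """Map the arguments of one 'Allow from' line to ip_network objects.
    Returns (networks, unparsed_tokens)."""
    nets, unparsed = [], []
    for tok in spec.split():
        if tok.lower() == "all":
            nets.append(ipaddress.ip_network("0.0.0.0/0"))
            continue
        try:
            # Accepts 10.20.30.0/29, 10.20.30.0/255.255.255.248 and bare hosts
            nets.append(ipaddress.ip_network(tok, strict=False))
        except ValueError:
            unparsed.append(tok)  # hostname or partial-address form
    return nets, unparsed


def audit_proxy_vhosts(conf):
    """Return {vhost: {"open": bool, "allowed": [...], "unparsed": [...]}}
    for every vhost with ProxyRequests On."""
    report = {}
    for m in VHOST_RE.finditer(conf):
        vhost, body = m.group(1).strip(), m.group(2)
        if not PROXYREQ_RE.search(body):
            continue
        allowed, unparsed = [], []
        for a in ALLOW_RE.finditer(body):
            nets, bad = parse_allow(a.group(1))
            allowed.extend(nets)
            unparsed.extend(bad)
        order = ORDER_RE.search(body)
        # Simplified Order model: "Order Allow,Deny" denies by default;
        # "Order Deny,Allow" (Apache's default) allows by default unless a
        # "Deny from all" is present. Deny lists other than "all" are ignored.
        default_deny = order is not None and order.group(1).lower() == "allow,deny"
        denied_by_default = default_deny or DENY_ALL_RE.search(body) is not None
        is_open = not denied_by_default or any(n.prefixlen == 0 for n in allowed)
        report[vhost] = {"open": is_open, "allowed": allowed, "unparsed": unparsed}
    return report


def client_allowed(report, vhost, client_ip):
    """Would client_ip pass the Deny/Allow rules of the given proxy vhost?"""
    entry = report[vhost]
    if entry["open"]:
        return True
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in entry["allowed"])


if __name__ == "__main__":
    for vhost, info in audit_proxy_vhosts(SAMPLE_CONF).items():
        if info["open"]:
            print(f"{vhost}: OPEN PROXY - anyone who can reach it can relay through it")
        else:
            print(f"{vhost}: restricted to {', '.join(map(str, info['allowed']))}")
```

Run against the real httpd.conf after each change to the proxy vhost; a vhost reported as open should never be reachable from a network you do not control, and any "unparsed" tokens deserve a manual look since the script cannot evaluate them.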
Two-way SSL
It is also possible to get two-way SSL to work through a forward proxy. The certificates must be PEM-encoded, and encrypted private keys are not supported. So it might take a bit of messing around to get it working.
Here is an example.
<VirtualHost 10.10.10.2:8080>
    SSLProxyEngine On
    SSLProxyVerify require
    SSLProxyVerifyDepth 10
    SSLProxyMachineCertificateFile /etc/httpd/conf/certs/my-machine-proxy.pem
    SSLProxyCACertificateFile      /etc/httpd/conf/certs/ca.pem
    ProxyPass        / https://someapp.com/
    ProxyPassReverse / https://someapp.com/
</VirtualHost>
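Most of the "messing around" with this setup comes from the two PEM files: the machine certificate file has to hold the client certificate together with its unencrypted private key, and the CA file should hold certificates only. The script below is an added example, not from the original post, that reads the PEM block headers of both files and reports these problems before Apache is restarted. All PEM bodies in it are constructed placeholders, not real certificates or keys, and the file paths from the configuration above are only referenced in the comments.

```python
"""Pre-flight check of the PEM files used for two-way SSL through the proxy
(added example, not from the original post). mod_ssl wants the machine
certificate and its unencrypted private key in one PEM file, and the CA
file to contain certificates only. The checker reads PEM block headers and
reports problems before Apache is restarted. All PEM bodies below are
constructed placeholders, not real certificates or keys."""
import re

PEM_BLOCK_RE = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

# Constructed samples (placeholder bodies), standing in for
# my-machine-proxy.pem and ca.pem from the configuration.
GOOD_MACHINE_PEM = """\
-----BEGIN CERTIFICATE-----
MIIB...placeholder-client-cert...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIIE...placeholder-unencrypted-key...
-----END RSA PRIVATE KEY-----
"""

ENCRYPTED_MACHINE_PEM = """\
-----BEGIN CERTIFICATE-----
MIIB...placeholder-client-cert...
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

MIIE...placeholder-encrypted-key...
-----END RSA PRIVATE KEY-----
"""

CERT_ONLY_PEM = """\
-----BEGIN CERTIFICATE-----
MIIB...placeholder-client-cert...
-----END CERTIFICATE-----
"""

CA_BUNDLE_PEM = """\
-----BEGIN CERTIFICATE-----
MIIB...placeholder-intermediate-ca...
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIB...placeholder-root-ca...
-----END CERTIFICATE-----
"""


def pem_blocks(text):
    """Return [(label, body), ...] for each PEM block in text."""
    return PEM_BLOCK_RE.findall(text)


def check_machine_cert_file(text):
    """Problems with an SSLProxyMachineCertificateFile; [] means usable."""
    blocks = pem_blocks(text)
    certs = [b for b in blocks if b[0] == "CERTIFICATE"]
    keys = [b for b in blocks if b[0].endswith("PRIVATE KEY")]
    problems = []
    if not certs:
        problems.append("no CERTIFICATE block")
    if not keys:
        problems.append("no PRIVATE KEY block: the key must be in the same file as its certificate")
    for label, body in keys:
        # PKCS#8 encrypted keys use their own label; encrypted PKCS#1 keys
        # carry a "Proc-Type: 4,ENCRYPTED" header line inside the block.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append(f"{label} block is encrypted; mod_ssl cannot use it for proxy client auth")
    return problems


def check_ca_file(text):
    """Problems with an SSLProxyCACertificateFile; [] means usable."""
    blocks = pem_blocks(text)
    problems = []
    if not any(b[0] == "CERTIFICATE" for b in blocks):
        problems.append("no CERTIFICATE block")
    for label, _ in blocks:
        if label.endswith("PRIVATE KEY"):
            problems.append(f"{label} block found: a private key does not belong in the CA file")
    return problems


if __name__ == "__main__":
    for name, text in [("good machine file", GOOD_MACHINE_PEM),
                       ("encrypted machine file", ENCRYPTED_MACHINE_PEM),
                       ("cert-only machine file", CERT_ONLY_PEM)]:
        print(name, "->", check_machine_cert_file(text) or "ok")
    print("ca bundle ->", check_ca_file(CA_BUNDLE_PEM) or "ok")
```

Because the private key in the machine certificate file is stored unencrypted, the file permissions matter more than usual: it should be readable only by the user Apache reads its configuration as, and it should live outside any directory the proxy serves.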