From 66021c48874d524af4d9b1d5807a8e1f3078980b Mon Sep 17 00:00:00 2001
From: Henning Brauer
Date: Mon, 17 Nov 2003 18:57:07 +0000
Subject: merge apache 1.3.29 and mod_ssl 2.8.16 ok brad@
---
 usr.sbin/httpd/htdocs/manual/mod/mod_proxy.html | 118 +++++++++++++++++++++++-
 1 file changed, 113 insertions(+), 5 deletions(-)
(limited to 'usr.sbin/httpd/htdocs/manual/mod/mod_proxy.html')

diff --git a/usr.sbin/httpd/htdocs/manual/mod/mod_proxy.html b/usr.sbin/httpd/htdocs/manual/mod/mod_proxy.html index 1a31de93967..6e0b7e19c32 100644 --- a/usr.sbin/httpd/htdocs/manual/mod/mod_proxy.html +++ b/usr.sbin/httpd/htdocs/manual/mod/mod_proxy.html @@ -102,6 +102,10 @@ topics +

Forward and Reverse Proxies

+

Apache can be configured in both a forward and + reverse proxy mode.

+ +

An ordinary forward proxy is an intermediate + server that sits between the client and the origin + server. In order to get content from the origin server, + the client sends a request to the proxy naming the origin server + as the target and the proxy then requests the content from the + origin server and returns it to the client. The client must be + specially configured to use the forward proxy to access other + sites.

+ +

A typical usage of a forward proxy is to provide Internet + access to internal clients that are otherwise restricted by a + firewall. The forward proxy can also use caching to reduce + network usage.

+ +

The forward proxy is activated using the ProxyRequests directive. + Because forward proxys allow clients to access arbitrary sites + through your server and to hide their true origin, it is + essential that you secure your server so + that only authorized clients can access the proxy before + activating a forward proxy.

+ +

A reverse proxy, by contrast, appears to the + client just like an ordinary web server. No special + configuration on the client is necessary. The client makes + ordinary requests for content in the name-space of the reverse + proxy. The reverse proxy then decides where to send those + requests, and returns the content as if it was itself the + origin.

+ +

A typical usage of a reverse proxy is to provide Internet + users access to a server that is behind a firewall. Reverse + proxies can also be used to balance load among several back-end + servers, or to provide caching for a slower back-end server. + In addition, reverse proxies can be used simply to bring + several servers into the same URL space.

+ +

A reverse proxy is activated using the ProxyPass directive or the + [P] flag to the RewriteRule + directive. It is not necessary to turn + ProxyRequests on in + order to configure a reverse proxy.

+ +

Basic Examples

+ +

The examples below are only a very basic idea to help you + get started. Please read the documentation on the individual + directives.

+ +

Forward Proxy

+ ProxyRequests On
+ ProxyVia On
+
+ <Directory proxy:*>
+ + Order deny,allow
+ Deny from all
+ Allow from internal.example.com
+ + </Directory>
+
+ CacheRoot "/usr/local/apache/proxy"
+ CacheSize 5
+ CacheGcInterval 4
+ CacheMaxExpire 24
+ CacheLastModifiedFactor 0.1
+ CacheDefaultExpire 1
+ NoCache a-domain.com another-domain.edu joes.garage-sale.com +

+ +

Reverse Proxy

+ ProxyRequests Off
+
+ ProxyPass /foo http://foo.example.com/bar
+ ProxyPassReverse /foo http://foo.example.com/bar +

+

Controlling access to your proxy

You can control who can access your proxy via the normal @@ -149,6 +236,18 @@ Allow from yournetwork.example.com

For more information, see mod_access.

+

Strictly limiting access is essential if you are using a + forward proxy (using the ProxyRequests directive). + Otherwise, your server can be used by any client to access + arbitrary hosts while hiding his or her true identity. This is + dangerous both for your network and for the Internet at large. + When using a reverse proxy (using the ProxyPass directive with + ProxyRequests Off), access control is less critical + because clients can only contact the hosts that you have + specifically configured.

+

Using Netscape hostname shortcuts

There is an optional patch to the proxy module to allow @@ -201,7 +300,7 @@ application/octet-stream bin dms lha lzh exe class tgz taz To log in to an FTP server by username and password, Apache uses different strategies. In absense of a user name and password in the URL altogether, - Apache sends an anomymous login to the FTP server, i.e., + Apache sends an anonymous login to the FTP server, i.e.,
user: anonymous
password: apache_proxy@ @@ -262,7 +361,10 @@ application/octet-stream bin dms lha lzh exe class tgz taz useful for an intranet proxy server?

An Apache proxy server situated in an intranet needs to - forward external requests through the company's firewall. + forward external requests through the company's firewall + (for this, configure the ProxyRemote + directive to forward the respective scheme to + the firewall proxy). However, when it has to access resources within the intranet, it can bypass the firewall when accessing hosts. The NoProxy directive is useful for specifying @@ -304,7 +406,7 @@ application/octet-stream bin dms lha lzh exe class tgz taz rel="Help">Compatibility: ProxyRequests is only available in Apache 1.1 and later. -

This allows or prevents Apache from functioning as a proxy +

This allows or prevents Apache from functioning as a forward proxy server. Setting ProxyRequests to 'off' does not disable use of the ProxyPass directive.

@@ -391,10 +493,16 @@ application/octet-stream bin dms lha lzh exe class tgz taz
    ProxyPass /mirror/foo/ http://foo.com/
 
- will cause a local request for the +

will cause a local request for the <http://wibble.org/mirror/foo/bar> to be internally converted into a proxy request to - <http://foo.com/bar>. + <http://foo.com/bar>.

+ +

Warning: The ProxyRequests directive should + usually be set off when using ProxyPass. +
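
Review bot: In the Forward Proxy example under Basic Examples, "Allow from internal.example.com" gates the forward proxy on a hostname match, so the access decision depends on DNS resolution of the client address. The overview added in the same patch calls securing the proxy essential before ProxyRequests is turned on, so consider showing an address or network range in the Allow line, or adding one sentence on the DNS dependency. In the same region, "forward proxys" should read "forward proxies".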
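
Review bot: The last sentence of the paragraph added in the @@ -149,6 +236,18 @@ hunk says access control is less critical for a reverse proxy because clients can only contact the hosts you have configured, but it names only "the ProxyPass directive with ProxyRequests Off". The new overview also lists the [P] flag to RewriteRule as a way to activate a reverse proxy. Suggest stating whether the same reasoning is meant to cover [P] rules, or limiting the sentence explicitly to fixed ProxyPass mappings, so readers do not carry the "less critical" conclusion over to a case the text does not discuss.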
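
Review bot: The @@ -201,7 +300,7 @@ hunk corrects "anomymous" to "anonymous", but the context line just above it still reads "In absense of a user name and password". Suggest fixing "absense" to "absence" in the same change, since the paragraph is already being touched for spelling.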
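
Review bot: The warning added at the end of the @@ -391,10 +493,16 @@ hunk says ProxyRequests "should usually be set off when using ProxyPass" without giving the reason or the exception that "usually" implies. Suggest adding one clause that ties it to the access-control paragraph added earlier in this patch (with ProxyRequests on, the server also acts as a forward proxy to arbitrary hosts), and a link to the "Controlling access to your proxy" section, so the warning is actionable on its own.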