Apache Reverse Proxy to Tomcat – What is reverse proxying and how to configure it on Linux

Monday, 4th November 2013

[Figure: reverse proxy diagram, Apache in front of a Tomcat webserver]

A reverse proxy is a proxy server that routes all incoming traffic to a secondary webserver situated behind it. All replies from the secondary webserver (which is not visible from the Internet) are routed back through the reverse proxy. The result is that all incoming and outgoing HTTP requests appear to be served by the reverse proxy host, whereas in reality that host only redirects traffic. The downside of a reverse proxy is that it is one more point of failure; the upside is that it can protect the webserver and route only certain traffic to it, shielding the server behind the reverse proxy from crackers' malicious HTTP requests.

A very common use of a reverse proxy is when traffic has to be served by Tomcat webservers. Probably one of the most common configurations is Apache (configured to serve traffic) as the reverse proxy and one or more Tomcat webservers to which web traffic is re-routed.
By default Tomcat listens for client connections on port 8082 (i.e. http://localhost:8082); Apache, serving as the reverse proxy, is then used to route all requests incoming on port 80 to Tomcat:

Reverse Proxy:80 -> Tomcat server (secondary host):8082

  • So what are the benefits (PROS) of a Reverse Proxy?

        a) Webservers in the internal network will be less vulnerable to attacks from the Internet
        b) Reduces risk to sensitive data – only existing resources on the proxied server will be available
        c) Makes Load Balancing and Fail Over easy

  • What are the disadvantages (CONS) of a Reverse Proxy?

         a) If only a single instance of the Reverse Proxy is available, it creates a single point of failure

To set up a reverse proxy, the Apache server must be configured with mod_proxy enabled.
A reverse proxy is created as follows (assuming you have to do it for a VirtualHost).

Open the Apache config containing the VirtualHost for which the reverse proxy has to be set. If only one domain is configured on the server, there is no need for the opening <VirtualHost *:80> and closing directives, but the same rules have to be set for the primary domain.

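<VirtualHost *:80>
ServerName your-domain.com
ServerAlias *.your-domain.com
# Reverse proxy only: do not act as a forward proxy for arbitrary clients
ProxyRequests off
# Exclusions ("!") keep Apache's own status pages from being proxied;
# they must come before the catch-all ProxyPass below
ProxyPassMatch /server-status !
ProxyPassMatch /server-info !
ProxyPassMatch /ldap-status !
# Send everything else to the Tomcat backend
ProxyPass / http://10.10.10.1:8082/ keepalive=on timeout=30 connectiontimeout=60 retry=20
# Rewrite backend URLs in redirect headers so clients never see 10.10.10.1
ProxyPassReverse / http://10.10.10.1:8082/
</VirtualHost>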

In the above example, 10.10.10.1 is the local IP address of the DMZ-ed host running the Tomcat server. That is all that is necessary, assuming Catalina Tomcat is running on port 8082. Of course, the same scenario can be used not only with Tomcat but also with DMZ-ed webservers running Apache, Nginx or Lighttpd.
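
A small check for the VirtualHost above, as an added example that is not part of the original post: it flags forward proxying left enabled, exclusions placed after a broader ProxyPass (the first matching rule wins, so they would never apply), and a ProxyPass without a matching ProxyPassReverse. The function name lint_vhost, the finding codes and the second sample config are assumptions made for illustration.

```python
# SAMPLE_GOOD is the article's vhost, shortened; SAMPLE_BAD is constructed.
SAMPLE_GOOD = """\
<VirtualHost *:80>
ServerName your-domain.com
ProxyRequests off
ProxyPassMatch /server-status !
ProxyPass / http://10.10.10.1:8082/ keepalive=on timeout=30
ProxyPassReverse / http://10.10.10.1:8082/
</VirtualHost>
"""
# Constructed misconfiguration: forward proxying enabled, exclusion placed
# after the catch-all rule, and no ProxyPassReverse for the backend.
SAMPLE_BAD = """\
<VirtualHost *:80>
ProxyRequests On
ProxyPass / http://10.10.10.1:8082/
ProxyPassMatch /server-status !
</VirtualHost>
"""

def lint_vhost(text):
    """Return a list of (line_number, code) findings for one vhost block."""
    findings, forwards, reverses = [], [], set()
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.strip().split()
        if not parts or parts[0][0] in "#<":
            continue  # skip blank lines, comments and section tags
        name, args = parts[0].lower(), parts[1:]
        if name == "proxyrequests" and args and args[0].lower() == "on":
            findings.append((n, "forward-proxy-enabled"))
        elif name in ("proxypass", "proxypassmatch") and len(args) >= 2:
            path, target = args[0], args[1]
            if target == "!":
                # Literal-prefix comparison: a simplification, since
                # ProxyPassMatch paths are really regular expressions.
                if any(path.startswith(p) for _, _, p, _ in forwards):
                    findings.append((n, "exclusion-shadowed"))
            else:
                forwards.append((n, name, path, target.rstrip("/")))
        elif name == "proxypassreverse" and len(args) >= 2:
            reverses.add((args[0], args[1].rstrip("/")))
    for n, name, path, target in forwards:
        if name == "proxypass" and (path, target) not in reverses:
            findings.append((n, "missing-proxypassreverse"))
    return findings

if __name__ == "__main__":
    for label, cfg in (("good", SAMPLE_GOOD), ("bad", SAMPLE_BAD)):
        print(label, lint_vhost(cfg))
```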


4 Responses to “Apache Reverse Proxy to Tomcat – What is reverse proxying and how to configure it on Linux”

  1. hip0 says:

    P.S. I read further that a reverse proxy can also be configured using mod_jk2.
    On Debian Linux it's necessary to have the modules
    proxy and proxy_http enabled.

    In Debian Linux make sure you have also run:
    # sudo a2enmod proxy
    # sudo a2enmod proxy_http

     
     

  2. admin says:

    One note to make:

    In order for ReverseProxy to work you need to have configured in Apache:

    • mod_proxy
    • mod_proxy_http
    • mod_proxy_connect

    To check whether Apache has been compiled with support for these modules, issue:
     

    ./apachectl -t -D DUMP_MODULES
    Loaded Modules:
     core_module (static)
     authn_file_module (static)
     authn_default_module (static)
     authz_host_module (static)
     authz_groupfile_module (static)
     authz_user_module (static)
     authnz_ldap_module (static)
     authz_default_module (static)
     auth_basic_module (static)
     dumpio_module (static)
     include_module (static)
     filter_module (static)
     ldap_module (static)
     log_config_module (static)
     log_forensic_module (static)
     logio_module (static)
     env_module (static)
     expires_module (static)
     headers_module (static)
     usertrack_module (static)
     unique_id_module (static)
     setenvif_module (static)
     proxy_module (static)
     proxy_connect_module (static)
     proxy_ftp_module (static)
     proxy_http_module (static)
     proxy_scgi_module (static)
     proxy_ajp_module (static)
     proxy_balancer_module (static)
     ssl_module (static)
     mpm_prefork_module (static)
     http_module (static)
     mime_module (static)
     status_module (static)
     asis_module (static)
     info_module (static)
     dir_module (static)
     actions_module (static)
     userdir_module (static)
     alias_module (static)
     rewrite_module (static)
     so_module (static)
     php5_module (shared)
     deflate_module (shared)
     auth_certificate_module (shared)
     proxy_add_user_module (shared)
    Syntax OK

     

  3. admin says:

    Also, if the ProxyPass and ProxyPassReverse directives have trouble loading, or for some reason the reverse proxy is not working, make sure your VirtualHost has:
     

        SSLEngine On
        SSLProxyEngine on

     

  4. admin says:

    It is also interesting to mention that some clients prefer a forward proxy, which makes access from internal network clients to the Internet possible via the forward proxy, pretty much the opposite of a reverse proxy.

    Forward Proxy

    A forward proxy brokers the request of the client and forwards the request to the destination of the client’s choice, contingent on the configuration of the forward proxy.

    Most common uses are to

    Bypass firewall restrictions.
    Cache static resources and save bandwidth.
    Control what resources clients can access.

    Reverse Proxy

    A reverse proxy brokers the request of the client and forwards the request to the destination purely based on the configuration of the reverse proxy.

    Most common uses of a reverse proxy are to

    Redirect traffic to machines on the internal network.
    Keep the client unaware of which machine they are accessing.
    Perform load balancing.
    A central point for Web Application Firewall monitoring.

