A Reverse Proxy is a proxy server which routes all incoming traffic to a secondary webserver situated behind the Reverse Proxy host. All replies from the secondary webserver (which is not visible from the Internet) are then routed back through the Reverse Proxy service. The result is that all incoming and outgoing HTTP requests seem to be served by the Reverse Proxy host, whereas in reality the reverse proxy host just does traffic redirection. The problem with reverse proxies is that they are one more point of failure; the good side is that a reverse proxy can protect your webserver and route only certain traffic to it, shielding the server located behind the reverse proxy from crackers' malicious HTTP requests.
A very common use of a Reverse Proxy is when traffic has to be served by Tomcat webservers. Probably one of the most common configurations is Apache (configured to serve traffic) as the reverse proxy and one or more Tomcat webservers to which web traffic is re-routed.
By default Tomcat listens for client connections on port 8082 (http://localhost:8082). Apache, serving as Reverse Proxy, is then used to route all requests incoming on port 80 to Tomcat:
Reverse Proxy:80 -> Tomcat server (secondary host):8082
- So what are the benefits (PROS) of a Reverse Proxy?
a) Webservers in the internal network will be less vulnerable to attacks from the Internet
b) Reduces the risk to sensitive data: only resources that exist on the proxied server will be available
c) Makes Load Balancing and Fail Over easy
- What are the disadvantages (CONS) of a Reverse Proxy?
a) If only a single instance of the Reverse Proxy is available, this creates a single point of failure
To have a reverse proxy, the Apache server must be configured with mod_proxy enabled.
Creating a reverse proxy is done as follows (assuming you have to do it for a VirtualHost):
Open the Apache config containing the VirtualHost for which the Reverse Proxy has to be set. If only one domain is configured on the server, there is no need for the opening and closing <VirtualHost *:80> directives, but the same rules have to be set for the primary domain.
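
    <VirtualHost *:80>
        ServerName your-domain.com
        ServerAlias *.your-domain.com
        # Reverse proxy only: never act as a forward proxy
        ProxyRequests off
        # Paths marked with "!" are not proxied; these exclusions must come
        # before the catch-all ProxyPass, because the first matching rule wins
        ProxyPassMatch /server-status !
        ProxyPassMatch /server-info !
        ProxyPassMatch /ldap-status !
        # Everything else is forwarded to the Tomcat host
        ProxyPass / http://10.10.10.1:8082/ keepalive=on timeout=30 connectiontimeout=60 retry=20
        # Rewrite backend URLs in redirect headers so they point at the proxy
        ProxyPassReverse / http://10.10.10.1:8082/
    </VirtualHost>
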
In the above example, 10.10.10.1 is the local IP address of the DMZed host running the Tomcat server. That's all that is necessary, assuming that Catalina Tomcat is running on port 8082. Of course the same scenario can be used not only with Tomcat but also with DMZ-ed webservers running Apache, Nginx or Lighttpd.
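
As an added example (not part of the original post), the following Python check lints a VirtualHost block for the mistakes that undo the protection described above: forward proxying left on, exclusions placed after the catch-all ProxyPass, and a missing ProxyPassReverse. The function name audit_vhost and the BAD_CONF sample are constructed for illustration; the ordering rule relies on Apache checking ProxyPass and ProxyPassMatch rules in configuration order.

```python
# The page's configuration (expected: no findings).
PAGE_CONF = """\
<VirtualHost *:80>
ServerName your-domain.com
ProxyRequests off
ProxyPassMatch /server-status !
ProxyPassMatch /server-info !
ProxyPassMatch /ldap-status !
ProxyPass / http://10.10.10.1:8082/ keepalive=on timeout=30 connectiontimeout=60 retry=20
ProxyPassReverse / http://10.10.10.1:8082/
</VirtualHost>
"""

# Constructed variant with three deliberate mistakes.
BAD_CONF = """\
<VirtualHost *:80>
ServerName your-domain.com
ProxyRequests on
ProxyPassMatch /server-status !
ProxyPass / http://10.10.10.1:8082/
ProxyPassMatch /server-info !
</VirtualHost>
"""

def audit_vhost(conf):
    """Return a list of findings for the text of one VirtualHost block."""
    findings, catch_all, has_reverse = [], None, False
    for num, raw in enumerate(conf.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        name, args = parts[0].lower(), parts[1:]
        if name == "proxyrequests" and args[:1] and args[0].lower() == "on":
            findings.append(f"line {num}: ProxyRequests on enables forward proxying")
        elif name in ("proxypass", "proxypassmatch") and len(args) >= 2:
            if args[1] == "!" and catch_all is not None:
                findings.append(f"line {num}: exclusion {args[0]} comes after the "
                                f"catch-all on line {catch_all} and is never reached")
            elif args[1] != "!" and args[0] == "/" and catch_all is None:
                catch_all = num  # first rule that forwards the whole site
        elif name == "proxypassreverse" and args[:1] == ["/"]:
            has_reverse = True
    if catch_all is not None and not has_reverse:
        findings.append("ProxyPass / has no ProxyPassReverse /; backend URLs leak in redirects")
    return findings

if __name__ == "__main__":
    print(audit_vhost(PAGE_CONF), audit_vhost(BAD_CONF), sep="\n")
```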