Web server as reverse proxy

Setting up a gateway for websites that are hosted on a workstation computer

A web server on the Internet can be configured as a reverse proxy in order to make websites hosted on any workstation available on the Internet. Access also works to a computer in the home network.

Another article in this blog described how remote port forwarding can be used to make services in the home network available for access from the Internet. The solution described there only works if the required SSH server can be configured as an open gateway on the Internet.

If this is not the case, there would be a possible alternative with a combination of remote and local port forwarding, which in turn only works if the client accessing the Internet has access to the SSH server itself.

However, this is usually not the case if the client is, for example, a customer for whom a website is being developed and who only occasionally wants to see the current status of the development. Normally one does not want or cannot provide the customer with SSH access to our own server on the Internet and one cannot assume that the customer is familiar with setting up a local port forwarding on his computer.

A solution is therefore required that can be used for any external client without great effort and this solution consists of a combination of remote port forwarding and a reverse proxy which is described here.

Prerequisites

You need a server on the Internet that can be accessed with SSH and that runs a web server that can be configured as a proxy. For the Apache web server used in this example, the modules mod_proxy and mod_proxy_http must already be activated or at least could be activated.

Knowledge of bash and the configuration of the Apache web server are helpful for understanding this article. In addition, reference is made to the three articles mentioned above in this blog for information on setting up port forwarding.

Working Environment

A laptop called Caboto is used below to develop a website for a customer. The website should be accessible at the address http://customer1.mydomain.de/ both on the laptop and customer's computer.

Most of the time you are on the home network with your computer, but sometimes you are also on the go and logged into another network or you connect to the Internet via your cellular provider. Regardless of where one works, the website under development should be accessible to the customer when required.

In addition to a development environment, Caboto also has a web server (on port 80) which can be used to locally view and test the website under development.

Furthermore, a server on the Internet - a so-called VPS - called Cayenne is used, which can be accessed with SSH and on which a web server also runs. This server should have the host name server.example.com below.

Setting up Name Resolution

So that the website with the name http://customer1.mydomain.de/ can be displayed in a browser, it must be ensured that this name is resolved both from the local computer and from any computer outside the home network and converted into an IP Address. To do this, the name customer1.mydomain.de must be entered in the DNS with the IP address of the VPS Cayenne.

As soon as this is done, however, the Cayenne computer will also be contacted on the Caboto computer on which the website is hosted when calling http://customer1.mydomain.de/. However, this is not desirable, because it should be possible to access the website locally even if the Caboto computer has no connection to the Internet for whatever reason or if access from the Internet is not activated.

The best way to resolve the name on Caboto is in the /etc/hosts file. This has priority over the resolution via the DNS and would then look like this:

127.0.0.1	localhost
127.0.0.1	customer1.mydomain.de

While the name customer1.mydomain.de now resolves to the IP address of the VPS Cayenne from every computer in the world, on Caboto the local network interface is addressed with the IP 127.0.0.1.

Configuration of the Local Web Server

The web server on Caboto or a virtual host resp. must receive and answer requests to the address 127.0.0.1:80 for the name customer1.mydomain.de:

<VirtualHost 127.0.0.1:80>
  ServerName customer1.mydomain.de

  DocumentRoot "/srv/vhosts/customer1/htdocs"

  <Directory "/srv/vhosts/customer1/htdocs">
    AllowOverride All
  </Directory>
</VirtualHost>

After restarting the web server, this virtual host is active.

Activate Port Forwarding

Caboto must also be able to set up remote port forwarding using SSH. The best way to do this is to use the ReverseTunnel bash script presented in this article, in which you only need to change the value of the RPORT variable to 8881 for the current application, because we assume that the web server on Cayenne already serves other websites on port 80:

#!/bin/bash
...
RPORT="8881" # Remote Port on Remote Host
...

All other variable values from the above script can be retained.

The activation of the remote port forwarding would then look like this:

uwe@Caboto:~$ ReverseTunnel start
Reverse tunnel from server.example.com:8881 -> localhost:80 established
PID 11266
uwe@Caboto:~$

This means that port 80 on the local Caboto computer can be reached by the Cayenne server on port 8881. The forwarding can be ended with ReverseTunnel stop.

Zwischenergebnis

  1. The web server or a virtual host on Caboto listens to the address 127.0.0.1 and port 80 and accepts requests for the name customer1.mydomain.de.
  2. On the Caboto laptop, the website under development can be seen in a browser with the URL http://customer1.mydomain.de/.
  3. In the background, a reverse port forwarding is activated on Caboto, which forwards network requests on the VPS Cayenne from localhost port 8881 to port 80 of the Caboto computer.

Calling the URL http://customer1.mydomain.de/ from a computer other than Caboto - regardless of whether it is in the same network or somewhere else - still leads to an error message because the web server on Cayenne or the virtual host for the address customer1.mydomain.de is not yet configured.

Configuration of the Reverse Proxy

The task of the web server on Cayenne is now to forward requests on its external network interface (the IP) on port 80 to Caboto. However, this does not just work because the remote port forwarding only forwards requests that are received on Cayenne's local network interface and port 8881 to Caboto.

What is missing on Cayenne is the connection between the request on the external network interface on port 80 and the local network interface on port 8881.

This is where the reverse proxy comes in. It does exactly this forwarding from a request to the external network interface to the internal network interface. This is completely transparent for the external visitor to the website, i.e. she cannot see whether the website is provided on Cayenne or is from elsewhere.

The configuration of the web server or the virtual host has only a few instructions:

<VirtualHost <IP>:80>
 ServerName customer1.mydomain.de

 ProxyRequests Off
 ProxyPass / http://localhost:8881/
 ProxyPassReverse / http://localhost:8881/
 ProxyPreserveHost On

</VirtualHost>

The configuration must take into account that the request comes via the IP of the Cayenne computer on port 80 but with the name customer1.mydomain.de. The placeholder <IP> must of course be replaced with the correct IP of the Cayenne computer.

The instructions are in detail:

  • ProxyRequests Off switches off the functionality of a forward proxy. This is important so that the proxy cannot be misused to temporarily store and distribute any content. ProxyRequests Off does not switch off the functionality of a reverse proxy.
  • ProxyPass / http://localhost:8881/ activates the proxy. All incoming requests (/) are forwarded to the specified address (http://localhost:8881/). Since this is the address of the SSH tunnel to the web server on Caboto, the requests are forwarded there.
  • ProxyPassReverse / http://localhost:8881/ ensures that URLs that are written by the web server on Caboto in the HTTP response header Location, Content-Location and URI are rewritten by the proxy so that they contain the address valid on the proxy before they are returned to the requesting client .
  • ProxyPreserveHost On forwards the name customer1.mydomain.de requested on Cayenne to Caboto, since Caboto may also serve several virtual hosts and otherwise would not know which virtual host the request is for.

After restarting the web server on Cayenne, the website hosted on the Caboto computer can be accessed by the customer with the address http://customer1.mydomain.de, regardless of the networks in which the Caboto computer and the customer are located.

Summary and Outlook

With the help of a server on the Internet, it is relatively easy to make websites under development that are provided on a workstation accessible to external visitors. Only the SSH program and a web server such as Apache are needed. Access can be switched on and off from the workstation computer as required.

This relatively simple setup will be expanded upon in later articles. Topics include:

  • Authentication and SSL encryption of the connection
  • Make multiple websites available
  • Caching of content on the reverse proxy
  • Content filter for complex websites
Top