29.18. Configuring Apache as a Proxy Server

An HTTP proxy is a server that accepts requests for web pages from browsers, retrieves the requested pages from their servers, and returns them to the browser. Proxies are often used on networks on which clients are not allowed to connect to web servers directly, so that restrictions on who can access the web and what sites they can view can be enforced. A proxy can also cache commonly accessed pages, so if many clients visit the same site its pages only have to be downloaded once. This speeds up web access and reduces bandwidth utilization.

Apache is not the best proxy server available for UNIX systems—Squid (covered in Chapter 44) takes that honor. Squid has many more configurable options, is more efficient, and can deal with much larger caches. If you want to set up a proxy on a system that is already running Apache, however, then it may make sense to use the existing web server as a proxy instead of installing and running a separate server process for Squid.

Apache's proxy support is only available if the mod_proxy module has been compiled into the web server or is available to be dynamically loaded. You can see if the module is available by clicking on the Re-Configure Known Modules icon on the main page. If mod_proxy is checked, then your server can be used as a proxy. If so, you can skip the next paragraph, which deals with loading the proxy module.

On some Linux distributions, the proxy module is included with the Apache package but not loaded by default. If this is the case on your system, you can enable it by following these steps:

1. On the Apache Webserver module's main page, click on the Edit Config Files icon. This will bring up a page showing the contents of the primary configuration file, called httpd.conf.

2. Look for a line starting with LoadModule proxy_module, which is currently commented out with a # at the start. If no such line exists, then the proxy module is probably not installed at all and therefore cannot be used.

3. Delete the # at the start of the line and then click the Save button at the bottom of the page.

4. Click the Stop Apache link on any page to shut down Apache and then the Start Apache link to start it again. This is necessary for the web server to load the enabled proxy module.

5. On the module's main page, click on the Re-Configure Known Modules icon and then on the Save button at the bottom of its page. This tells Webmin to reanalyze the Apache configuration so that it detects that the mod_proxy module is now available.

If Apache was compiled on your system from source, then you will need to recompile it with mod_proxy enabled in order to use the proxy features. If you do, Webmin will detect that a new version of the Apache server executable has been installed and will redisplay the form shown in Figure 29.1 when you next visit the module's main page. The proxy module will be automatically selected, so you should be able to just click the Configure button to tell Webmin that proxy features are now available.

Once mod_proxy has been enabled, you can set your system up as a proxy server by following these steps:

1. On the module's main page, click on the icon for the virtual server that you want to use as a proxy. This must be an IP-based virtual server or the default, as it is impossible to turn on proxying for just a single name-based virtual server. The normal operation of whichever server you choose, however, will not be affected.

2. Click on the Proxying icon that should be visible on the virtual server options page. If the icon does not exist, then the proxy module has not been detected by Webmin.

3. Change the Act as proxy server? field to Yes.

4. By default, Apache will not cache any pages that are requested through it when acting as a proxy server. To change this, create a directory that is writeable by the web server user (usually httpd) and enter it into the Cache directory field.

5. To limit the amount of data that will be cached, enter a number of kilobytes into the Cache size field. If this is left set to Default, Apache will only cache 5 Kb of pages.

6. To turn off caching for particular websites, enter a space-separated list of hostnames and domains into the Domains not to cache field. This can be useful for avoiding the caching of sites that frequently change.

7. To stop users of the proxy from accessing certain domains, enter a space-separated list of full or partial hostnames into the Block requests to domains field. For example, to deny access to all sites in the foo.com domain you could just enter foo.com.

8. If you have another proxy server on your network and want to pass all requests on to that proxy, enter its URL (like http://proxy.example.com:8080/) into the empty field under Forward to in the Requests to pass to another proxy table and leave the All option selected. You can also have just a few requests passed on by selecting the Matching option and entering a partial URL or URL type (like http://www.foo.com/ or ftp) into the field next to it.

Like other tables in the Apache module, this one only displays one blank row at a time. If you want to set up several other proxies to which to forward different requests, you will need to re-edit this page after saving and fill in the next blank row. For example, you might want to forward all FTP requests to one proxy, but all other types of requests to another.

9. To exclude some requests from being passed to the other proxies (for example, if they are on your local network), you can fill in the Don't pass requests to another proxy for table. In each empty row you can choose from one of the following types:

   IP address: If this type is chosen, you must enter a complete IP address into the field next to it. Any requests to the web server with this IP will not be passed on to another proxy.

   Hostname: When this type is chosen, any requests to the web server whose hostname is entered into the adjacent field will not be passed on.

   Domain: Any requests to websites in the domain entered into the field next to the menu will be retrieved directly and not passed on.

   IP network: Any requests to websites in the specified IP network (entered as a partial IP address, like 192.168) will not be passed on to another proxy.

   Network/bits: Any requests to websites in the IP network (entered into the adjacent field in address/prefix format, like 192.168.1.0/24) will not be passed on.

To add more than one row, you will need to save the form and edit it again so that a new blank row is displayed.

10. Most of the other options on the form control the layout of the cache directory and the amount of time for which pages are cached. In most cases, the defaults will work fine so you can just leave them set to Default.

11. When done, click the Save button to update the Apache configuration file with the proxy settings, then the Apply Changes link to make them active.

You should now be able to try your settings by configuring a web browser to use your Apache server as a proxy and visiting some web pages. All proxy requests that Apache processes will be written to the access log file for the virtual server in the usual format, but with the full URL recorded instead of just the page.

You may sometimes want to limit who has access to the proxy, either by client IP address or by username and password. This can be done by following the instructions in Section 29.14 “Restricting Access by Client Address” and Section 29.13 “Password Protecting a Directory” and substituting the special directory proxy:*. If you set up client address access control, then only hosts with allowed addresses will be able to use your server as a proxy. They will, however, still be able to access normal web pages, as IP address restrictions for the special proxy:* directory only apply to proxy requests.

If you set up username and password authentication for your proxy server, then any web browsers that attempt to use it will be forced to log in first. This login is to the proxy server, not to any website that is being accessed through it. If a user visits a password-protected website using the proxy, he will have to log in separately to that site.

It is also possible to set up IP or password restrictions that apply only to some protocols or sites accessed through the proxy, by creating them for special directories like proxy:http or proxy:http://www.example.com/. Only requests for URLs that start with the text after proxy: will be affected by restrictions like these. They can be useful for blocking or limiting access to certain sites or preventing the proxy from being used to request certain protocols like http or ftp.
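The following check is an added example, not code from the book or from Webmin: it reads Apache configuration text and reports whether proxying is switched on while the special proxy:* directory carries no access restriction, which would leave the proxy usable by any client that can reach it. It assumes Apache 1.3-style syntax (ProxyRequests, and Deny or Require inside a Directory proxy:* section); the two sample configurations, their paths and addresses are constructed.

```python
import re

# Constructed sample configs in Apache 1.3-style mod_proxy syntax (assumed,
# not copied from the page). Paths, sizes and addresses are placeholders.
OPEN_CONF = """
ProxyRequests On
CacheRoot /var/cache/httpd-proxy
CacheSize 102400
ProxyBlock foo.com
"""

RESTRICTED_CONF = OPEN_CONF + """
<Directory proxy:*>
    Order deny,allow
    Deny from all
    Allow from 192.168.1.0/24
</Directory>
"""

SECTION = re.compile(r'<Directory\s+"?(proxy:[^">]*)"?\s*>', re.I)

def audit_proxy(conf_text):
    """Return (proxy_enabled, set of proxy: scopes carrying Deny/Require)."""
    proxy_on, scope, restricted = False, None, set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # blank line or comment
            continue
        opened = SECTION.match(line)
        if opened:
            scope = opened.group(1).strip()       # e.g. "proxy:*"
        elif line.lower().startswith("</directory"):
            scope = None
        else:
            words = line.split()
            name = words[0].lower()
            if name == "proxyrequests" and len(words) > 1:
                proxy_on = words[1].lower() == "on"
            # Heuristic: Deny or Require inside a proxy: section counts as
            # a restriction; Order/Allow semantics are not evaluated.
            elif scope and name in ("deny", "require"):
                restricted.add(scope)
    return proxy_on, restricted

def is_open_proxy(conf_text):
    """True if proxying is on and proxy:* has no access restriction."""
    proxy_on, restricted = audit_proxy(conf_text)
    return proxy_on and "proxy:*" not in restricted
```

A restriction placed only on a narrower directory such as proxy:http://www.example.com/ does not count, because requests for other URLs would still be proxied for anyone.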
