I understand that varnish caches “GET” and “HEAD” requests by default.

My backend servers fail when I do a get request that is too long, so I made them respond to POST instead of GET. This works great, but I need a reverse proxy which can be configured to cache POST responses just like GET.

Are there any reverse proxies that can cache these post requests?

It seems nginx does cache POST requests if you specify it.

proxy_cache_methods POST; # GET HEAD
proxy_cache_key "$uri|$request_body";
client_max_body_size 10k; # 413

Check more discussion of this question.

I see that varnish can be configured to set -smalloc or -sfile with a certain size.

I want to set a file cache of 1G such that least requested files are deleted first when cache is full. Is this possible in varnish? Is there another reverse proxy tool that can do this?

Varnish uses “least recently used” (LRU), for more information see: https://www.varnish-cache.org/trac/wiki/ArchitectureLRU

Check more discussion of this question.

I’m using nginx as a reverse proxy in front of an apache with mod_php. My site is on https, and it would require the variable $_SERVER['HTTPS'] to be set ‘on’ to assemble some of the links correctly. My site is on drupal, so it is not an option to fix the code and check an other variable when deciding if the site runs under https.

Is there a way to fix the issue only with tweaking the nginx or apache configuration?

I found other people asking similar questions, but I did not found a solution that suits me, neither a clear statement that what I want is not possible.

(e.g.: HTTPS server/php variable not available,
Nginx : strip header on HTTP, add header on HTTPS)

You can use a directive SetEnv HTTPS "on" in Apache main configuration or in .htaccess to set the required variable to on unconditionally.

Or better – set it only if client address equals the address of Nginx frontend. In this case the variable won’t be set if clients request Apache directly without SSL:

SetEnvIf Remote_Addr "NGINX_IP_ADDRESS" HTTPS=on

Check more discussion of this question.

I’m using nginx as a reverse proxy for website running on IIS 7.5. Website is bound to sub-1.foo.bar. Nginx configuration looks like this:

server {
    listen 80;    server_name sub.foo.bar;    location / {
        proxy_pass http://sub-1.foo.bar;
        proxy_set_header Host $host;
        proxy_set_header X-Accel-Expires 0;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

What I want to do is forward requests which come to sub.foo.bar (linux machine with nginx) to sub-1.foo.bar (windows machine with IIS and my website). However what happens is

• when I access sub.foo.bar, I get 404 page
• when I access sub-1.foo.bar directly I get my website served normally from IIS
• nginx seems to forward requests normally to windows machine
• I can’t see any incoming requests from IIS logs when I access sub.foo.bar
• when I add binding for sub.foo.bar on IIS, website gets proxied normally with nginx

I would appreciate any ideas on what might be wrong with my setup. Thanks!

Try to manually add proxy_set_header Host “sub-1.foo.bar”

Check more discussion of this question.

I have a python application listening on port 9001 for HTTP traffic.

I’m trying to configure Apache (or anything, really) to listen on port 443 for HTTPS connections, and then forward the connection, sans encryption, to port 9001 on the same machine. My application would then reply via the proxy, where the encryption would be reapplied, and returned to the client transparently.

I’m not doing anything crazy with the site names and SSL certs, I have one public IP, one hostname, and one SSL cert. Stripping the encryption at the proxy doesn’t seem to be a common requirement.

Is what I’m asking for a normal requirement? Are there other concerns with this sort of configuration?

Pretty simple, really. You want a virtual host with encryption, then a proxy to a non-encrypted HTTP endpoint.

<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine On
    SSLCertificateFile /path/to/cert.pem
    SSLCertificateKeyFile /path/to/cert.key
    ProxyPass / http://localhost:9091/
    ProxyPassReverse / http://localhost:9091/
</VirtualHost>

Check more discussion of this question.

I need a static IP address that handles SSL traffic from a known source (a partner). The reason the IP needs to be static is that the partner requires this in order to maintain the PCI compliance.

Our servers are behind an AWS Elastic Load Balancer (ELB), which cannot provide a static IP address; many threads about this here.

My thought is to create an instance in EC2 whose sole purpose in life is to be a reverse proxy server having it’s own IP address; accepting HTTPS requests and forwarding them to the load balancer.

Are there better solutions?

In the end, I implemented the requirement of our partner as follows:

• launch an instance in AWS
• allocate and attach an Elastic IP (EIP) to it
• Installed Apache
• (in our case, installed our SSL certificate)
• Configured Apache as a reverse proxy server, forwarding to a CNAME that pointed to our ELB

Here’s a sample Apache virtual host configuration. I turned off NameVirtualHost and specified the address of our EIP. I also disabled a default host. If the partner desires, I will add a <Directory> block that accepts requests only from their IP range.

<IfModule mod_ssl.c>
# Catch non-SSL requests and redirect to SSL
<VirtualHost 12.34.567.890:80>
  ServerName our-static-ip-a-record.example.com
  Redirect / https://our-elb-cname.example.com       
</VirtualHost>
# Handle SSL requests on the static IP
<VirtualHost 12.34.567.890:443>
  ServerAdmin monitor@example.com
  ServerName our-static-ip-a-record.example.com  # SSL Configuration
  SSLEngine on
  SSLProxyEngine on
  SSLProxyCACertificateFile /etc/apache2/ssl/gd_bundle.crt
  SSLCertificateFile    /etc/apache2/ssl/example.com.crt    
  SSLCertificateKeyFile /etc/apache2/ssl/private.key
  # Additional defaults, e.g. ciphers, defined in apache's ssl.conf  # Where the magic happens
  ProxyPass / https://our-elb-cname.example.com/
  ProxyPassReverse / https://our-elb-cname.example.com/  # Might want this on; sets X-Forwarded-For and other useful headers
  ProxyVia off  # This came from an example I found online, handles broken connections from IE
  BrowserMatch "MSIE [2-6]" \
    nokeepalive ssl-unclean-shutdown \
    downgrade-1.0 force-response-1.0
  # MSIE 7 and newer should be able to use keepalive
  BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>
</IfModule>

Hope this saves someone else some time in the future

Check more discussion of this question.

First off, this is my first go at apache, so please forgive my beginingingismness

My basic setup is as such: mysub.domain.com gets sent to my static IP via a CNAME entry at godaddy’s DNS manager. It hits my Ubuntu 10 LTS server running Apache2.

I have a virtual host entry that directs that request to the proper /var/www/mysub folder. I don’t have any content in there, but I added a line to the “It Works” page so I’d know if I got there successfully. I also have a Mac Mini running a wiki server on the same local network as the Ubuntu server.

I’d like mysub.domain.com to hit my Mini server instead of the /var/www/mysub folder.

After much reading on this site and others, I’ve managed to do it… kind of.

I have the following in my /var/www/mysub/.htacess, which I found in another SF question (forgot to copy the link).

RewriteEngine on
RewriteCond %{HTTP_HOST} ^mysub.domain.com/*
RewriteRule .* http://192.168.x.x/ [P,L]

This works insomuch as it does redirect mysub.domain.com to the Mini’s front page. But of course, so does every subsequent link click on the Mini page. I think I understand why it’s doing it (anything that starts with mysub.domain.com gets directed to what is essentially the front page of the wiki server, and since subsequent links on the wiki server also include mysub.domain.com, it always ends up in the same place)

I just don’t know what to do different. To be perfectly honest, I don’t actually understand the syntax of those Rewrite lines.

I’ve seen countless examples of config entries and tried some of them, but without really understanding the syntax, it’s kind of shooting in the dark.

This was a useful post, and after reading this question, I tried adding this to my /apache2/httpd.conf file

<Location />
   ProxyPass http://192.168.x.x
   ProxyPassReverse http://192.168.x.x
</Location>

No luck.

Clearly, I have some learning to do, but it would seem to me that what I want to do is probably quite simple. What am I missing?

EDIT PER COMMENTS

My /etc/apache2/httpd.conf file

ServerName localhost<VirtualHost *:80>
   ServerName domain.com
   ServerAlias www.domain.com
   DocumentRoot /var/www/domain
</VirtualHost><VirtualHost *:80>
   ServerName mysub.domain.com
   DocumentRoot /var/www/mysub
   <Location />
      ProxyPass http://192.168.x.x/
      ProxyPassReverse http://192.168.x.x/
   </Location>
</VirtualHost>

… and my sites-available/mysub file…

<VirtualHost *:80>
        ServerAdmin me@domain.com
        ServerName mysub.domain.com
        DocumentRoot /var/www/mysub        #ProxyRequests Off
        <Location />
                ProxyPass http://192.168.1.50/
                ProxyPassReverse http://192.168.1.50/
        </Location>
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>
        <Directory /var/www/mysub>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride None
                Order allow,deny
                allow from all
        </Directory>        ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>        ErrorLog /var/log/www/mysub/error.log        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn        CustomLog /var/log/apache2/access.log combined    Alias /doc/ "/usr/share/doc/"
    <Directory "/usr/share/doc/">
        Options Indexes MultiViews FollowSymLinks
        AllowOverride None
        Order deny,allow
        Deny from all
        Allow from 127.0.0.0/255.0.0.0 ::1/128
    </Directory>

Output of apache2ctl -S

VirtualHost configuration:
wildcard NameVirtualHosts and _default_ servers:
*:80                   is a NameVirtualHost
         default server 66-152-109-110.tvc-ip.com (/etc/apache2/sites-enabled/000-default:1)
         port 80 namevhost 66-152-109-110.tvc-ip.com (/etc/apache2/sites-enabled/000-default:1)
         port 80 namevhost domain.com (/etc/apache2/sites-enabled/domain:1)
         port 80 namevhost mysub.domain.com (/etc/apache2/sites-enabled/mysub:1)
Syntax OK

You’re very close!

A couple notes:

• RewriteCond %{HTTP_HOST} ^mysub.domain.com/* – The HTTP_HOST variable only contains mysub.domain.com, not the rest of the path.

  This rule actually matches, but accidentally – there’s no / character there, but the * modifier applies to the / character, meaning “repeat the / 0 to infinite times”.

  Apache uses perl-compatible regex – to match the exact host, it should look like this:

  RewriteCond %{HTTP_HOST} ^mysub\.domain\.com$
  

• RewriteRule .* http://192.168.x.x/ [P,L] – This is only loading the home page since it’s not including the rest of the passed path – this must be manually done when using the [P] flag of RewriteRule.

  This should work:

  RewriteRule (.*) http://192.168.x.x/$1 [P,L]
  

• The ProxyPass setup is almost right, except it’s being overridden by the setup in the .htaccess file, so it’s not being used. Using .htaccess is bad for performance and potentially problematic for security – see the recommendation in the Apache documentation here.

  Probably the best approach is to delete the .htaccess file outright, and just use ProxyPass. Change your config a small bit…

  <Location />
     ProxyPass http://192.168.x.x/
     ProxyPassReverse http://192.168.x.x/
  </Location>
  

  …and move it from your httpd.conf over to within the <VirtualHost> block that’s serving the subdomain.

  With the matching trailing slashes and no more .htaccess, this should do the trick!

Check more discussion of this question.

Here’s the setup. I’ve got one server running apache/php hosting ownCloud. Among other things, I’m using to do CardDAV contact syncing. In order to make things work with my domain I have an nginx server running on the frontend as a reverse-proxy to the ownCloud server. My nginx config is as follows:

server {
    listen       80;
    server_name  cloud.mydomain.com;    location / {
        proxy_set_header X-Forwarded-Host cloud.mydomain.com;
        proxy_set_header X-Forwarded-Proto http;
        proxy_set_header X-Forwarded-For $remote_addr;
        client_max_body_size 0;
        proxy_redirect off;
        proxy_pass      http://server;
    }
}

The problem is that when my phone does a PROPFIND on the server, nginx adds extra characters to the content body that throw the phone off. Specifically, it prepends d611\r\n at the front of the body and appends 0\r\n\r\n to the end of the content. (I got this from wireshark.) It also re-chunks the result. How do I get nginx to send the original content as-is?

The additional characters you are seeing is the chunked transfer encoding format. The number is the length of the chunk, and the \r\n‘s are delimiters. It seems that the phone does not support chunked transfer encoding (although if it declares that it supports HTTP 1.1 it is supposed to). You can disable chunked transfer encoding with the chunked_transfer_encoding directive.

chunked_transfer_encoding off;

Check more discussion of this question.

For a website I’m developing all my static content is hosted offsite on a combination of S3/Cloudfront. I’ve been looking over a lot of tutorials for deploying a Django app into production and a lot of them recommend a combination of Nginx (reverse proxy) + Apache. This is stated under the assumption that Ngnix will be used for serving static contents and Apache will do all the heavy lifting. Are there any other reasons to have a reverse proxy when I don’t have any static contents to serve? Or in this case could I simplify my server setup and just use Apache?

Nginx will help in your use case as well. Generally, like any reverse proxy, it helps to utilize server resources more optimally with two major techniques:

1. As you correctly pointed out, it serves static content, thus freeing a heavy-weight web server from doing this.
2. But it also solves the problem of “slow clients”, i.e. those clients who use slow connections (dial-up or mobile). Since Apache generates a dynamic page pretty fast, Nginx gets it, stores to the temporary file and serves it to the client at the client’s speed (much like it would serve a static content), freeing Apache to serve another request.

Check more discussion of this question.

I’ve been trying this for a long time and I have not yet found a good solution. I have several servers behind a NAT that all run an SSH daemon. One of the machines is my main server which gets the SSH port forwarded to it. What I want is basically open a connection to other NATed servers by going through the main server similar to what I can achieve by opening a connection to the main server and then SSHing in to the destination. Since there are some applications that run on top of SSH I’d like to make automate this in order to run rsync or git on top of the connection itself.

Is there a reverse proxy for SSH?

You can do this using ProxyCommand and netcat in .ssh/config:

# Your 'gateway' server.
Host gateway# Any other server.
Host server1
  ProxyCommand ssh gateway /bin/netcat %h %p

If you do ssh server1, you will open an SSH connection from your current location to your ‘gateway’ server, which will open a TCP connection to server1. This TCP connection will serve as the connection for SSH between your current location and server1.

Edit: This technique is commonly called ‘ssh jumphost’.

Check more discussion of this question.