Re: reverse proxy best solution?

From: Merton Campbell Crockett <[email protected]>
Date: Tue, 20 Jul 1999 06:36:40 -0700 (PDT)

On Tue, 20 Jul 1999, Nick Urbanik wrote:

NU} Merton Campbell Crockett wrote:
NU}
NU} > Apache configured as a reverse proxy provides access to web servers (IIS,
NU} > Netscape, Apache, CERN, etc.) on the LAN behind the firewall.
NU}
NU} Can you give me any pointers as to how to set up Apache as a reverse proxy?

Look at the documentation at http://www.apache.org. You want to look at
the discussions on virtual hosting and, in particular, the discussions of
mod_rewrite. You also want to read Ralf Engelschall's papers at his
home page, http://www.engelschall.com, in addition to those published on
the Apache web site.

Squid in http-accelerator mode may be an adequate solution for you. JPL
uses a Network Appliance "Squid" box to provide access to web sites within
their campus. Network Appliance went to a great deal of effort to try and
sell me their "Squid in a box" solution. They couldn't come up with a
solution that would satisfy the requirements.

In my environment, campus users had to be able to freely access all web
sites without requiring separate logins and without requiring encryption.
Campus users who traveled to another site with their laptops had to be
able to use their existing bookmarks.

In addition, for external users, all web content including logins and
passwords had to be encrypted while traversing the public Internet. I
used two reverse proxies to accomplish this. An external proxy that
provided a "virtual host" for all web servers visible to the Internet and
that negotiated the cipher algorithms and performed authentication.

It proxied the user requests to an internal proxy using a single defined
port. The internal reverse proxy issued the requests to the campus web
servers. If it weren't for problems with the size of the firewall rule
set, I would probably have omitted the internal proxy.

Omitting the internal proxy would have made life simpler as I could have
used Apache's ProxyPass and ProxyPassReverse to accomplish the same thing.
As it is, the external proxy has to make extensive use of mod_rewrite to
rewrite requests to the port and rules of the internal proxy.

Any further discussion should be taken offline as this has little to do
with Squid. If you aren't faced with similar restrictions, I would
recommend using either Apache in a proxy mode or Squid in an accelerator
mode.

                             Merton Campbell Crockett
+---------------------------------------------------------------------------+
| Manager, Network Operations & Services | Senior Network/Security Engineer |
| GTE Government Systems Corporation | Naval Surface Warfare Center |
| Electronic Systems Division | Port Hueneme Division |
| Intelligence Systems Organization | IT/TIS Program |
| Thousand Oaks, CA | Port Hueneme, CA |
+---------------------------------------------------------------------------+
Received on Tue Jul 20 1999 - 08:27:17 MDT
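
The two layouts described in the message above, sketched as an added configuration example that is not part of the original post or the author's actual setup. It assumes current Apache 2.4 directive syntax; every hostname, address, port, path prefix and file location is a placeholder, and mapping servers by path prefix is one possible scheme, not necessarily the one the author used.

```apache
# Added example. Hostnames, addresses, ports, prefixes and file paths are assumptions.
# Needs mod_ssl, mod_proxy, mod_proxy_http, mod_rewrite, mod_auth_basic, mod_authn_file.

# External proxy: the only host reachable from the Internet.
<VirtualHost *:443>
    ServerName www.example.org
    SSLEngine on
    SSLCertificateFile    /etc/apache2/tls/www.example.org.crt
    SSLCertificateKeyFile /etc/apache2/tls/www.example.org.key

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off

    # Every external request is authenticated over TLS before it is proxied.
    <Location "/">
        AuthType Basic
        AuthName "Campus web"
        AuthUserFile /etc/apache2/htpasswd.external
        Require valid-user
    </Location>

    # Variant A (no internal proxy): one ProxyPass pair per campus server.
    # ProxyPass        "/hr/" "http://hr.campus.example/"
    # ProxyPassReverse "/hr/" "http://hr.campus.example/"

    # Variant B (two proxies): known prefixes go to the internal proxy on a
    # single port, so the firewall needs one rule instead of one per server.
    RewriteEngine On
    RewriteRule "^/(hr|library)/(.*)$" "http://inner-proxy.campus.example:8080/$1/$2" [P,L]
    ProxyPassReverse "/" "http://inner-proxy.campus.example:8080/"
    # Anything that did not match a known prefix is refused.
    RewriteRule "^" "-" [F]
</VirtualHost>

# Internal proxy: fans requests out to the campus web servers.
Listen 8080
<VirtualHost *:8080>
    ServerName inner-proxy.campus.example
    ProxyRequests Off
    # Accept connections from the external proxy's address only.
    <Location "/">
        Require ip 192.0.2.10
    </Location>
    ProxyPass        "/hr/"      "http://hr.campus.example/"
    ProxyPassReverse "/hr/"      "http://hr.campus.example/"
    ProxyPass        "/library/" "http://library.campus.example/"
    ProxyPassReverse "/library/" "http://library.campus.example/"
</VirtualHost>
```

The two `<VirtualHost>` blocks belong in the configurations of two separate Apache instances, one on each side of the firewall.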
