I’ve wanted to get all of our web servers at work under one umbrella in a reverse proxy setup for some time. I wanted this so that I could expose only one web server to the outside world (some of this has to do with network topology that is beyond my control), allowing me make all of our web services available under one URL (nice for things like SSL and multiple URL rewriting) and making it possible to filter web requests at one place. Today I finally sat down with the intent to make it work and plan for the switch over.
In the past I’d looked at doing this with Pound, but it fell short in one key area, URL rewriting. Everything else I needed was already there, in one convenient spot. I really wanted this to work, but in the end I couldn’t give up URL rewriting, it’s a requirement for what I’m trying to accomplish. I also looked at Squid for a time. Honestly I didn’t complete my trial of Squid, it is possible that it might me all of my requirements, but I didn’t see anything that looked like mod_security for Squid. That was another needed feature, I’m trying to protect IIS servers so I wanted all the extra help I could get.
So I eventually ended up at Apache, with mod_proxy. With the help of this how to article things went pretty smoothly. Until I tried to bring the server hosting our Squirrelmail install. No matter what I tried I could get to successfully login. Suspecting that this had to with cookies being based between the client, proxy and server I went hunting for web on the web. Turns out the how to article above mentions a couple of proxy directives for dealing with this, ProxyPassReverseCookieDomain and ProxyPassReverseCookiePath. Unfortunately these are only available in the development version of Apache, version 2.1. I’d spent the better part day of the tweaking my install of Apache 2.0.54 and then had to go build Apache 2.1.x to get the newer version mod_proxy. Some of the module names have changed so I couldn’t just drop in my previous Apache config. I also had to rebuild the mod_proxy_html and mod_security modules for Apache 2.1.x.
The good news is that once I had that all sorted out the new proxy cookie directives did the trick. So here is my little public service announcement (PSA), if you are using mod_proxy as a reverse proxy for Squirrelmail, start with Apache 2.1.x and look into ProxyPassReverseCookieDomain and ProxyPassReverseCookiePath. I suspect this will be the case for any webapp that uses cookies.
I haven’t added mod_security and SSL to the mix yet, but I’m already familiar with those modules, so I don’t expect that to be too bad. I’d never really used mod_proxy as a reverse proxy before so this was some what new territory to me. Oh, at some point I’ll look doing some caching in combination with reverse proxy to minimize the load on the back end web servers.
UPDATE 10:45am 6 Jul 2005:: I should have mentioned the trailing slash problem also shows up in the reverse proxy setup. So if you have a reverse mapping that looks something like:
ProxyPass /webmail/ http://192.168.1.10/webmail/
then you can use mod_rewrite to send a redirect with the trailing slash:
RewriteRule ^/webmail$ webmail/ [R]