Apache Reverse Proxy / http>https Redirect with multiple IP addresses

Yesterday I had an issue: I had configured 3 NICs for an Apache reverse proxy, but the http >> https redirect worked for only one IP.

I did some investigation and found out that the entry "HWADDR" with the corresponding MAC address was missing in the additional NIC configuration for "eth1", "eth2" and "eth3". So I added that information to the ifcfg-eth1, … files and restarted the network service and also the httpd service.

But it still did not work at all…

Today I did some further investigation and figured out the problem. Checking which IP is listening on port 80, I received the following information:

[root@ibmpxy.company.com sites-available]# netstat -an | grep ":80"
tcp 0 0 172.18.0.15:80 0.0.0.0:* LISTEN

This was the IP address of eth0… But why did the Apache server not listen on port 80 for the additional IP addresses bound to the other NICs?

The problem was located in the httpd.conf:

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, in addition to the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#
Listen 172.18.0.15:80

Only eth0 was listed here! After adding the additional IP addresses

#
# Listen: Allows you to bind Apache to specific IP addresses and/or
# ports, in addition to the default. See also the <VirtualHost>
# directive.
#
# Change this to Listen on specific IP addresses as shown below to
# prevent Apache from glomming onto all bound IP addresses (0.0.0.0)
#
Listen 172.18.0.9:80
Listen 172.18.0.10:80
Listen 172.18.0.15:80

and restarting the httpd service, it looked much better:

[root@ibmpxy.company.com conf]# netstat -an | grep ":80"
tcp 0 0 172.18.0.15:80 0.0.0.0:* LISTEN
tcp 0 0 172.18.0.10:80 0.0.0.0:* LISTEN
tcp 0 0 172.18.0.9:80 0.0.0.0:* LISTEN

And now the http >> https redirection also works for the other connect requests, with a simple configuration:

<VirtualHost 172.18.0.10:80>
ServerName connect.company.com

ErrorLog /var/www/virtual/logs/connect.company.com_error.log
CustomLog /var/www/virtual/logs/connect.company.com_access.log common

# Redirect all requests to SSL
Redirect permanent / https://connect.company.com/

</VirtualHost>
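The check that would have found this on day one: compare the addresses the Listen directives promise against what the kernel actually has bound. This is an added example, not part of the original post; the httpd.conf excerpt and the netstat snapshot are constructed from the values above.

```shell
#!/bin/sh
# Constructed sample data: the three Listen lines from the corrected httpd.conf and the
# netstat output as it looked BEFORE the fix, when only the eth0 address was bound on :80.
HTTPD_CONF='Listen 172.18.0.9:80
Listen 172.18.0.10:80
Listen 172.18.0.15:80
Listen 443'
NETSTAT_BEFORE='tcp        0      0 172.18.0.15:80     0.0.0.0:*      LISTEN
tcp        0      0 0.0.0.0:443        0.0.0.0:*      LISTEN'

# expected_listeners CONF_TEXT PORT
# Prints, space separated, every address the Listen directives bind on PORT.
# A bare "Listen PORT" means every address and is reported as 0.0.0.0.
expected_listeners() {
  printf '%s\n' "$1" | awk -v port="$2" '
    $1 == "Listen" && $2 == port           { print "0.0.0.0" }
    $1 == "Listen" && $2 ~ (":" port "$")  { sub(":" port "$", "", $2); print $2 }
  ' | tr '\n' ' ' | sed 's/ $//'
}

# missing_listeners NETSTAT_TEXT PORT "ADDR ADDR ..."
# Prints every expected address that has no LISTEN socket on PORT in the
# "netstat -an" output. A wildcard 0.0.0.0:PORT socket satisfies every address.
missing_listeners() {
  text=$1; port=$2; missing=""
  for ip in $3; do
    if ! printf '%s\n' "$text" | awk -v want="$ip:$port" -v any="0.0.0.0:$port" \
        '$1 == "tcp" && $NF == "LISTEN" && ($4 == want || $4 == any) { found = 1 }
         END { exit found ? 0 : 1 }'
    then
      missing="$missing $ip"
    fi
  done
  printf '%s\n' "${missing# }"
}

# Against the constructed "before" snapshot this reports 172.18.0.9 and 172.18.0.10,
# exactly the two addresses the original httpd.conf did not Listen on.
missing_listeners "$NETSTAT_BEFORE" 80 "$(expected_listeners "$HTTPD_CONF" 80)"
# Live box: missing_listeners "$(netstat -ant)" 80 \
#             "$(expected_listeners "$(cat /etc/httpd/conf/httpd.conf)" 80)"
```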


Apache – Redirect based on IP tables

Some days ago I received a question from a customer, whether it's possible to use a reverse proxy to redirect either to an internal or to an external server based on IP ranges. After some searching and help from Martin Leyrer (thanks a lot for your suggestions), I figured out the complete configuration file for this special customer.

If you need some URL redirection/rewriting, feel free to use this configuration (suggestions for better ways to accomplish this are highly welcome):

# The <VirtualHost> wrapper lines were dropped when this post was published;
# the *:80 and *:443 addresses below are assumed.
<VirtualHost *:80>
ServerName server01.company.com

# Redirect all requests to SSL
# (trailing slash required: without it Apache appends the request path
# directly to the host name, e.g. https://server01.company.comfoo)
Redirect permanent / https://server01.company.com/

ErrorLog /var/www/virtual/logs/portal.company.com_error.log
CustomLog /var/www/virtual/logs/server01.company.com_access.log common
</VirtualHost>

<VirtualHost *:443>
ServerName server01.company.com
SSLEngine On
SSLProxyEngine On
ProxyVia On
ProxyRequests Off
ProxyPreserveHost On
ProxyErrorOverride On
RewriteEngine On

# Added due to HTTP 502 errors:
# https://serverfault.com/questions/206738/intermittent-error-when-using-mod-proxy-to-do-reverse-proxy-to-soap-service
SetEnv force-proxy-request-1.0 1
SetEnv proxy-nokeepalive 1

# Cipher list as used on this Apache 2.2 box; RC4 and the MEDIUM group are
# considered weak today, so use a current list when you reuse this
SSLCipherSuite ALL:!ADH:!EXPORT:!SSLv2:RC4+RSA:+HIGH:+MEDIUM
SSLHonorCipherOrder On
SSLProtocol -All +TLSv1 +TLSv1.1 +TLSv1.2

### Thawte Wildcard Certificate
SSLCertificateKeyFile /var/www/virtual/certs/wildcard_company.pem
SSLCertificateFile /var/www/virtual/certs/ssl_certificate.crt
SSLCACertificateFile /var/www/virtual/certs/IntermediateCA.crt

# Rewrite logging (Apache 2.2 directives; Apache 2.4 uses "LogLevel rewrite:trace4" instead)
RewriteLogLevel 4
RewriteLog "/var/www/virtual/logs/rewrite.log"

# Those requests - company internal - are routed to internalserver.company.com
# (REMOTE_ADDR is the address of the TCP peer, so this only identifies the client
# itself when no further proxy or load balancer sits in front of this server)
RewriteCond %{REMOTE_ADDR} ^10\.10\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.10\.25\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.21\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.23\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.24\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.25\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.26\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.28\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.29\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.30\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.31\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.32\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.33\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.34\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.35\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.38\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.43\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.44\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.46\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.48\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.49\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.51\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.52\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.53\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.56\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.61\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.64\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.65\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.66\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.67\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.68\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.69\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.70\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.71\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.72\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.73\.10\. [OR]
RewriteCond %{REMOTE_ADDR} ^10\.74\.10\. [OR]
# Corrected: REMOTE_ADDR never carries zero-padded octets, so the original
# "192\.168\.002\." could never match; anchored like the conditions above
RewriteCond %{REMOTE_ADDR} ^192\.168\.2\.
RewriteRule ^/(.*) https://internalserver.company.com/$1 [P]

# All other requests are routed to externalserver.company.com
RewriteRule ^/(.*) https://externalserver.company.com/$1 [P]

ErrorLog /var/www/virtual/logs/server01.company.com_error.log
CustomLog /var/www/virtual/logs/server01.company.com_access.log common

ServerSignature Off
AllowEncodedSlashes On
</VirtualHost>
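To see which backend a given client address ends up on, and to catch conditions that can never match, here is an added example (not from the post) that replays the [OR]-chained RewriteCond logic with grep -E. The pattern list is a constructed subset of the conditions above; note that the page's original `192\.168\.002\.` form is rejected by the sanity check, since REMOTE_ADDR never contains a zero-padded octet. REMOTE_ADDR is the TCP peer, so with another proxy or load balancer in front every client would appear to come from that device.

```shell
#!/bin/sh
# Constructed: a subset of the internal prefixes from the RewriteCond block, one
# extended-regex pattern per line, with the 192.168.2.0/24 condition in corrected form.
INTERNAL_PATTERNS='^10\.10\.10\.
^10\.10\.25\.
^10\.21\.10\.
^192\.168\.2\.'

# is_internal ADDR: status 0 when ADDR matches one of the patterns, 1 otherwise.
# Mirrors the [OR]-chained RewriteCond lines: the first matching pattern wins.
is_internal() {
  printf '%s\n' "$INTERNAL_PATTERNS" | {
    while IFS= read -r pat; do
      [ -n "$pat" ] || continue
      if printf '%s\n' "$1" | grep -E -q -- "$pat"; then exit 0; fi
    done
    exit 1
  }
}

# route_for ADDR: prints the backend the two RewriteRules would proxy this client to.
route_for() {
  if is_internal "$1"; then
    printf '%s\n' "https://internalserver.company.com/"
  else
    printf '%s\n' "https://externalserver.company.com/"
  fi
}

# rewrite_cond_ok PATTERN: sanity check for a REMOTE_ADDR condition as written in
# the config. It must be anchored (unanchored "10\.10\.10\." also matches
# 110.10.10.x) and must not contain a zero-padded octet such as "002".
rewrite_cond_ok() {
  case "$1" in
    ^*) ;;
    *)  return 1 ;;
  esac
  printf '%s\n' "$1" | grep -E -q '(^|\\\.)0[0-9]' && return 1
  return 0
}

route_for 10.10.10.5      # internal
route_for 110.10.10.5     # external, thanks to the ^ anchor
route_for 192.168.2.7     # internal with the corrected pattern
```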

Performance problems on Apache Reverse Proxy

Yesterday I had massive performance trouble after going live with an Apache reverse proxy running on CentOS 6.9 for IBM Notes Traveler.

The customer has about 1,250 users and approx. 1,650 devices.

After some investigation, and with the help of a great site where the performance parameters are described very well:

( https://www.linode.com/docs/web-servers/apache-tips-and-tricks/tuning-your-apache-server )

I figured out that the default configuration of the HTTP server was causing these issues, because the settings are much too low/high for this number of devices. I made some modifications in httpd.conf and now it's working fine. Feel free to use them:

#
# Timeout: The number of seconds before receives and sends time out.
#
# Default Value: Timeout 60
Timeout 10

#
# KeepAlive: Whether or not to allow persistent connections (more than
# one request per connection). Set to "Off" to deactivate.
#
# Default Value: KeepAlive Off
KeepAlive On

#
# MaxKeepAliveRequests: The maximum number of requests to allow
# during a persistent connection. Set to 0 to allow an unlimited amount.
# We recommend you leave this number high, for maximum performance.
#
# Default Value: MaxKeepAliveRequests 100
MaxKeepAliveRequests 50

#
# KeepAliveTimeout: Number of seconds to wait for the next request from the
# same client on the same connection.
#
# Default Value: KeepAliveTimeout 15
KeepAliveTimeout 5

# prefork MPM (these lines belong inside the <IfModule prefork.c> section of httpd.conf)

# Default Value: StartServers 8
StartServers 1000
# Default Value: MinSpareServers 5
MinSpareServers 1000
# Default Value: MaxSpareServers 20
MaxSpareServers 1000
# Default Value: ServerLimit 500
ServerLimit 1000
MaxClients 1000
# Default Value: MaxRequestsPerChild 400
MaxRequestsPerChild 4000

# worker MPM (these lines belong inside the <IfModule worker.c> section of httpd.conf)

# Default Value: StartServers 4
StartServers 8
# Default Value: MaxClients 500
MaxClients 1000
# Default Value: MinSpareThreads 25
MinSpareThreads 100
# Default Value: MaxSpareThreads 75
MaxSpareThreads 750
ThreadsPerChild 25
# Default Value: MaxRequestsPerChild 0
MaxRequestsPerChild 0

# Enable HTTP compression (mod_deflate)
AddOutputFilterByType DEFLATE text/plain
AddOutputFilterByType DEFLATE text/html
AddOutputFilterByType DEFLATE text/xml
AddOutputFilterByType DEFLATE text/css
AddOutputFilterByType DEFLATE application/xml
AddOutputFilterByType DEFLATE application/xhtml+xml
AddOutputFilterByType DEFLATE application/rss+xml
AddOutputFilterByType DEFLATE application/javascript
AddOutputFilterByType DEFLATE application/x-javascript
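Before copying MPM numbers it is worth reproducing the clamping httpd applies at startup, because not every value written into httpd.conf takes effect. This is an added example, not from the post or from Apache: prefork caps MaxClients at ServerLimit, and worker caps it at ServerLimit × ThreadsPerChild (logging a warning and lowering the value itself). The worker block above sets no ServerLimit, so the compiled-in default of 16 applies and MaxClients 1000 with ThreadsPerChild 25 becomes 400; the helper also gives the ServerLimit that would be needed and the worst-case RAM for a prefork setting, the number to compare against free memory before raising it.

```shell
#!/bin/sh
# effective_max_clients MPM MAXCLIENTS SERVERLIMIT [THREADSPERCHILD]
# Prints the MaxClients value httpd actually runs with after startup clamping.
effective_max_clients() {
  mpm=$1; maxclients=$2; serverlimit=$3; threads=${4:-1}
  case "$mpm" in
    prefork) cap=$serverlimit ;;                 # one request per child process
    worker)  cap=$((serverlimit * threads)) ;;   # processes x threads per process
    *) echo "unknown MPM: $mpm" >&2; return 2 ;;
  esac
  if [ "$maxclients" -gt "$cap" ]; then echo "$cap"; else echo "$maxclients"; fi
}

# servers_needed MAXCLIENTS THREADSPERCHILD
# The ServerLimit the worker MPM needs so that MAXCLIENTS is not lowered (rounded up).
servers_needed() { echo $(( ($1 + $2 - 1) / $2 )); }

# ram_needed_mb MAXCLIENTS PER_PROCESS_MB
# Worst-case footprint when every prefork child is busy; PER_PROCESS_MB is the
# resident size of one httpd child as seen in "ps -o rss" on the box.
ram_needed_mb() { echo $(( $1 * $2 )); }

# The page's prefork block is consistent (ServerLimit 1000 >= MaxClients 1000):
effective_max_clients prefork 1000 1000          # 1000
# The worker block sets no ServerLimit, so the default of 16 caps it:
effective_max_clients worker 1000 16 25          # 400
servers_needed 1000 25                           # 40  -> "ServerLimit 40" fixes it
# With StartServers 1000 and a constructed 25 MB per child, that is 25 GB at startup:
ram_needed_mb 1000 25                            # 25000
```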



If you also need the configuration file for the Traveler site with the load balancing configuration, feel free to contact me…