Reverse proxy

Question

Level 1

143 points

Reverse proxy

I have a TED device (The Energy Detective) that has an embedded web server. This device resides on my LAN at LAN address 10.6.18.23 and listens on port 80. My Snow Leopard Server has an external IP address.

I would like access the TED device from the internet by using a "reverse proxy". I've read through the "Snow Leopard Server Developer Reference" and the "Mac OS X Server Essentials v10.6" and can not find a good example of how to configure the settings using Server Admin.

I think the steps are:

Define a DNS A record for the web site: ted.mydomain.com
with the same IP address as the server: xserve.mydomain.com

In Server Admin:

Define a SITE, ted mydomain.com
IP address same as xserve.mydomain.com
Port 80
Not sure what to do about "Web Folder" since this the Xserve doesn't serve any web pages. Should I enter the path one the reverse proxy server? /Footprints.html or just put / in this space?

In Default Index FIles: put Footprints.html ?

The other Site tabs-

In OPTIONS leave everything unchecked.
In REALMS leave everything empty.
In LOGGING enable access log
Leave SECURITY empty
Leave ALIASES with default values? Or remove the 3 Alias values OS X Server preloaded?
In PROXY where it really gets confusing to me:

Check "Enable Reverse Proxy"

Do I put http://10.6.18.23 as the PROXY PATH?
For the Sticky Session Identifier: Would I make up an identifier, such as TEDID ?

Is that enough or do I have to set up Balancer Members? I'm not trying to load balance. All I want to do is have Apache on the Snow Leopard Server accept web page requests and pass the requests off to the TED device, and when the TED device answers, send the results to the requester.

Has anyone done something simple like this? I've looked and looked and can't find a good set of documentation or an example showing a simple reverse proxy setup for Snow Leopard Server.

I've tried a number of shoot in the dark settings but each time Apache aborts with various messages pointing back the the Apache config file. I'd like to use the Snow Leopard Server Admin if that will work without having to dig into and learn the internals of configuring Apache at the config file level.

Thanks for any help.

Several minis running os x server, Mac OS X (10.6.2)

Posted on Mar 14, 2010 4:17 PM

Reply

Answer 1

Paul Derby Author

Level 1

143 points

Mar 16, 2010 4:02 PM in response to Paul Derby

Thanks to a good friend that knows more about Apache than I, the reverse proxy is set up and running using Server Admin to generate the configuration file. With this setup you can use the same domain name whether you are accessing your device connected to your LAN or from the Internet.

The "problem" that I initially had is that when you set up a "site" in Server Admin, and then you change around the settings in that "site" using the settings panel below a selected site, not all the info in the config file are changed. So the only way to get a clean config file each time that reflects the desire settings is to delete the site, save, then define the site and the desired settings.

Here is the "cookbook" to set up a reverse proxy so you can use an external domain address to access a web device residing on your LAN:

Define a DNS A record or C record with your ISP or wherever you set up your DNS records for the web site: mydevice.mydomain.com
with the same IP address as the server: myserver.mydomain.com

In Server Admin WEB, SITES:

Define a SITE, mydevice.mydomain.com
IP address same as myserver.mydomain.com
Port 80
The "Web Folder:" setting doesn't seem to matter, I left the default of /Library/WebServer/Documents

Specify the file name in the "Default Index Files:" for the device. For the TED device I set up it is Footprints.html

The other tabs-

In OPTIONS leave everything unchecked.
In REALMS leave everything empty.
In LOGGING enable access log
Leave SECURITY empty
Leave ALIASES with default values
In PROXY
- Web Services tab - unchecked everything. Left Web Folder as the default.
- Proxy tab
- check "Enable Reverse Proxy"
- Proxy path - leave as /
- Sticky Session Identifier, left as empty.
- Balancer Members, click the + and add a new SERVER URL.
http://xx.xx.xx.xx TheLAN IP address of your device or the whatever.local domain name of your device. Leave the ROUTE and LOAD FACTOR fields empty. When you finish the entry the SERVER URL will be in a column called "Worker URL". They appear to be the same thing, despite the two different names in Server Admin.

- Click SAVE
- Wait a minute and test

Reply

Answer 2

Apr 13, 2010 4:17 PM in response to Paul Derby

THANK YOU SO MUCH! You're a life saver! I've been looking for the past week trying to figure out how to do something similar. Basically, I am running Kerio Connect 7, on a Mac Mini for a mail server. On that same server, I am also running Apache. I've only got one public IP address, and, can only use port 443 (80 is blocked). Basically, I wanted to use SLS Web Server to host websites, but, allow "webmail.domain.com" to point to the Kerio Connect webmail interface. I set Kerio to use port 8443 (for HTTPS) and 8800 (for HTTP). Apache on SLS is using port 443. The default website I gave a name (host.domain.com), I then made another site called (webmail.domain.com). Both are set to use port 443 and SSL. I then modified webmail.domain.com, using the instructions you provided. As for the worker URL, I entered "http://mini.aftshock.com:8800".

Again, thank you and I hope these directions help someone else out!

My original post:
http://discussions.apple.com/thread.jspa?threadID=2399257

Reply

Answer 3

May 19, 2010 5:45 AM in response to Bryan Schramm

I'm not sure this actually works as you intended. HTTPS establishes encryption before the server name is sent, so https://virtual-one and https://virtual-two are the same site if they have the same IP address.

Reply