
Reverse Proxy / ProxyPassReverse on Mountain Lion Server

Hello everyone!


I just purchased a new Mac Mini Server running Mountain Lion 10.8.2, to replace my old Mac Mini running Snow Leopard Server. On Snow Leopard Server, configuring a reverse proxy was simple via the GUI. In Mountain Lion Server (MLS), that option is no longer in the GUI. Here's what I want to accomplish.


I want to keep MLS's web services enabled. I have other software running that contains its own web server, running on a different port, say, 8080. I want to use MLS's web apache as the "front end" via port 443 (SSL) and have MLS's apache reverse proxy to the URL for my other application. This worked perfectly under Snow Leopard Server.


https://example.com <--- Should be the default website from Mountain Lion Server

https://app.example.com <--- Should be a reverse proxy to http://example.com:8080


I would sincerely appreciate it if someone could help me out. I found this site (http://grahamgilbert.com/blog/2011/11/22/kerio-connect-vs-web-servies-in-lion-server/) accomplishing something similar for Lion Server; however, it does not seem to work on Mountain Lion Server (I put the config files I created below).


Thanks so much! Happy New Year!


com.example.app.plist

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!-- See man pages for webapp.plist(5) and webappctl(8) for information about this example webapp.plist -->
<plist version="1.0">
<dict>
    <key>includeFiles</key>
    <array> <!-- Include files are activated in virtual host when webapp is started -->
        <string>/Library/Server/Web/Config/apache2/httpd_app.conf</string>
    </array>
    <key>launchKeys</key>
    <array> <!-- Launchd plists in /System/Library/LaunchDaemons are loaded when webapp is started -->
        <!-- <string>com.example.mywebapp</string> -->
    </array>
    <key>name</key>
    <string>com.example.app</string>
    <key>requiredModuleNames</key>
    <array> <!-- Apache plugin modules are enabled when webapp is started -->
        <string>proxy_module</string>
    </array>
    <key>requiredWebAppNames</key>
    <array> <!-- Required web apps are started when this webapp is started -->
        <!-- <string>com.example.webapp.myotherwebapp</string> -->
    </array>
    <key>sslPolicy</key> <!-- Determines webapp SSL behavior -->
    <integer>1</integer> <!-- 0: default, UseSSLWhenEnabled -->
                         <!-- 1: UseSSLAlways -->
                         <!-- 2: UseSSLOnlyWhenCertificateIsTrustable -->
                         <!-- 3: UseSSLNever -->
                         <!-- 4: UseSSLAndNonSSL -->
</dict>
</plist>



httpd_bt2.conf

<IfModule mod_proxy.c>
ProxyVia On
ProxyRequests Off
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
ProxyPreserveHost on
<Proxy *>
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Proxy>
</IfModule>



As per the instructions at Graham's URL above, I first created an "app.example.com" website. The problem is I get the following error when trying to start the webapp, and server.app is complaining about a corrupt web configuration.


mls:~ admin$ sudo webappctl start com.example.app app.example.com

Password:


2012-12-29 10:46:37.263 serveradmin[7303:707] xswebconfig failed: Exception:

undefined method `to_ruby' for nil:NilClass

web:error = "CANNOT_START_SERVICE_ERR"

MAC MINI SERVER (LATE 2012), OS X Server, Mountain Lion Server

Posted on Dec 29, 2012 9:47 AM


Dec 29, 2012 5:12 PM in response to Bryan Schramm

-- UPDATE --


All,


I am not sure if this is the correct way or not, please provide feedback on a better / official way. At any rate, I managed to make this work by editing ONLY the conf file for the virtual host as follows:


FILE: /Library/Server/Web/Config/apache2/sites/0000_any_443_app.example.com.conf


I added the following to the file:

<IfModule mod_proxy.c>
ProxyVia On
ProxyRequests Off
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
ProxyPreserveHost on
<Proxy *>
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Proxy>
</IfModule>

Jan 3, 2013 10:23 AM in response to Bryan Schramm

I have changed the way I am doing reverse proxy on Mountain Lion Server. On my old Snow Leopard Server system, I looked at how it set up Reverse Proxy. Configuring Reverse Proxy from the GUI, in Snow Leopard Server, added the following to the site configuration file (after the <IfModule mod_ssl.c> ~ </IfModule> section):


<IfModule mod_proxy_balancer.c>
ProxyPass / balancer://balancer-group/
ProxyPassReverse / balancer://balancer-group
<Proxy "balancer://balancer-group">
BalancerMember http://my.example.com:8080
</Proxy>
</IfModule>


Here's how I configured this. Via the GUI on Mountain Lion Server, I created a new site my.example.com and associated it to port 443; I left all the defaults. I then edited the configuration file (/Library/Server/Web/Config/apache2/sites/0000_any_443_my.example.com.conf) via the CLI, and added the lines above.


In this example, my server name is server.example.com and the website I am proxying is called my.example.com. my.example.com is running on the server.example.com host on TCP 8080 via HTTP; however, I am using the apache service to proxy https://my.example.com to http://my.example.com:8080. Completely transparent to the end user. This also allows me to ONLY open TCP 443 to the Internet and not TCP 8080. Both server.example.com and my.example.com are valid DNS records on my DNS server, obviously.


As far as an "official way", there is none that I know of... When Apple decided to simplify server management and went to Server.app vs. Server Admin, there were numerous services and configuration settings left out in favor of simplicity. This is very unfortunate, and I hope, Apple decides to add many of them back for more advanced users. DHCP was initially left out; however, was recently added back in, so, there is some promise there. Please Apple!?


Jun 12, 2013 5:29 AM in response to Bryan Schramm

Hi Bryan,


I just upgraded from Snow Leopard Server to Mountain Lion Server. Most everything is in place now on Mountain Lion Server except web sites where I was using reverse proxies.


Are you still happy with the approach you outlined above? I was hoping by now that Server.app would have added GUI setup of reverse proxies, but that hasn't happened as of 10.8.4.


I've noticed Apple has a way to provide feedback on server.app under the "server" menu when server.app is running. I'll send in a request for this feature. Maybe if you and others also need the feature a little lobbying for this missing feature might get noticed.

Jun 16, 2013 12:49 PM in response to Bryan Schramm

Hi Bryan,

I tried your approach and didn't have much luck. Probably something I missed doing in the steps. For some reason the "sites" got jumbled up and when I would try to retrieve a proxy site the URL would come back a mix of both a proxy and non-proxy site. None of the sites were SSL so it wasn't certificate issues but something else kept the virtual proxy from working.


I tried another approach that is simple, just 3 lines of easy code in the site config file, and seems to work:


Let's say you have a server, mini3.myserver.com as the external internet URL for your server, mini3, on your myserver.com domain. mini3.myserver.mylan is the internal URL for your server, mini3 on your internal domain myserver.mylan. (It is highly recommended to use a domain that you own for the internal LAN domain)


Add a DNS entry using the Server App to define an alias for the virtual site. Use the external Zone name of the server in the "Zone" drop down. For the example that would be "myserver.com". Specify the virtual host name in the "Host Name" box, in this case "vacation". Specify the server's external name in the "Destination" box which in the example is "mini3.myserver.com". So if you wanted to have a virtual site: vacation.myserver.com that runs on server mini3.myserver.com you would set the Zone drop down to myserver.com, the Host Name to vacation and the Destination to mini3.myserver.com


If you use an external DNS service, like DNS Made Easy, add a CNAME record for your virtual server for your external domain to match the DNS record you just set up on your own server's DNS.


Use Server App to define a new virtual site. In the Websites area, set the Domain Name to the desired virtual site name, in this example that would be vacation.myserver.com. Everything else leave as set to the defaults by server.app.



On the server, use BBEdit or TextWrangler to open up the resulting site configuration file located in /Library/Server/Web/Config/apache2/sites/. The site file should be 0000_any_80_vacation.myserver.com.conf


In the file you will see something similar to this at the top of the file:


<VirtualHost *:80>
ServerName vacation.myserver.com
ServerAdmin admin@example.com
DocumentRoot "/Library/Server/Web/Data/Sites/vacation.myserver.com"
DirectoryIndex index.html index.php /wiki/ default.html
CustomLog /var/log/apache2/access_log combinedvhost
ErrorLog /var/log/apache2/error_log

Insert these 3 lines to the config file at this point.

ProxyPreserveHost on
ProxyPass / http://vacation.mini3.myserver.mylan/
ProxyPassReverse / http://mini3.myserver.mylan/



Leave the rest of the config file the same.


Then save the config file, turn DNS and Websites off, then back on, using server.app.

Go to a client machine (iPad, iPhone, Mac, PC or whatever) and use the web browser to access your virtual site. If your web browser can't find the newly defined DNS records, go into terminal and flush out the DNS cache with this command: sudo killall -HUP mDNSResponder


Access the virtual URL with Firefox, Safari and Chrome to make sure it works for all the browsers. If there are problems, one of the 3 browsers will often give a clue to the problem. You can also check the LOG for the new site in the server.app.


It doesn't matter if the real site used in the two ProxyPass configuration statements is on your web server or on another device, like an IP web cam or maybe a power monitor like the TED 5000 gateway. Just list the URL for the device on your internal network in the two ProxyPass statements and you will then be able to access that device externally from your external internet URL.


Would be nice to get the "reverse proxy" configuration capability back into server.app that was so handy to have in Snow Leopard Server!


I don't know if your approach or the one I'm listing above is better. For some reason I couldn't get your approach to work on my machine. I probably overlooked some step. I just wanted to put out this alternative approach in case someone hits the same snag that I did.


Paul

Jun 17, 2013 4:20 AM in response to Paul Derby

In my previous posting in the section shown below I messed up the entry when I did some copy/paste entry for defining the ProxyPass. My apologies.... The corrected code is listed below.

<VirtualHost *:80>
ServerName vacation.myserver.com
ServerAdmin admin@example.com
DocumentRoot "/Library/Server/Web/Data/Sites/vacation.myserver.com"
DirectoryIndex index.html index.php /wiki/ default.html
CustomLog /var/log/apache2/access_log combinedvhost
ErrorLog /var/log/apache2/error_log

Insert these 3 lines to the config file at this point.

ProxyPreserveHost on
ProxyPass / http://vacation.mini3.myserver.mylan/
ProxyPassReverse / http://mini3.myserver.mylan/

Leave the rest of the config file the same.


<VirtualHost *:80>
ServerName vacation.myserver.com
ServerAdmin admin@example.com
DocumentRoot "/Library/Server/Web/Data/Sites/vacation.myserver.com"
DirectoryIndex index.html index.php /wiki/ default.html
CustomLog /var/log/apache2/access_log combinedvhost
ErrorLog /var/log/apache2/error_log

Insert these 3 lines to the config file at this point.

ProxyPreserveHost on
ProxyPass / http://vacation.myserver.mylan/
ProxyPassReverse / http://vacation.myserver.mylan/

Leave the rest of the config file the same.



Also note: For this proxy to work, make sure you have a DNS entry for both the LAN and WAN names. In this example you would have a "machine" DNS record for vacation.myserver.mylan as well as an "alias" DNS record for vacation.myserver.com
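
The copy/paste slip corrected in the post above (ProxyPass and ProxyPassReverse naming different backends) is easy to miss by eye, so here is a small checker for it, added as an example and not part of the original posts. It also flags a ProxyPass whose two arguments disagree on the trailing slash and a ProxyRequests On line; the function name and the sample configs are constructed for illustration.

```python
import re

# Real mod_proxy directive names; everything else in the file is ignored.
DIRECTIVE = re.compile(r"^\s*(ProxyPass|ProxyPassReverse|ProxyRequests)\s+(.*?)\s*$", re.I)

def lint_proxy_conf(text):
    """Return (line_no, message) findings for one site config file."""
    findings, passes, reverses = [], {}, {}
    for no, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE.match(line)
        if not m:
            continue  # comments, blank lines and other directives
        name, args = m.group(1).lower(), m.group(2).split()
        if name == "proxyrequests":
            if args and args[0].lower() == "on":
                findings.append((no, "ProxyRequests On enables forward proxying"))
            continue
        if len(args) < 2 or args[1] == "!":
            continue  # malformed line or an exclusion rule
        path, target = args[0], args[1]
        if name == "proxypass":
            # Apache documents that both arguments should agree on the trailing slash.
            if path.endswith("/") != target.endswith("/"):
                findings.append((no, f"ProxyPass {path} {target}: trailing slash mismatch"))
            passes[path] = (no, target.rstrip("/"))
        else:
            reverses[path] = (no, target.rstrip("/"))
    for path, (no, target) in passes.items():
        if path not in reverses:
            findings.append((no, f"ProxyPass {path} has no ProxyPassReverse"))
        elif reverses[path][1] != target:
            rno, rtarget = reverses[path]
            findings.append((rno, f"ProxyPassReverse {path} -> {rtarget}, but ProxyPass -> {target}"))
    return findings

# Constructed samples modelled on the snippets in the thread.
MISMATCHED = """ProxyPreserveHost on
ProxyPass / http://vacation.mini3.myserver.mylan/
ProxyPassReverse / http://mini3.myserver.mylan/
"""
CORRECTED = """ProxyPreserveHost on
ProxyPass / http://vacation.myserver.mylan/
ProxyPassReverse / http://vacation.myserver.mylan/
"""
NO_SLASH = """ProxyRequests On
ProxyPass / http://localhost:8080
ProxyPassReverse / http://localhost:8080/
"""

if __name__ == "__main__":
    for name, conf in [("mismatched", MISMATCHED), ("corrected", CORRECTED), ("no slash", NO_SLASH)]:
        print(name, lint_proxy_conf(conf))
```

Run it against a copy of the file under /Library/Server/Web/Config/apache2/sites/ before restarting Websites; an empty list means none of the three conditions was found.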

Apr 17, 2016 12:15 PM in response to Paul Derby

Reverse Proxy / ProxyPassReverse on El Capitan


I tried it in El Capitan and it works!


created a subdomain home.myserver.com in my dns (cname @)

created the virtual website pointing to an new empty folder home.myserver.com

edited /Library/Server/Web/Config/apache2/sites/0000_127.0.0.1_34580_home.myserver.com.conf

I add the 3 lines

ProxyPreserveHost on
ProxyPass / http://server.local:8090/
ProxyPassReverse / http://server.local:8090/

which runs my domoticz website...


and remove the directory part to get it working! So do not leave it intact remove the <Directory ... stuff...

removed the empty folder...


Thanks for the post, I googled for 3 days...
