Q: Reverse Proxy / ProxyPassReverse on Mountain Lion Server
Hello everyone!
I just purchased a new Mac Mini Server running Mountain Lion 10.8.2, to replace my old Mac Mini running Snow Leopard Server. On Snow Leopard Server, configuring a reverse proxy was simple via the GUI. In Mountain Lion Server (MLS), that option is no longer in the GUI. Here's what I want to accomplish.
I want to keep MLS's web services enabled. I have other software running that contains its own web server, running on a different port, say, 8080. I want to use MLS's web apache as the "front end" via port 443 (SSL) and have MLS's apache reverse proxy to the URL for my other application. This worked perfectly under Snow Leopard Server.
https://example.com <--- Should be the default website from Mountain Lion Server
https://app.example.com <--- Should be a reverse proxy to http://example.com:8080
I would sincerely appreciate it if someone could help me out. I found this site (http://grahamgilbert.com/blog/2011/11/22/kerio-connect-vs-web-servies-in-lion-server/) accomplishing something similar for Lion Server; however, it does not seem to work on Mountain Lion Server (I put the config files I created below).
Thanks so much! Happy New Year!
com.example.app.plist
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<!-- See man pages for webapp.plist(5) and webappctl(8) for information about this example webapp.plist -->
<plist version="1.0">
<dict>
<key>includeFiles</key>
<array> <!-- Include files are activated in virtual host when webapp is started -->
<string>/Library/Server/Web/Config/apache2/httpd_app.conf</string>
</array>
<key>launchKeys</key>
<array> <!-- Launchd plists in /System/Library/LaunchDaemons are loaded when webapp is started -->
<!-- <string>com.example.mywebapp</string> -->
</array>
<key>name</key>
<string>com.example.app</string>
<key>requiredModuleNames</key>
<array> <!-- Apache plugin modules are enabled when webapp is started -->
<string>proxy_module</string>
</array>
<key>requiredWebAppNames</key>
<array> <!-- Required web apps are started when this webapp is started -->
<!-- <string>com.example.webapp.myotherwebapp</string> -->
</array>
<key>sslPolicy</key> <!-- Determines webapp SSL behavior -->
<integer>1</integer> <!-- 0: default, UseSSLWhenEnabled -->
<!-- 1: UseSSLAlways -->
<!-- 2: UseSSLOnlyWhenCertificateIsTrustable -->
<!-- 3: UseSSLNever -->
<!-- 4: UseSSLAndNonSSL -->
</dict>
</plist>
httpd_bt2.conf
<IfModule mod_proxy.c>
ProxyVia On
ProxyRequests Off
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
ProxyPreserveHost on
<Proxy *>
Options FollowSymLinks MultiViews
AllowOverride All
Order allow,deny
allow from all
</Proxy>
</IfModule>
As per the instructions via Graham's URL above, I first created a "app.example.com" website. The problem is I get the following error when trying to start the webapp, and, server.app is complaining about a corrupt web configuration.
mls:~ admin$ sudo webappctl start com.example.app app.example.com
Password:
2012-12-29 10:46:37.263 serveradmin[7303:707] xswebconfig failed: Exception:
undefined method `to_ruby' for nil:NilClass
web:error = "CANNOT_START_SERVICE_ERR"
MAC MINI SERVER (LATE 2012), OS X Server, Mountain Lion Server
Posted on Dec 29, 2012 9:49 AM
I have changed the way I am doing reverse proxy on Mountain Lion Server. On my old Snow Leopard Server system, I looked at how it set-up Reverse Proxy. Configuring Reverse Proxy from the GUI, in Snow Leopard Server, added the following to the site configuration file (after the <IfModule mod_ssl.c> ~ </IfModule> section):
<IfModule mod_proxy_balancer.c>
ProxyPass / balancer://balancer-group/
ProxyPassReverse / balancer://balancer-group
<Proxy "balancer://balancer-group">
BalancerMember http://my.example.com:8080
</Proxy>
</IfModule>
Here's how I configured this. Via the GUI on Mountain Lion Server, I created a new site my.example.com and associated it to port 443; I left all the defaults. I then edited the configuration file (/Library/Server/Web/Config/apache2/sites/0000_any_443_my.example.com.conf) via the CLI, and added the lines above.
In this example, my server name is server.example.com and the website I am proxying is called my.example.com. my.example.com is running on the server.example.com host on TCP 8080 via HTTP; however, I am using the apache service to proxy https://my.example.com to http://my.example.com:8080. Completely transparent to the end user. This also allows me to ONLY open TCP 443 to the Internet and not TCP 8080. Both server.example.com and my.example.com are valid DNS records on my DNS server, obviously.
As far as an "official way", there is none that I know of... When Apple decided to simplify server management and went to Server.app vs. Server Admin, there were numerous services and configuration settings left out in favor of simplicity. This is very unfortunate, and I hope, Apple decides to add many of them back for more advanced users. DHCP was initially left out; however, was recently added back in, so, there is some promise there. Please Apple!?
Posted on Jan 3, 2013 10:23 AM
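Added example, not part of the original posts and not Apple's or Apache's tooling: a small audit of the two mod_proxy fragments quoted in this thread, checking for an open forward proxy (ProxyRequests On), a ProxyPass path with no matching ProxyPassReverse, and a plain-HTTP backend addressed by a non-loopback name. The function name, finding codes and the embedded config strings are constructed for illustration.

```python
from urllib.parse import urlsplit

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed inputs: the proxy directives from the two posts above.
QUESTION_CONF = """\
ProxyVia On
ProxyRequests Off
ProxyPass / http://localhost:8080/
ProxyPassReverse / http://localhost:8080/
ProxyPreserveHost on
"""
ANSWER_CONF = """\
ProxyPass / balancer://balancer-group/
ProxyPassReverse / balancer://balancer-group
<Proxy "balancer://balancer-group">
BalancerMember http://my.example.com:8080
</Proxy>
"""

def audit_proxy_conf(text):
    """Return a list of (code, detail) findings for one config fragment."""
    findings, forward, reverse, backends = [], set(), set(), []
    for raw in text.splitlines():
        parts = raw.strip().split()
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        name, args = parts[0].lower(), parts[1:]
        if name == "proxyrequests" and args and args[0].lower() == "on":
            # Forward proxying enabled: the server may relay arbitrary requests.
            findings.append(("OPEN_FORWARD_PROXY", "ProxyRequests On"))
        elif name == "proxypass" and len(args) >= 2 and args[1] != "!":
            forward.add(args[0])
            backends.append(args[1])
        elif name == "proxypassreverse" and len(args) >= 2:
            reverse.add(args[0])
        elif name == "balancermember" and args:
            backends.append(args[0])
    # Without ProxyPassReverse, backend redirects can expose the :8080 URL.
    for path in sorted(forward - reverse):
        findings.append(("MISSING_PROXYPASSREVERSE", path))
    # Cleartext hop to a DNS name: confirm it resolves to this host only.
    for url in backends:
        u = urlsplit(url)
        if u.scheme == "http" and u.hostname not in LOOPBACK:
            findings.append(("PLAIN_HTTP_NON_LOOPBACK_BACKEND", url))
    return findings

if __name__ == "__main__":
    for label, conf in (("question", QUESTION_CONF), ("answer", ANSWER_CONF)):
        print(label, audit_proxy_conf(conf))
```

The single finding on the answer's fragment is a prompt to confirm that my.example.com resolves to the server itself and that TCP 8080 stays closed at the firewall, as the post describes.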