Apache to Reverse Proxy IIS

I suppose the first question is WHY?

Of course the first answer is because I can. I believe that this is more secure (at least a little more confusing) method of presenting a web page. Our web server is located inside our firewall and open so pages can be updated daily. Our public web server is located outside our firewall and I do not want anyone to have write access to that server. I wanted a way to keep the outside server synchronized with the inside server.

This is not wothout it's quirks. I can not pass authentication through the proxy and I have not been successful ati passing https requests through.

For this application I will be using FreeBSD 6 and Apache 2.2.0. I load FreeBSD as I normally do (minimal install with CAT and MAN pages, turn on sshd, load webmin and ports from distribution). I download the latest version of Apache from the website to the home directory, I have found that this method yields the best results. Unzip, configure and install Apache as:

  tar -zxvf /root/httpd-2.2.20.tar.gz mv httpd-2.2.0 /usr/ports/distfiles/ cd /usr/ports/distfiles/httpd-2.2.0 ./configure --prefix=/usr/apache\ --enable-cache \ --enable-disk-cache \ --enable-proxy \ --enable-ssl \ --enable-unique-id \ --enable-usertrack make make install

You will want to build your own start up script and place it in /usr/local/etc/rc.d. I have modified this script to best suit the install:

  #!/bin/sh # # Script to automatically start (and stop) the apache # web server. # (C)1999 Wayne Pollock, Tampa Florida USA. All Rights Reserved. # Revised for FreeBSD by Ron Squires 2/30/2006 PATH=/usr/bin SERVER_ROOT=/usr/apache/bin PID=/usr/apache/logs/httpd.pid if [ ! -x $SERVER_ROOT/httpd ] then echo "Can't locate httpd!" exit -1 fi case "$1" in 'start') echo -n 'Starting httpd:' $SERVER_ROOT/httpd -k start echo ;; 'restart') echo -n 'Restarting httpd: ' $SERVER_ROOT/httpd -k restart echo ;; 'stop') echo -n 'Stopping httpd: ' $SERVER_ROOT/httpd -k stop echo 'done' ;; *) echo "Usage: $0 { start | stop }" exit -1 esac

Now you can add httpd_enable="YES" to the /etc/rc.conf file.

After this is installed you can make the required configurations. Make sure the following is in your httpd.conf file

With this combination of Apache and FreeBSD I noticed an error like: " Failed to enable the 'httpready' AcceptFilter". I found this response posted on a website

on FreeBSD, you need to add a kernelmodule
kldload accf_http

grep accf /boot/defaults/loader.conf
accf_data_load="NO" # Wait for data accept filter
accf_http_load="NO" # Wait for full HTTP request accept filter

add the second to /boot/loader.conf with 'YES' to enable this permenately

To fix the problem type echo accf_http_load="YES" >> /boot/loader.conf then reboot

  <Proxy *> Order deny,allow Allow from all </Proxy> ProxyPass / http://www.oeisd.local/ ProxyRemote * http://www.oeisd.local/ ProxyPassReverse / http://www.oeisd.local/ SSLEngine off

I have set up this server to be an exact copy of the inside webserver. I have never tried to proxy a portion of the server and run the other as a regular server, nor have I had the need to proxy more than one server. I have been told that becomes a little more of a challenge.

Note that ProxyPass,ProxyRemote and ProxyPassReverse point to a server on a separate networks. This brings up the next issue, name reseloution. I have turned on the name server by adding named_enable="YES" in /etc/rc.conf. Then using webmin I configured the zones (oeisd.local and oeisd.org) with the proper addresses to the devices in both.

I have set /etc/resolv.conf to read:

Good LuckBack