So with public IPv4 addresses running out, when moving over to my new KVM hosting setup, I had to give a private IP (192.168.1.x) to some VPSs and then set up a reverse proxy.
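Assuming you have Debian or Ubuntu, it's simple:

a2enmod proxy
a2enmod proxy_http
# mod_ssl provides the SSLEngine / SSLProxyEngine directives used in the 443 vhost below
a2enmod ssl
/etc/init.d/apache2 restart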
The following vhost config forwards traffic on ports 80 and 443 (HTTPS). Of course, when a client goes to https://privatevps.website.com they will get the SSL cert of the public-facing Apache server, which will most likely be for a different domain. In any case, they can choose to accept the SSL cert warning.
vi /etc/apache2/sites-available/02-proxy-vps1

<VirtualHost *:80>
    # Reverse proxy only: never act as an open forward proxy
    ProxyRequests Off
    # Pass the client's Host header through to the backend
    ProxyPreserveHost On
    ProxyPass / http://192.168.1.3:80/
    ProxyPassReverse / http://192.168.1.3:80/
    ServerName www.domain.net
    ServerAlias *domain.net
    CustomLog /var/log/apache2/access_domain.log combined
    ErrorLog /var/log/apache2/error_domain.log
</VirtualHost>

<VirtualHost *:443>
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / https://192.168.1.3:443/
    ProxyPassReverse / https://192.168.1.3:443/
    ServerName www.domain.net
    ServerAlias *domain.net
    CustomLog /var/log/apache2/access_domain.log combined
    ErrorLog /var/log/apache2/error_domain.log
    # Allow the proxy to speak HTTPS to the backend
    SSLProxyEngine On
    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
    BrowserMatch "MSIE [2-6]" \
        nokeepalive ssl-unclean-shutdown \
        downgrade-1.0 force-response-1.0
    # MSIE 7 and newer should be able to use keepalive
    BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
</VirtualHost>

a2ensite 02-proxy-vps1
One of the main issues with mod_proxy and Apache is that in the Apache logs on the private VPS (the one with the private 192.168.1.x address), the IP address of the proxy will appear and not (by default) the client's true IP address. As a result, when tailing access.log or error.log on the backend Apache server, the IP of the proxy (192.168.1.1) will appear. While most people use Google Analytics or a JavaScript web traffic method, using Webalizer or similar on the backend server won't work.
The Solution

apt-get install libapache2-mod-rpaf
a2enmod rpaf

vi /etc/apache2/mods-enabled/rpaf.conf

Change the following to (where 192.168.1.1 is the proxy IP):

<IfModule mod_rpaf.c>
    RPAFenable On
    RPAFsethostname On
    RPAFproxy_ips 192.168.1.1
</IfModule>

/etc/init.d/apache2 restart
tail /var/log/apache2/access.log
Now the true client IP address will show correctly in the access.log behind the proxy server.
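The trust decision that RPAFproxy_ips controls, modelled in Python as an added example (not code from the original post or from mod_rpaf). The function name, the sample addresses and the choice of the rightmost X-Forwarded-For entry are assumptions of this example.

```python
import ipaddress

# Constructed value matching the page's layout: the proxy is 192.168.1.1.
TRUSTED_PROXIES = {ipaddress.ip_address("192.168.1.1")}


def effective_client_ip(peer_ip, x_forwarded_for, trusted=TRUSTED_PROXIES):
    """Return the address the backend should log for one request.

    peer_ip         -- TCP peer of the connection to the backend
    x_forwarded_for -- raw header value, or None if the header is absent
    """
    peer = ipaddress.ip_address(peer_ip)
    # The header is honoured only when the connection comes from a listed
    # proxy (the role RPAFproxy_ips plays); any other peer could have forged it.
    if peer not in trusted or not x_forwarded_for:
        return str(peer)
    # mod_proxy appends the address it saw to any X-Forwarded-For the client
    # already sent, so only the rightmost entry was written by the proxy.
    # (Assumption of this example: the rightmost entry is the one used.)
    candidate = x_forwarded_for.split(",")[-1].strip()
    try:
        return str(ipaddress.ip_address(candidate))
    except ValueError:
        # Malformed entry: fall back to the peer rather than log garbage.
        return str(peer)


if __name__ == "__main__":
    # Constructed requests: (TCP peer, X-Forwarded-For header)
    samples = [
        ("192.168.1.1", "203.0.113.7"),            # normal proxied request
        ("192.168.1.1", "10.0.0.1, 203.0.113.7"),  # client sent its own header
        ("192.168.1.50", "203.0.113.7"),           # direct hit from another LAN host
        ("192.168.1.1", None),                     # proxy request without the header
        ("192.168.1.1", "not-an-ip"),              # malformed header value
    ]
    for peer, xff in samples:
        result = effective_client_ip(peer, xff)
        print(f"peer={peer:<13} xff={xff!r:<26} -> {result}")
```

The third sample is the case the proxy IP list exists for: a host that reaches the backend directly gets logged under its own address, whatever header it sends.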
Conclusion: this method works very well. I have a single vhost for each private VPS. By default I add a wildcard domain to send traffic to the private VPS. If the client gets a new domain name, I can add it as a ServerAlias. ProxyPreserveHost makes this easy.