Table of Contents
So with public IPv4 addresses running out, when moving over to my new KVM hosting setup, I had to give a Private IP 192.168.1.x to some VPSs and then setup a reverse proxy.
Setup of mod_proxy
Assuming you have debian or ubuntu, its simple: a2enmod proxy a2enmod proxy_http
Config of mod_proxy with a vhost
The following vhost config forwards traffic over port 80 and 443 (https). Of course when a client goes to https://privatevps.website.com they will get the ssl cert of the public facing apache server which most likely will be a different domain. In any case they can choose to accept the ssl cert warning.
- ProxyPreserveHost On means that on apache on the VPS they can setup vhosts as normal and it will work as normal.
- ServerAlias *domain.net means that any subdomains the client creates, it will just work with the proxy and traffic will be sent to the private VPS.
- https traffic can be sent. This requires ssl setup on apache first. See Apache2_SSL_PHP5_MySQL5
vi /etc/apache2/sites-available/02-proxy-vps1 <VirtualHost *:80>
ProxyRequests Off ProxyPreserveHost On ProxyPass / http://192.168.1.3:80/ ProxyPassReverse / http://192.168.1.3:80/ ServerName www.domain.net ServerAlias *domain.net CustomLog /var/log/apache2/access_domain.log combined ErrorLog /var/log/apache2/error_domain.log
</VirtualHost> <VirtualHost *:443>
ProxyRequests Off ProxyPreserveHost On ProxyPass / https://192.168.1.3:443/ ProxyPassReverse / https://192.168.1.3:443/ ServerName www.domain.net ServerAlias *domain.net CustomLog /var/log/apache2/access_domain.log combined ErrorLog /var/log/apache2/error_domain.log
SSLEngine on SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key BrowserMatch "MSIE [[2-6]]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 # MSIE 7 and newer should be able to use keepalive BrowserMatch "MSIE [[17-9]]" ssl-unclean-shutdown
Optional Config on Private VPS
The Solution apt-get install libapache2-mod-rpaf a2enmod rpaf
vi /etc/apache2/mods-enabled/rpaf.conf //Change the following to (where 192.168.1.1 is the proxy IP): <IfModule mod_rpaf.c> RPAFenable On RPAFsethostname On RPAFproxy_ips 192.168.1.1 </IfModule>
/etc/init.d/apache2 restart tail /var/log/apache2/access.log
Now the true client IP address will show correctly in the access.log behind the proxy server.
Conclusion: this method works very well. I have a single vhost for each Private VPS. By default I add a wildcard domain to send traffic to the private VPS. If the client gets a new domain name, I can add it as a ServerAlias. The ProxyPreserveHost makes this easy.