Fronting Application Servers with Apache HTTPd (Reverse-Proxying)

When you develop a web application on Tomcat, JBoss, Spring, Play Framework, or any other application server (AS), it is always a good idea to protect the actual application server (or servers) with a fronting server that simply acts as an HTTP/S proxy. This not only provides an extra layer of security but can also enable other things, such as load balancing.

Here I’ll show how you can achieve this using the Apache HTTPd server (version 2 or higher).

Apache HTTPd 2 configuration

  • Edit the httpd.conf file at APACHE_HOME/conf/httpd.conf
  • Uncomment or add the required modules:
    LoadModule proxy_module modules/
    LoadModule proxy_ajp_module modules/
    LoadModule proxy_balancer_module modules/
    LoadModule proxy_connect_module modules/
    LoadModule proxy_ftp_module modules/
    LoadModule proxy_http_module modules/
    • mod_proxy: The core module; it deals with proxy infrastructure and configuration and manages proxy requests.
    • mod_proxy_ajp: This handles the AJP protocol for Tomcat and similar backend servers.
    • mod_proxy_balancer: This implements clustering and load-balancing over multiple backends.
    • mod_proxy_connect: This handles the CONNECT method for secure (SSL) tunneling.
    • mod_proxy_ftp: This handles fetching documents with FTP.
    • mod_proxy_http: This handles fetching documents with HTTP and HTTPS.
  • Add Proxy and Reverse Proxy Configuration:
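    ProxyReceiveBufferSize 16384
    # Reverse proxying through ProxyPass does not need forward proxying.
    # ProxyRequests On combined with the open <Proxy *> block below would
    # let any client relay requests through this server, so keep it Off.
    ProxyRequests Off
    ProxyVia On
    ProxyPreserveHost On
    <Proxy *>
    	Order deny,allow
    	Allow from all
    </Proxy>
    # Map the public path to the back-end application server
    ProxyPass /uploadmethods/form http://localhost:8080/uploadmethods/form
    # Rewrite Location headers in back-end redirects to the public path
    ProxyPassReverse /uploadmethods/form http://localhost:8080/uploadmethods/form

    The above configuration forwards all traffic that hits http://host:80/uploadmethods/form to the back-end server at http://localhost:8080/uploadmethods/form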


  • Similarly, for HTTPS edit APACHE_HOME/conf/extra/httpd-ssl.conf and add:
    SSLProxyEngine On
    ProxyPass /uploasmethods/sslform https://ornlvm.s.vrco:8443/uploasmethods/sslform
    ProxyPassReverse /uploasmethods/sslform https://ornlvm.s.vrco:8443/uploasmethods/sslform
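
A configuration check for the directives above, added here as an example and not part of the original post: it flags forward proxying (ProxyRequests On, which reverse proxying via ProxyPass does not need), ProxyPass mappings without a matching ProxyPassReverse, and https:// back-ends without SSLProxyEngine On. The function name, the finding labels and the backend.example host are assumptions, and the text is treated as a single configuration scope.

```python
# Added example: the sample config, function name and labels are constructed.
SAMPLE = """\
ProxyRequests On
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
ProxyPass /uploadmethods/form http://localhost:8080/uploadmethods/form
ProxyPassReverse /uploadmethods/form http://localhost:8080/uploadmethods/form
ProxyPass /secure https://backend.example:8443/secure
"""

def audit_proxy_config(text):
    """Return finding labels for one scope of httpd proxy configuration."""
    forward = ssl_engine = open_block = in_proxy_all = False
    passes, reverses = {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # httpd comments are whole lines
            continue
        words = line.split()
        name, arg = words[0].lower(), " ".join(words[1:]).lower()
        if name == "<proxy":
            in_proxy_all = arg.strip('"> ') == "*"  # <Proxy *> matches every URL
        elif name == "</proxy>":
            in_proxy_all = False
        elif in_proxy_all and (name, arg) in (("allow", "from all"),
                                              ("require", "all granted")):
            open_block = True  # proxy access granted to every client
        elif name == "proxyrequests":
            forward = arg == "on"  # forward proxying; ProxyPass does not need it
        elif name == "sslproxyengine":
            ssl_engine = arg == "on"
        elif name in ("proxypass", "proxypassreverse") and len(words) >= 3:
            (passes if name == "proxypass" else reverses)[words[1]] = words[2]
    findings = []
    if forward:
        findings.append("open-forward-proxy" if open_block else "forward-proxy-enabled")
    for path, target in sorted(passes.items()):
        if target == "!":  # exclusion: nothing is proxied for this path
            continue
        if reverses.get(path) != target:  # back-end redirects keep the back-end URL
            findings.append("no-matching-proxypassreverse:" + path)
        if target.lower().startswith("https://") and not ssl_engine:
            findings.append("https-backend-without-sslproxyengine:" + path)
    return findings

if __name__ == "__main__":
    print("\n".join(audit_proxy_config(SAMPLE)))
```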

If you are running on a Tomcat/J2EE platform, ensure the correct transport is configured in web.xml:

<web-app ... >
		<web-resource-name>Public Access</web-resource-name>
		<web-resource-name>Confidential Access</web-resource-name>

About CrazyPenguin

Software Engineer