From: André Malo This module implements a proxy/gateway for Apache. It implements
-proxying capability for
- This module was experimental in Apache 1.1.x. Improvements and bugfixes
-were made in Apache v1.2.x and Apache v1.3.x, then the module underwent a major
-overhaul for Apache v2.0. The protocol support was upgraded to HTTP/1.1,
-and filter support was enabled. Please note that the caching function present in
-mod_proxy up to Apache v1.3.x has been removed from
-mod_proxy and will be incorporated into a new module, mod_cache. In other words:
-the Apache 2.0.x-Proxy doesn't
-cache at all - all caching functionality has been moved into mod_cache,
-which is capable of caching any content, not only content from proxy.
- If you need to use SSL when contacting remote servers, have a look at the
- Do not enable proxying with Do not enable proxying with This module implements a proxy/gateway for Apache. It implements
+ proxying capability for This module was experimental in Apache 1.1.x. Improvements and bugfixes
+ were made in Apache v1.2.x and Apache v1.3.x, then the module underwent a
+ major overhaul for Apache v2.0. The protocol support was upgraded to
+ During the overhaul process the Please note that the caching function present in If you need to use SSL when contacting remote servers, have a look at the
+ Apache can be configured in both a forward and reverse
-proxy configuration. A forward proxy is an intermediate system that enables a browser to connect to a
-remote network to which it normally does not have access. A forward proxy
-can also be used to cache data, reducing load on the networks between the
-forward proxy and the remote webserver. Apache's mod_proxy can be figured to behave like a forward proxy
-using the A reverse proxy is a webserver system that is capable of serving webpages
-sourced from other webservers - in addition to webpages on disk or generated
-dynamically by CGI - making these pages look like they originated at the
-reverse proxy. When configured with the mod_cache module the reverse
-proxy can act as a cache for slower backend webservers. The reverse proxy
-can also enable advanced URL strategies and management techniques, allowing
-webpages served using different webserver systems or architectures to
-coexist inside the same URL space. Reverse proxy systems are also ideal for
-implementing centralised logging websites with many or diverse website
-backends. Complex multi-tier webserver systems can be constructed using an
-Apache mod_proxy frontend and any number of backend webservers. The reverse proxy is configured using the
- You can control who can access your proxy via the
- When configuring a reverse proxy, access control takes on the
-attributes of the normal server You probably don't have that particular file type defined as
-application/octet-stream in your proxy's mime.types configuration
-file. A useful line can be In the rare situation where you must download a specific file using the FTP
-ASCII transfer method (while the default transfer is in
-binary mode), you can override mod_proxy's default by
-suffixing the request with
-An FTP URI is interpreted relative to the home directory of the user
-who is logging in. Alas, to reach higher directory levels you cannot
-use /../, as the dots are interpreted by the browser and not actually
-sent to the FTP server. To address this problem, the so called "Squid
-%2f hack" was implemented in the Apache FTP proxy; it is is a solution
-which is also used by other popular proxy servers like the Squid Proxy Cache. By
-prepending /%2f to the path of your request, you can make such a proxy
-change the FTP starting directory to / (instead of the home
-directory). Example: To retrieve the file
-
-To log in to an FTP server by username and password, Apache
-uses different strategies.
-In absense of a user name and password in the URL altogether,
-Apache sends an anomymous login to the FTP server, i.e., This works for all popular FTP servers which are configured for
-anonymous access. For a personal login with a specific username, you can embed
-the user name into the URL, like in:
- If you're using the An Apache proxy server situated in an intranet needs to forward
-external requests through the company's firewall. However, when it has
-to access resources within the intranet, it can bypass the firewall
-when accessing hosts. The Users within an intranet tend to omit the local domain name from their
-WWW requests, thus requesting "http://somehost/" instead of
-"http://somehost.my.dom.ain/". Some commercial proxy servers let them get
-away with this and simply serve the request, implying a configured
-local domain. When the For circumstances where you have a application server which doesn't implement
-keepalives or HTTP/1.1 properly, there are 2 environment variables which when
-set send a HTTP/1.0 with no keepalive. These are set via the These are the 'force-proxy-request-1.0' and 'proxy-nokeepalive' notes. Apache can be configured in both a forward and
+ reverse proxy configuration. A forward proxy is an intermediate system that enables a
+ browser to connect to a remote network to which it normally does not have
+ access. A forward proxy can also be used to cache data, reducing load on
+ the networks between the forward proxy and the remote webserver. Apache's A reverse proxy is a webserver system that is capable of
+ serving webpages sourced from other webservers - in addition to webpages
+ on disk or generated dynamically by CGI - making these pages look like
+ they originated at the reverse proxy. When configured with the mod_cache module the reverse proxy can act as
+ a cache for slower backend webservers. The reverse proxy can also enable
+ advanced URL strategies and management techniques, allowing webpages
+ served using different webserver systems or architectures to coexist
+ inside the same URL space. Reverse proxy systems are also ideal for
+ implementing centralised logging websites with many or diverse website
+ backends. Complex multi-tier webserver systems can be constructed using an
+ The reverse proxy is configured using the You can control who can access your proxy via the When configuring a reverse proxy, access control takes on the
+ attributes of the normal server You probably don't have that particular file type defined as
+ In the rare situation where you must download a specific file using the
+ FTP An FTP URI is interpreted relative to the home directory of the user
+ who is logging in. Alas, to reach higher directory levels you cannot
+ use /../, as the dots are interpreted by the browser and not actually
+ sent to the FTP server. To address this problem, the so called Squid
+ %2f hack was implemented in the Apache FTP proxy; it is a
+ solution which is also used by other popular proxy servers like the Squid Proxy Cache. By
+ prepending To log in to an FTP server by username and password, Apache uses
+ different strategies. In absense of a user name and password in the URL
+ altogether, Apache sends an anomymous login to the FTP server,
+ i.e., This works for all popular FTP servers which are configured for
+ anonymous access. For a personal login with a specific username, you can embed the user
+ name into the URL, like in: If the FTP server asks for a password when given this username (which
+ it should), then Apache will reply with a in the first place). The password which is transmitted in such a way is not encrypted on
+ its way. It travels between your browser and the Apache proxy server in
+ a base64-encoded cleartext string, and between the Apache proxy and the
+ FTP server as plaintext. You should therefore think twice before
+ accessing your FTP server via HTTP (or before accessing your personal
+ files via FTP at all!) When using unsecure channels, an eavesdropper
+ might intercept your password on its way. If you're using the An Apache proxy server situated in an intranet needs to forward
+ external requests through the company's firewall. However, when it has to
+ access resources within the intranet, it can bypass the firewall when
+ accessing hosts. The Users within an intranet tend to omit the local domain name from their
+ WWW requests, thus requesting "http://somehost/" instead of
+ For circumstances where you have a application server which doesn't
+ implement keepalives or HTTP/1.1 properly, there are 2 environment
+ variables which when set send a HTTP/1.0 with no keepalive. These are set
+ via the These are the The The By default, only the default https port ( Note that you'll need to have This directive is only useful for Apache proxy servers within
-intranets. The The host arguments to the NoProxy directive are one of the
-following type list: This directive is only useful for Apache proxy servers within
+ intranets. The The host arguments to the A Domain is a partially qualified DNS domain name, preceded
+ by a period. It represents a list of hosts which logically belong to the
+ same DNS domain or zone (i.e., the suffixes of the hostnames are
+ all ending in Domain). To distinguish Domains from Hostnames (both syntactically and semantically; a DNS domain can
+ have a DNS A record, too!), Domains are always written with a
+ leading period. Domain name comparisons are done without regard to the case, and
+ Domains are always assumed to be anchored in the root of the
+ DNS tree, therefore two domains A SubNet is a partially qualified internet address in
+ numeric (dotted quad) form, optionally followed by a slash and the netmask,
+ specified as the number of significant bits in the SubNet. It is
+ used to represent a subnet of hosts which can be reached over a common
+ network interface. In the absence of the explicit net mask it is assumed
+ that omitted (or zero valued) trailing digits specify the mask. (In this
+ case, the netmask can only be multiples of 8 bits wide.) Examples: As a degenerate case, a SubNet with 32 valid bits is the
+ equivalent to an IPAddr, while a SubNet with zero
+ valid bits (e.g., 0.0.0.0/0) is the same as the constant
+ _Default_, matching any IP address. A IPAddr represents a fully qualified internet address in
+ numeric (dotted quad) form. Usually, this address represents a host, but
+ there need not necessarily be a DNS domain name connected with the
+ address. An IPAddr does not need to be resolved by the DNS system, so
+ it can result in more effective apache performance. A Hostname is a fully qualified DNS domain name which can
+ be resolved to one or more IPAddrs via the
+ DNS domain name service. It represents a logical host (in contrast to
+ Domains, see above) and must be resolvable
+ to at least one IPAddr (or often to a list
+ of hosts with different IPAddrs). In many situations, it is more effective to specify an IPAddr in place of a Hostname since a
+ DNS lookup can be avoided. Name resolution in Apache can take a remarkable
+ deal of time when the connection to the name server uses a slow PPP
+ link. Hostname comparisons are done without regard to the case,
+ and Hostnames are always assumed to be anchored in the root
+ of the DNS tree, therefore two hosts Directives placed in For example, the following will allow only hosts in
- The following example will process all files in the
- Directives placed in For example, the following will allow only hosts in
+ The following example will process all files in the The The The The 'rocky.wotsamattau.edu' would also be matched if referenced by IP
-address. Note that 'wotsamattau' would also be sufficient to match
-'wotsamattau.edu'. Note also that Note that Note also that blocks connections to all sites. blocks connections to all sites. This directive is only useful for Apache proxy servers within
-intranets. The This directive is only useful for Apache proxy servers within
+ intranets. The Source File: mod_proxy.c Summary
-Warning
-This document has been updated to take into account changes
-made in the 2.0 version of the Apache HTTP Server. Some of the
-information may still be inaccurate, please use it
-with care.
-FTP,
-CONNECT (for SSL),
-HTTP/0.9,
-HTTP/1.0, and
-HTTP/1.1.
-The module can be configured to connect to other proxy modules for these
-and other protocols.SSLProxy* directives in mod_ssl.ProxyRequests until you have
-secured your server. Open proxy servers are
-dangerous both to your network and to the Internet at large.Warning
+ ProxyRequests until you have secured your server. Open proxy servers are dangerous both to your
+ network and to the Internet at large.FTP, CONNECT (for SSL),
+ HTTP/0.9, HTTP/1.0, and HTTP/1.1.
+ The module can be configured to connect to other proxy modules for these
+ and other protocols.HTTP/1.1, and filter support was enabled.mod_proxy has been
+ splitted into several module files. The accompanying modules distributed
+ with the httpd are mod_proxy_http,
+ mod_proxy_ftp and mod_proxy_connect.
+ Thus if you want to use one or more of the particular proxy functions you
+ have to load mod_proxy and the appropriate
+ module(s) into the server (either statically or dynamically via the
+ LoadModule directive).mod_proxy up to Apache v1.3.x has been removed
+ from mod_proxy and will be incorporated into a new module,
+ mod_cache. In other words: the Apache 2.0.x-Proxy doesn't
+ cache at all - all caching functionality has been moved into
+ mod_cache, which is capable of caching any content, not
+ only content from proxy.SSLProxy* directives in mod_ssl.Directives
@@ -93,335 +89,363 @@ dangerous both to your network and to the Internet at large.
Topics
See also
+
Common configuration topics
-
-
-
-
-Forward and Reverse Proxies
-
-ProxyRemote
-directive. In addition, caching of data can be achieved by configuring
-Apache mod_cache. Other dedicated forward proxy
-packages include Squid.ProxyPass and ProxyPassReverse directives. Caching can be
-enabled using mod_cache as with the forward proxy.Controlling access to your proxy
-
-<Proxy>
-control block using the following example:
-<Proxy *>
-Order Deny,Allow
-Deny from all
-Allow from 192.168.0
-</Proxy>
-<directory> configuration.Why doesn't file type xxx
-download via FTP?
-
-
-application/octet-stream bin dms lha lzh exe class tgz taz
-How can I force an FTP ASCII download of
-File xxx?
-
-;type=a to force an ASCII transfer.
-(FTP Directory listings are always executed in ASCII mode, however.)How can I access FTP files outside
-of my home directory?
-
-/etc/motd, you would use the URLftp://user@host/%2f/etc/motdHow can I hide the FTP cleartext password
-in my browser's URL line?
-
-
-user: anonymous
-password: apache_proxy@
-ftp://username@host/myfile. If the FTP server
-asks for a password when given this username (which it should),
-then Apache will reply with a [401 Authorization required] response,
-which causes the Browser to pop up the username/password dialog.
-Upon entering the password, the connection attempt is retried,
-and if successful, the requested resource is presented.
-The advantage of this procedure is that your browser does not
-display the password in cleartext (which it would if you had used
-ftp://username:password@host/myfile in
-the first place).Note
-The password which is transmitted in such a way
-is not encrypted on its way. It travels between your browser and
-the Apache proxy server in a base64-encoded cleartext string, and
-between the Apache proxy and the FTP server as plaintext. You should
-therefore think twice before accessing your FTP server via HTTP
-(or before accessing your personal files via FTP at all!) When
-using unsecure channels, an eavesdropper might intercept your
-password on its way.
-Why does Apache start more slowly when
-using the proxy module?
-
-ProxyBlock
-directive, hostnames' IP addresses are looked up and cached during
-startup for later match test. This may take a few seconds (or more)
-depending on the speed with which the hostname lookups occur.What other functions are useful for an
-intranet proxy server?
-
-NoProxy directive is useful for
-specifying which hosts belong to the intranet and should be accessed
-directly.ProxyDomain directive
-is used and the server is configured for
-proxy service, Apache can return a redirect response and send the client
-to the correct, fully qualified, server address. This is the preferred method
-since the user's bookmark files will then contain fully qualified hosts.How can I make the proxy talk HTTP/1.0 and
-disable keepalives?
-
-SetEnv directive.
-<location /buggyappserver/ >
-ProxyPass http://buggyappserver:7001/foo/
-SetEnv force-proxy-request-1.0 1
-SetEnv proxy-nokeepalive 1
-</location>
-
+
+
+ Forward and Reverse Proxies
+ mod_proxy can be figured to behave like a
+ forward proxy using the ProxyRemote directive. In addition, caching of data can be
+ achieved by configuring mod_cache. Other dedicated
+ forward proxy packages include Squid.mod_proxy frontend and any number of backend
+ webservers.ProxyPass and ProxyPassReverse directives. Caching can be
+ enabled using mod_cache as with the forward proxy.Controlling access to your proxy
+ <Proxy> control block using
+ the following example:
+ <Proxy *>
+
+ Order Deny,Allow
+ Deny from all
+ Allow from 192.168.0
+
+ </Proxy>
+ <Directory> configuration.Why doesn't file type xxx
+ download via FTP?
+ application/octet-stream in your proxy's mime.types
+ configuration file. A useful line can beapplication/octet-stream bin dms lha lzh exe class tgz taz
How can I force an FTP ASCII download of
+ File xxx?
+ ASCII transfer method (while the default transfer is in
+ binary mode), you can override mod_proxy's
+ default by suffixing the request with ;type=a to force an
+ ASCII transfer. (FTP Directory listings are always executed in ASCII mode,
+ however.)How can I access FTP files outside
+ of my home directory?
+ /%2f to the path of your request, you can make
+ such a proxy change the FTP starting directory to / (instead
+ of the home directory). For example, to retrieve the file
+ /etc/motd, you would use the URL:
+ ftp://user@host/%2f/etc/motd
+ How can I hide the FTP cleartext password
+ in my browser's URL line?
+
+ user: anonymous
+ password: apache_proxy@
+
+ ftp://username@host/myfile
+ 401 (Authorization
+ required) response, which causes the Browser to pop up the
+ username/password dialog. Upon entering the password, the connection
+ attempt is retried, and if successful, the requested resource is
+ presented. The advantage of this procedure is that your browser does not
+ display the password in cleartext (which it would if you had used
+ ftp://username:password@host/myfile
+ Note
+ Why does Apache start more slowly when using
+ the proxy module?
+ ProxyBlock directive, hostnames' IP addresses are looked up
+ and cached during startup for later match test. This may take a few
+ seconds (or more) depending on the speed with which the hostname lookups
+ occur.What other functions are useful for an
+ intranet proxy server?
+ NoProxy
+ directive is useful for specifying which hosts belong to the intranet and
+ should be accessed directly.http://somehost.example.com/. Some commercial proxy servers
+ let them get away with this and simply serve the request, implying a
+ configured local domain. When the ProxyDomain directive is used and the server is configured for proxy service, Apache can return
+ a redirect response and send the client to the correct, fully qualified,
+ server address. This is the preferred method since the user's bookmark
+ files will then contain fully qualified hosts.How can I make the proxy talk HTTP/1.0 and
+ disable keepalives?
+ SetEnv directive.force-proxy-request-1.0 and
+ proxy-nokeepalive notes.
+ <Location /buggyappserver/>
+
+ ProxyPass http://buggyappserver:7001/foo/
+ SetEnv force-proxy-request-1.0 1
+ SetEnv proxy-nokeepalive 1
+
+ </Location>
+ AllowCONNECT Directive
-
-
-Description: Ports that are allowed to CONNECT through
-the proxy
+Syntax: AllowCONNECT port [port] ...
+Description: Ports that are allowed to CONNECT through the
+proxy Syntax: AllowCONNECT port [port] ...Default: AllowCONNECT 443 563Context: server config, virtual host Status: Extension Module: mod_proxy AllowCONNECT directive specifies a list
-of port numbers to which the proxy CONNECT method may
-connect. Today's browsers use this method when a https
-connection is requested and proxy tunneling over http is in
-effect.
By default, only the default https port (443) and the
-default snews port (563) are enabled. Use the
-AllowCONNECT directive to overrride this default and
-allow connections to the listed ports only.AllowCONNECT directive specifies a list
+ of port numbers to which the proxy CONNECT method may
+ connect. Today's browsers use this method when a https
+ connection is requested and proxy tunneling over HTTP is in effect.443) and the
+ default snews port (563) are enabled. Use the
+ AllowCONNECT directive to override this default and
+ allow connections to the listed ports only.mod_proxy_connect present
+ in the server in order to get the support for the CONNECT at
+ all.NoProxy Directive
-
-
-Description: Hosts, domains, or networks that will be connected
-to directly
+Syntax: NoProxy host [host] ...
+Description: Hosts, domains, or networks that will be connected to
+directly Syntax: NoProxy host [host] ...Context: server config, virtual host Status: Extension Module: mod_proxy NoProxy directive specifies a
-list of subnets, IP addresses, hosts and/or domains, separated by
-spaces. A request to a host which matches one or more of these is
-always served directly, without forwarding to the configured
-ProxyRemote proxy server(s).Example
- ProxyRemote * http://firewall.mycompany.com:81
- NoProxy .mycompany.com 192.168.112.0/21
-
+
NoProxy directive specifies a
+ list of subnets, IP addresses, hosts and/or domains, separated by
+ spaces. A request to a host which matches one or more of these is
+ always served directly, without forwarding to the configured
+ ProxyRemote proxy server(s).Example
+ ProxyRemote * http://firewall.mycompany.com:81
+ NoProxy .mycompany.com 192.168.112.0/21
+ NoProxy
+ directive are one of the following type list:
-
+
- Examples: .com .apache.org.
- To distinguish Domains from Hostnames (both
- syntactically and semantically; a DNS domain can have a DNS A record,
- too!), Domains are always written
- with a leading period.
- Note: Domain name comparisons are done without regard to the case,
- and Domains are always assumed to be anchored in the root
- of the DNS tree, therefore two domains .MyDomain.com and
- .mydomain.com. (note the trailing period) are
- considered equal. Since a domain comparison does not involve a DNS
- lookup, it is much more efficient than subnet comparison.Examples
+ .com .apache.org.
+ Note
+ .MyDomain.com and
+ .mydomain.com. (note the trailing period) are considered
+ equal. Since a domain comparison does not involve a DNS lookup, it is much
+ more efficient than subnet comparison.
- Examples:
-
-
- As a degenerate case, a SubNet with 32 valid bits is the
- equivalent to an IPAddr, while a SubNet with zero
- valid bits (e.g., 0.0.0.0/0) is the same as the constant
- _Default_, matching any IP address. 192.168 or 192.168.0.0255.255.0.0)192.168.112.0/21192.168.112.0/21 with a netmask of 21
- valid bits (also used in the form 255.255.248.0)
+
+
+ 192.168 or 192.168.0.0255.255.0.0)192.168.112.0/21192.168.112.0/21 with a netmask of 21
+ valid bits (also used in the form 255.255.248.0)
- Example: 192.168.123.7
- Note: An IPAddr does not need to be resolved by the DNS
- system, so it can result in more effective apache performance.Example
+ 192.168.123.7
+ Note
+
- Examples: prep.ai.mit.edu
- www.apache.org.
- Note: In many situations, it is more effective to specify an
- IPAddr in place of a
- Hostname since a DNS lookup
- can be avoided. Name resolution in Apache can take a remarkable deal
- of time when the connection to the name server uses a slow PPP
- link.
- Note: Hostname comparisons are done without regard to the case,
- and Hostnames are always assumed to be anchored in the root
- of the DNS tree, therefore two hosts WWW.MyDomain.com
- and www.mydomain.com. (note the trailing period) are
- considered equal.Examples
+ prep.ai.mit.edu
+ www.apache.org
+ Note
+ WWW.MyDomain.com
+ and www.mydomain.com. (note the trailing period) are
+ considered equal.See also
@@ -431,38 +455,41 @@ following type list:
<Proxy> Directive
-
-
-Description: Container for directives applied to proxied
-resources
+Syntax: <Proxy wildcard-url> ...</Proxy>
+Description: Container for directives applied to proxied resources Syntax: <Proxy wildcard-url> ...</Proxy>Context: server config, virtual host Status: Extension Module: mod_proxy <Proxy>
-sections apply only to matching proxied content. Shell-style
-wildcards are allowed.yournetwork.example.com to access content via your
-proxy server:
-<Proxy *>
- Order Deny,Allow
- Deny from all
- Allow from yournetwork.example.com
-</Proxy>
-foo directory of example.com through the
-INCLUDES filter when they are sent through the proxy
-server:
-<Proxy http://example.com/foo/*>
- SetOutputFilter INCLUDES
-</Proxy>
-<Proxy>
+ sections apply only to matching proxied content. Shell-style wildcards are
+ allowed.yournetwork.example.com to access content via your proxy
+ server:
+ <Proxy *>
+
+ Order Deny,Allow
+ Deny from all
+ Allow from yournetwork.example.com
+
+ </Proxy>
+ foo
+ directory of example.com through the INCLUDES
+ filter when they are sent through the proxy server:
+ <Proxy http://example.com/foo/*>
+
+ SetOutputFilter INCLUDES
+
+ </Proxy>
+ Module: mod_proxy
-Compatibility: available in Apache 2.0.44 and later ProxyBadHeader directive determines the behaviour
-of mod_proxy if it receives syntactically invalid header lines
-(i.e. containing no colon). The following arguments are possible:
-
+ IsErrorIgnoreStartBodyProxyBadHeader directive determines the
+ behaviour of mod_proxy if it receives syntactically invalid
+ header lines (i.e. containing no colon). The following arguments
+ are possible:
+
IsErrorIgnoreStartBody
-
-Description: Words, hosts, or domains that are banned from being
proxied
+Syntax: ProxyBlock *|word|host|domain
-[word|host|domain] ...Syntax: ProxyBlock *|word|host|domain
+[word|host|domain] ...Context: server config, virtual host Status: Extension Module: mod_proxy ProxyBlock directive specifies a list of
-words, hosts and/or domains, separated by spaces. HTTP, HTTPS, and
-FTP document requests to sites whose names contain matched words,
-hosts or domains are blocked by the proxy server. The proxy
-module will also attempt to determine IP addresses of list items which
-may be hostnames during startup, and cache them for match test as
-well. Example:
- ProxyBlock joes-garage.com some-host.co.uk rocky.wotsamattau.edu
-ProxyBlock directive specifies a list of
+ words, hosts and/or domains, separated by spaces. HTTP, HTTPS, and
+ FTP document requests to sites whose names contain matched words,
+ hosts or domains are blocked by the proxy server. The proxy
+ module will also attempt to determine IP addresses of list items which
+ may be hostnames during startup, and cache them for match test as
+ well. That may slow down the startup time of the server.Example
+ ProxyBlock joes-garage.com some-host.co.uk rocky.wotsamattau.edu
+ rocky.wotsamattau.edu would also be matched if referenced by
+ IP address.wotsamattau would also be sufficient to match
+ wotsamattau.edu.
-ProxyBlock *
-
+ ProxyBlock *
+ ProxyDomain Directive
-
-Description: Default domain name for proxied requests
+Syntax: ProxyDomain DomainSyntax: ProxyDomain DomainContext: server config, virtual host Status: Extension Module: mod_proxy ProxyDomain directive specifies
-the default domain which the apache proxy server will belong to. If a
-request to a host without a domain name is encountered, a redirection
-response to the same host with the configured Domain appended
-will be generated.Example
- ProxyRemote * http://firewall.mycompany.com:81
- NoProxy .mycompany.com 192.168.112.0/21
- ProxyDomain .mycompany.com
-ProxyDomain directive specifies
+ the default domain which the apache proxy server will belong to. If a
+ request to a host without a domain name is encountered, a redirection
+ response to the same host with the configured Domain appended
+ will be generated.Example
+ ProxyRemote * http://firewall.mycompany.com:81
+ NoProxy .mycompany.com 192.168.112.0/21
+ ProxyDomain .mycompany.com
+
This directive is useful for reverse-proxy setups, where you want to -have a common look and feel on the error pages seen by the end user. -This also allows for included files (via mod_include's SSI) to get -the error code and act accordingly (default behavior would display -the error page of the proxied server, turning this on shows the SSI -Error message).
+This directive is useful for reverse-proxy setups, where you want to + have a common look and feel on the error pages seen by the end user. + This also allows for included files (via mod_include's SSI) to get + the error code and act accordingly (default behavior would display + the error page of the proxied server, turning this on shows the SSI + Error message).
| Description: | IO buffer size for outgoing HTTP and FTP -connections |
|---|---|
| Syntax: | ProxyIOBufferSize bytes |
| Description: | Determine size of internal data throughput buffer |
| Syntax: | ProxyIOBufferSize bytes |
| Default: | ProxyIOBufferSize 8192 |
| Context: | server config, virtual host |
| Status: | Extension |
| Module: | mod_proxy |
The ProxyIOBufferSize directive adjusts the size
+ of the internal buffer, which is used as a scratchpad for the data between
+ input and output. The size must be less or equal 8192.
In almost every case there's no reason to change that value.
| Description: | Container for directives applied to regular-expression-matched proxied resources |
|---|---|
| Syntax: | <ProxyMatch regex> ...</ProxyMatch> |
| Syntax: | <ProxyMatch regex> ...</ProxyMatch> |
| Context: | server config, virtual host |
| Status: | Extension |
| Module: | mod_proxy |
The <ProxyMatch> directive is
-identical to the <Proxy> directive, except it matches URLs
-using regular expressions.
The <ProxyMatch> directive is
+ identical to the <Proxy> directive, except it matches URLs
+ using regular expressions.
| Description: | Maximium number of proxies that a request can be forwarded through |
|---|---|
| Syntax: | ProxyMaxForwards number |
| Syntax: | ProxyMaxForwards number |
| Default: | ProxyMaxForwards 10 |
| Context: | server config, virtual host |
| Status: | Extension |
| Module: | mod_proxy |
| Compatibility: | Available in Apache 2.0 and later |
The ProxyMaxForwards directive specifies the
-maximum number of proxies through which a request may pass. This is
-set to prevent infinite proxy loops, or a DoS attack.
The ProxyMaxForwards directive specifies the
+ maximum number of proxies through which a request may pass, if there's no
+ Max-Forwards header supplied with the request. This is
+ set to prevent infinite proxy loops, or a DoS attack.
- ProxyMaxForwards 10
-
+ ProxyMaxForwards 15
+
| Description: | Maps remote servers into the local server -URL-space |
|---|---|
| Syntax: | ProxyPass [path] !|url |
| Context: | server config, virtual host |
| Description: | Maps remote servers into the local server URL-space |
| Syntax: | ProxyPass [path] !|url |
| Context: | server config, virtual host, directory |
| Status: | Extension |
| Module: | mod_proxy |
This directive allows remote servers to be mapped into the space of -the local server; the local server does not act as a proxy in the -conventional sense, but appears to be a mirror of the remote -server. path is the name of a local virtual path; -url is a partial URL for the remote server and cannot -include a query string.
- -Suppose the local server has address http://wibble.org/;
-then
- ProxyPass /mirror/foo/ http://foo.com/
-
will cause a local request for the
-<http://wibble.org/mirror/foo/bar> to be
-internally converted into a proxy request to
-<http://foo.com/bar>.
-The ! directive is useful in situations where you don't want to reverse-proxy -a subdirectory. eg.
-
- ProxyPass /mirror/foo/i !
- ProxyPass /mirror/foo http://foo.com
-
will proxy all requests to /mirror/foo to foo.com EXCEPT requests made to /mirror/foo/i
- -When used inside a <Location> section, the first argument is
-ommitted and the local directory is obtained from the <Location>.
If you require a more flexible reverse-proxy configuration, see
-the RewriteRule directive
-with the [P] flag.
This directive allows remote servers to be mapped into the space of + the local server; the local server does not act as a proxy in the + conventional sense, but appears to be a mirror of the remote + server. path is the name of a local virtual path; url + is a partial URL for the remote server and cannot include a query + string.
+ +Suppose the local server has address http://example.com/;
+ then
+ ProxyPass /mirror/foo/ http://backend.example.com/
+
will cause a local request for
+ http://example.com/mirror/foo/bar to be internally converted
+ into a proxy request to http://backend.example.com/bar.
The ! directive is useful in situations where you don't want
+ to reverse-proxy a subdirectory, e.g.
+ ProxyPass /mirror/foo/i !
+ ProxyPass /mirror/foo http://backend.example.com
+
will proxy all requests to /mirror/foo to
+ backend.example.com except requests made to
+ /mirror/foo/i.
Order is important. you need to put the exclusions before the + general proxypass directive.
+When used inside a <Location> section, the first argument is ommitted and the local
+ directory is obtained from the <Location>.
If you require a more flexible reverse-proxy configuration, see the
+ RewriteRule directive with the
+ [P] flag.
| Description: | Adjusts the URL in HTTP response headers sent from -a reverse proxied server |
|---|---|
| Syntax: | ProxyPassReverse [path] url |
| Context: | server config, virtual host |
| Description: | Adjusts the URL in HTTP response headers sent from a reverse +proxied server |
| Syntax: | ProxyPassReverse [path] url |
| Context: | server config, virtual host, directory |
| Status: | Extension |
| Module: | mod_proxy |
This directive lets Apache adjust the URL in the Location,
-Content-Location and URI headers on
-HTTP redirect responses. This is essential when Apache is used as
-a reverse proxy to avoid by-passing the reverse proxy because of HTTP
-redirects on the backend servers which stay behind the reverse proxy.
path is the name of a local virtual path.
-url is a partial URL for the remote server - the same way they are
-used for the ProxyPass directive.
-Example:
-Suppose the local server has address http://wibble.org/; then
- ProxyPass /mirror/foo/ http://foo.com/
- ProxyPassReverse /mirror/foo/ http://foo.com/
-
will not only cause a local request for the
-<http://wibble.org/mirror/foo/bar> to be internally
-converted into a proxy request to <http://foo.com/bar> (the
-functionality ProxyPass provides here). It also takes care of
-redirects the server foo.com sends: when http://foo.com/bar is
-redirected by him to http://foo.com/quux Apache adjusts this to
-http://wibble.org/mirror/foo/quux before forwarding the HTTP
-redirect response to the client. Note that the hostname used for
-constructing the URL is chosen in respect to the setting of the
-UseCanonicalName directive.
-Note that this ProxyPassReverse directive can
-also be used in conjunction with the proxy pass-through feature
-("RewriteRule ... [P]") from
-mod_rewrite because its doesn't depend on a
-corresponding ProxyPass
-directive.
When used inside a <Location> section, the first argument is
-ommitted and the local directory is obtained from the <Location>.
This directive lets Apache adjust the URL in the Location,
+ Content-Location and URI headers on HTTP redirect
+ responses. This is essential when Apache is used as a reverse proxy to avoid
+ by-passing the reverse proxy because of HTTP redirects on the backend
+ servers which stay behind the reverse proxy.
path is the name of a local virtual path. url is a
+ partial URL for the remote server - the same way they are used for the
+ ProxyPass directive.
For example, suppose the local server has address
+ http://example.com/; then
+ ProxyPass /mirror/foo/ http://backend.example.com/
+ ProxyPassReverse /mirror/foo/ http://backend.example.com/
+
will not only cause a local request for the
+ http://example.com/mirror/foo/bar to be internally converted
+ into a proxy request to http://backend.example.com/bar
+ (the functionality ProxyPass provides here). It also takes care
+ of redirects the server backend.example.com sends: when
+ http://backend.example.com/bar is redirected by him to
+ http://backend.example.com/quux Apache adjusts this to
+ http://example.com/mirror/foo/quux before forwarding the HTTP
+ redirect response to the client. Note that the hostname used for
+ constructing the URL is chosen in respect to the setting of the UseCanonicalName directive.
Note that this ProxyPassReverse directive can
+ also be used in conjunction with the proxy pass-through feature
+ (RewriteRule ... [P]) from mod_rewrite
+ because its doesn't depend on a corresponding ProxyPass directive.
When used inside a <Location> section, the first argument is ommitted and the local
+ directory is obtained from the <Location>.
| Description: | Use incoming Host HTTP request header for -proxy request |
|---|---|
| Syntax: | ProxyPreserveHost on|off |
| Description: | Use incoming Host HTTP request header for proxy +request |
| Syntax: | ProxyPreserveHost On|Off |
| Default: | ProxyPreserveHost Off |
| Context: | server config, virtual host |
| Status: | Extension |
| Module: | mod_proxy |
| Compatibility: | Available in -Apache 2.0.31 and later. |
| Compatibility: | Available in Apache 2.0.31 and later. |
When enabled, this option will pass the Host: line from the -incoming request to the proxied host, instead of the hostname -specified in the proxypass line. -
-This option should normally be turned 'off'.
+When enabled, this option will pass the Host: line from the incoming + request to the proxied host, instead of the hostname specified in the + proxypass line.
+ +This option should normally be turned Off. It is mostly
+ useful in special configurations like proxied mass name-based virtual
+ hosting, where the original Host header needs to be evaluated by the
+ backend server.
| Description: | Network buffer size for outgoing HTTP and FTP + |
|---|---|
| Description: | Network buffer size for proxied HTTP and FTP connections |
| Syntax: | ProxyReceiveBufferSize bytes |
| Syntax: | ProxyReceiveBufferSize bytes |
| Default: | ProxyReceiveBufferSize 0 |
| Context: | server config, virtual host |
| Status: | Extension |
| Module: | mod_proxy |
The ProxyReceiveBufferSize directive
-specifies an explicit network buffer size for outgoing HTTP and FTP
-connections, for increased throughput. It has to be greater than 512
-or set to 0 to indicate that the system's default buffer size should
-be used.
- ProxyReceiveBufferSize 2048
-
The ProxyReceiveBufferSize directive specifies an
+ explicit (TCP/IP) network buffer size for proxied HTTP and FTP connections,
+ for increased throughput. It has to be greater than 512 or set
+ to 0 to indicate that the system's default buffer size should
+ be used.
+ ProxyReceiveBufferSize 2048
+
| Description: | Remote proxy used to handle certain requests |
|---|---|
| Syntax: | ProxyRemote match remote-server |
| Syntax: | ProxyRemote match remote-server |
| Context: | server config, virtual host |
| Status: | Extension |
| Module: | mod_proxy |
This defines remote proxies to this proxy. match is either the -name of a URL-scheme that the remote server supports, or a partial URL -for which the remote server should be used, or '*' to indicate the -server should be contacted for all requests. remote-server is a -partial URL for the remote server. Syntax:
- -- remote-server = protocol://hostname[:port] -- -
protocol is the protocol that should be used to communicate -with the remote server; only "http" is supported by this module.
- --Example:
-
- ProxyRemote http://goodguys.com/ http://mirrorguys.com:8000
- ProxyRemote * http://cleversite.com
- ProxyRemote ftp http://ftpproxy.mydomain.com:8080
-
In the last example, the proxy will forward FTP requests, encapsulated -as yet another HTTP proxy request, to another proxy which can handle -them.
- -This option also supports reverse proxy configuration - a backend -webserver can be embedded within a virtualhost URL space even if that -server is hidden by another forward proxy.
+This defines remote proxies to this proxy. match is either the
+ name of a URL-scheme that the remote server supports, or a partial URL
+ for which the remote server should be used, or * to indicate
+ the server should be contacted for all requests. remote-server is
+ a partial URL for the remote server. Syntax:
+ remote-server =
+ scheme://hostname[:port]
+
scheme is effectively the protocol that should be used to
+ communicate with the remote server; only http is supported by
+ this module.
+ ProxyRemote http://goodguys.com/ http://mirrorguys.com:8000
+ ProxyRemote * http://cleversite.com
+ ProxyRemote ftp http://ftpproxy.mydomain.com:8080
+
In the last example, the proxy will forward FTP requests, encapsulated + as yet another HTTP proxy request, to another proxy which can handle + them.
+ +This option also supports reverse proxy configuration - a backend + webserver can be embedded within a virtualhost URL space even if that + server is hidden by another forward proxy.
| Description: | Remote proxy used to handle requests -matched by regular expressions |
|---|---|
| Syntax: | ProxyRemoteMatch regex remote-server |
| Description: | Remote proxy used to handle requests matched by regular +expressions |
| Syntax: | ProxyRemoteMatch regex remote-server |
| Context: | server config, virtual host |
| Status: | Extension |
| Module: | mod_proxy |
The ProxyRemoteMatch is identical
-to the ProxyRemote
-directive, except the first argument is a regular expression
-match against the requested URL.
The ProxyRemoteMatch is identical to the
+ ProxyRemote directive, except the
+ first argument is a regular expression match against the requested URL.
| Description: | Enables forward (standard) proxy requests |
|---|---|
| Syntax: | ProxyRequests on|off |
| Syntax: | ProxyRequests On|Off |
| Default: | ProxyRequests Off |
| Context: | server config, virtual host |
| Status: | Extension |
| Module: | mod_proxy |
This allows or prevents Apache from functioning as a forward proxy
-server. (Setting ProxyRequests to 'off' does not disable use of the
-ProxyPass directive.)
This allows or prevents Apache from functioning as a forward proxy
+ server. (Setting ProxyRequests to Off does not disable use of
+ the ProxyPass directive.)
In a typical reverse proxy configuration, this option should be set to -'off'.
+In a typical reverse proxy configuration, this option should be set to
+ Off.
Do not enable proxying with ProxyRequests until you have
-secured your server. Open proxy servers are
-dangerous both to your network and to the Internet at large.
In order to get the functionality of proxying HTTP or FTP sites, you
+ need also mod_proxy_http or mod_proxy_ftp
+ (or both) present in the server.
Do not enable proxying with ProxyRequests until you have secured your server. Open proxy servers are dangerous
+ both to your network and to the Internet at large.
| Description: | Network timeout for proxied requests |
|---|---|
| Syntax: | ProxyTimeout seconds |
| Syntax: | ProxyTimeout seconds |
| Default: | ProxyTimeout 300 |
| Context: | server config, virtual host |
| Status: | Extension |
| Module: | mod_proxy |
| Compatibility: | Available in -Apache 2.0.31 and later |
| Compatibility: | Available in Apache 2.0.31 and later |
This directive allows a user to specifiy a timeout on proxy requests. -This is usefull when you have a slow/buggy appserver which hangs, -and you would rather just return a timeout and fail gracefully instead -of waiting however long it takes the server to return -
+This directive allows a user to specifiy a timeout on proxy requests. + This is useful when you have a slow/buggy appserver which hangs, and you + would rather just return a timeout and fail gracefully instead of waiting + however long it takes the server to return.
| Description: | Information provided in the Via HTTP response header for proxied requests |
|---|---|
| Syntax: | ProxyVia on|off|full|block |
| Default: | ProxyVia off |
| Syntax: | ProxyVia On|Off|Full|Block |
| Default: | ProxyVia Off |
| Context: | server config, virtual host |
| Status: | Extension |
| Module: | mod_proxy |
This directive controls the use of the Via: HTTP
-header by the proxy. Its intended use is to control the flow of of
-proxy requests along a chain of proxy servers. See RFC2068 (HTTP/1.1)
-for an explanation of Via: header lines.
Via: header,
-it is passed through unchanged.Via: header line added for
-the current host.Via: header
-line will additionally have the Apache server version shown as a
-Via: comment field.Via: header lines
-removed. No new Via: header will be generated.This directive controls the use of the Via: HTTP
+ header by the proxy. Its intended use is to control the flow of of
+ proxy requests along a chain of proxy servers. See RFC 2616 (HTTP/1.1), section
+ 14.45 for an explanation of Via: header lines.
Off, which is the default, no special processing
+ is performed. If a request or reply contains a Via: header,
+ it is passed through unchanged.On, each request and reply will get a
+ Via: header line added for the current host.Full, each generated Via: header
+ line will additionally have the Apache server version shown as a
+ Via: comment field.Block, every proxy request will have all its
+ Via: header lines removed. No new Via: header will
+ be generated.This module implements a proxy/gateway for Apache. It implements
-proxying capability for
-FTP,
-CONNECT (for SSL),
-HTTP/0.9,
-HTTP/1.0, and
-HTTP/1.1.
-The module can be configured to connect to other proxy modules for these
-and other protocols.
This module was experimental in Apache 1.1.x. Improvements and bugfixes -were made in Apache v1.2.x and Apache v1.3.x, then the module underwent a major -overhaul for Apache v2.0. The protocol support was upgraded to HTTP/1.1, -and filter support was enabled.
- -Please note that the caching function present in -mod_proxy up to Apache v1.3.x has been removed from -mod_proxy and will be incorporated into a new module, mod_cache. In other words: -the Apache 2.0.x-Proxy doesn't -cache at all - all caching functionality has been moved into mod_cache, -which is capable of caching any content, not only content from proxy. -
- -If you need to use SSL when contacting remote servers, have a look at the
-SSLProxy* directives in
Do not enable proxying with
Do not enable proxying with
This module implements a proxy/gateway for Apache. It implements
+ proxying capability for FTP, CONNECT (for SSL),
+ HTTP/0.9, HTTP/1.0, and HTTP/1.1.
+ The module can be configured to connect to other proxy modules for these
+ and other protocols.
This module was experimental in Apache 1.1.x. Improvements and bugfixes
+ were made in Apache v1.2.x and Apache v1.3.x, then the module underwent a
+ major overhaul for Apache v2.0. The protocol support was upgraded to
+ HTTP/1.1, and filter support was enabled.
During the overhaul process the
Please note that the caching function present in
If you need to use SSL when contacting remote servers, have a look at the
+ SSLProxy* directives in
Apache can be configured in both a forward and reverse -proxy configuration.
- -A forward proxy is an intermediate system that enables a browser to connect to a -remote network to which it normally does not have access. A forward proxy -can also be used to cache data, reducing load on the networks between the -forward proxy and the remote webserver.
- -Apache's mod_proxy can be figured to behave like a forward proxy
-using the
A reverse proxy is a webserver system that is capable of serving webpages -sourced from other webservers - in addition to webpages on disk or generated -dynamically by CGI - making these pages look like they originated at the -reverse proxy.
- -When configured with the mod_cache module the reverse -proxy can act as a cache for slower backend webservers. The reverse proxy -can also enable advanced URL strategies and management techniques, allowing -webpages served using different webserver systems or architectures to -coexist inside the same URL space. Reverse proxy systems are also ideal for -implementing centralised logging websites with many or diverse website -backends. Complex multi-tier webserver systems can be constructed using an -Apache mod_proxy frontend and any number of backend webservers.
- -The reverse proxy is configured using the
-
You can control who can access your proxy via the
-
When configuring a reverse proxy, access control takes on the
-attributes of the normal server
You probably don't have that particular file type defined as -application/octet-stream in your proxy's mime.types configuration -file. A useful line can be
- -In the rare situation where you must download a specific file using the FTP
-ASCII transfer method (while the default transfer is in
-binary mode), you can override mod_proxy's default by
-suffixing the request with ;type=a to force an ASCII transfer.
-(FTP Directory listings are always executed in ASCII mode, however.)
-An FTP URI is interpreted relative to the home directory of the user -who is logging in. Alas, to reach higher directory levels you cannot -use /../, as the dots are interpreted by the browser and not actually -sent to the FTP server. To address this problem, the so called "Squid -%2f hack" was implemented in the Apache FTP proxy; it is is a solution -which is also used by other popular proxy servers like the Squid Proxy Cache. By -prepending /%2f to the path of your request, you can make such a proxy -change the FTP starting directory to / (instead of the home -directory).
- -Example: To retrieve the file
-/etc/motd, you would use the URL
-To log in to an FTP server by username and password, Apache -uses different strategies. -In absense of a user name and password in the URL altogether, -Apache sends an anomymous login to the FTP server, i.e.,
-This works for all popular FTP servers which are configured for -anonymous access.
- -For a personal login with a specific username, you can embed
-the user name into the URL, like in:
-ftp://username@host/myfile. If the FTP server
-asks for a password when given this username (which it should),
-then Apache will reply with a [401 Authorization required] response,
-which causes the Browser to pop up the username/password dialog.
-Upon entering the password, the connection attempt is retried,
-and if successful, the requested resource is presented.
-The advantage of this procedure is that your browser does not
-display the password in cleartext (which it would if you had used
-ftp://username:password@host/myfile in
-the first place).
If you're using the
An Apache proxy server situated in an intranet needs to forward
-external requests through the company's firewall. However, when it has
-to access resources within the intranet, it can bypass the firewall
-when accessing hosts. The
Users within an intranet tend to omit the local domain name from their
-WWW requests, thus requesting "http://somehost/" instead of
-"http://somehost.my.dom.ain/". Some commercial proxy servers let them get
-away with this and simply serve the request, implying a configured
-local domain. When the
For circumstances where you have a application server which doesn't implement
-keepalives or HTTP/1.1 properly, there are 2 environment variables which when
-set send a HTTP/1.0 with no keepalive. These are set via the
These are the 'force-proxy-request-1.0' and 'proxy-nokeepalive' notes.
- -Apache can be configured in both a forward and + reverse proxy configuration.
+ +A forward proxy is an intermediate system that enables a + browser to connect to a remote network to which it normally does not have + access. A forward proxy can also be used to cache data, reducing load on + the networks between the forward proxy and the remote webserver.
+ +Apache's
A reverse proxy is a webserver system that is capable of + serving webpages sourced from other webservers - in addition to webpages + on disk or generated dynamically by CGI - making these pages look like + they originated at the reverse proxy.
+ +When configured with the mod_cache module the reverse proxy can act as
+ a cache for slower backend webservers. The reverse proxy can also enable
+ advanced URL strategies and management techniques, allowing webpages
+ served using different webserver systems or architectures to coexist
+ inside the same URL space. Reverse proxy systems are also ideal for
+ implementing centralised logging websites with many or diverse website
+ backends. Complex multi-tier webserver systems can be constructed using an
+
The reverse proxy is configured using the
You can control who can access your proxy via the
When configuring a reverse proxy, access control takes on the
+ attributes of the normal server
You probably don't have that particular file type defined as
+ application/octet-stream in your proxy's mime.types
+ configuration file. A useful line can be
application/octet-stream bin dms lha lzh exe class tgz taz+
In the rare situation where you must download a specific file using the
+ FTP ASCII transfer method (while the default transfer is in
+ binary mode), you can override ;type=a to force an
+ ASCII transfer. (FTP Directory listings are always executed in ASCII mode,
+ however.)
An FTP URI is interpreted relative to the home directory of the user
+ who is logging in. Alas, to reach higher directory levels you cannot
+ use /../, as the dots are interpreted by the browser and not actually
+ sent to the FTP server. To address this problem, the so called Squid
+ %2f hack was implemented in the Apache FTP proxy; it is a
+ solution which is also used by other popular proxy servers like the Squid Proxy Cache. By
+ prepending /%2f to the path of your request, you can make
+ such a proxy change the FTP starting directory to / (instead
+ of the home directory). For example, to retrieve the file
+ /etc/motd, you would use the URL:
To log in to an FTP server by username and password, Apache uses + different strategies. In absense of a user name and password in the URL + altogether, Apache sends an anomymous login to the FTP server, + i.e.,
+ +This works for all popular FTP servers which are configured for + anonymous access.
+ +For a personal login with a specific username, you can embed the user + name into the URL, like in:
+ +If the FTP server asks for a password when given this username (which
+ it should), then Apache will reply with a 401 (Authorization
+ required) response, which causes the Browser to pop up the
+ username/password dialog. Upon entering the password, the connection
+ attempt is retried, and if successful, the requested resource is
+ presented. The advantage of this procedure is that your browser does not
+ display the password in cleartext (which it would if you had used
in the first place).
+ +The password which is transmitted in such a way is not encrypted on + its way. It travels between your browser and the Apache proxy server in + a base64-encoded cleartext string, and between the Apache proxy and the + FTP server as plaintext. You should therefore think twice before + accessing your FTP server via HTTP (or before accessing your personal + files via FTP at all!) When using unsecure channels, an eavesdropper + might intercept your password on its way.
+If you're using the
An Apache proxy server situated in an intranet needs to forward
+ external requests through the company's firewall. However, when it has to
+ access resources within the intranet, it can bypass the firewall when
+ accessing hosts. The
Users within an intranet tend to omit the local domain name from their
+ WWW requests, thus requesting "http://somehost/" instead of
+ http://somehost.example.com/. Some commercial proxy servers
+ let them get away with this and simply serve the request, implying a
+ configured local domain. When the
For circumstances where you have a application server which doesn't
+ implement keepalives or HTTP/1.1 properly, there are 2 environment
+ variables which when set send a HTTP/1.0 with no keepalive. These are set
+ via the
These are the force-proxy-request-1.0 and
+ proxy-nokeepalive notes.
Directives placed in
For example, the following will allow only hosts in
-yournetwork.example.com to access content via your
-proxy server:
The following example will process all files in the
-foo directory of example.com through the
-INCLUDES filter when they are sent through the proxy
-server:
Directives placed in
For example, the following will allow only hosts in
+ yournetwork.example.com to access content via your proxy
+ server:
The following example will process all files in the foo
+ directory of example.com through the INCLUDES
+ filter when they are sent through the proxy server:
The
IsErrorIgnoreStartBodyThe
IsErrorIgnoreStartBodyThe
The
When enabled, this option will pass the Host: line from the -incoming request to the proxied host, instead of the hostname -specified in the proxypass line. -
-This option should normally be turned 'off'.
+When enabled, this option will pass the Host: line from the incoming + request to the proxied host, instead of the hostname specified in the + proxypass line.
+ +This option should normally be turned Off. It is mostly
+ useful in special configurations like proxied mass name-based virtual
+ hosting, where the original Host header needs to be evaluated by the
+ backend server.
This allows or prevents Apache from functioning as a forward proxy
-server. (Setting ProxyRequests to 'off' does not disable use of the
-
In a typical reverse proxy configuration, this option should be set to -'off'.
- -Do not enable proxying with
This allows or prevents Apache from functioning as a forward proxy
+ server. (Setting ProxyRequests to Off does not disable use of
+ the
In a typical reverse proxy configuration, this option should be set to
+ Off.
In order to get the functionality of proxying HTTP or FTP sites, you
+ need also
Do not enable proxying with
This defines remote proxies to this proxy. match is either the -name of a URL-scheme that the remote server supports, or a partial URL -for which the remote server should be used, or '*' to indicate the -server should be contacted for all requests. remote-server is a -partial URL for the remote server. Syntax:
- -- remote-server = protocol://hostname[:port] -- -
protocol is the protocol that should be used to communicate -with the remote server; only "http" is supported by this module.
- --Example:
-In the last example, the proxy will forward FTP requests, encapsulated -as yet another HTTP proxy request, to another proxy which can handle -them.
- -This option also supports reverse proxy configuration - a backend -webserver can be embedded within a virtualhost URL space even if that -server is hidden by another forward proxy.
+This defines remote proxies to this proxy. match is either the
+ name of a URL-scheme that the remote server supports, or a partial URL
+ for which the remote server should be used, or * to indicate
+ the server should be contacted for all requests. remote-server is
+ a partial URL for the remote server. Syntax:
scheme is effectively the protocol that should be used to
+ communicate with the remote server; only http is supported by
+ this module.
In the last example, the proxy will forward FTP requests, encapsulated + as yet another HTTP proxy request, to another proxy which can handle + them.
+ +This option also supports reverse proxy configuration - a backend + webserver can be embedded within a virtualhost URL space even if that + server is hidden by another forward proxy.
The
The
This directive allows remote servers to be mapped into the space of -the local server; the local server does not act as a proxy in the -conventional sense, but appears to be a mirror of the remote -server. path is the name of a local virtual path; -url is a partial URL for the remote server and cannot -include a query string.
- -Suppose the local server has address http://wibble.org/;
-then
will cause a local request for the
-<http://wibble.org/mirror/foo/bar> to be
-internally converted into a proxy request to
-<http://foo.com/bar>.
-The ! directive is useful in situations where you don't want to reverse-proxy -a subdirectory. eg.
-will proxy all requests to /mirror/foo to foo.com EXCEPT requests made to /mirror/foo/i
- -When used inside a
If you require a more flexible reverse-proxy configuration, see
-the [P] flag.
This directive allows remote servers to be mapped into the space of + the local server; the local server does not act as a proxy in the + conventional sense, but appears to be a mirror of the remote + server. path is the name of a local virtual path; url + is a partial URL for the remote server and cannot include a query + string.
+ +Suppose the local server has address http://example.com/;
+ then
will cause a local request for
+ http://example.com/mirror/foo/bar to be internally converted
+ into a proxy request to http://backend.example.com/bar.
The ! directive is useful in situations where you don't want
+ to reverse-proxy a subdirectory, e.g.
will proxy all requests to /mirror/foo to
+ backend.example.com except requests made to
+ /mirror/foo/i.
Order is important. you need to put the exclusions before the + general proxypass directive.
+When used inside a
If you require a more flexible reverse-proxy configuration, see the
+ [P] flag.
This directive lets Apache adjust the URL in the Location,
-Content-Location and URI headers on
-HTTP redirect responses. This is essential when Apache is used as
-a reverse proxy to avoid by-passing the reverse proxy because of HTTP
-redirects on the backend servers which stay behind the reverse proxy.
path is the name of a local virtual path.
-url is a partial URL for the remote server - the same way they are
-used for the
-Example:
-Suppose the local server has address http://wibble.org/; then
will not only cause a local request for the
-<http://wibble.org/mirror/foo/bar> to be internally
-converted into a proxy request to <http://foo.com/bar> (the
-functionality ProxyPass provides here). It also takes care of
-redirects the server foo.com sends: when http://foo.com/bar is
-redirected by him to http://foo.com/quux Apache adjusts this to
-http://wibble.org/mirror/foo/quux before forwarding the HTTP
-redirect response to the client. Note that the hostname used for
-constructing the URL is chosen in respect to the setting of the
-
-Note that this RewriteRule ... [P]") from
-
When used inside a
This directive lets Apache adjust the URL in the Location,
+ Content-Location and URI headers on HTTP redirect
+ responses. This is essential when Apache is used as a reverse proxy to avoid
+ by-passing the reverse proxy because of HTTP redirects on the backend
+ servers which stay behind the reverse proxy.
path is the name of a local virtual path. url is a
+ partial URL for the remote server - the same way they are used for the
+
For example, suppose the local server has address
+ http://example.com/; then
will not only cause a local request for the
+ http://example.com/mirror/foo/bar to be internally converted
+ into a proxy request to http://backend.example.com/bar
+ (the functionality ProxyPass provides here). It also takes care
+ of redirects the server backend.example.com sends: when
+ http://backend.example.com/bar is redirected by him to
+ http://backend.example.com/quux Apache adjusts this to
+ http://example.com/mirror/foo/quux before forwarding the HTTP
+ redirect response to the client. Note that the hostname used for
+ constructing the URL is chosen in respect to the setting of the
Note that this RewriteRule ... [P]) from
When used inside a
CONNECT through
-the proxyCONNECT through the
+proxyThe CONNECT method may
-connect. Today's browsers use this method when a https
-connection is requested and proxy tunneling over http is in
-effect.
By default, only the default https port (443) and the
-default snews port (563) are enabled. Use the
-
The CONNECT method may
+ connect. Today's browsers use this method when a https
+ connection is requested and proxy tunneling over HTTP is in effect.
By default, only the default https port (443) and the
+ default snews port (563) are enabled. Use the
+
Note that you'll need to have CONNECT at
+ all.
The
The
'rocky.wotsamattau.edu' would also be matched if referenced by IP -address.
+rocky.wotsamattau.edu would also be matched if referenced by
+ IP address.
Note that 'wotsamattau' would also be sufficient to match -'wotsamattau.edu'.
+Note that wotsamattau would also be sufficient to match
+ wotsamattau.edu.
Note also that
+Note also that
-blocks connections to all sites.
+blocks connections to all sites.
The
The 512 or set
+ to 0 to indicate that the system's default buffer size should
+ be used.
The 8192.
In almost every case there's no reason to change that value.
The
The Max-Forwards header supplied with the request. This is
+ set to prevent infinite proxy loops, or a DoS attack.
This directive is only useful for Apache proxy servers within
-intranets. The
The host arguments to the NoProxy directive are one of the -following type list:
-This directive is only useful for Apache proxy servers within
+ intranets. The
The host arguments to the
.com .apache.org..MyDomain.com and
- .mydomain.com. (note the trailing period) are
- considered equal. Since a domain comparison does not involve a DNS
- lookup, it is much more efficient than subnet comparison.A Domain is a partially qualified DNS domain name, preceded + by a period. It represents a list of hosts which logically belong to the + same DNS domain or zone (i.e., the suffixes of the hostnames are + all ending in Domain).
+ +To distinguish Domains from Hostnames (both syntactically and semantically; a DNS domain can + have a DNS A record, too!), Domains are always written with a + leading period.
+ +Domain name comparisons are done without regard to the case, and
+ Domains are always assumed to be anchored in the root of the
+ DNS tree, therefore two domains .MyDomain.com and
+ .mydomain.com. (note the trailing period) are considered
+ equal. Since a domain comparison does not involve a DNS lookup, it is much
+ more efficient than subnet comparison.
192.168 or 192.168.0.0255.255.0.0)192.168.112.0/21192.168.112.0/21 with a netmask of 21
- valid bits (also used in the form 255.255.248.0)A SubNet is a partially qualified internet address in + numeric (dotted quad) form, optionally followed by a slash and the netmask, + specified as the number of significant bits in the SubNet. It is + used to represent a subnet of hosts which can be reached over a common + network interface. In the absence of the explicit net mask it is assumed + that omitted (or zero valued) trailing digits specify the mask. (In this + case, the netmask can only be multiples of 8 bits wide.) Examples:
+ +192.168 or 192.168.0.0255.255.0.0)192.168.112.0/21192.168.112.0/21 with a netmask of 21
+ valid bits (also used in the form 255.255.248.0)As a degenerate case, a SubNet with 32 valid bits is the + equivalent to an IPAddr, while a SubNet with zero + valid bits (e.g., 0.0.0.0/0) is the same as the constant + _Default_, matching any IP address.
A IPAddr represents a fully qualified internet address in + numeric (dotted quad) form. Usually, this address represents a host, but + there need not necessarily be a DNS domain name connected with the + address.
+An IPAddr does not need to be resolved by the DNS system, so + it can result in more effective apache performance.
+prep.ai.mit.edu
- www.apache.org.WWW.MyDomain.com
- and www.mydomain.com. (note the trailing period) are
- considered equal.A Hostname is a fully qualified DNS domain name which can + be resolved to one or more IPAddrs via the + DNS domain name service. It represents a logical host (in contrast to + Domains, see above) and must be resolvable + to at least one IPAddr (or often to a list + of hosts with different IPAddrs).
+ +In many situations, it is more effective to specify an IPAddr in place of a Hostname since a + DNS lookup can be avoided. Name resolution in Apache can take a remarkable + deal of time when the connection to the name server uses a slow PPP + link.
+Hostname comparisons are done without regard to the case,
+ and Hostnames are always assumed to be anchored in the root
+ of the DNS tree, therefore two hosts WWW.MyDomain.com
+ and www.mydomain.com. (note the trailing period) are
+ considered equal.
This directive allows a user to specifiy a timeout on proxy requests. -This is usefull when you have a slow/buggy appserver which hangs, -and you would rather just return a timeout and fail gracefully instead -of waiting however long it takes the server to return -
+This directive allows a user to specifiy a timeout on proxy requests. + This is useful when you have a slow/buggy appserver which hangs, and you + would rather just return a timeout and fail gracefully instead of waiting + however long it takes the server to return.
This directive is only useful for Apache proxy servers within
-intranets. The
This directive is only useful for Apache proxy servers within
+ intranets. The
Via HTTP response
header for proxied requestsThis directive controls the use of the Via: HTTP
-header by the proxy. Its intended use is to control the flow of of
-proxy requests along a chain of proxy servers. See RFC2068 (HTTP/1.1)
-for an explanation of Via: header lines.
Via: header,
-it is passed through unchanged.Via: header line added for
-the current host.Via: header
-line will additionally have the Apache server version shown as a
-Via: comment field.Via: header lines
-removed. No new Via: header will be generated.This directive controls the use of the Via: HTTP
+ header by the proxy. Its intended use is to control the flow of of
+ proxy requests along a chain of proxy servers. See RFC 2616 (HTTP/1.1), section
+ 14.45 for an explanation of Via: header lines.
Off, which is the default, no special processing
+ is performed. If a request or reply contains a Via: header,
+ it is passed through unchanged.On, each request and reply will get a
+ Via: header line added for the current host.Full, each generated Via: header
+ line will additionally have the Apache server version shown as a
+ Via: comment field.Block, every proxy request will have all its
+ Via: header lines removed. No new Via: header will
+ be generated.Via: header will be generated.
This directive is useful for reverse-proxy setups, where you want to -have a common look and feel on the error pages seen by the end user. -This also allows for included files (via mod_include's SSI) to get -the error code and act accordingly (default behavior would display -the error page of the proxied server, turning this on shows the SSI -Error message).
+This directive is useful for reverse-proxy setups, where you want to + have a common look and feel on the error pages seen by the end user. + This also allows for included files (via mod_include's SSI) to get + the error code and act accordingly (default behavior would display + the error page of the proxied server, turning this on shows the SSI + Error message).
CONNECT through
-the proxyCONNECT through the
+proxy.htaccess-Dateien
erlaubt sind.Via HTTP response
+Via HTTP response
header for proxied requestsCONNECT through
-the proxyCONNECT through the
+proxy.htaccess filesVia HTTP response
+Via HTTP response
header for proxied requestsCONNECT through
-the proxyCONNECT through the
+proxy.htaccess filesVia HTTP response
+Via HTTP response
header for proxied requests