Reverse Proxy with ISPConfig3 + Apache2

Discussion in 'Installation/Configuration' started by Paul Webb, Sep 4, 2022.

  1. Paul Webb

    Paul Webb New Member

    First, I apologize. I searched on "reverse proxy" and I can see this topic has been beat to death, but for the life of me I cannot find the answer I'm looking for. So here goes:

    I presently have a setup that looks like this:
    • External Firewall with a Static External IP (38.x.y.z) and Internal IP (192.168.a.a) points to an internal Apache reverse proxy server (192.168.a.b)
    • The Apache Reverse Proxy server points to a number (probably 3-5) of servers internally that run their own software and web servers. In other words, I don't control their content. For instance, one is a Ubiquiti UniFi controller, which runs on its own Tomcat + Java stack. Another points to an ESET Management Server, which runs on its own NGINX + Postgres stack. Then I have a LAMP server or two.
    What I'd like to have is this:
    • External Firewall with a Static External IP (38.x.y.z) and Internal IP (192.168.a.a) points to an internal ISPConfig reverse proxy server (192.168.a.b)
    • For the sites that are LAMP stack based, they can just live on this server, and I can assign them IP addresses internal to the ISPConfig server, creating my own non-routable subnet there. This could be 127.0.0.3-127.0.0.255, or something completely unique like 172.20.15.2-172.20.15.254.
    • For the servers that are not LAMP stack based, a redirect exists that handles both HTTP and HTTPS. So those would redirect to, say, 192.168.a.p, where a.p is a valid internal IP pointing to say the UniFi controller, for instance.
    What I've been having trouble with is the ISPConfig GUI configuration for this second scenario. I can make the LAMP Stack based sites work through the GUI, no problem. But I can't make the ISPConfig server redirect to an internal IP address via apache reverse proxy commands. Under Sites in the ISPConfig interface, I've tried using the Redirect Type=proxy and the Redirect Type=R=301,L settings. I've also checked and unchecked the Rewrite HTTP to HTTPS checkbox. I've also read and followed a Stack Overflow post where the OP suggested just skipping all of this and going to the Options tab and pasting my Apache Directives straight in (that didn't work). I did also, also try using the "Enable Proxy Protocol" checkbox there.

    So, with all that said, I'm fully expecting someone to tell me to RTFM (that I can't find specifically covering this use case) and the answer should be obvious, but well, it's not, at least not to me. Can someone humor me and tell me what I should be doing here? If needed, I can post a sample of my existing Apache Reverse Proxy server configuration that works (but isn't ISPConfig).

    Thank you, in advance!
     
  2. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    Testing redirects and then using 301 is not a good idea, as this is a permanent redirect that will be cached in browsers. So for testing, use 302 (R).

    If I understand correctly, you want to create a site on the ISPConfig server "example.com" which works as a reverse proxy for an internal application - not redirect to a different address.

    Can you share the exact settings you set for that?
     
  3. Paul Webb

    Paul Webb New Member

    Thank you! I will apply this information in future testing!

    Ah, not exactly. Let me use a UniFi controller as an example...

    I have one external IP address, and I need to have multiple sites on it, on ports 80 and 443. 80 just redirects them to 443, but both have to be available.

    To accomplish this, years ago I set up an Apache2 reverse proxy server. It looks at the subdomain.domain being requested and uses the apache reverse proxy engine to pass it to the appropriate internal server.

    If someone asks for example.com, and ISPConfig is acting as the apache reverse proxy server, I would just serve up that website within ISPConfig. It would be a website on the ISPConfig server, so it would just be served, no proxying needed.

    But the UniFi controller... that's a dedicated server with dedicated packages and a dedicated database on it. Let's assume it to be unifi.example.com externally, and 192.168.230.15 internally. I'd like to set up ISPConfig (acting as the reverse proxy server) to transparently proxy this traffic to the UniFi server's internal IP address. That's what I'm having trouble getting to work. I have a working apache2 configuration for this on my existing reverse proxy server, but no matter what I try, I can't get ISPConfig to successfully accept it.

    FYI, and just so you know what's installed on my ISPConfig server, here's my /etc/apache2/mods_enabled directory:
    Code:
    lrwxrwxrwx 1 root root 36 Aug 26 21:02 access_compat.load -> ../mods-available/access_compat.load
    lrwxrwxrwx 1 root root 30 Aug 26 21:12 actions.conf -> ../mods-available/actions.conf
    lrwxrwxrwx 1 root root 30 Aug 26 21:12 actions.load -> ../mods-available/actions.load
    lrwxrwxrwx 1 root root 28 Aug 26 21:02 alias.conf -> ../mods-available/alias.conf
    lrwxrwxrwx 1 root root 28 Aug 26 21:02 alias.load -> ../mods-available/alias.load
    lrwxrwxrwx 1 root root 33 Aug 26 21:02 auth_basic.load -> ../mods-available/auth_basic.load
    lrwxrwxrwx 1 root root 34 Aug 26 21:12 auth_digest.load -> ../mods-available/auth_digest.load
    lrwxrwxrwx 1 root root 33 Aug 26 21:02 authn_core.load -> ../mods-available/authn_core.load
    lrwxrwxrwx 1 root root 33 Aug 26 21:02 authn_file.load -> ../mods-available/authn_file.load
    lrwxrwxrwx 1 root root 33 Aug 26 21:02 authz_core.load -> ../mods-available/authz_core.load
    lrwxrwxrwx 1 root root 33 Aug 26 21:02 authz_host.load -> ../mods-available/authz_host.load
    lrwxrwxrwx 1 root root 33 Aug 26 21:02 authz_user.load -> ../mods-available/authz_user.load
    lrwxrwxrwx 1 root root 32 Aug 26 21:02 autoindex.conf -> ../mods-available/autoindex.conf
    lrwxrwxrwx 1 root root 32 Aug 26 21:02 autoindex.load -> ../mods-available/autoindex.load
    lrwxrwxrwx 1 root root 27 Aug 26 21:12 cgid.conf -> ../mods-available/cgid.conf
    lrwxrwxrwx 1 root root 27 Aug 26 21:12 cgid.load -> ../mods-available/cgid.load
    lrwxrwxrwx 1 root root 29 Aug 26 21:12 dav_fs.conf -> ../mods-available/dav_fs.conf
    lrwxrwxrwx 1 root root 29 Aug 26 21:12 dav_fs.load -> ../mods-available/dav_fs.load
    lrwxrwxrwx 1 root root 26 Aug 26 21:12 dav.load -> ../mods-available/dav.load
    lrwxrwxrwx 1 root root 30 Aug 26 21:02 deflate.conf -> ../mods-available/deflate.conf
    lrwxrwxrwx 1 root root 30 Aug 26 21:02 deflate.load -> ../mods-available/deflate.load
    lrwxrwxrwx 1 root root 26 Aug 26 21:02 dir.conf -> ../mods-available/dir.conf
    lrwxrwxrwx 1 root root 26 Aug 26 21:02 dir.load -> ../mods-available/dir.load
    lrwxrwxrwx 1 root root 26 Aug 26 21:02 env.load -> ../mods-available/env.load
    lrwxrwxrwx 1 root root 28 Aug 26 21:02 fcgid.conf -> ../mods-available/fcgid.conf
    lrwxrwxrwx 1 root root 28 Aug 26 21:02 fcgid.load -> ../mods-available/fcgid.load
    lrwxrwxrwx 1 root root 29 Aug 26 21:02 filter.load -> ../mods-available/filter.load
    lrwxrwxrwx 1 root root 30 Aug 26 21:12 headers.load -> ../mods-available/headers.load
    lrwxrwxrwx 1 root root 28 Aug 26 21:12 http2.conf -> ../mods-available/http2.conf
    lrwxrwxrwx 1 root root 28 Aug 26 21:12 http2.load -> ../mods-available/http2.load
    lrwxrwxrwx 1 root root 30 Aug 26 21:12 include.load -> ../mods-available/include.load
    lrwxrwxrwx 1 root root 27 Aug 26 21:02 mime.conf -> ../mods-available/mime.conf
    lrwxrwxrwx 1 root root 27 Aug 26 21:02 mime.load -> ../mods-available/mime.load
    lrwxrwxrwx 1 root root 32 Aug 26 21:02 mpm_event.conf -> ../mods-available/mpm_event.conf
    lrwxrwxrwx 1 root root 32 Aug 26 21:02 mpm_event.load -> ../mods-available/mpm_event.load
    lrwxrwxrwx 1 root root 34 Aug 26 21:02 negotiation.conf -> ../mods-available/negotiation.conf
    lrwxrwxrwx 1 root root 34 Aug 26 21:02 negotiation.load -> ../mods-available/negotiation.load
    lrwxrwxrwx 1 root root 32 Aug 26 21:02 passenger.conf -> ../mods-available/passenger.conf
    lrwxrwxrwx 1 root root 32 Aug 26 21:02 passenger.load -> ../mods-available/passenger.load
    lrwxrwxrwx 1 root root 28 Aug 26 21:12 proxy.conf -> ../mods-available/proxy.conf
    lrwxrwxrwx 1 root root 33 Aug 26 21:12 proxy_fcgi.load -> ../mods-available/proxy_fcgi.load
    lrwxrwxrwx 1 root root 33 Aug 27 19:36 proxy_http.load -> ../mods-available/proxy_http.load
    lrwxrwxrwx 1 root root 28 Aug 26 21:12 proxy.load -> ../mods-available/proxy.load
    lrwxrwxrwx 1 root root 29 Aug 26 21:02 python.load -> ../mods-available/python.load
    lrwxrwxrwx 1 root root 33 Aug 26 21:02 reqtimeout.conf -> ../mods-available/reqtimeout.conf
    lrwxrwxrwx 1 root root 33 Aug 26 21:02 reqtimeout.load -> ../mods-available/reqtimeout.load
    lrwxrwxrwx 1 root root 30 Aug 26 21:12 rewrite.load -> ../mods-available/rewrite.load
    lrwxrwxrwx 1 root root 31 Aug 26 21:02 setenvif.conf -> ../mods-available/setenvif.conf
    lrwxrwxrwx 1 root root 31 Aug 26 21:02 setenvif.load -> ../mods-available/setenvif.load
    lrwxrwxrwx 1 root root 36 Aug 26 21:12 socache_shmcb.load -> ../mods-available/socache_shmcb.load
    lrwxrwxrwx 1 root root 26 Aug 26 21:12 ssl.conf -> ../mods-available/ssl.conf
    lrwxrwxrwx 1 root root 26 Aug 26 21:12 ssl.load -> ../mods-available/ssl.load
    lrwxrwxrwx 1 root root 29 Aug 26 21:02 status.conf -> ../mods-available/status.conf
    lrwxrwxrwx 1 root root 29 Aug 26 21:02 status.load -> ../mods-available/status.load
    lrwxrwxrwx 1 root root 29 Aug 26 21:12 suexec.load -> ../mods-available/suexec.load
    
    Thanks for all your help!
     
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    For a proxy, it does not matter if the service is on the same server or a different server as long as the server you proxy the traffic to is reachable from your ISPConfig system. All you have to do is add the proxy directives in the Apache Directives field of the website, so basically you can use the ones that you used on your manually configured system. But take care to insert proxy directives only and not a complete vhost.
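
One way to check a directive snippet before pasting it into the site's Apache Directives field, as an added example that is not part of the thread or of ISPConfig: it flags a pasted `<VirtualHost>` wrapper, forward proxying, weakened backend certificate checks, and backend URL schemes whose module is missing from a mods-enabled listing. The snippet, port 8443 and the /wss/ path are constructed assumptions; the function names are hypothetical.

```python
import re

# Apache modules each backend URL scheme needs (names as in mods-enabled).
SCHEME_MODULES = {
    "http": {"proxy", "proxy_http"}, "https": {"proxy", "proxy_http", "ssl"},
    "ws": {"proxy", "proxy_wstunnel"}, "wss": {"proxy", "proxy_wstunnel", "ssl"},
}
# Directive/value pairs that weaken checks on the backend's certificate.
WEAK_TLS = {("sslproxyverify", "none"), ("sslproxycheckpeername", "off"),
            ("sslproxycheckpeercn", "off"), ("sslproxycheckpeerexpire", "off")}

def enabled_modules(listing):
    """Module names from `ls -l` output of mods-enabled (the *.load links)."""
    return set(re.findall(r"(\w+)\.load\s+->", listing))

def lint(snippet, modules):
    """Return findings for a snippet meant for the Apache Directives field."""
    findings = []
    for words in filter(None, map(str.split, snippet.splitlines())):
        name = words[0].lower()
        args = [w.strip("\"'").lower() for w in words[1:]]
        if name.startswith("<virtualhost"):
            findings.append("complete vhost pasted; keep the directives only")
        elif name == "proxyrequests" and args[:1] == ["on"]:
            findings.append("ProxyRequests On enables forward proxying")
        elif args and (name, args[0]) in WEAK_TLS:
            findings.append(f"{words[0]} {args[0]} weakens backend certificate checks")
        elif name in ("proxypass", "proxypassmatch"):
            for arg in args:
                m = re.match(r"(https?|wss?)://", arg)
                missing = SCHEME_MODULES[m.group(1)] - modules if m else set()
                findings += [f"{arg} needs mod_{x}, not enabled" for x in sorted(missing)]
    return findings

# Constructed input: three lines in the format of the listing posted above.
LISTING = """\
lrwxrwxrwx 1 root root 33 Aug 27 19:36 proxy_http.load -> ../mods-available/proxy_http.load
lrwxrwxrwx 1 root root 28 Aug 26 21:12 proxy.load -> ../mods-available/proxy.load
lrwxrwxrwx 1 root root 26 Aug 26 21:12 ssl.load -> ../mods-available/ssl.load
"""
# Constructed snippet; port 8443 and the /wss/ path are assumptions.
SNIPPET = """\
<VirtualHost *:443>
ProxyRequests On
SSLProxyVerify none
ProxyPass / https://192.168.230.15:8443/
ProxyPass /wss/ wss://192.168.230.15:8443/wss/
</VirtualHost>
"""
print("\n".join(lint(SNIPPET, enabled_modules(LISTING))))
```

The mods-enabled listing in the thread contains proxy.load, proxy_http.load and ssl.load but no proxy_wstunnel.load, so a `ws://` or `wss://` ProxyPass target would need that module enabled first.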
     
