/
Reverse Proxy on Apache

Information Classification: External Restricted.
See https://www.chili-publish.com/security

Reverse Proxy on Apache

Jul 24, 2022

CHILI does not officially support setting up a proxy both in support and in functionality. There are some security reasons a solution might consider a proxy. However, it strongly suggested to avoid this method unless 100% necessary.

As your Apache is redirecting the requests, it should be able to resolve the domain (DNS lookup) for the CHILI server internally.

You can set up a Reverse Proxy on Apache by modifying the httpd-vhost.conf file that is used by your application.

The below configuration shows a possible VirtualHost configuration for the application http://www.yourapplication.com.
It contains a configured Reverse Proxy Setting for a CHILI Server that is accessible via the domain http://www.yourchilipublisher.com.

We assume that the CHILI Publisher web application is accessible via http://www.yourchilipublisher.com/CHILI/.

This setup will allow you to load the CHILI publisher web application on http://www.yourapplication.com/CHILI/ while the traffic is actually being redirected to http://www.yourchilipublisher.com/CHILI/.

httpd-vhosts.conf for http
<VirtualHost *:80>
        ServerAdmin webmaster@yourapplication.com
        ServerName www.yourapplication.com
        
		DocumentRoot /var/www/yourapplication
        <Directory /var/www/yourapplication>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>

        ProxyRequests Off
        
		<Proxy *>
                Order allow,deny
                Allow from all
        </Proxy>

        ProxyPass               /CHILI/ http://www.yourchilipublisher.com/CHILI/
        ProxyPassReverse        /CHILI/ http://www.yourchilipublisher.com/CHILI/
        
		ProxyPreserveHost       On
</VirtualHost>


ProxyRequests Off  allows or prevents Apache httpd from functioning as a forward proxy server.
In a typical reverse proxy or gateway configuration, this option should be set to  Off .

The Proxy Directive (<Proxy/>) enables forwarding of (standard) proxy requests.

ProxyPass and ProxyPassReverse redirects the requests, directed to a certain subfolder of your application, to get the information from the CHILI Server.

The ProxyPass directive allows remote servers to be mapped into the space of the local server.
The local server does not act as a proxy in the conventional sense but appears to be a mirror of the remote server.

The ProxyPassReverse directive lets Apache httpd adjust the URL in the  Location Content-Location  and  URI  headers on HTTP redirect responses.
This is essential when Apache httpd is used as a reverse proxy (or gateway) to avoid bypassing the reverse proxy because of HTTP redirects on the backend servers which stay behind the reverse proxy.

When ProxyPreserveHost is enabled, it will pass the Host line from the incoming request to the proxied host, instead of the hostname specified in the  ProxyPass  line.

Required Apache Modules

Make sure that you have the mod_proxy and mod_proxy_http Apache modules are installed for this setup.


HTTPS

When using HTTPS, the httpd-vhost.conf configuration for your VirtualHost will look slightly different than it would for HTTP

httpd-vhosts.conf for https
<VirtualHost *:443>
		ServerAdmin webmaster@yourapplication.com
        ServerName www.yourapplication.com
		
		DocumentRoot /var/www/yourapplication
		<Directory /var/www/yourapplication>
                Options Indexes FollowSymLinks MultiViews
                AllowOverride All
                Order allow,deny
                allow from all
        </Directory>

        SSLEngine 				on
        SSLProxyEngine 			on
		SSLCertificateFile 		/path/to/yourapplication.crt
		SSLCertificateKeyFile 	/path/to/yourapplication.key
        
		ProxyRequests Off
        
		<Proxy *>
	        Order allow,deny
            Allow from all
        </Proxy>
        
		ProxyPass               /CHILI/ https://www.yourchilipublisher.com/CHILI/
        ProxyPassReverse        /CHILI/ https://www.yourchilipublisher.com/CHILI/
        
		# ProxyPreserveHost cannot work when using SSL - the hostname will not match the certificate
		ProxyPreserveHost       Off
</VirtualHost>

Required Apache Modules

Apart from the mod_proxy and mod_proxy_http Apache modules (see above), you also need the deflate, headers, proxy_connect, proxy_http and the ssl Apache modules to be installed


CHILI publish Online (SaaS)

When working with SaaS the above vhost files will cause issues because in the above examples the server is setup with an alias of CHILI, but not CHILI publish Online, there is no alias. What you need to do instead is proxy from your subdirectory to the top directory of your CHILI publish Online URL.

Here is an example where we proxy to path editor

<VirtualHost *:443>
  ServerName example.com
  ServerAlias www.example.com
  DocumentRoot "C:\Php"
  <Directory "C:\Php">
    Options +Indexes +Includes +FollowSymLinks +MultiViews
    AllowOverride All
    Require all granted
	
  </Directory>
  
  	SSLCertificateFile "C:\wamp64\bin\apache\apache2.4.39\bin\privateCertificate.crt"
	SSLCertificateKeyFile "C:\wamp64\bin\apache\apache2.4.39\bin\privateFree.key"
	SSLEngine on
	SSLProxyEngine on

    ProxyPass /editor/ https://myenvironment.chili-publish.online/
    ProxyPassReverse /editor/ https://myenvironment.chili-publish.online/
</VirtualHost>


So, now if I want to get to CHILI BackOffice, I would now go to: https://www.example.com/editor/myenvironment/interface.aspx


All information on this page must be treated as External Restricted, or more strict. https://www.chili-publish.com/security