Apache Proxy Configuration

Overview

Apache's proxy functionality lets the server act as an intermediary that forwards client requests to other servers. This article covers the configuration of the Apache proxy modules, including forward proxying, reverse proxying, and load balancing.

1. Proxy Module Basics

1.1 Enabling Proxy Modules

# Enable the core proxy module
sudo a2enmod proxy

# Enable the HTTP proxy module
sudo a2enmod proxy_http

# Enable the CONNECT module (tunnels HTTPS through a forward proxy)
sudo a2enmod proxy_connect

# Enable the FTP proxy module
sudo a2enmod proxy_ftp

# Enable the AJP proxy module (for Tomcat)
sudo a2enmod proxy_ajp

# Restart Apache
sudo systemctl restart apache2

1.2 Basic Proxy Configuration

# Global proxy settings (ProxyRequests On makes the server a forward proxy)
ProxyRequests On
ProxyVia On

# Proxy access control
<Proxy *>
    Require ip 192.168.1.0/24
</Proxy>

# Or, stricter access control
<Proxy *>
    <RequireAll>
        Require ip 192.168.1.0/24
        Require not ip 192.168.1.100
    </RequireAll>
</Proxy>

2. Forward Proxy Configuration

2.1 Basic Forward Proxy

# Enable forward proxying
ProxyRequests On
ProxyVia On

# Forward proxy access control
<Proxy *>
    # Allow only specific client addresses to use the proxy
    Require ip 192.168.1.0/24

    # Or require user authentication
    # AuthType Basic
    # AuthName "Proxy Authentication"
    # AuthUserFile /etc/apache2/.htpasswd
    # Require valid-user
</Proxy>

# Proxy timeout in seconds
ProxyTimeout 300

# Recycle each child process after it has handled 100 connections (MPM directive)
MaxConnectionsPerChild 100

2.2 Secure Forward Proxy

# Secure forward proxy configuration
<VirtualHost *:8080>
    ServerName proxy.example.com

    # Enable forward proxying
    ProxyRequests On
    ProxyVia On

    # Access control
    <Proxy *>
        # Require user authentication (Basic credentials are only Base64-encoded,
        # so expose this listener on a trusted network only)
        AuthType Basic
        AuthName "Secure Proxy"
        AuthUserFile /etc/apache2/.proxy_users
        Require valid-user

        # Block requests for a specific domain
        <If "%{REQUEST_URI} =~ /blocked-domain\.com/">
            Require all denied
        </If>
    </Proxy>

    # Logging
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %V" proxy_combined
    CustomLog /var/log/apache2/proxy_access.log proxy_combined
    ErrorLog /var/log/apache2/proxy_error.log

    # Security headers
    Header always set X-Content-Type-Options nosniff
    Header always set X-Frame-Options DENY
</VirtualHost>

3. Reverse Proxy Configuration

3.1 Basic Reverse Proxy

# Disable forward proxying (security measure)
ProxyRequests Off

# Basic reverse proxy configuration
ProxyPass /app/ http://backend-server:8080/app/
ProxyPassReverse /app/ http://backend-server:8080/app/

# Or use a Location block
<Location "/app/">
    ProxyPass http://backend-server:8080/app/
    ProxyPassReverse http://backend-server:8080/app/
</Location>

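3.2 Advanced Reverse Proxy Configuration

# Advanced reverse proxy configuration
<VirtualHost *:80>
    ServerName www.example.com

    # Disable forward proxying
    ProxyRequests Off

    # Pass the client's Host header through to the backends
    ProxyPreserveHost On

    # Serve the maintenance page locally instead of proxying it
    ProxyPass /maintenance.html !

    # Route to several backend services (most specific paths first)
    ProxyPass /api/ http://api-server:8000/
    ProxyPassReverse /api/ http://api-server:8000/

    ProxyPass /admin/ http://admin-server:9000/
    ProxyPassReverse /admin/ http://admin-server:9000/

    # Default backend
    ProxyPass / http://web-server:8080/
    ProxyPassReverse / http://web-server:8080/

    # Proxy timeout in seconds
    ProxyTimeout 300

    # Rewrite the Domain attribute of cookies set by the default backend
    ProxyPassReverseCookieDomain web-server www.example.com

    # Error handling
    ErrorDocument 503 /maintenance.html
</VirtualHost>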

4. Proxy Header Handling

4.1 Setting Proxy Headers

# Set proxy request headers
<VirtualHost *:80>
    ServerName www.example.com

    ProxyRequests Off
    ProxyPreserveHost On

    # Backend mapping
    ProxyPass / http://backend-server:8080/
    ProxyPassReverse / http://backend-server:8080/

    # Add client information headers
    <Location "/">
        RequestHeader set X-Forwarded-Proto "http"
        RequestHeader set X-Forwarded-Port "80"
        RequestHeader set X-Real-IP "expr=%{REMOTE_ADDR}"
        # mod_proxy appends the client address to X-Forwarded-For itself;
        # drop any client-supplied value first so it cannot be spoofed
        RequestHeader unset X-Forwarded-For
    </Location>
</VirtualHost>

4.2 Handling Backend Response Headers

# Handle backend response headers
<VirtualHost *:80>
    ServerName www.example.com

    ProxyRequests Off

    ProxyPass / http://backend-server:8080/
    ProxyPassReverse / http://backend-server:8080/

    # Rewrite response headers
    Header edit Location ^http://backend-server:8080/ http://www.example.com/

    # Remove headers that disclose backend details
    Header unset Server
    Header unset X-Powered-By

    # Add security headers
    Header always set X-Frame-Options DENY
    Header always set X-Content-Type-Options nosniff
</VirtualHost>

5. Proxy Cache Configuration

5.1 Enabling Proxy Cache

# Load the cache modules
LoadModule cache_module modules/mod_cache.so
LoadModule cache_disk_module modules/mod_cache_disk.so

# Cache configuration
CacheRoot /var/cache/apache2/proxy
CacheEnable disk /
CacheDirLevels 2
CacheDirLength 1
CacheDefaultExpire 3600
CacheMaxExpire 86400
CacheLastModifiedFactor 0.1

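5.2 Advanced Cache Configuration

# Advanced cache configuration
<VirtualHost *:80>
    ServerName www.example.com

    ProxyRequests Off

    # Cache settings
    CacheRoot /var/cache/apache2/proxy
    CacheEnable disk /
    CacheDirLevels 2
    CacheDirLength 1
    CacheDefaultExpire 3600
    CacheMaxExpire 86400
    CacheLastModifiedFactor 0.1

    # The quick handler serves cache hits before authentication and
    # authorization run, so do not cache access-controlled content with it on
    CacheQuickHandler on

    # Cache lock against request stampedes (valid only at server or virtual host level)
    CacheLock on
    CacheLockPath /tmp/mod_cache-lock
    CacheLockMaxAge 5

    # Report cache status in a response header for static content
    <Location "/static/">
        CacheHeader on
    </Location>

    # Do not cache dynamic content
    CacheDisable /api/

    ProxyPass / http://backend-server:8080/
    ProxyPassReverse / http://backend-server:8080/
</VirtualHost>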

6. Proxy Load Balancing

6.1 Basic Load Balancing Configuration

# Load the load balancing modules
LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so

# Balancer definition
<Proxy "balancer://mycluster">
    BalancerMember http://backend1:8080
    BalancerMember http://backend2:8080
    BalancerMember http://backend3:8080

    # Load balancing method
    ProxySet lbmethod=byrequests

    # Session stickiness (takes effect only when each BalancerMember has a route=)
    ProxySet stickysession=JSESSIONID|jsessionid
</Proxy>

ProxyPass /app/ balancer://mycluster/
ProxyPassReverse /app/ balancer://mycluster/

6.2 Advanced Load Balancing Configuration

# Advanced load balancing configuration
<Proxy "balancer://advancedcluster">
    # Weighted backends; retry=60 waits 60 seconds before retrying a failed member
    BalancerMember http://backend1:8080 route=web1 loadfactor=3 retry=60
    BalancerMember http://backend2:8080 route=web2 loadfactor=2 retry=60
    BalancerMember http://backend3:8080 route=web3 loadfactor=1 retry=60

    # Load balancing method (requires mod_lbmethod_bytraffic)
    ProxySet lbmethod=bytraffic

    # Session stickiness
    ProxySet stickysession=JSESSIONID|jsessionid

    # Failover settings
    ProxySet failonstatus=503
    ProxySet timeout=30
</Proxy>

<VirtualHost *:80>
    ServerName www.example.com

    ProxyRequests Off
    ProxyPreserveHost On

    ProxyPass /app/ balancer://advancedcluster/
    ProxyPassReverse /app/ balancer://advancedcluster/

    # Balancer manager interface (it can change balancer settings, so keep it restricted)
    <Location "/balancer-manager">
        SetHandler balancer-manager
        Require ip 192.168.1.0/24
    </Location>
</VirtualHost>

7. Proxy Security Configuration

7.1 Proxy Access Control

# Proxy access control
<Proxy *>
    # IP-based access control
    <RequireAll>
        Require ip 192.168.1.0/24
        Require not ip 192.168.1.100
    </RequireAll>
</Proxy>

# Access control for a specific path (<Proxy> matches backend URLs, so a
# request path is protected with <Location>)
<Location "/admin/">
    AuthType Basic
    AuthName "Admin Proxy"
    AuthUserFile /etc/apache2/.proxy_admin
    Require valid-user
</Location>

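7.2 Preventing Proxy Abuse

# Prevent proxy abuse
<VirtualHost *:80>
    ServerName proxy.example.com

    # Disable forward proxying
    ProxyRequests Off

    # Deny every proxy target by default
    <Proxy *>
        Require all denied
    </Proxy>

    # Then allow only the intended backend
    <Proxy "http://internal-app:8080/*">
        Require all granted
    </Proxy>

    # The only reverse proxy path that is exposed
    ProxyPass /app/ http://internal-app:8080/
    ProxyPassReverse /app/ http://internal-app:8080/

    # Bandwidth limiting
    <IfModule mod_ratelimit.c>
        # Limit responses to 100 KiB/s per connection
        SetOutputFilter RATE_LIMIT
        SetEnv rate-limit 100
    </IfModule>
</VirtualHost>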
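
An added example (not part of the original article): a small audit that reads Apache configuration text and reports every scope that sets ProxyRequests On without a <Proxy *> section restricting who may use it, which is the open-proxy condition this section guards against. The function name and the sample configuration are constructed; the check assumes a single file with no Include resolution and lets virtual hosts inherit only a restriction from the global <Proxy *>.

```python
import re

# Constructed sample configuration (not from the article).
SAMPLE_CONF = """
<VirtualHost *:8080>
    ProxyRequests On
    <Proxy *>
        Require valid-user
    </Proxy>
</VirtualHost>
<VirtualHost *:3128>
    ProxyRequests On
    <Proxy "*">
        Require all granted
    </Proxy>
</VirtualHost>
<VirtualHost *:8000>
    ProxyRequests On
</VirtualHost>
"""

def audit_forward_proxy(conf):
    """Return (scope, problem) pairs for forward proxies left open to any client."""
    scopes, scope, in_star = {}, "global", False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        st = scopes.setdefault(scope, {"on": False, "restricted": False, "open": False})
        if m := re.match(r"<VirtualHost\s+(.+?)>", line, re.I):
            scope = m.group(1)
        elif re.match(r"</VirtualHost>", line, re.I):
            scope = "global"
        elif re.match(r"<Proxy\s+\"?\*\"?\s*>", line, re.I):
            in_star = True
        elif re.match(r"</Proxy>", line, re.I):
            in_star = False
        elif re.match(r"ProxyRequests\s+On\b", line, re.I):
            st["on"] = True
        elif in_star and re.match(r"Require\s", line, re.I):
            granted = re.match(r"Require\s+all\s+granted\b", line, re.I)
            st["open" if granted else "restricted"] = True
    # Assumption: a restriction in the global <Proxy *> also covers the vhosts.
    inherited = scopes.get("global", {}).get("restricted", False)
    findings = []
    for name, st in scopes.items():
        if st["on"] and (st["open"] or not (st["restricted"] or inherited)):
            findings.append((name, "open to everyone" if st["open"] else "no Require in <Proxy *>"))
    return findings
```

Running it over the output of `apachectl -t -D DUMP_INCLUDES`-listed files one at a time keeps the single-file assumption honest; any finding should be confirmed against the merged configuration.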

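8. Proxy Monitoring and Logging

8.1 Proxy Log Configuration

# Proxy log format; the last two fields are the balancer worker that served
# the request and the time taken to serve it, in microseconds
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %V %p %R %{BALANCER_WORKER_NAME}e %D" proxy_combined

ErrorLog /var/log/apache2/proxy_error.log

# Conditional logging: log proxied requests but skip health-check probes
SetEnvIf Request_URI "^/health" dontlog
CustomLog /var/log/apache2/proxy_access.log proxy_combined env=!dontlog

8.2 Proxy Monitoring Script

#!/bin/bash
# proxy-monitor.sh
# Expects the proxy_combined format from section 8.1: the last two fields of
# each line are the balancer worker name and the request time in microseconds.

monitor_proxy() {
    local access_log="/var/log/apache2/proxy_access.log"
    local error_log="/var/log/apache2/proxy_error.log"
    local prev_hour this_hour

    echo "=== Proxy Monitoring ==="

    # Count proxy requests in the previous and current clock hour
    # (prefix match, because dd/Mon/yyyy timestamps do not sort as strings)
    prev_hour="$(LC_ALL=C date -d '1 hour ago' '+%d/%b/%Y:%H')"
    this_hour="$(LC_ALL=C date '+%d/%b/%Y:%H')"
    echo "1. Proxy requests since the start of the previous hour:"
    awk -v a="[$prev_hour" -v b="[$this_hour" 'index($4, a) == 1 || index($4, b) == 1' "$access_log" | wc -l

    # Show recent proxy errors
    echo
    echo "2. Proxy errors (last 50 lines):"
    tail -50 "$error_log" | grep -i "proxy\|error" | head -10

    # Show request times (%D, microseconds)
    echo
    echo "3. Response times in microseconds (last 10 requests):"
    tail -10 "$access_log" | awk '{print $NF}' | grep -E '^[0-9]+$'

    # Count requests per balancer worker
    echo
    echo "4. Top backend servers:"
    awk '$(NF-1) != "-" {print $(NF-1)}' "$access_log" | sort | uniq -c | sort -nr | head -5

    echo
    echo "Proxy monitoring completed!"
}

monitor_proxy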
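
An added example (not part of the original article): a log review for the forward proxy from section 2.2 that picks out forward-proxy requests (absolute-URI target or CONNECT) and separates those served to clients outside the allowed network from those the proxy refused. It assumes the leading fields of the proxy_combined format and the 192.168.1.0/24 allow-list used in the article; the function name and the sample log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the proxy_combined layout (%h %l %u %t "%r" %>s ...).
SAMPLE_LOG = """\
192.168.1.20 - alice [29/Aug/2025:15:00:01 +0800] "GET http://example.org/ HTTP/1.1" 200 1256 "-" "curl/8.5.0" proxy.example.com
192.168.1.20 - alice [29/Aug/2025:15:00:05 +0800] "CONNECT example.net:443 HTTP/1.1" 200 0 "-" "curl/8.5.0" proxy.example.com
203.0.113.7 - - [29/Aug/2025:15:01:02 +0800] "GET http://example.org/ HTTP/1.1" 200 1256 "-" "-" proxy.example.com
203.0.113.7 - - [29/Aug/2025:15:01:03 +0800] "CONNECT example.net:25 HTTP/1.1" 403 199 "-" "-" proxy.example.com
198.51.100.9 - - [29/Aug/2025:15:03:44 +0800] "GET http://example.org/x HTTP/1.0" 407 381 "-" "-" proxy.example.com
192.168.1.30 - - [29/Aug/2025:15:04:00 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0" proxy.example.com
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')
ABSOLUTE = re.compile(r"[a-z][a-z0-9+.-]*://", re.I)

def review_proxy_log(log_text, allowed="192.168.1.0/24"):
    """Classify forward-proxy requests (absolute-URI target or CONNECT).

    Returns (served_outside, refused): Counters keyed by client address.
    served_outside counts 2xx/3xx answers to clients outside `allowed`;
    refused counts 403/407 answers, whatever the client address.
    """
    net = ipaddress.ip_network(allowed)
    served_outside, refused = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, method, target, status = m.groups()
        if method != "CONNECT" and not ABSOLUTE.match(target):
            continue  # origin-form request: not a forward-proxy request
        try:
            inside = ipaddress.ip_address(client) in net
        except ValueError:  # %h may be a hostname when HostnameLookups is on
            inside = False
        if status in ("403", "407"):
            refused[client] += 1
        elif status[0] in "23" and not inside:
            served_outside[client] += 1
    return served_outside, refused
```

On a virtual host with ProxyRequests Off, a 2xx answer to an absolute-URI request usually means Apache served its own local content rather than relaying, so compare the response size with the local page before treating such a line as evidence of an open proxy.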

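Summary

After working through this article, you should be able to:

  1. Enable the Apache proxy modules and apply a basic configuration
  2. Configure forward and reverse proxies
  3. Handle proxy request and response headers
  4. Configure and manage the proxy cache
  5. Implement proxy load balancing
  6. Apply proxy security settings and access control
  7. Monitor the proxy and analyze its logs

Apache's proxy functionality is an important building block of modern web architectures; a correctly configured proxy improves security, performance, and scalability. The next article covers advanced Apache reverse proxy configuration in detail.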

© 2025 编外计划 | Last modified: 2025-08-29 15:40:15
