path: root/etc/proxy-apache2.conf
# Paste the following fragment into the <VirtualHost> section intended for
# proxying HTTP(S) requests and caching the responses. See INSTALL-PROXY for
# details.
#
# List of modules used:
#
#   rewrite
#   headers
#   ssl
#   proxy
#   proxy_http
#   cache
#   cache_disk
#

        # Enable the rewrite rules functionality. Configuration loading fails
        # with the error below if mod_rewrite is not loaded.
        #
        <IfModule !rewrite_module>
          Error "rewrite_module is not enabled"
        </IfModule>

        # AllowAnyURI lifts mod_rewrite's check that the request target is a
        # URL-path, so every RewriteRule in this virtual host can be handed an
        # arbitrary client-supplied string. Presumably it is needed here
        # because forward-proxy request targets are absolute URLs rather than
        # URL-paths -- confirm. Keep the rule set in this virtual host small
        # and the patterns anchored.
        #
        RewriteEngine  on
        RewriteOptions AllowAnyURI

        # Make sure that the HTTP header management functionality is enabled.
        # It is needed by the RequestHeader directives in this fragment (the
        # Cache-Control injection and the optional X-Preserve-HTTP removal).
        #
        <IfModule !headers_module>
          Error "headers_module is not enabled"
        </IfModule>

        # Enable the HTTP proxy. Both the core proxy module and its HTTP
        # scheme handler must be loaded.
        #
        <IfModule !proxy_module>
          Error "proxy_module is not enabled"
        </IfModule>

        <IfModule !proxy_http_module>
          Error "proxy_http_module is not enabled"
        </IfModule>

        # ProxyRequests On makes this virtual host a forward proxy: it fetches
        # whatever URL the client names. Unless access is limited (see the
        # <Proxy> example and the rewrite conditions further down), every
        # client that can reach this virtual host can relay requests through
        # it, including requests to hosts that only the proxy machine can
        # reach. Restrict access before exposing it to untrusted networks.
        #
        ProxyRequests On

        # Enable SSL/TLS API usage for querying HTTPS URLs.
        #
        <IfModule !ssl_module>
          Error "ssl_module is not enabled"
        </IfModule>

        # SSLProxyEngine only enables TLS towards the origin servers. mod_ssl's
        # SSLProxyVerify defaults to "none", so unless verification is
        # configured elsewhere (nothing in this fragment does it) the origin
        # certificate chain is not validated and the https conversion below
        # protects only against passive eavesdropping. Consider adding
        # "SSLProxyVerify require" together with SSLProxyCACertificateFile or
        # SSLProxyCACertificatePath pointing at the system CA store.
        #
        SSLProxyEngine on

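        # Optional: prevent unauthorized proxy usage. Leaving this out is only
        # appropriate when the virtual host is reachable solely by trusted
        # clients, since with ProxyRequests on any client that can connect can
        # use the proxy. For example (a partial address such as 10.5 matches
        # the whole 10.5.0.0/16 network):
        #
        # <Proxy *>
        #   Require ip 10.5
        # </Proxy>

        # Accept only the HTTP GET method and respond with the 403 HTTP status
        # code (Forbidden) for other methods.
        #
        # The condition pattern is a regular expression, so it is anchored to
        # match the method name as a whole; without the anchors a method name
        # that merely contains the letters GET would also be accepted.
        #
        RewriteCond %{REQUEST_METHOD} !^GET$
        RewriteRule .* - [F]

        # Optional: restrict the URL set allowed for proxying, for example:
        #
        # RewriteCond %{HTTP_HOST} !^(.+\.)?example\.org$
        # RewriteRule .* - [F]
        #
        # The pattern is anchored and its dots are escaped so that only
        # example.org and its subdomains pass; a host value carrying an
        # explicit port does not match and is rejected.
        #
        # NOTE(review): %{HTTP_HOST} is taken from the Host request header.
        # Confirm on your Apache version that it always agrees with the host
        # in the proxied URL; otherwise match against the URL itself.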

        # Convert the http scheme to https for URLs being proxied. The rule
        # matches the proxy:http://... form of the request and hands the
        # rewritten https URL back to the proxy module ([P]).
        #
        # To prevent the conversion we can exclude certain hosts. Conditions
        # are ANDed by default, which is what "neither of these hosts"
        # requires; joining the negated conditions with [OR] would make the
        # rule apply to every host. The patterns are anchored and the dots
        # escaped so that only the named domains and their subdomains are
        # excluded. For example:
        #
        # RewriteCond %{HTTP_HOST} !^(.+\.)?example\.org$
        # RewriteCond %{HTTP_HOST} !^(.+\.)?example\.net$
        #
        # Or check for a custom header value. Note that this header should not
        # be forwarded to the origin server. Also note that the header is set
        # by the client, so any client allowed to use the proxy can ask for a
        # plain-HTTP fetch this way. For example:
        #
        # RewriteCond %{HTTP:X-Preserve-HTTP} !^(1|on|true)$ [NC]
        # RequestHeader unset X-Preserve-HTTP
        #
        RewriteRule ^proxy:http://(.*)$ "https://$1" [P]

        # Enable the disk storage-based cache. Both the cache framework and
        # its disk storage provider must be loaded.
        #
        <IfModule !cache_module>
          Error "cache_module is not enabled"
        </IfModule>

        <IfModule !cache_disk_module>
          Error "cache_disk_module is not enabled"
        </IfModule>

        # Cache forward-proxied responses for URLs requested with the http://
        # scheme. The cache is shared by all clients of the proxy.
        #
        CacheEnable disk "http://"

        # Specify the cache root directory and make sure it is writable by the
        # user under which Apache2 is running. Keep it writable by that user
        # only: anyone else able to write there could alter what the proxy
        # serves from the cache.
        #
        # Note that if there are no other proxies enabled for the web server,
        # you can probably specify (you still have to specify it) the default
        # cache directory (/var/cache/apache2/mod_cache_disk for Debian/Ubuntu
        # and /var/cache/httpd/proxy for Fedora/RHEL).
        #
        # The directive below has no value in this fragment; append the
        # directory path to it.
        #
        CacheRoot

        # Cache entry maximum size (in bytes); the value below is 100 MB.
        #
        # This caps a single entry only. The total size of the cache directory
        # is not limited by it; mod_cache_disk relies on the separate
        # htcacheclean tool for that, so run it (or otherwise monitor disk
        # usage) to keep clients from filling the disk.
        #
        CacheMaxFileSize 100000000

        # Prevent duplicate caching of responses for the same simultaneously
        # proxied URL. Specify an appropriate per-URL lock timeout (in
        # seconds) to avoid stalled downloads from keeping the entries
        # uncached. The value below is 10 minutes.
        #
        CacheLock       on
        CacheLockMaxAge 600

        # Always validate an existing cache entry by querying the origin
        # server.
        #
        # We do this by injecting the request header which always declares the
        # existing cache entry as potentially stale (ignoring the Expires
        # response header and the Cache-Control header's max-age field) which
        # should also be propagated through all the upstream proxies forcing
        # them to validate the resource freshness. Because the header is
        # injected with "set", it replaces any Cache-Control value sent by the
        # client.
        #
        # Note that this relies on both the proxy and origin servers correctly
        # supporting conditional requests based on entity tags (ETag HTTP
        # response and If-None-Match HTTP request headers) or less accurate
        # entity modification times (Last-Modified HTTP response and
        # If-Modified-Since HTTP request headers), which is normally the case
        # if both are running Apache. A proxy normally caches the ETag and/or
        # Last-Modified response header values alongside the cached entity and
        # adds If-None-Match and/or If-Modified-Since headers respectively to
        # the entity validation request. An origin server normally checks if
        # any of the ETag or Last-Modified headers changed for the entity and
        # responds with its full content, if that's the case, or with the 304
        # HTTP status code (Not Modified) otherwise (see the Apache Caching
        # Guide for details).
        #
        # Also note that to observe the injected header the cache handler
        # should not be configured as a quick handler. With the quick handler
        # off the cache also runs after the access checks configured for this
        # virtual host rather than ahead of them.
        #
        RequestHeader     set Cache-Control max-age=0
        CacheQuickHandler off