A reverse proxy intercepts requests from external clients and forwards them to backend servers, providing an additional layer of security and centralized management. This approach is widely used to hide internal server details and unify endpoints under a single domain.
Apache supports reverse proxy functionality through modules such as mod_proxy and mod_proxy_http. Each request is processed by these modules, ensuring traffic is routed correctly while preserving client-facing URLs.
Proper configuration of Apache as a reverse proxy enhances performance, simplifies network administration, and strengthens security. Thoroughly testing each directive and validating the setup helps maintain a stable and effective environment.
Steps to configure Apache as a reverse proxy server:
- Launch terminal application.
- Enable the mod_proxy and mod_proxy_http modules.
$ sudo a2enmod proxy proxy_http [sudo] password for user: Enabling module proxy. Considering dependency proxy for proxy_http: Module proxy already enabled Enabling module proxy_http. To activate the new configuration, you need to run: systemctl restart apache2
- Distribution with a2enmod support can simply run the command above without having to manually enable the required modules.
- CentOS and Red Hat enables both modules by default so requires no manual action to enable the modules.
Options Debian, Ubuntu openSUSE and SLES Fedora Core, CentOS, RHEL macOS homebrew xampp a2enmod support yes yes no no no no Modules to install none Module name n/a proxy, proxy_http Loadmodule directive n/a LoadModule proxy_module <module_locations>/mod_proxy.so
LoadModule proxy_http_module <module_locations>/mod_proxy_http.so - Create or edit the virtual host configuration file.
$ sudo vi /etc/apache2/sites-available/your-site.conf
- Add the necessary proxy directives to the virtual host file.
<VirtualHost *:80> ProxyRequests Off <Proxy *> Order deny,allow Allow from all </Proxy> ProxyPass "/backend-service-01" "http://backend-service-01.local/" ProxyPassReverse "/backend-service-01" "http:///backend-service-01.local" ProxyPass "/backend-service-02" "http://backend-service-02.local/" ProxyPassReverse "/backend-service-02" "http://backend-service-02.local" </VirtualHost>
Directive/Option Description ProxyRequests Off Disables forward proxy requests. This is important for a reverse proxy setup to ensure that your server doesn't unintentionally act as a forward proxy. <Proxy *> … </Proxy> Defines access control for a proxy. The * means it applies to all proxied content. Order deny,allow Sets the order of processing the Deny and Allow directives. In this case, deny rules are processed before allow rules. Allow from all Allows access from all IP addresses. ProxyPass Maps remote servers into the namespace of the local server. For example, ProxyPass "/backend-service-01" "http://backend-service-01.local/" means that when someone accesses http://your-apache-server/backend-service-01, they are actually accessing http://backend-service-01.local/ behind the scenes. ProxyPassReverse Adjusts the URL in the Location, Content-Location, and URI headers on HTTP redirect responses. This is essential for ensuring that redirects issued by the backend server point to the reverse proxy, not the original server. - Save the changes to the configuration file.
- Restart the Apache service to apply the new settings.
$ sudo systemctl restart apache2 # Ubuntu, Debian, openSUSE and SLES $ sudo systemctl restart httpd # CentOS and Red Hat
- Test access to the backend server directly.
$ curl http://backend-service-01.local I am backend-service-01.local
The request will fail if the backend service is hosted in a private network under a NAT.
This test could also be done by browsing the URL using a web browser.
- Test access through the configured Apache reverse proxy.
$ curl http://proxy-server/backend-service-01 I am backend-service-01.local
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.
Comment anonymously. Login not required.