[users@httpd] Forward Proxy, RewriteRules and connection keep-alive

Thu, 07 Dec 2017 03:28:50 -0800 

​​
Hello,

I am using Apache 2.4.10 as a Forward Proxy for local clients running
on the same machine. Apache listens on a dedicated port and local
clients can connect to it using plain HTTP. The Forward Proxy then
checks if the URL the client requests is an allowed one (whitelisted).
If it is then Apache rewrites the URL from http to https and issues
the request to the actual backend.
If the URL/hostname is not allowed then Apache responds to the client
with a 404.

My configuration (for two sample hosts) generally looks as follows:

    <VirtualHost 127.0.0.1:8888>
        # Enable Forward Proxy on port 8888 and enable SSL
        ProxyRequests On
        ProxyVia On
        AllowCONNECT 8888
        SSLProxyEngine On

        <Proxy "*">
            Order deny,allow
            Deny from all
            Allow from 127.0.0.1
        </Proxy>

        # Now do the rewrite magic
        RewriteEngine On

        RewriteCond %{HTTPS} !=on
        RewriteOptions AllowAnyURI
        RewriteCond "%{HTTP_HOST}" "www.first-host.com" [OR]
        RewriteCond "%{HTTP_HOST}" "www.another-host.net"
        RewriteRule ^(proxy:http://)(.*)$ https://$2 [P,L]

        # Prevent everything else
        RewriteRule ^(.*)$ - [R=404,L]
    </VirtualHost>

This generally works fine but the problem I have is that
Apache establishes a new connection (incl. TLS) for each request
to a backend. This also happens if the local client keeps the
connection to the Forward Proxy. While this is generally a
normal behaviour for a Forward Proxy it is not performing very
well if clients do a lot of requests with small responses.

I would like to have Apache to keep the connection to the actual
backend alive for a certain amount of time (defined by the timeout
settings) but I am not exactly sure how to achieve that.

My understanding is that the mentioned behaviour is basically due
to the fact that I use RewriteRule with [P] flag and how this is
implemented in mod_proxy/mod_proxy_http concerning workers, i.e. the
default worker is terminating the connection and there are no
dedicated workers for each of the hosts.

Is it possible to define the required behaviour using "ProxySet"
or by any other means for the above uses hosts?
If so: How would such configuration look like?

Additional note: I believe that ProxyPass cannot/should not be used
for Forward Proxies, i.e. when "ProxyRequests on" is defined.
ProxyPass would create such dedicated workers however I am not
using a Reverse Proxy here.

Regards
Markus Gausling

Reply via email to