Friday, January 18, 2008

How to create a forward proxy for a development environment with Apache 2.2

Web developers often need to have their hosts file tricked into pointing at the development intranet, simulating a connection to the production site: they need to test their changes against something that looks like the real production site before deploying them into the real world.

In some cases you can waste a lot of time configuring your hosts file, especially when some genius thought it would be fun to change the server name dynamically for each published page, something like article-1-blah-blah.domain.tld, article-2-yes-or-no.domain.tld, and so on...
And when a lot of developers work on the same project, every developer ends up with his own hosts file and his own modifications, and you waste even more time trying to get out of that sort of situation.

I would like to share the experience I had these days, when I needed to solve this problem and tried two different solutions.

I configured a BIND 9 DNS server for the development staff, but within a few days I discovered that this approach has some drawbacks. First of all (as with the hosts file), when you modify the network configuration every application is affected, so you can't have one application connected to production and another connected to the development environment. Secondly, not everybody can change their network configuration (here I mean the DNS settings), because of network security policy.

A better solution is a forward proxy configured in the development intranet that forwards requests for a defined group of domains internally and leaves the browser free to interact transparently with the rest of the world. Only the browser's proxy setting changes, so the other applications on the same workstation keep talking to production.

In the following I'll show you how to configure this kind of proxy in an easy and fast way. You need Apache 2.2 (an older version may work too, but you'll need to make some adjustments).

On Ubuntu the installation is quite easy:

$ sudo apt-get install apache2 apache2.2-common

then enable the proxy modules (proxy_http handles plain HTTP requests, proxy_connect the CONNECT method that browsers use for HTTPS through a proxy):

$ sudo a2enmod proxy
$ sudo a2enmod proxy_connect
$ sudo a2enmod proxy_http

Then you probably want the proxy listening on a dedicated port, such as 8888, rather than on 80.
So add a new line to /etc/apache2/ports.conf:

Listen 8888

Now you can create a new virtual host, listening on 8888, that acts as a forward proxy. Keep in mind that ProxyRequests On makes Apache relay requests for anybody who can reach that port: the <Proxy *> block below, which limits the allowed client networks, is not optional, and port 8888 should not be reachable from outside the intranet, otherwise you are running an open proxy.
So create /etc/apache2/sites-available/myproxy

and put the following lines inside:

<VirtualHost *:8888>
ServerAdmin webmaster@localhost

ErrorLog /var/log/apache2/myproxy_error.log

# Possible values include: debug, info, notice, warn, error, crit,
# alert, emerg.
LogLevel debug

CustomLog /var/log/apache2/myproxy_access.log combined
ServerSignature On

# ProxyRequests On turns this vhost into a forward proxy: the <Proxy *>
# block below MUST restrict who can use it, or it becomes an open proxy.
ProxyRequests On
ProxyVia On
# Keep the production Host header, so name-based virtual hosts on the
# dev servers still match the production names.
ProxyPreserveHost On

<Proxy *>
Order deny,allow
Deny from all
Allow from 10.172.0.0/255.255.0.0
Allow from 172.16.0.0/255.255.0.0
Allow from 127.0.0.1
</Proxy>

# Only allow CONNECT tunnels to 443, so the proxy cannot be used to reach
# arbitrary TCP ports (SMTP, SSH, ...) from the intranet.
AllowCONNECT 443

# Filters: requests for these production URLs are relayed to the dev hosts,
# everything else goes to the real origin. ProxyRemote takes a URL prefix
# (the trailing slash matters: without it blog.productiondomain.tld.other
# would match too), ProxyRemoteMatch a regular expression, so the dots in
# the host names are escaped.
ProxyRemote http://blog.productiondomain.tld/ http://dev-1.develp-domain.tld
ProxyRemote http://news.productiondomain.tld/ http://dev-2.develp-domain.tld
ProxyRemoteMatch http://(.*)\.forum\.(.*)\.productiondomain\.tld/ http://dev-3.develp-domain.tld
ProxyRemoteMatch http://(.*)\.customercare\.productiondomain\.tld/ http://dev-4.develp-domain.tld

# all the productiondomain.tld rest...
# ProxyRemoteMatch http://(.*)\.productiondomain\.tld/ http://devlx1-new.bko.vtin.net

</VirtualHost>

Enable the new site with a2ensite myproxy, reload Apache, and point the developers' browsers (proxy setting, HTTP and HTTPS) at port 8888 of the proxy host. Nothing else on the workstation changes, which is exactly what the hosts file and the DNS approaches could not give you.
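To check a ruleset like the one above without reloading Apache, here is an added example (my own code, not part of the original post or of Apache) that re-implements in Python the three decisions mod_proxy takes for a request arriving on port 8888: whether the client is inside the <Proxy *> allow-list, whether a CONNECT target port is permitted by AllowCONNECT, and which ProxyRemote/ProxyRemoteMatch entry, if any, the request is relayed through. The networks and host names are the ones from the configuration; the requests at the bottom are constructed, and the matching is an approximation of Apache's (case-insensitive URL prefix for ProxyRemote, unanchored regular expression for ProxyRemoteMatch, first match in configuration order wins).

```python
"""Offline check of the forward-proxy rules above (added example, not part of
the original post or of Apache itself).  It re-implements the three decisions
mod_proxy makes for a request reaching the port 8888 vhost: <Proxy *> access
control, AllowCONNECT, and ProxyRemote/ProxyRemoteMatch selection."""
import ipaddress
import re

# <Proxy *> block: Order deny,allow / Deny from all / Allow from ...
ALLOW_FROM = [
    ipaddress.ip_network("10.172.0.0/255.255.0.0"),
    ipaddress.ip_network("172.16.0.0/255.255.0.0"),
    ipaddress.ip_network("127.0.0.1/32"),
]

# AllowCONNECT 443: the only port a CONNECT tunnel may be opened to
ALLOW_CONNECT = {443}

# ProxyRemote / ProxyRemoteMatch entries in configuration order.  Apache walks
# them in that order and uses the first one matching the request URL:
# "prefix" is a case-insensitive URL prefix, "regex" an unanchored pattern.
RULES = [
    ("prefix", "http://blog.productiondomain.tld/", "http://dev-1.develp-domain.tld"),
    ("prefix", "http://news.productiondomain.tld/", "http://dev-2.develp-domain.tld"),
    ("regex", r"http://(.*)\.forum\.(.*)\.productiondomain\.tld/", "http://dev-3.develp-domain.tld"),
    ("regex", r"http://(.*)\.customercare\.productiondomain\.tld/", "http://dev-4.develp-domain.tld"),
]


def client_allowed(client_ip):
    """True if the client address falls inside one of the Allow from ranges."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in ALLOW_FROM)


def choose_remote(url):
    """Return the remote proxy the URL is relayed through, or None for a direct fetch."""
    for kind, match, remote in RULES:
        if kind == "prefix" and url.lower().startswith(match.lower()):
            return remote
        if kind == "regex" and re.search(match, url):
            return remote
    return None


def decide(client_ip, method, target):
    """Return (status, detail) for one request, mimicking the proxy's reaction.

    `target` is the absolute URL for ordinary methods and host:port for CONNECT.
    """
    if not client_allowed(client_ip):
        return 403, "client denied by <Proxy *> allow-list"
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        if not port.isdigit():
            return 400, "CONNECT target must be host:port"
        if int(port) not in ALLOW_CONNECT:
            return 403, "port %s not in AllowCONNECT" % port
        return 200, "tunnel to %s:%s" % (host, port)
    remote = choose_remote(target)
    if remote is None:
        return 200, "fetched directly from the origin"
    return 200, "relayed through " + remote


if __name__ == "__main__":
    # Constructed requests: intranet developers, an outsider, a mail-relay attempt
    for args in [
        ("10.172.5.9", "GET", "http://blog.productiondomain.tld/index.html"),
        ("172.16.3.4", "GET", "http://it.forum.sports.productiondomain.tld/thread/1"),
        ("10.172.5.9", "GET", "http://www.example.org/"),
        ("192.0.2.7", "GET", "http://blog.productiondomain.tld/"),
        ("127.0.0.1", "CONNECT", "mail.example.org:25"),
    ]:
        print(args, "->", decide(*args))
```

The last two constructed requests are the ones worth keeping an eye on in the real access log: a client outside the allowed ranges must get a 403, and a CONNECT to port 25 must be refused, otherwise the proxy is relaying mail for whoever found it.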

Sunday, January 13, 2008

How to share HTTP and HTTPS port between Zimbra and Apache 2.2

After installing Zimbra you may have a problem if you need to share HTTP (port 80) and/or HTTPS (port 443) between Zimbra and Apache.
To do this, move Zimbra's HTTP/HTTPS ports to new values (8080/8443). Remember to run the commands as the zimbra user:
$ zmprov ms zimbra.mydom.com zimbraMailPort 8080
$ zmprov ms zimbra.mydom.com zimbraMailSSLPort 8443
See zmtlsctl to choose which protocol mode you want to enable (http, https, mixed or both). Then restart Zimbra:
$ zmcontrol stop
$ zmcontrol start

Now check that the ports have really changed:

$ netstat -ltnp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 8802/slapd
tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN 9310/amavisd (maste
tcp 0 0 127.0.0.1:10025 0.0.0.0:* LISTEN 9358/master
tcp 0 0 127.0.0.1:7306 0.0.0.0:* LISTEN 9101/mysqld
tcp 0 0 127.0.0.1:7307 0.0.0.0:* LISTEN 9036/mysqld
tcp 0 0 0.0.0.0:465 0.0.0.0:* LISTEN 9358/master
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 9358/master
tcp 0 0 0.0.0.0:993 0.0.0.0:* LISTEN 9249/java
tcp 0 0 0.0.0.0:995 0.0.0.0:* LISTEN 9249/java
tcp 0 0 0.0.0.0:7780 0.0.0.0:* LISTEN 9285/httpd
tcp 0 0 0.0.0.0:110 0.0.0.0:* LISTEN 9249/java
tcp 0 0 0.0.0.0:143 0.0.0.0:* LISTEN 9249/java
tcp 0 0 0.0.0.0:7025 0.0.0.0:* LISTEN 9249/java
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 6040/sshd
tcp 0 0 0.0.0.0:7035 0.0.0.0:* LISTEN 9249/java
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 9249/java
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 9249/java
tcp 0 0 0.0.0.0:7071 0.0.0.0:* LISTEN 9249/java
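As an added example (not from the original post or from Zimbra), the following Python script automates that check: it parses netstat -ltnp output, verifies that the Zimbra web ports moved to 8080/8443 and that 80 and 443 are free for Apache, and flags backend ports bound on all interfaces (0.0.0.0), which can still be reached directly and so bypass the reverse proxy you are about to set up. The embedded sample is a trimmed copy of the listing above; run it against a fresh `netstat -ltnp` instead to check a real host.

```python
"""Check a `netstat -ltnp` listing after the Zimbra port change (added
example, not part of the original post or of Zimbra).  Parses the listing,
confirms the Zimbra web ports moved, confirms 80/443 are free for Apache and
reports backend ports exposed on every interface."""
import re

# Trimmed copy of the listing shown above (program names truncated as netstat prints them)
SAMPLE = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 8802/slapd
tcp 0 0 127.0.0.1:10024 0.0.0.0:* LISTEN 9310/amavisd (maste
tcp 0 0 127.0.0.1:7306 0.0.0.0:* LISTEN 9101/mysqld
tcp 0 0 0.0.0.0:25 0.0.0.0:* LISTEN 9358/master
tcp 0 0 0.0.0.0:7780 0.0.0.0:* LISTEN 9285/httpd
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN 6040/sshd
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 9249/java
tcp 0 0 0.0.0.0:8443 0.0.0.0:* LISTEN 9249/java
tcp 0 0 0.0.0.0:7071 0.0.0.0:* LISTEN 9249/java
"""

# One listening TCP socket per line: proto, local address, port, pid (or "-"), program
LINE = re.compile(r"^(tcp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\d+|-)/?(.*)$")


def parse_netstat(text):
    """Return a list of dicts, one per listening TCP socket; other lines are skipped."""
    sockets = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue  # headers, UDP rows, non-LISTEN rows
        proto, addr, port, pid, prog = m.groups()
        sockets.append({"proto": proto, "addr": addr, "port": int(port),
                        "pid": pid, "prog": prog.strip()})
    return sockets


def listeners(sockets, port):
    """All sockets bound to the given port (there may be one per address family)."""
    return [s for s in sockets if s["port"] == port]


def check_zimbra_ports(sockets, web=8080, ssl=8443, apache=(80, 443)):
    """Return findings: are the Zimbra ports bound by java, are the Apache ports
    free, and which Zimbra ports listen on every interface (directly reachable)."""
    findings = {"zimbra_ok": True, "apache_free": True, "exposed": []}
    for port in (web, ssl):
        owners = listeners(sockets, port)
        if not any(s["prog"].startswith("java") for s in owners):
            findings["zimbra_ok"] = False  # zmprov change not applied or not restarted
        for s in owners:
            if s["addr"] in ("0.0.0.0", "::", "*"):
                findings["exposed"].append(port)  # firewall it, or clients bypass Apache
    for port in apache:
        if listeners(sockets, port):
            findings["apache_free"] = False  # something still holds 80/443
    return findings


if __name__ == "__main__":
    socks = parse_netstat(SAMPLE)
    for s in socks:
        print("%-5s %-22s %s" % (s["proto"], "%s:%d" % (s["addr"], s["port"]), s["prog"]))
    print(check_zimbra_ports(socks))
```

For the listing above the result is that 8080 and 8443 are bound by java and 80/443 are free, but both backend ports are in the "exposed" list: Zimbra answers on every interface, so the reverse proxy only adds value if the firewall allows 8080/8443 from the Apache host alone.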

Now you can configure Apache to reach Zimbra through a reverse proxy. Note in the listing above that Zimbra still binds 8080 and 8443 on every interface (0.0.0.0): anyone who can reach those ports talks to Zimbra directly, bypassing Apache, so block them on the firewall for everything but the proxy host. First create a new file ssl-zimbra-reverse-proxy in /etc/apache2/sites-available for the new virtual host:

<VirtualHost *:443>
ServerName webmail.zimbra.tld
ServerAlias webmail.zimbra.tld

# Needed because the backend (Zimbra on 8443) is itself HTTPS
SSLProxyEngine On

ErrorLog /var/log/apache2/webmail.zimbra.tld-error_log
CustomLog /var/log/apache2/webmail.zimbra.tld-access_log combined

SSLEngine on
SSLCertificateFile /etc/apache2/ssl/apache.pem
# "all" alone would also enable SSLv2, which is broken; leave it out
SSLProtocol all -SSLv2

# Reverse proxy only: never accept forward-proxy requests on this vhost
ProxyRequests Off

<Proxy *>
Order deny,allow
Allow from all
</Proxy>

ProxyPreserveHost On
ProxyPass / https://webmail.zimbra.tld:8443/
ProxyPassReverse / https://webmail.zimbra.tld:8443/
</VirtualHost>

Now enable the proxy modules and the site (mod_ssl must be enabled too, with a2enmod ssl, or the SSL* directives will be rejected), then reload Apache:

$ sudo a2enmod proxy
$ sudo a2enmod proxy_http
$ sudo a2ensite ssl-zimbra-reverse-proxy
This should be enough :-). Anyway, if you find this error in the log

[...] client denied by server configuration: proxy:https://192.168.100.2:8443/


be sure the virtual host contains a <Proxy *> block that allows the clients, as follows:

<Proxy *>
Order deny,allow
Allow from all
</Proxy>

...or if you find this error in the log

[...] [warn] proxy: No protocol handler was valid for the URL /. If you are using a DSO version of mod_proxy, make sure the proxy submodules are included in the configuration using LoadModule.

you probably forgot to enable proxy_http:
$ sudo a2enmod proxy_http