Apache Reverse Proxy Configuration Example | Video duration: 7 min 59 s · Language: EN

Quick hands-on guide to configuring Apache as a reverse proxy with ProxyPass, ProxyPassReverse, a virtual host and basic security tips.

Quick overview

Think of Apache as a polite bouncer that forwards requests to your backend apps and keeps the drama out of public view. This guide shows how to enable the right modules, set up virtual hosts and proxy rules, and add a few security tweaks so you do not accidentally open your server to the entire internet.

Enable the required modules

On Debian derivatives the a2enmod helper will save you typing. The key modules are mod_proxy, mod_proxy_http and mod_proxy_balancer; the balancer also needs at least one load-balancing method module such as mod_lbmethod_byrequests. You may also want mod_headers and mod_rewrite for header work and redirects.

sudo a2enmod proxy proxy_http proxy_balancer lbmethod_byrequests headers rewrite
sudo systemctl restart apache2

Simple virtual host with a backend pool

Here is a minimal but realistic example that uses ProxyPass, ProxyPassReverse and a balancer. It preserves the Host header so backend apps see the original domain.

<VirtualHost *:80>
  ServerName example.com

  ProxyPreserveHost On

  # Public path mapped to a balancer pool
  ProxyPass "/app/" "balancer://appcluster/"
  ProxyPassReverse "/app/" "balancer://appcluster/"

  <Proxy 'balancer://appcluster/'>
    BalancerMember 'http://10.0.0.10:8080'
    BalancerMember 'http://10.0.0.11:8080'
    # Optional stickiness or load methods go here if needed
  </Proxy>

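  # Pass client info to the backend
  RequestHeader set X-Forwarded-Proto 'http'
  # mod_proxy_http adds X-Forwarded-For with the client address itself, so drop
  # any client-supplied value rather than setting the header here
  RequestHeader unset X-Forwarded-For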

  ErrorLog '/var/log/apache2/proxy-error.log'
  CustomLog '/var/log/apache2/proxy-access.log' combined
</VirtualHost>

Make it secure and not embarrassing

Reverse proxies can accidentally become open proxies if mapping is too permissive. Protect internal paths and admin interfaces and limit what gets proxied.

  • Deny access to raw server info and predictable internal paths
  • Add headers so backend apps know the client and protocol
  • Limit HTTP methods on proxied endpoints to what your app actually needs
  • Consider Basic or stronger authentication for admin or status endpoints

Example restrictions

# Block common internal endpoints from being proxied
<LocationMatch "^/(?:server-status|server-info|\.git)">
  Require all denied
</LocationMatch>

# Allow only safe methods on proxied paths
<Location "/app/">
  <LimitExcept GET POST HEAD>
    Require all denied
  </LimitExcept>
</Location>

TLS and backend transport

Terminate TLS at the proxy for public traffic and keep backend connections on the private network. If backend servers require encryption, use https in the BalancerMember URL and verify certificates where appropriate.

Testing and restart

Reload gracefully and then poke the proxy with curl or a browser. Inspect headers and backend logs to confirm the Host and X-Forwarded-* headers reached the app.

sudo systemctl reload apache2

# Quick checks
curl -v -H 'Host: example.com' 'http://proxy-host/app/'
curl -I 'http://proxy-host/app/'

Extra tips that sound like common sense but are worth stating

  • Keep ProxyPass rules explicit and simple. Wildcards and overlapping rules are how open proxies are born.
  • Use ProxyPreserveHost when backend apps rely on the original Host header.
  • Monitor logs and enable access controls for admin endpoints.
  • When in doubt test with curl and check backend logs before you tell stakeholders everything is fine.
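
One way to check a configuration for the permissive mappings the tips above warn about, as an added example that is not part of the original guide: it flags ProxyRequests On, a ProxyPass rule shadowed by an earlier shorter prefix, and a ProxyPassMatch target whose host comes from a regex capture. The sample config, the function names and the choice of these three checks are assumptions made for illustration.

```python
import re
import shlex

# Constructed sample config (not from the page) with three deliberate mistakes.
SAMPLE = r'''
<VirtualHost *:80>
  ServerName example.com
  ProxyRequests On
  ProxyPass "/app/" "balancer://appcluster/"
  ProxyPass "/app/admin/" "http://10.0.0.20:8080/"
  ProxyPassReverse "/app/" "balancer://appcluster/"
  ProxyPassMatch "^/fetch/([^/]+)/(.*)$" "http://$1/$2"
</VirtualHost>
'''

def directives(text):
    """Yield (line_no, name, args) per directive; comments and <Section> tags are skipped."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line and not line.startswith(("#", "<")):
            name, *args = shlex.split(line)
            yield no, name.lower(), args

def audit(text):
    """Return [(line_no, finding)] for proxy mappings that are too permissive."""
    findings, seen = [], []  # seen: (line_no, path) of earlier ProxyPass rules
    for no, name, args in directives(text):
        if name == "proxyrequests" and args[:1] and args[0].lower() == "on":
            findings.append((no, "ProxyRequests On enables forward proxying"))
        elif name == "proxypass" and len(args) >= 2:
            # Rules are checked in config order and the first match wins, so a
            # shorter prefix listed earlier shadows a longer one below it.
            hit = next(((n, p) for n, p in seen if args[0].startswith(p)), None)
            if hit:
                findings.append((no, f"{args[0]} is shadowed by {hit[1]} (line {hit[0]})"))
            seen.append((no, args[0]))
        elif name == "proxypassmatch" and len(args) >= 2:
            # A regex capture in the scheme://host part lets the request pick the backend.
            host = re.match(r"[a-z]+://([^/]*)", args[1], re.I)
            if host and "$" in host.group(1):
                findings.append((no, "backend host is taken from the request URL"))
    return findings

if __name__ == "__main__":
    for no, msg in audit(SAMPLE):
        print(f"line {no}: {msg}")
```

Listing the longer "/app/admin/" rule before "/app/" and fixing the backend host in every target clears all three findings.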

Follow these steps and you will have a reliable Apache reverse proxy using mod_proxy, with clear ProxyPass and ProxyPassReverse mappings, a sensible balancer configuration, and a few security fences so your server behaves like a responsible gatekeeper.
