Using Apache as proxy in port-forwarding role (inward to misbehaving NATted devices)

Cameron Simpson cs at
Tue Jun 17 03:37:36 UTC 2008

On 16Jun2008 18:23, Philip Prindeville <philipp_subx at> wrote:
> I have a machine with a couple of NIC's that is both my firewall and  
> HTTP server.  It's running FC8.
> It has Apache installed on it.
> Behind the firewall, are various devices and servers.  All of the  
> devices on my LAN are NATted using an unroutable address.

Look at Apache's reverse proxy setup (in the rewrite rules - you rewrite
to the internal URL of the target device and use the [P] flag).
It does help if the internal device doesn't embed absolute URLs in its
web page output (which it may not, even if it looks like it

This is easy to set up and works well for a lot of this stuff.
Having used both, I am of the opinion that it is easier to arrange
than squids reverse proxy ("accelerator") mode.

If the internal devices are embedding absolute URLs in their HREF links
you may need to run, additionally, a squid on your _local_ box, that
intercepts outbound URLs with the bad links and rewrites them (using the
http_redirect plugin), and then use that squid as your proxy.

Finally, an even cleaner way (for outside your LAN, provided you're not
on a AN with the same numbering scheme) is to:
  bind the unroutable addresses to your "lo" interface
  ssh tunnel from your local box to the firewall (or past it),
    and forward ports bound _locally_ to the internal address port pairs
    to the matching remote address/port pairs
Then browsing will work directly, without proxies or apaches.

Cameron Simpson <cs at> DoD#743

It's like a roller-coaster ride where you can't throw up.
       Radio commentator on a certain basketball team's current season

More information about the users mailing list