.. _forward-proxy:

Forward Proxy
*************

.. Licensed to the Apache Software Foundation (ASF) under one
   or more contributor license agreements.  See the NOTICE file
   distributed with this work for additional information
   regarding copyright ownership.  The ASF licenses this file
   to you under the Apache License, Version 2.0 (the
   "License"); you may not use this file except in compliance
   with the License.  You may obtain a copy of the License at

   http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing,
   software distributed under the License is distributed on an
   "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
   KIND, either express or implied.  See the License for the
   specific language governing permissions and limitations
   under the License.

The Apache Traffic Server is a general purpose proxy, configurable as both a
reverse and forward proxy.

A forward proxy can be used as a central tool in your infrastructure to access
the web and it may be combined with a cache to lower your overall bandwidth
usage. Forward proxies act as a gatekeeper between client browsers on your local
network and all (or some, at your configuration's discretion) web sites accessed
by those clients. The forward proxy will receive the HTTP requests, perform any
filtering or request alteration rules you establish, and when appropriate
forward the request on to its destination website. The response will return
through your proxy, where it may optionally be cached and/or modified, and then
returned to the original client.

There are two modes in which your forward proxy may operate:

Forward Proxy
    Each client must be configured explicitly to use the forward proxy. Client
    browsers will be aware of the fact they are using a proxy and will form
    their HTTP requests appropriately. This results in the initial HTTP command
    being issued with fully qualified URIs that contain the destination
    hostname::

        GET http://example.com/index.php?id=123 HTTP/1.1

Transparent Proxy
    The use of a transparent proxy is typically done in concert with network
    routing rules which redirect all outbound HTTP traffic through your proxy.
    Clients will behave, and form their HTTP requests, as if they are contacting
    the remote site directly, and will not be aware of the existence of a proxy
    server in between themselves and the remote servers. HTTP requests will be
    generated per their usual form, with only paths in the command and a
    separate Host request header::

        GET /index?id=123 HTTP/1.1
        Host: example.com

Apache Traffic Server may be configured to operate as both a forward and a
transparent proxy simultaneously.

Proxy Configuration
===================

Configuring basic forward proxy operation in Traffic Server is quite simple and
straightforward.

1. Permit Traffic Server to process requests for hosts not explicitly configured
   in the remap rules, by modifying
   :ts:cv:`proxy.config.url_remap.remap_required` in :file:`records.config`::

        CONFIG proxy.config.url_remap.remap_required INT 0

2. *Optional*: If Traffic Server will be operating strictly as a forward proxy,
   you will want to disable reverse proxy support by modifying
   :ts:cv:`proxy.config.reverse_proxy.enabled` in :file:`records.config`::

        CONFIG proxy.config.reverse_proxy.enabled INT 0

You may also want to consider some of these configuration options:

- Setting :ts:cv:`proxy.config.http.no_dns_just_forward_to_parent` determines
  which host will be used for DNS resolution.

- Proxy Authentication can be enabled or disabled with
  :ts:cv:`proxy.config.http.forward.proxy_auth_to_parent` should you also be
  employing a proxy cache.

- The client request header X-Forwarded-For may be toggled with
  :ts:cv:`proxy.config.http.insert_squid_x_forwarded_for`.

- The client request header Forwarded may be configured with
  :ts:cv:`proxy.config.http.insert_forwarded`.

Client Configuration
====================

If you are operating your proxy in transparent mode, your clients should require
no special proxy-related configuration.

If you are operating in explicit forward proxy mode, without automatic routing
rules on your network to direct all outbound traffic through the proxy, your
client browsers will need to be directed to the proxy. This may be accomplished
in two different ways.

Clients may be configured to use the default ``8080`` port on your Traffic
Server host as a proxy. This will result in all requests from that client
browser being issued through the single forward proxy as configured.

Security Considerations
=======================

It's important to note that once your Apache Traffic Server is configured as a
forward proxy it will indiscriminately accept proxy requests from anyone. If it
is reachable from the Internet, then you have configured an *Open Proxy*. This
is generally not desirable, as it will permit anyone to potentially use your
network as the source of traffic to sites of their choosing. To avoid this,
you'll have to make sure your proxy server is either only reachable from within
your private network or is secured by firewall rules that permit only those you
wish to have access to the proxy.
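
The following is an added example, not part of the Traffic Server documentation or code base: a log check that uses the request forms described above to find explicit proxy requests arriving from outside your own networks, which is what use of an open proxy looks like. The log format, the ``INTERNAL_NETS`` ranges and the function names are assumptions made for the example, and the handling of ``CONNECT`` goes beyond the two request forms shown on this page.

```python
import ipaddress
import re

# Assumption: the networks whose clients may use the forward proxy.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Constructed sample lines in a hypothetical format: <client ip> "<request line>" <status>
SAMPLE_LOG = """\
10.1.2.3 "GET http://example.com/index.php?id=123 HTTP/1.1" 200
10.1.2.4 "GET /index?id=123 HTTP/1.1" 200
203.0.113.50 "GET http://example.org/ HTTP/1.1" 200
203.0.113.50 "CONNECT example.net:443 HTTP/1.1" 200
198.51.100.7 "GET http://example.org/ HTTP/1.1" 403
198.51.100.9 "GET /status HTTP/1.1" 200
not a log line
"""

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+) HTTP/\d\.\d" (\d{3})$')
SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.-]*://")


def request_form(method, target):
    """Classify a request target by the form the client used."""
    if method.upper() == "CONNECT":
        return "authority"   # host:port, a tunnel request made to a proxy
    if SCHEME_RE.match(target):
        return "absolute"    # fully qualified URI: explicit forward proxy
    if target.startswith("/") or target == "*":
        return "origin"      # path only; destination is in the Host header
    return "unknown"


def find_external_proxy_requests(log_text):
    """Return (client, form, target, status) for proxy-form requests from outside."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # skip lines that do not parse
        ip, method, target, status = m.groups()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue                      # first field was not an IP address
        external = not any(addr in net for net in INTERNAL_NETS)
        form = request_form(method, target)
        if external and form in ("absolute", "authority"):
            # Status is kept for triage; it may come from the proxy or the site.
            findings.append((ip, form, target, status))
    return findings
```

The check flags only explicit proxy request forms; an origin-form request carries its destination in the ``Host`` header, which this constructed log format does not record.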