What is the use of ProxyPassReverse Directive
If the server actually handling a request does a redirect to a different URL on that server, the ProxyPassReverse
directive rewrites the URL in terms of the reverse proxy server. For example, as noted in the Apache documentation, if:
http://reverseproxy.com/mirror/foo/bar
is sent (reverse proxied) to
http://backend.example.com/bar
for handling, but at the backend server it is determined that the correct URL should have been quux
, i.e. that the request must be redirected to
http://backend.example.com/quux
the ProxyPassReverse
directive rewrites the URL (at the reverse proxy) to
http://reverseproxy.com/mirror/foo/quux
before forwarding the HTTP redirect response to the client. This way the client only knows about the reverse proxy server, but can nonetheless make the required request to the correct URL of http://reverseproxy.com/mirror/foo/quux
which will then be reverse proxied to the backend server and handled as normal. In short, it just allows the reverse proxy to return correct URI headers on HTTP redirect responses.
From the Apache 2.4 Reverse proxy guide:
To ensure that and Location: headers generated from the backend are modified to point to the reverse proxy, instead of back to itself, the ProxyPassReverse directive is most often required:
ProxyPass "/" "http://www.example.com/"
ProxyPassReverse "/" "http://www.example.com/"
If you have a Client and 2 servers, Proxy and Origin, where Origin does the actual work (generating response) and Proxy just proxies request to Origin, a good server architecture is when
- Origin does not know about Proxy
- and every request goes through Proxy.
If Origin does not know about Proxy it might happen that Origin returns the Client a HTTP Redirect (HTTP 301 or 302) through Proxy, which points directly to itself, Origin. And that is a problem because the browser will directly contact Origin in the next round, leaving out Proxy from then on for every request and this would violate point 2.
As the HTTP redirect responses go back from the Proxy to the Client, the Proxy can/should modify those Redirects so that the Location header is forced to point to Proxy. This way a standalone application running on Origin, unaware of the Proxy, can generate any redirect URL as long as the Proxy is well configured and this way Proxy ensures that all requests obey the two points above and Origin won't accidentally circumvent this path and no modification is necessary to code running on Origin.
This, however cannot solve the problem when Origin deliberately wants to circumvent Proxy as redirects can be generated in HTML code which Apache cannot detect.