Apache reverse proxy and dynamically resolving mirrors

This may be obvious to others, but took me quite some time to get my mind around.

I was given the task of making the Debian packages provided by the Jenkins project available to our internal servers, which have no connection to the internet. When running a local mirror is not an option, we sometimes access such external sites via a reverse proxy on one of our servers. This is quite easy with Apache (with the proxy and proxy_http modules enabled):

# disable forward proxy
ProxyRequests Off

# restrict access as needed
<Proxy *>
    Order Deny,Allow
    Deny from all
    Allow from yournetwork.example.com
</Proxy>

#
ProxyPass /jenkins/ http://pkg.jenkins-ci.org/debian/
ProxyPassReverse /jenkins/ http://pkg.jenkins-ci.org/debian/

The problem with the jenkins repository is that they serve the actual packages via a content delivery network, where the URL http://mirrors.jenkins-ci.org/debian/ resolves dynamically to one of their mirror servers.

kheymann@corax:~$ curl http://mirrors.jenkins-ci.org/debian/jenkins_1.500_all.deb
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://dl.aragost.com/jenkins/debian/jenkins_1.500_all.deb">here</a>.</p>
<hr>
<address>Apache/2.2.14 (Ubuntu) Server at mirrors.jenkins-ci.org Port 80</address>
</body></html>
kheymann@corax:~$ curl http://mirrors.jenkins-ci.org/debian/jenkins_1.500_all.deb
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="http://jenkins.mirror.isppower.de/debian/jenkins_1.500_all.deb">here</a>.</p>
<hr>
<address>Apache/2.2.14 (Ubuntu) Server at mirrors.jenkins-ci.org Port 80</address>
</body></html>

Adding reverse proxy statements for all mirror servers is not possible, but gladly this is not nescessary at all. The clue is the ProxyPassReverse statement, which replaces the external site with it’s internal representation in all http traffic passing the the proxy. This allows to choose one specific mirror and make sure only it is used:

ProxyPass /jenkins-bin/ http://ftp-chi.osuosl.org/pub/jenkins/debian/
ProxyPassReverse /jenkins-bin/ http://mirrors.jenkins-ci.org/debian/

As long as the chosen mirror stays available and up to date this works like a charm.

Comments !

social