Using Apache as the Reverse Proxy

This blog is an instance of Ghost running on a Linode. I'm going to assume that you've already got Ghost up and running with Node.js if you are reading this.

The Ghost installation guides are pretty good, but it's easy to just copy & paste their instructions without really understanding what's going on. The guide has instructions to get set up with nginx, but I chose to stick with Apache (for now) because I already use it to serve all of my other websites.

First, what's really going on here? Ghost is a Node.js blogging platform that runs as a process on your machine and functions as an HTTP server. It listens on port 2368 by default, and the sole responsibility of nginx/Apache in this case is to be a reverse proxy at your-domain.com and forward incoming requests to your instance of Ghost at port 2368.

For some clarity, here is the blurb from Apache's documentation about proxies:

An ordinary forward proxy is an intermediate server that sits between the client and the origin server. In order to get content from the origin server, the client sends a request to the proxy naming the origin server as the target and the proxy then requests the content from the origin server and returns it to the client. The client must be specially configured to use the forward proxy to access other sites.

A typical usage of a forward proxy is to provide Internet access to internal clients that are otherwise restricted by a firewall.

A reverse proxy (or gateway), by contrast, appears to the client just like an ordinary web server. No special configuration on the client is necessary. The client makes ordinary requests for content in the name-space of the reverse proxy. The reverse proxy then decides where to send those requests, and returns the content as if it was itself the origin.

A typical usage of a reverse proxy is to provide Internet users access to a server that is behind a firewall. Reverse proxies can also be used to balance load among several back-end servers, or to provide caching for a slower back-end server. In addition, reverse proxies can be used simply to bring several servers into the same URL space.

To use Apache as our reverse proxy, we need to first enable mod_proxy.

$ a2enmod proxy_http

Next, use the ProxyPass and ProxyPassReverse directives in your VirtualHost configurations to forward your-domain.com to the instance of Ghost running on the server. This should be a file for a domain in the sites-available directory at /etc/apache2/

ProxyPass / http://127.0.0.1:2368/
ProxyPassReverse / http://127.0.0.1:2368/

We also want to disable forward proxy functionalities by setting the ProxyRequests directive to Off

ProxyRequests Off

Your file should look something like this now:

<VirtualHost your.ip.address.here:80>
    ServerName yourdomain.com
    ServerAdmin you@your-domain.com
    
    ProxyPass / http://127.0.0.1:2368/
    ProxyPassReverse / http://127.0.0.1:2368/
    ProxyRequests Off
</VirtualHost>

Make sure your site is enabled with a2ensite and then restart Apache - you should be good to go now if you have all of your other parts set up correctly.

Password Protecting Ghost with Apache's Basic Auth

Since Ghost does not yet offer password-protecting posts, I added some simple security over the blog by using Apache's basic authentication. What it's actually doing is just forcing user authentication at the reverse proxy we just set up in the section above and only forwarding traffic if valid credentials are provided.

To create a user and password pair, you will need to create an .htpasswd file and put it somewhere on the filesystem. The password you want to use for a user has to be represented as a base-64 encoded string in the file, and a quick way to get up and running is to use a tool like this to generate the file. You can read more about .htpasswd here.

Now that we have an .htpasswd file, refer to it in the following configs for basic auth and make sure everything is within a Location directive.

<Location />
	AuthType Basic 
	AuthName "IDENTIFY YOURSELF!"
	AuthUserFile path-to-your-htpasswd-file
	Require valid-user 
</Location>

Putting everything together, your VirtualHost should look like this:

<VirtualHost your.ip.address.here:80>
    ServerName yourdomain.com
    ServerAdmin you@your-domain.com
    
    <Location />
		AuthType Basic 
		AuthName "IDENTIFY YOURSELF!"
		AuthUserFile path-to-your-htpasswd-file
		Require valid-user 
	</Location>
    
    ProxyPass / http://127.0.0.1:2368/
    ProxyPassReverse / http://127.0.0.1:2368/
    ProxyRequests Off
</VirtualHost>

You should now have Ghost running through your domain with Apache and some simple security to go along with it!