is ProxyPass good practice

ebeg asked:

I wonder if mod_proxy is a good practice because i have an apache http server which delvier my application ressources html/css/jss and for specific url I use ProxyPass to external IP.
By example url like: a.example.com/index.html load ressources from c:/htdocs/a/index.html etc…

But for all url ending with /api I have ProxyPass configuration by example for a.example/api/ I have
ProxyPass /api http://external-server-ip.com:8802/api connectiontimeout=10 timeout=2400

All this works, but I doubt if this is good practice? because actually it seems all my REST /api/... requests go through apache then apache send them to http://external-server-ip.com:8802/api then this external server send response to apache then apache respond to me ? This seems heavy and bad no ?

Is this common behavior: keep same domain name + load ressource from same http-server but for all REST request send+fetch proxypass to external ip depending on "subdomain"

My answer:


It’s proper separation of concerns and generally best practice to run a normal web server in front of your app servers.

Your app server is generally written to serve a specific business purpose, and adding unnecessary things to it is usually considered a waste of time and money unless there is a compelling reason why a web server can’t be used. (This is rare but it does happen, which is why most languages/web frameworks have middleware for things like TLS.)

The web server itself is much more full featured and can do a variety of things that you would otherwise have to add to your app server, or which the web server can simply do better, such as IP-based access control, WAF, serving static assets, caching, basic load balancing, and many more.

What is unusual is proxy passing to an app server that isn’t under your control. You didn’t explain why you are doing this, but if you are loading things over the Internet or some other untrusted network, you really should be using HTTPS. This is one situation in which the app server really needs to include TLS middleware, but if it isn’t under your control you will have to get the owners of the app server to implement that.


View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.