How to Set Up a Reverse Proxy with Apache on Debian 12 Bookworm

Learn how to set up a reverse proxy with Apache on Debian 12 Bookworm. This guide covers installation, configuration, and securing your setup with HTTPS.

by İbrahim Korucuoğlu ( @siberoloji) | Sunday, April 06, 2025

Categories:

Linux

5 minute read

As modern web applications become more modular and distributed, reverse proxies have become an essential component of a robust and scalable server infrastructure. A reverse proxy not only improves performance, scalability, and security, but also simplifies load balancing and SSL termination.

This guide walks you through the complete process of setting up Apache as a reverse proxy on Debian 12 Bookworm, ensuring your system is configured securely and efficiently.

📘 What is a Reverse Proxy?

A reverse proxy is a type of proxy server that sits in front of one or more backend servers and forwards client requests to them. Unlike a forward proxy, which handles outbound traffic from internal clients to the internet, a reverse proxy handles inbound traffic from the internet to internal services.

Apache can serve as a reverse proxy using its mod_proxy module, along with related modules like mod_proxy_http, mod_proxy_ftp, and mod_ssl.

🔧 Why Use Apache as a Reverse Proxy?

Apache, while traditionally used as a web server, is highly flexible and capable of proxying HTTP, HTTPS, FTP, and more. Common use cases for using Apache as a reverse proxy include:

Load balancing across multiple application servers.
Serving static content via Apache while passing dynamic content to an app server.
Isolating backend services from direct exposure to the internet.
SSL termination for backend services without native SSL support.
Combining multiple services on different ports or hosts under one domain.

🛠️ Prerequisites

Before setting up the reverse proxy, make sure:

You have a fresh installation of Debian 12 Bookworm.
Apache is installed (apache2 package).
You have root or sudo access.
You have one or more backend services running (e.g., a Node.js app on port 3000).

🖥️ Step 1: Install Apache Web Server

If Apache isn’t installed on your Debian 12 system, run the following command:

sudo apt update
sudo apt install apache2 -y

Once installed, enable and start the Apache service:

sudo systemctl enable apache2
sudo systemctl start apache2

Verify it’s running:

sudo systemctl status apache2

You should see output indicating the service is active (running).

🔌 Step 2: Enable Apache Proxy Modules

Apache uses a modular architecture, and reverse proxy functionality requires enabling several modules. Run the following commands:

sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod proxy_balancer
sudo a2enmod lbmethod_byrequests
sudo a2enmod headers
sudo a2enmod rewrite

Then restart Apache to apply the changes:

sudo systemctl restart apache2

🌐 Step 3: Configure a Virtual Host for the Reverse Proxy

Now, let’s configure Apache to proxy requests to a backend service.

Suppose you have a backend application running on localhost:3000, and you want users to access it via http://yourdomain.com/.

Create a new virtual host configuration file:

sudo nano /etc/apache2/sites-available/reverse-proxy.conf

Paste the following configuration:

<VirtualHost *:80>
    ServerName yourdomain.com

    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / http://localhost:3000/
    ProxyPassReverse / http://localhost:3000/

    ErrorLog ${APACHE_LOG_DIR}/reverse-proxy-error.log
    CustomLog ${APACHE_LOG_DIR}/reverse-proxy-access.log combined
</VirtualHost>

Make sure to replace yourdomain.com with your actual domain name or server IP.

Save and exit (CTRL+O, then CTRL+X).

Enable the new site:

sudo a2ensite reverse-proxy.conf
sudo systemctl reload apache2

Now, requests to http://yourdomain.com will be forwarded to the service on port 3000.

🔒 Step 4: Enable HTTPS with Let’s Encrypt (Optional but Recommended)

Securing your reverse proxy with HTTPS is highly recommended. Let’s use Certbot to get a free SSL certificate from Let’s Encrypt.

Install Certbot and the Apache plugin:

sudo apt install certbot python3-certbot-apache -y

Run Certbot:

sudo certbot --apache

Follow the prompts to select the correct domain and enable HTTPS. Certbot will:

Obtain the certificate.
Update your Apache configuration.
Set up automatic renewal.

To test the auto-renewal process, you can run:

sudo certbot renew --dry-run

🧪 Step 5: Testing the Setup

After configuration, test your reverse proxy:

Make sure your backend application is running on port 3000.
Visit http://yourdomain.com or https://yourdomain.com in a browser.
You should see the content served by the backend application.

Check Apache logs for any issues:

tail -f /var/log/apache2/reverse-proxy-error.log

⚙️ Advanced Configuration Tips

1. Load Balancing Multiple Backends

You can load balance between multiple servers:

<Proxy "balancer://mycluster">
    BalancerMember http://localhost:3000
    BalancerMember http://localhost:3001
</Proxy>

<VirtualHost *:80>
    ServerName yourdomain.com

    ProxyPreserveHost On
    ProxyPass / balancer://mycluster/
    ProxyPassReverse / balancer://mycluster/
</VirtualHost>

This distributes incoming requests between two application servers.

2. Restrict Access to the Backend

It’s best practice to prevent direct access to backend services. If your app runs on localhost, it’s already protected. If it’s on another server, consider firewall rules (via ufw or iptables) to allow only your Apache server to reach it.

3. Add Cache for Static Content

To enhance performance, you can instruct Apache to cache static assets:

<IfModule mod_expires.c>
    ExpiresActive On
    ExpiresByType image/jpg "access plus 1 month"
    ExpiresByType image/jpeg "access plus 1 month"
    ExpiresByType image/png "access plus 1 month"
    ExpiresByType text/css "access plus 1 week"
    ExpiresByType application/javascript "access plus 1 week"
</IfModule>

Enable the module:

sudo a2enmod expires
sudo systemctl restart apache2

4. Set Custom Headers

For security or identification purposes, you might want to set custom headers:

Header always set X-Content-Type-Options "nosniff"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-XSS-Protection "1; mode=block"

These help mitigate common web vulnerabilities.

🔁 Troubleshooting Common Issues

Blank page or 502 errors:
- Ensure your backend app is up and reachable on the expected port.
- Check that Apache has the proxy modules enabled.
SSL not working:
- Confirm that Certbot completed successfully and your virtual host config uses port 443.
Too many redirects:
- Backend apps sometimes force redirects to their own base URLs. You might need to set ProxyPreserveHost On or configure the backend to respect the proxy URL.

✅ Conclusion

Using Apache as a reverse proxy on Debian 12 Bookworm is a powerful way to manage traffic to backend applications. Whether you’re building a scalable microservices infrastructure or just want to secure and simplify your app hosting, Apache provides a solid foundation.

With the steps covered in this guide, you now have:

Installed and configured Apache.
Enabled necessary proxy modules.
Created a reverse proxy configuration.
Secured your proxy with HTTPS.
Learned about load balancing and advanced configurations.

Apache may not be as lightweight as Nginx, but its flexibility and feature set make it a valuable tool in your sysadmin arsenal.

Feedback

Was this page helpful?

Glad to hear it! Please tell us how we can improve.

Sorry to hear that. Please tell us how we can improve.

< How to Configure Apache to Serve a Static Site on Debian 12 Bookworm