Access RouterOS v6.0 WebUI behind Apache Reverse Proxy

inadm · May 29, 2013, 9:14am

Hi,

this is not directly RouterOS related, but maybe someone already implemented something like this.

What’s the plan ?

I’d like to give some people Read Access to the Web Management UI of some RouterOS v6.0 devices.

Due to some networking restrictions, i cannot give them direct access to the Webinterface, so i thought i use an existing Apache Webserver, and configure it as Reverse Proxy, which forwards the traffic then to the RouterOS boxes.

[Client] <---> [Apache Reverse Proxy] <---> [Multiple RouterOS Webinterface(s)]

What did i configure ?

On the Apache, i ensured the proxy modules were enabled and as a first and simple test, i added the follwing configuration to the referring httpd configuration (SSL will be done when this one works):

# RouterOS - Proxied WebUI Access Test
ProxyPass       /fw-int1/  http://10.10.10.1/
<Location /fw-int1/>
        ProxyPassReverse /
</Location>

So when i access now my Webserver on http://172.16.4.35/fw-int1/ i got the RouterOS Web Login Mask presented from my Apache.

What’s the (my) Problem ?

As soon as i try to login, the webserver wants to access http://172.16.4.35/webfig/ [instead of something like http://172.16.4.35/fw-int1/webfig/ ] which of course does not exist. So it seems the RouterOS Webinterface doe snot just use relative paths, but uses absolute web path instead.

I guess this could be fixed with some proxy rewrite rules ?

But before i have a detailed look at this, i wonder if anyone already implemented something like this ?
As i don’t see a reason to invent the wheel again

Regards
Lewis

DanFoster · March 11, 2014, 12:31pm

Resurrecting an old thread, I’m finding exactly the same, does anyone have any idea on how to get this working?

mirino74 · November 1, 2016, 3:38pm

Hi,

I had a similar problem, it was finally solved using third-level domains for individual RouterOS devices (both 5.x and 6.x) and proxying to “/” . Relevant code from httpd.conf for two devices is shown below. In this example, port 83 has been set in RouterOS to configure devices via the web interface. It is fully functional in my case… The solution was found here: https://www.aik.ftumj.ac.id/Khaos.txt/etc/apache2/reserve.conf

Regards
Mirek

<VirtualHost *>
    ProxyRequests off
    SSLProxyEngine on
    ProxyPreserveHost On 
    ServerName mk1.mydomain.com
    <Location />
        ProxyPass http://192.168.0.10:83/
        ProxyPassReverse http://192.168.0.10:83/
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>

<VirtualHost *>
    ProxyRequests off
    SSLProxyEngine on
    ProxyPreserveHost On 
    ServerName mk2.mydomain.com
    <Location />
        ProxyPass http://192.168.0.20:83/
        ProxyPassReverse http://192.168.0.20:83/
        Order allow,deny
        Allow from all
    </Location>
</VirtualHost>