This guide is for HTTPS, however it works exactly the same for HTTP.

This is a short and sweet guide, however its something that needs to be documented as it is extremely fiddly!

At home I have a few KVM-based virtual machines, and quite a few Docker containers running using internal networks that (by design) only the server and themselves can access.

This is all well and good and secure, however its a bit of a pain in the ass when you want to test things or even worse use them (without a plethora of routes, or having to NAT the hell out of everything…).

In this example, I have a virtual machine listening on the internal network running an Apache based application. I know it works because if I hit it up on telnet it works:

[email protected]:/me# telnet 80
Connected to
Escape character is '^]'.

Naturally if i try that from a desktop not containing a route (or if my server didnt have NAT) then it wouldnt work.

What I want to be able to do is hit a URL, i.e. ‘’, and have that Apache application, on that VM (or container) appear.

You can do this with iptables, as mentioned earlier:

iptables -t nat -I PREROUTING -p tcp -d --dport 8000 -j DNAT --to-destination
iptables -I FORWARD -m state -d --state NEW,RELATED,ESTABLISHED -j ACCEPT

.. along with enabling conntrack, ipv4_forward, etc.

(In my example above i’ve got port 80 in use, which is common, so im having to redirect on a different port).

This is a pain in the ass as you have to connect to the host and remember to enter the port every time, and its not hugely elegant.

So, whats the answer?


What I ended up with, was using ProxyPass and DNS to allow me to hit a URL, i.e. and have the Apache application on the VM load.

First, simply create a DNS A record to your server’s IP using your chosen DNS server – i.e. in bind it’ll be:

siteĀ IN A

Once you can dig that address and get the correct IP (i.e. ‘dig’ returns the IP, you can crack on with the ProxyPass configuration.

First, ensure that you have the correct modules enabled:

[email protected]:/me# a2enmod proxy_http
Considering dependency proxy for proxy_http:
Module proxy already enabled
Module proxy_http already enabled

Next, navigate to /etc/apache2/sites-available/ and create a new site:

[email protected]:/me# cd /etc/apache2/sites-available/
[email protected]:/etc/apache2/sites-available# nano site.conf

Within this new conf, paste something similar to the following:

ServerAlias *
####Configuration for SSL #####
SSLEngine on
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
 SSLCertificateFile /etc/apache2/ssl/
 SSLCertificateKeyFile /etc/apache2/ssl/
 SSLCertificateChainFile /etc/apache2/ssl/ 
#### End of SSL Configuration #### 
LoadModule proxy_module modules/
LoadModule proxy_http_module modules/ ProxyPass / disablereuse=On
 ProxyPassReverse /

Few points:

  • Ensure your SSL crt, key and pem file paths are all correct.
  • Ensure your VirtualHost IP is correct.
  • Ensure your port is set to 443 for SSL.
  • If you are not using SSL, change 443 to 80 and remove all the lines between ‘Configuration for SSL’ and ‘End of SSL configuration’.
  • Ensure the IP ( is set to the IP of the internal VM/container on both lines at the bottom of the config!

Thats about it really. Restart apache2 using ‘service apache2 reload’, and then test it out. If you have any issues then double check /var/log/apache2/error.log.