What is reverse proxy?
Have you ever visited a website whose IP address resolves to South Korea, while the data it serves actually still sits in China? How is this done? It is called a reverse proxy. The server in South Korea sends the HTTP request to an HTTP port on the domestic (Chinese) server, takes the data that comes back, and returns it to the client. In this way the website physically sits in China, yet it appears to be located abroad.
Here we look at reverse proxying on IIS, which can be done with the full version of ISAPI_Rewrite. Download the full version of ISAPI_Rewrite and install it.
When you create the website, bind it to the domain name you want, or (the most direct method) leave the Host Header empty. Then create an httpd.ini file in the website's root directory with the following content:
[ISAPI_Rewrite]
RewriteCond Host: www\.my\.me
RewriteProxy (.*) http://my.xxxx.net:81$1 [I,F,U]
This maps www.my.me to http://my.xxx.net:81; the port can be changed freely to whatever the back-end server listens on.
Reverse proxy: a proxy server accepts connection requests from the Internet, forwards them to a server on the internal network, and returns the result obtained from that server to the client on the Internet that made the request. To the outside, the proxy server appears to be the server itself.
Usually a proxy server is used only to proxy connection requests from the internal network to the Internet: the client must be configured to use the proxy, and it sends to the proxy the HTTP requests it would otherwise send directly to the Web server. Because hosts on the external network are not configured to use such a proxy, and because an ordinary proxy is designed to reach many unspecified servers on the Internet rather than to serve requests from many Internet clients for one fixed server, an ordinary Web proxy does not support access requests from the outside to the internal network. A proxy server that acts on behalf of hosts on the external network and accesses the internal network provides what is called a reverse proxy service. In this case the proxy server behaves as a Web server, and the external network can simply treat it as a standard Web server without any special configuration. The difference is that this server does not hold the real data of any web page; all static pages and CGI programs are kept on the internal Web server. An attack on the reverse proxy server therefore does not damage the web page content, which improves the security of the Web server.
The reverse proxy mode does not conflict with packet filtering or with the ordinary proxy mode, so both can be used in the same firewall device: reverse proxy for access from the external network to the internal network, and forward proxy or packet filtering to deny other kinds of external access while giving the internal network access to the outside. Combining these methods therefore provides the best secure access arrangement.
Proxy server acting as a stand-in for the content server
If your content server holds sensitive information that must be kept secure, such as a database of credit card numbers, you can set up a proxy server outside the firewall to act as a stand-in for the content server. When an external client tries to reach the content server, it is sent to the proxy server instead. The actual content lives on the content server, protected inside the firewall. The proxy server sits outside the firewall and looks like the content server to the client.
When a client sends a request to the site, the request goes to the proxy server. The proxy server then sends the client's request to the content server through a specific channel in the firewall, and the content server returns the result to the proxy server through the same channel. The proxy server delivers the retrieved information to the client as if it were the actual content server (see Figure 14-1). If the content server returns an error message, the proxy server first intercepts the message and changes any URLs listed in the headers before sending it to the client. This prevents external clients from obtaining redirect URLs that point at the internal content server.
In this way the proxy server provides another barrier between the protected database and possible malicious attacks. Compared with a setup where a successful attack gives access to the entire database, an attacker who does manage to break in is at best limited to the information involved in a single transaction. Unauthorized users cannot reach the real content server, because the firewall channel allows only the proxy server to access it.
Figure 14-1: the reverse proxy server looks like the real content server
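The behaviour described above (forward the client's request to the internal content server, hand the answer back, and rewrite any redirect URL that names the internal server before it reaches the client) as an added Python example; it is not code from the page or from ISAPI_Rewrite. The host names www.my.me and my.xxx.net:81 are the page's placeholders, the ContentServer class is a constructed stand-in for the internal server, and demo() runs both sides on localhost.

```python
import threading, urllib.error, urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
SKIP = {"connection", "keep-alive", "transfer-encoding", "content-length", "server", "date"}

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    redirect_request = lambda self, *a, **k: None  # hand the 3xx back instead of following it
OPENER = urllib.request.build_opener(_NoRedirect)

def rewrite_location(value, internal_base, public_base):
    """Replace the internal content server's URL prefix with the proxy's public name."""
    if value.lower().startswith(internal_base.lower()):
        return public_base + value[len(internal_base):]
    return value

class ReverseProxy(BaseHTTPRequestHandler):
    upstream = "http://my.xxx.net:81"  # internal content server (placeholder from the page)
    public = "http://www.my.me"        # public name the proxy answers for (placeholder)
    def do_GET(self):
        try:  # forward the client's request to the content server
            resp = OPENER.open(self.upstream + self.path, timeout=5)
        except urllib.error.HTTPError as e:  # 3xx/4xx/5xx still carry a full response
            resp = e
        body = resp.read()
        self.send_response(resp.code)
        for k, v in resp.headers.items():
            if k.lower() == "location":  # never leak the internal server's redirect URL
                v = rewrite_location(v, self.upstream, self.public)
            if k.lower() not in SKIP:
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

class ContentServer(BaseHTTPRequestHandler):  # constructed stand-in for the internal server
    def do_GET(self):  # /secret answers with a redirect that names the internal host
        self.send_response(302 if self.path == "/secret" else 200)
        if self.path == "/secret":
            self.send_header("Location", ReverseProxy.upstream + "/login")
        self.send_header("Content-Length", "0")
        self.end_headers()

def serve(handler):  # start a handler on a free localhost port; return its base URL
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % srv.server_address[1]

def demo():  # run a local content server behind the proxy; fetch / and /secret through it
    ReverseProxy.upstream = serve(ContentServer)
    proxy = serve(ReverseProxy)
    ok = OPENER.open(proxy + "/").code
    try:
        OPENER.open(proxy + "/secret")
    except urllib.error.HTTPError as r:  # the rewritten 302 surfaces as HTTPError
        return ok, r.code, r.headers["Location"]
```

Running demo() returns the status of the plain page, the 302 status of /secret, and a Location header that now carries the public name rather than the internal address.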
You can configure the firewall router so that it lets only a specific server on a specific port (in this example, the proxy server on the port assigned to it) through the firewall, and lets no other machine in or out.
Secure reverse proxy. When one or more of the connections between the proxy server and other machines use the Secure Sockets Layer (SSL) protocol to encrypt data, the result is a secure reverse proxy.
A secure reverse proxy serves several purposes:
It provides an encrypted connection from the proxy server outside the firewall to the secure content server inside the firewall.
It lets clients connect securely to the proxy server, which makes it easier to transmit sensitive information (such as credit card numbers) safely.
A secure reverse proxy adds overhead to every secure connection because the data is encrypted. However, because SSL provides a session cache, the two parties can reuse previously negotiated security parameters, which greatly reduces the overhead of subsequent connections.
There are three ways to configure a secure reverse proxy:
Secure client to proxy. This arrangement is effective if unauthorized users have little or no access to the information exchanged between the proxy server and the content server (see Figure 14-2).
Figure 14-2: secure client connection to the proxy server
Secure proxy to content server. This arrangement is effective if the clients are inside the firewall and the content server is outside it. In this arrangement the proxy server can act as a secure channel between sites (see Figure 14-3).
Figure 14-3: the proxy server securely connected to the content server
Secure client to proxy and secure proxy to content server. This arrangement is effective if the information exchanged between the content server, the proxy server and the client must all be protected. In this arrangement the proxy server can act as a secure channel between sites while also strengthening client authentication (see Figure 14-4).
Figure 14-4: the client securely connected to the proxy server, and the proxy server securely connected to the content server
For information about how to set up each of these configurations, see Setting up the reverse proxy server.
In addition to SSL, the proxy server can also use client authentication, which requires the computer connecting to the proxy server to present a certificate (or other form of identification) that verifies its identity.