Analysis of Reverse Proxy
The reverse proxy method refers to a proxy server that accepts connection requests from the Internet, forwards each request to a server on the internal network, and returns that server's response to the client on the Internet that requested the connection. To the outside, such a proxy server appears as a reverse proxy server.
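The two halves of the definition above (rewrite the inbound request for the internal server, then rewrite the internal server's response for the client) in working code. This is an added example, not code from the page; the public origin www.example.com, the internal origin content.internal:8080 and the sample messages are assumptions, and network I/O is left out so the rewriting logic runs offline. It goes slightly beyond the definition by also hiding the internal server in redirect and Server headers, which is what keeps the internal address from leaking to Internet clients.

```python
"""Reverse proxy request/response rewriting (added example, not code from the page).

Assumed, hypothetical names:
  PUBLIC_ORIGIN   - what external clients see on the Internet
  INTERNAL_ORIGIN - the real content server on the internal network
Network I/O is omitted so the logic runs offline: requests and responses are
plain dicts that mirror the HTTP messages a proxy would receive and send.
"""
from urllib.parse import urlsplit, urlunsplit

PUBLIC_ORIGIN = "https://www.example.com"         # assumption
INTERNAL_ORIGIN = "http://content.internal:8080"  # assumption

# Hop-by-hop headers (RFC 7230 section 6.1) apply to one connection only and
# must not be copied from one leg of the proxy to the other.
HOP_BY_HOP = {
    "connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
    "te", "trailer", "transfer-encoding", "upgrade",
}


def _lower(headers):
    """Normalise header names so lookups and overrides are case-insensitive."""
    return {k.lower(): v for k, v in headers.items()}


def build_upstream_request(client_req, client_ip):
    """Turn the request received from the Internet into the one sent to the
    internal content server (the 'forward' half of a reverse proxy)."""
    internal = urlsplit(INTERNAL_ORIGIN)
    public = urlsplit(PUBLIC_ORIGIN)
    headers = {}
    for name, value in _lower(client_req["headers"]).items():
        # Drop hop-by-hop headers and anything the client claims about
        # forwarding: an external client must not be able to spoof
        # X-Forwarded-For as seen by the internal application.
        if name in HOP_BY_HOP or name.startswith("x-forwarded-"):
            continue
        headers[name] = value
    headers["host"] = internal.netloc
    headers["x-forwarded-for"] = client_ip
    headers["x-forwarded-host"] = public.netloc
    headers["x-forwarded-proto"] = public.scheme
    return {
        "method": client_req["method"],
        "url": INTERNAL_ORIGIN + client_req["path"],
        "headers": headers,
    }


def rewrite_location(value):
    """Map a redirect target on the internal origin to the public origin.
    Relative targets and third-party URLs are returned unchanged."""
    target = urlsplit(value)
    internal = urlsplit(INTERNAL_ORIGIN)
    public = urlsplit(PUBLIC_ORIGIN)
    if (target.scheme.lower() == internal.scheme
            and target.netloc.lower() == internal.netloc):
        return urlunsplit((public.scheme, public.netloc,
                           target.path, target.query, target.fragment))
    return value


def build_client_response(upstream_resp):
    """Turn the content server's response into the one returned to the client
    (the 'return the results' half), hiding the internal server's identity."""
    headers = {}
    for name, value in _lower(upstream_resp["headers"]).items():
        if name in HOP_BY_HOP or name == "server":
            continue  # don't advertise internal server software
        if name in ("location", "content-location"):
            value = rewrite_location(value)
        headers[name] = value
    return {"status": upstream_resp["status"], "headers": headers,
            "body": upstream_resp["body"]}


if __name__ == "__main__":
    # Constructed sample messages, not captured traffic.
    req = {"method": "GET", "path": "/login",
           "headers": {"Host": "www.example.com", "X-Forwarded-For": "10.0.0.1"}}
    print(build_upstream_request(req, "203.0.113.5"))
    resp = {"status": 302, "body": b"",
            "headers": {"Location": "http://content.internal:8080/account",
                        "Server": "Apache/2.4.57"}}
    print(build_client_response(resp))
```

The forwarding headers are overwritten rather than appended to: if the proxy merely added its own value to a client-supplied X-Forwarded-For, an internal application that trusts the first address in that list could be fooled into treating an Internet client as a trusted host.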
Working Style
An ordinary (forward) proxy server is used only to proxy connection requests from the internal network to the Internet: each internal client must be configured with the proxy server's address and send to it the HTTP requests it would otherwise send directly to the Web server. Hosts on the external network are not configured to use this proxy, and a normal proxy is designed to reach an open-ended set of servers on the Internet on behalf of many clients, not to route requests from Internet clients to one fixed server. A normal Web proxy server therefore does not serve external access requests to the internal network. When a proxy server instead accepts requests from hosts on the external network and passes them to the internal network, the service is called a reverse proxy. In this role the proxy server presents itself as a Web server, and the external network can simply treat it as an ordinary Web server with no special configuration. The difference is that the proxy holds no real Web page data itself; all static pages and CGI programs remain on the internal Web server. An attack on the reverse proxy server therefore cannot destroy the Web page content, which improves the security of the Web server. The limit of this protection should be kept in mind: the reverse proxy terminates every client connection and sees, and can modify, all traffic in transit, so it must itself be hardened and its access to the internal server restricted to what it needs. There is no conflict between reverse proxying and packet filtering or normal (forward) proxying, so both can be used in the same firewall device: the reverse proxy handles access from the external network to the internal network, while the forward proxy or packet filter denies other external access and provides internal network access to the external network. Combining these approaches gives the best secure access.

CDN
CDN stands for Content Delivery Network, a content distribution network.
The basic idea is to avoid the bottlenecks and links on the Internet that can degrade the speed and stability of data transmission, so that content is delivered faster and more reliably. By placing reverse proxy node servers throughout the network, forming a layer of intelligent virtual network over the existing Internet, the CDN system redirects each user's request to the service node closest to that user, taking into account network traffic, the connection state and load of each node, and the distance and response time to the user. The goal is to give users the content they need, relieve Internet congestion, and improve the responsiveness of Web sites for users.

Proxy Server
If your content server holds sensitive information that must be kept secure, such as a database of credit card numbers, you can set up a proxy server outside the firewall as an alias for the content server. When an external client tries to access the content server, it is sent to the proxy server instead. The actual content stays on the content server, protected inside the firewall. The proxy server sits outside the firewall and looks like the content server to external clients. When a client requests the site, the request goes to the proxy server, which forwards it to the content server through a specific path in the firewall. The content server returns its results to the proxy server through the same channel, and the proxy server passes the retrieved information to the client as if it were the actual content server (see Figure 14-1). If the content server returns an error message, such as a redirect, the proxy server intercepts it and rewrites any URLs listed in the headers before sending the message on to the client. This prevents external clients from learning the redirect URL of the internal content server. In this way, the proxy server provides an additional barrier between the secure database and potential attackers.
Rather than gaining access to the entire database, an attacker who succeeds is at most limited to the information involved in a single transaction, and even that only by luck. An unauthorized user cannot reach the real content server, because the firewall path admits only the proxy server.

Figure 14-1 A reverse proxy server looks like the real content server

A firewall router can be configured to allow only a specific server on a specific port (here, the proxy server on its assigned port) to pass through the firewall, without letting any other machine in or out.

Security Reverse Proxy
A secure reverse proxy is one in which one or more of the connections between the proxy server and other machines use the Secure Sockets Layer (SSL) protocol to encrypt the data.

Use
A secure reverse proxy has several uses. It can provide an encrypted connection from a proxy server outside the firewall to a secure content server inside it. It can let clients connect securely to the proxy server, which allows sensitive information such as credit card numbers to be transferred safely. Each secure connection is slower because of the overhead of encrypting the data; however, because SSL supports session caching (session resumption), both sides of a connection can reuse previously negotiated security parameters, greatly reducing the overhead of subsequent connections.

Configuration Method
There are three ways to configure a secure reverse proxy server:
Secure client to proxy. This scenario works well if there is little or no chance of an unauthorized user gaining access to the information exchanged between the proxy server and the content server (see Figure 14-2).
Figure 14-2 The client connects securely to the proxy server
Secure proxy to content server. This scenario is effective if clients are outside the firewall and the content server is inside it. In this scenario the proxy server can act as a secure channel between sites (see Figure 14-3).
Figure 14-3 The proxy server connects securely to the content server
Secure client to proxy and secure proxy to content server. This scenario is effective if you need to secure the information exchanged among the content server, the proxy server, and the client. In this scenario the proxy server can act as a secure channel between sites, with the added security of client authentication (see Figure 14-4).
Figure 14-4 The client connects securely to the proxy server and the proxy server connects securely to the content server

For information on setting up each of these configurations, see Setting up a reverse proxy server. In addition to SSL, a proxy server can also use client authentication, which requires the computer sending a request to the proxy server to present a certificate (or other form of identification) to verify its identity.

Compare
Here is a simple comparison of the three types of proxy server commonly found on networks:

1. Standard proxy buffering server. A standard proxy buffering service caches static Web pages (for example, HTML files and image files) on a host on the local network, that is, the proxy server. When a cached page is accessed a second time, the browser receives the data directly from the local proxy server and no longer requests it from the original Web site. This saves valuable network bandwidth and speeds up access. To use it, however, the IP address and port number of the proxy server must be explicitly set in the browser of every internal host. As the client browses the Web, every request goes to the proxy server, which decides whether it needs to connect to the remote Web server to obtain the data. If the requested file is in the local cache, it is passed directly to the user; if not, the proxy retrieves the file, saves a copy in the local cache, and then sends the file to the client browser.

2. Transparent proxy buffering server. A transparent proxy buffering service functions exactly like the standard proxy server, but its operation is transparent to the client's browser (no proxy IP address or port needs to be configured). The transparent proxy intercepts network traffic and picks out the HTTP traffic (port 80) destined for the outside. If the client's request can be served from the local cache, the cached data is sent straight to the user; otherwise the request is made to the remote Web server, and the remaining steps are identical to the standard proxy server. On Linux, transparent proxies are implemented with iptables or ipchains. Transparent proxies are especially useful for ISPs (Internet service providers), because no browser settings are needed.

3. Reverse proxy buffering server. A reverse proxy is a completely different kind of proxy service from the first two. It is used to reduce the load on the original Web server: the reverse proxy takes over static page requests on behalf of the original Web server so that the origin server is not overloaded. It sits between the local Web server and the Internet, handles all requests to the Web server, and prevents direct communication between the Web server and the Internet. If the page an Internet user requests is cached on the proxy server, the proxy sends the cached content directly to the user; if not, it requests the page from the Web server, retrieves the data, caches it locally, and sends it to the user. By reducing the number of requests that reach the Web server, this approach reduces its load.
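The cache decision that all three buffering servers share, written out for the reverse proxy buffering case (item 3 above): serve from the local cache if the entry is still fresh, otherwise fetch from the origin Web server, store the copy and return it. This is an added example and not code from the page. It goes beyond the page's "if cached, serve it" rule by honouring the origin's Cache-Control directives and by refusing to store responses that carry Set-Cookie or that answer a request with an Authorization header, because a shared cache in front of the origin that stores one user's response and hands it to the next user turns a performance feature into a data leak. The origin function, host name and timestamps are constructed for the example.

```python
"""Cache decision logic for a reverse proxy buffering server (added example)."""
from typing import Callable, Dict, Optional, Tuple

# Requests and responses are plain dicts that mirror HTTP messages:
#   request : {"method", "host", "path", "headers"}
#   response: {"status", "headers", "body"}


def _header(headers: dict, name: str) -> str:
    """Case-insensitive header lookup; '' when absent."""
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return ""


def parse_cache_control(value: str) -> Dict[str, Optional[str]]:
    """'public, max-age=60' -> {'public': None, 'max-age': '60'}."""
    directives = {}
    for item in value.split(","):
        item = item.strip().lower()
        if not item:
            continue
        key, sep, val = item.partition("=")
        directives[key] = val.strip('"') if sep else None
    return directives


def cache_key(req: dict) -> Tuple[str, str, str]:
    return (req["method"].upper(), req["host"].lower(), req["path"])


def is_cacheable(req: dict, resp: dict) -> bool:
    """May a shared cache store this response and serve it to other clients?"""
    if req["method"].upper() not in ("GET", "HEAD"):
        return False
    if resp["status"] not in (200, 203, 300, 301, 404, 410):
        return False
    cc = parse_cache_control(_header(resp["headers"], "cache-control"))
    if "no-store" in cc or "private" in cc:
        return False
    # Per-user content: a response that sets a cookie, or that answered an
    # authenticated request, is only stored if the origin explicitly marks it
    # public. Otherwise the next visitor would receive someone else's page.
    tied_to_user = (_header(req["headers"], "authorization")
                    or _header(resp["headers"], "set-cookie"))
    if tied_to_user and "public" not in cc:
        return False
    return True


def ttl_seconds(resp: dict) -> int:
    """Freshness lifetime; 0 when the origin gave no explicit lifetime
    (conservative: never guess how long a page stays valid)."""
    cc = parse_cache_control(_header(resp["headers"], "cache-control"))
    for name in ("s-maxage", "max-age"):
        val = cc.get(name)
        if val is not None and val.isdigit():
            return int(val)
    return 0


class ReverseProxyCache:
    def __init__(self):
        self._store: Dict[tuple, Tuple[dict, float]] = {}
        self.origin_hits = 0

    def fetch(self, req: dict, origin: Callable[[dict], dict],
              now: float) -> Tuple[dict, str]:
        """Return (response, 'HIT' | 'MISS' | 'BYPASS'); `now` is injected so
        expiry can be exercised without sleeping."""
        key = cache_key(req)
        entry = self._store.get(key)
        if entry is not None and entry[1] > now:
            return entry[0], "HIT"
        resp = origin(req)          # forward to the Web server
        self.origin_hits += 1
        ttl = ttl_seconds(resp)
        if is_cacheable(req, resp) and ttl > 0:
            self._store[key] = (resp, now + ttl)
            return resp, "MISS"
        self._store.pop(key, None)  # never keep a stale or non-cacheable copy
        return resp, "BYPASS"


def demo_origin(req: dict) -> dict:
    """Constructed stand-in for the internal Web server."""
    if req["path"].startswith("/static/"):
        return {"status": 200, "body": b"PNG...",
                "headers": {"Cache-Control": "public, max-age=60"}}
    return {"status": 200, "body": b"account page for one user",
            "headers": {"Set-Cookie": "session=abc", "Cache-Control": "max-age=60"}}
```

Note that the account page above advertises max-age=60 and would be cached by a proxy that only looked at freshness; it is the Set-Cookie header, combined with the missing `public` directive, that keeps it out of the shared cache.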