Analysis of the Functions of a Reverse Proxy Server

Source: Internet
Author: User
Tags http request ssl connection

In the traditional sense, a proxy server is a server that sits between the users' computer network and the Internet. Its function is to obtain network information on behalf of network users, and it can be understood as a transit point for network information. If the Web browser is configured to use a proxy server, all requests are forwarded only through the proxy, and the proxy server sends an access request to the site according to the user's request, applying different filtering rules for each application in turn.

A transparent proxy server is a proxy server configured to handle user requests while the client is completely unaware of it. The disadvantage is that the proxy server does not support SSL, but the user's browser does not need to be configured for normal HTTP traffic (that is, plaintext HTTP traffic). In many cases it is used together with a caching proxy server, where the proxy server serves pictures and other files from its cache without having to consume Internet bandwidth by fetching them from the Web server every time.

The reverse proxy server reduces the load on the actual Web server by adding a high-speed Web buffer server between the busy Web server and the Internet, increasing the speed of access to Web pages. The reverse proxy server is located between the user's Web server and the Internet. When an HTTP connection comes in, the reverse proxy server determines what action to perform and then makes a request to the Web server on the back end. Reverse proxy servers are very important, and they often carry out multiple tasks.

The reverse proxy server can be an SSL terminator. This means that the SSL certificates and their keys are installed on the proxy server, along with the corresponding IP addresses of those sites. SSL is therefore terminated at the proxy server, and requests to the backend server are delivered as plain text. This is generally a good arrangement, but if the network behind the proxy is unsafe, network spoofing there can obtain service requests that were sent over a secure channel.

Here we want to explore virtual hosts and SSL. The concept of a virtual host is based on the site name and works with HTTP header data. When an HTTP request is made, a Web server that supports virtual hosts serves different content depending on the requested site. Essentially, this means that you can point multiple domain names to the same IP address. If SSL is enabled, it must be bound to a specific IP address, and the SSL certificate must match the name of the site that the user is trying to access. The SSL handshake takes place before any HTTP data is sent, so the server has only one option: one certificate is presented per IP address. If an SSL connection is established and the requested URL is found to belong to another site, the Web browser notifies the user. If it did not work this way, SSL would be meaningless.
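
The ordering described above can be modelled in a few lines. This is an added example, not code from the original page; the IP addresses, site names and certificates are constructed, and the server is assumed to learn the site name only from the HTTP Host header, as the paragraph describes.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Certificate:
    names: tuple  # DNS names the certificate is valid for


# Constructed data: one certificate per listening IP address. The handshake
# finishes before the Host header arrives, so the IP is all the server has.
CERT_BY_IP = {
    "192.0.2.10": Certificate(("www.example.com",)),
    "192.0.2.11": Certificate(("shop.example.net",)),
}

# Name-based virtual hosts: content is chosen from the Host header.
VHOSTS = {
    "www.example.com": "main site",
    "blog.example.com": "blog",
    "shop.example.net": "shop",
}


def name_matches(pattern, host):
    """Compare a certificate name with a host; '*' covers one left-most label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return p[1:] == h[1:]
    return p == h


def connect(ip, requested_host):
    """Return (browser_warns, content) for a request to requested_host at ip."""
    cert = CERT_BY_IP[ip]  # step 1: handshake, chosen by IP only
    # step 2: the browser compares the certificate with the site it asked for
    warns = not any(name_matches(n, requested_host) for n in cert.names)
    content = VHOSTS.get(requested_host)  # step 3: Host header selects the vhost
    return warns, content


if __name__ == "__main__":
    for ip, host in [("192.0.2.10", "www.example.com"),
                     ("192.0.2.10", "blog.example.com")]:
        print(ip, host, connect(ip, host))
```

The second request reaches the right virtual host, but the browser warns because the certificate bound to that IP address names a different site.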

A proxy server can also be a load balancer. In its basic sense, load balancing works in no more than two ways. The first is to intelligently iterate through a group of servers at the IP layer, and the second is to do more intelligent work by using a proxy server. A group of servers can use DNS round robin to serve the site: multiple DNS records can be assigned to one host name, so each connection selects one server from the group. Of course, this is a painful way to manage an SSL site. Routers can also load-balance in a similar way, which requires that existing state be saved so that subsequent requests can be routed to the appropriate server. However, most devices that operate in this way simply act as a proxy server. It makes sense to use a proxy server for load balancing, especially considering the other features it provides.
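
The difference between plain rotation and rotation with saved state can be shown with a small balancer. This is an added example, not code from the original page; the class, the backend addresses and the client identifiers are constructed for illustration.

```python
from itertools import cycle


class Balancer:
    """Round-robin balancer with an optional saved client-to-backend table."""

    def __init__(self, backends):
        self.backends = list(backends)
        self.healthy = set(self.backends)
        self._ring = cycle(self.backends)
        self.sessions = {}  # saved state: client id -> backend

    def _next_healthy(self):
        # Walk the ring at most once, skipping backends marked down.
        for _ in range(len(self.backends)):
            backend = next(self._ring)
            if backend in self.healthy:
                return backend
        raise RuntimeError("no healthy backend")

    def route(self, client_id, sticky=True):
        """Pick a backend; with sticky=True a client keeps its backend."""
        if sticky:
            backend = self.sessions.get(client_id)
            if backend in self.healthy:
                return backend
        backend = self._next_healthy()
        if sticky:
            self.sessions[client_id] = backend
        return backend

    def mark_down(self, backend):
        """Remove a backend from rotation; its clients are re-routed."""
        self.healthy.discard(backend)


if __name__ == "__main__":
    lb = Balancer(["10.0.0.1", "10.0.0.2", "10.0.0.3"])  # constructed addresses
    print([lb.route("alice", sticky=False) for _ in range(3)])
    print([lb.route("alice") for _ in range(3)])
```

Without the saved table, each request from the same client lands on a different server, which is why stateful applications need the balancer to remember earlier routing decisions.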

A reverse proxy server can act as an application-tier firewall for a Web server. This has two aspects: incoming requests are subject to the rules and policies configured in the proxy server, and the Web server is closed off and isolated from the outside world, effectively offsetting cross-site scripting attacks.

The reverse proxy server also often acts as a content filter. Filtering is closely related to firewalls, but reverse proxies have better performance. Most proxy server vendors implement a mechanism that blocks certain keywords or content types. This can be another layer that prevents malicious code from attacking the real server.
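
A keyword and content-type rule check of the kind described in the two paragraphs above might look like this. It is an added example, not code from the original page or from any proxy product; the rule set, the request layout and the function names are assumptions made for illustration. Input is decoded before matching so that an encoded keyword is still caught.

```python
from urllib.parse import unquote_plus

# Constructed rule set, standing in for the policies configured on the proxy.
BLOCKED_KEYWORDS = ("<script", "javascript:")
BLOCKED_CONTENT_TYPES = ("application/x-msdownload",)


def normalize(text, max_rounds=3):
    """Percent-decode (repeatedly), lower-case and collapse whitespace."""
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return " ".join(text.lower().split())


def inspect(request):
    """Return (allowed, reason) for a request dict with path, headers, body."""
    raw_type = request.get("headers", {}).get("Content-Type", "")
    content_type = raw_type.split(";")[0].strip().lower()
    if content_type in BLOCKED_CONTENT_TYPES:
        return False, f"content type {content_type}"
    for field in ("path", "body"):
        value = normalize(request.get(field, ""))
        for keyword in BLOCKED_KEYWORDS:
            if keyword in value:
                return False, f"keyword {keyword!r} in {field}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests.
    samples = [
        {"path": "/search?q=shoes", "headers": {}, "body": ""},
        {"path": "/search?q=%3CScRiPt%3E", "headers": {}, "body": ""},
        {"path": "/upload", "body": "",
         "headers": {"Content-Type": "application/x-msdownload; name=a"}},
    ]
    for sample in samples:
        print(sample["path"], inspect(sample))
```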

Many of the tasks that a front-end proxy server can perform can also be done by a reverse proxy server. A cache server, such as Squid, can work with a reverse proxy server in a variety of configurations. If the reverse proxy server does not support caching, many sites choose to route access to the back-end server through a caching proxy, so that images and other static content are not retrieved from the real server. Many reverse proxy servers can also hand off certain tasks, such as serving pictures, to a completely separate server. These proxy servers are often referred to as "web accelerators."

There are many proxy server products that can run in reverse proxy mode; here we focus on a few free open source products. Apache 2.2 can now be used with the proxy balancer module (mod_proxy_balancer). Apache has long relied on a proxy module to support reverse proxying, but with the balancer module, Apache can achieve more complex and flexible configurations. Of course, the configuration is not very simple, and Apache itself is resource intensive and has high memory requirements.

Pound is a reverse proxy server and load balancer that can terminate SSL connections. The configuration is fairly straightforward, and its great advantage over Apache is that it is carefully crafted, small and flexible. Many Pound users have reported very impressive throughput statistics, and it has also been reliable and effective.
