Using the full version of ISAPI_Rewrite in IIS as a reverse proxy, in detail (Windows Server)

Source: Internet
Author: User
What is a reverse proxy?
You have probably visited the "stragglers" site. An IP lookup shows that its IP address is in Korea, yet the site's data is in fact still hosted in the country. How is this done? With a reverse proxy: the server in Korea sends HTTP requests to the HTTP port of a domestic server, receives the data, and returns it from Korea to the client. The site physically lives in the country but looks as if it is hosted abroad.
The following shows how to set up a reverse proxy in IIS, which the full version of ISAPI_Rewrite can do. Download the full version of ISAPI_Rewrite and install it.
Create a website. The site can be bound to the domain name you want to serve or, most directly, be a site with an empty host header. Then create an httpd.ini file under the site with the following content:

[ISAPI_Rewrite]
RewriteCond Host: www\.my\.me
RewriteProxy (.*) http://my.xxxx.net:81$1 [I,F,U]

This maps www.my.me to http://my.xxxx.net:81. You are free to map to other ports as well.

Reverse proxy: a proxy server accepts connection requests from the Internet, forwards them to a server on the internal network, and returns the server's results to the Internet client that requested the connection. In this role the proxy server appears to the outside as a server.
An ordinary proxy server only proxies connection requests from the internal network to the Internet. The client must specify the proxy server and send it the HTTP requests that would otherwise go directly to the Web server. Hosts on the external network do not configure or use this proxy server, and an ordinary proxy server is designed to reach many unspecified servers on the Internet, rather than to serve requests from many Internet clients for one fixed server. An ordinary Web proxy server therefore does not support requests from outside to the internal network. When a proxy server proxies hosts on the external network as they access the internal network, the service is called a reverse proxy service. The proxy server then behaves as a Web server, and the external network can treat it as a standard Web server without any special configuration. The difference is that this server does not hold the real data of any Web pages: all static Web pages and CGI programs are stored on the internal Web server. Therefore, attacks on the reverse proxy server do not cause Web page information to be compromised, which enhances the security of the Web server.
The reverse proxy method does not conflict with packet filtering or with ordinary proxying, so you can use them together in a firewall device. The reverse proxy handles access from the external network to the internal network, while the forward proxy or packet filtering denies other external access and gives the internal network access to the external network. Combining these methods provides the best way to secure access.
  

Proxy server acts as a stand-in for the server

If your content server has sensitive information that must remain secure, such as a credit card number database, you can set up a proxy server outside the firewall to act as a stand-in for the content server. When an external client tries to access the content server, it is sent to the proxy server. The actual content is on the content server and is secured within the firewall. The proxy server is outside the firewall and appears to the client as a content server.
When a client sends a request to the site, the request goes to the proxy server. The proxy server then sends the client's request to the content server through a specific path in the firewall. The content server passes the results back to the proxy server through the same channel. The proxy server sends the retrieved information to the client as if the proxy server were the actual content server (see Figure 14-1). If the content server returns an error message, the proxy server intercepts the message and changes any URLs listed in the header before sending the message to the client. This prevents the external client from obtaining the redirected URL of the internal content server.
In this way, the proxy server provides another barrier between the secure database and possible malicious attacks. Even if an attack happens to succeed, the perpetrator is at best limited to the information involved in a single transaction, rather than gaining access to the entire database. An unauthorized user cannot reach the real content server because the firewall path only allows the proxy server to have access.
Figure 14-1 The reverse proxy server is like a real content server
You can configure the firewall router to allow only specific servers on specific ports (in this case, proxy servers on their assigned ports) to access through the firewall, without allowing any other machines to enter or leave.
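
The mapping rule from the httpd.ini above and the header rewriting described in this section, modelled in Python as an added example (not code from the original page or from ISAPI_Rewrite). The function names, the whole-string host match, the check that the request target starts with "/", and the public scheme http are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, urlunsplit

# Values taken from the page's httpd.ini; PUBLIC_SCHEME is an assumption.
HOST_COND = re.compile(r"www\.my\.me", re.IGNORECASE)  # RewriteCond Host:, [I] flag
URL_PATTERN = re.compile(r"(.*)")                       # RewriteProxy pattern
UPSTREAM = "http://my.xxxx.net:81"                      # RewriteProxy target
PUBLIC_HOST = "www.my.me"
PUBLIC_SCHEME = "http"


def upstream_url(host_header, request_uri):
    """Return the upstream URL for a request, or None if the rule must not apply."""
    host = host_header.split(":", 1)[0].strip()
    # Match the whole host so "www.my.me.other.example" is not accepted.
    if not HOST_COND.fullmatch(host):
        return None
    # Only origin-form targets: "$1" is appended straight after the port, so
    # anything not starting with "/" could alter the authority of the URL.
    if not request_uri.startswith("/"):
        return None
    match = URL_PATTERN.fullmatch(request_uri)
    if match is None:  # e.g. an embedded line break
        return None
    return UPSTREAM + match.group(1)


def rewrite_response_headers(headers):
    """Replace the internal origin in redirect headers with the public one."""
    internal = urlsplit(UPSTREAM).netloc.lower()
    rewritten = []
    for name, value in headers:
        if name.lower() in ("location", "content-location"):
            parts = urlsplit(value)
            if parts.netloc.lower() == internal:
                value = urlunsplit((PUBLIC_SCHEME, PUBLIC_HOST, parts.path,
                                    parts.query, parts.fragment))
        rewritten.append((name, value))
    return rewritten
```

Relative redirects and redirects to unrelated hosts pass through unchanged; only values naming the internal host and port are rewritten.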

Secure reverse proxy

A secure reverse proxy is one in which one or more connections between the proxy server and another machine use the Secure Sockets Layer (SSL) protocol to encrypt data.
Secure reverse proxies have many uses:
   You can provide an encrypted connection from a proxy server outside the firewall to a secure content server inside the firewall.
   You can allow clients to connect securely to the proxy server, which helps transmit information such as credit card numbers safely.
A secure reverse proxy slows down each secure connection because of the overhead of encrypting the data. However, because SSL provides a caching mechanism, both parties can reuse previously negotiated security parameters, significantly reducing the overhead of subsequent connections.
There are three ways to configure a secure reverse proxy server:
   Secure client to proxy. This scenario is useful if unauthorized users have little or no opportunity to access the information exchanged between the proxy server and the content server (see Figure 14-2).
Figure 14-2 Client secure connection to proxy server
   Secure proxy to content server. This scenario works well if the client is inside the firewall and the content server is outside the firewall. In this scenario, a proxy server can act as a secure channel between sites (see Figure 14-3).
Figure 14-3 Proxy server secure connection to content server
   Secure client to proxy and secure proxy to content server. This scenario works well if you need to secure the information exchanged between the server, proxy server, and client. In this scenario, the proxy server acts as a secure channel between sites and also adds the security of client authentication (see Figure 14-4).
Figure 14-4 The client is securely connected to the proxy server and the proxy server is securely connected to the content server
For information on how to set up each of these configurations, see Setting up a reverse proxy server.
In addition to SSL, the proxy server can also use client authentication, which requires that the computer requesting the proxy server provide a certificate (or identification form) to verify its identity.
