1. What are forward proxy and forward proxy servers?
A forward proxy is usually called a proxy. A computer uses a server to access the Internet. This computer is called a client, this server is called a forward proxy server, which is usually called a proxy server. In this way, you are active, websites are passive, and websites cannot obtain your real IP address. Forward proxy server. It is only used for proxy internal network connection requests to the Internet, the client must specify the proxy server (generally in IE-Internet option-connection-LAN Settings ), and send the HTTP request to the Web server directly to the proxy server.
2. What are reverse proxy and reverse proxy servers?
The reverse proxy means that the website is published to the public network through a server for user access. The user directly accesses the reverse proxy server and then accesses the website through the server. The user cannot obtain the real IP address of the website. In this way, the website server is protected. If you have a server in China and you do not want to find IP addresses, you can build a reverse proxy server outside China. A reverse proxy server resolves many websites to the same IP address.
Technically speaking, common web proxy servers do not support external access requests to internal networks. When a proxy server can proxy hosts on the external network and access the internal network, this proxy service is calledReverse Proxy Service. The proxy server is calledReverse Proxy ServerAs a Web server, the external network can simply treat it as a standard Web server without specific configuration. The difference is that this server does not store the real data of any web pages, and all static web pages or CGI programs are stored on internal web servers. Therefore, the attack on the reverse proxy server does not damage the webpage information, which enhances the security of the Web server.
Reverse Proxy is used when external networks access internal networks. Forward proxy is used to provide internal network access to external networks, and packet filtering can be used to deny access to external networks in other ways.
Reverse proxy technology is useful in improving Website access speed and enhancing website availability and security. DNS round robin and squid reverse proxy can be used to achieve Load Balancing for websites, thus improving the availability and reliability of websites.
The reverse proxy server is also called the Web Acceleration Server.It is located at the front end of the web server and serves as the content cache for the Web server. To reduce the load of the actual Web server. Many large portal websites such as Sina now use squid reverse proxy technology to accelerate Website access and distribute different URL requests to different Web servers in the background, at the same time, Internet users can only see the address of the reverse proxy server, enhancing the website access security.
The reverse proxy server is set for the Web server. The background web server is transparent to Internet users. Users can only see the IP address of the reverse proxy server. It is unclear how the background web server is organized. When an Internet user requests a web service, DNS resolves the requested domain name to the IP address of the reverse proxy server, so that the URL request will be sent to the reverse proxy server, the reverse proxy server is responsible for processing user requests and responses, and interacting with the background web server. The reverse proxy server reduces the load on the backend web server, improves the access speed, and avoids the security risks caused by direct communication with the Web server.
A reverse proxy server can be used as a content server or as a Load balancer of a content server cluster.
1. As a substitute for the Content Server
If your content server has sensitive information that must be kept secure, such as the credit card number database, you can set a proxy server outside the firewall as a proxy for the content server. When an external client attempts to access the content server, it will send it to the proxy server. The actual content is on the content server and is protected by security inside the firewall. The proxy server is located outside the firewall and looks like a content server to the client.
When the client sends a request to the site, the request is forwarded to the proxy server. Then, the proxy server sends client requests to the content server through a specific channel in the firewall. The content server then returns the result to the proxy server through this channel. The proxy server sends the retrieved information to the client, as if the proxy server is the actual content server (see figure 2 ). If the content server returns an error message, the proxy server first intercepts the message, changes any URL listed in the header, and then sends the message to the client. This prevents external clients from getting the Redirection URL of the internal content server. In this way, the proxy server provides another barrier between the security database and possible malicious attacks. In contrast to the situation where you have the right to access the entire database, even if you are lucky enough to attack successfully, attackers are limited to accessing the information involved in a single transaction at best. Unauthorized users cannot access the real content server because the firewall channel only allows the proxy server to access the server.You can configure a Firewall Router so that it can only allow specific servers on a specific port (in this example, the proxy server on the port allocated to it) to access through the firewall, other machines are not allowed in or out.
2. Server Load balancer as a content server
You can use multiple proxy servers in an organization to balance the network load between Web servers. In this model, you can use the high-speed cache feature of the proxy server to create a server pool for load balancing. The proxy server can be on any side of the firewall. If the Web server receives a large number of requests every day, you can use the proxy server to share the load of the web server and improve network access efficiency.
The proxy server acts as the intermediate mediator for client requests sent to the Real Server. The proxy server saves the requested documents to the cache. If there is more than one proxy server, DNS can use the "loop multiplexing method" to select its IP address and randomly select a route for the request. The client uses the same URL each time, but the route used by the request may go through different proxy servers each time.
You can use multiple proxy servers to process requests to a high-volume content server. The advantage of this is that the content server can handle higher loads and be more efficient than when it is working independently. During the initial start period, the proxy server retrieves documents from the content server for the first time. After that, the number of requests to the content server will be greatly reduced.
Squid Concept
Squid can work with Apache for Load Balancing
Squid is a software used to buffer Internet data. In this way, it implements its function by accepting requests from the target (object) that people need to download and processing these requests as appropriate. That is to say, if a person wants to download a Web page, he requests squid to get it for him. Squid then connects to the remote server (e.g., http://squid.nlanr.net/) and sends a request to this page. Then, squid explicitly aggregates data to the client machine and copies the data at the same time. When someone needs the same page, squid can simply read it from the disk, and the data will be transmitted to the client immediately. The current squid can process HTTP, FTP, Gopher, SSL, WAIS, and other protocols. However, it cannot process pop, nntp, RealAudio, and other types of things.
Squid is a high-performance Proxy Cache Server. Squid supports FTP, Gopher, and HTTP protocols. Unlike general proxy cache software, squid uses a separate, non-modular, I/O-driven process to process all client requests.
Squid caches data elements in the memory and DNS query results. In addition, squid also supports non-modular DNS queries to negatively cache failed requests. Squid supports SSL and access control. Because of the use of ICP (lightweight Internet Cache Protocol), squid can implement a layered proxy array to maximize bandwidth savings.
Squid is composed of a major service program squid, a DNS query program dnsserver, several programs that rewrite requests and perform authentication, and several management tools. After squid is started, it can derive a specified number of dnsserver processes in advance, and each dnsserver process can execute a separate DNS query, in this way, the server waits for DNS query.
FastCGI Concept
Nginx must match the FastCGI value to support PHP parsing.
FastCGI is an improvement on CGI. It generally uses a C/S structure. Generally, the script processor starts one or more daemon processes. Each time the httpserver encounters a script, it is directly delivered to the FastCGI process for execution, then return the result (usually html) to the browser. There is a small problem with this method. In the case of frequent requests with large traffic volumes, the daemon process of the script processor may be overloaded, resulting in a slow process or even Memory leakage; however, the advantage of comparing the built-in modules of Apache is that the server and the script parser are completely independent of each other, so the server is no longer bloated, you can concentrate on static file response or return the results of the dynamic script parser to the user client. Therefore, compared with the built-in modulo mode of Apache, the performance sometimes needs to be improved a lot. Some tests may reach 5 ~ of Apache + mod_php ~ 10 times.
The FastCGI processor is required for nginx to be set as a PHP application server,
1. Apache reverse proxy configuration
After installing Apache, because the mod_proxy configuration is not loaded during installation, you have to add it later.
In the decompressed file (/Usr/local/src/apache2.2.21/) Execute the following command:
./Configure -- prefix =/usr/local/apache2.2.21/-- enable-mod-shared = 'proxyproxy _ AJP proxy_balancer proxy_connect proxy_ftp proxy_http proxy_rewrite'
Make
Make install
------------------------------------------------------------------
InConf/httpd. confFile, the loaded module information appears, as shown in:
Among them, mod_proxy.so; proxy_http.so is required by reverse proxy, mod_proxy_balancer.so is required by Server Load balancer
Next, configure two virtual hosts in httpd. conf and correspond to two ports (8811 and 8822 ). Description:
If you start the apache service, you can access both http: // localhost: 8811 and http: // localhost: 8822.
Configure the corresponding virtual host, as shown in:
2. nginx reverse proxy configuration
Step 1 configure reverse proxy
Modify in nginx. conf:
Location ~ /. Php $ {
Proxy_pass 158.37.70.143: 80;
}
In this way, when the client accesses localhost: 8080/index.html, the front-end nginx will automatically respond. When the user accesses localhost: 8080/test. php (this file is not found in the nginx directory at all), but the location ~ /. Php $ (indicates that the regular expression matches the file ending with. php, see how location defines and matches the http://wiki.nginx.org/NginxHttpCoreModule for details), The nginx server will automatically pass to the Apache server 158.37.70.143. Test. PHP will be automatically parsed, And the HTML result page will be returned to nginx, and then nginx will be displayed (if nginx uses the memcached module or squid, it can also support caching ), the output result is printed server2.
The above is the simplest example of using nginx as the reverse proxy server;
Step 2: Configure two web application servers
Set the server module of nginx. conf:
Location ^ ~ /PHPmyAdmin /{
Proxy_pass 127.0.0.1: 80;
}
Location ~ /. Php $ {
Proxy_pass 158.37.70.143: 80;
}
The first part above is location ^ ~ /PHPmyAdmin/, indicating that regular expressions are not used for matching (^ ~), It directly matches, that is, if the client accesses a URL starting with http: // localhost: 8080/PHPmyAdmin/(the phpMyAdmin directory is not in the local nginx directory ), nginx will automatically pass to the Apache server 127.0.0.1: 80, which parses the page under the phpMyAdmin directory, and then sends the result to nginx, which is displayed;
If the client access URL is http: // localhost/test. php, it will be processed by Apache that passes to 158.37.70.143: 80.
Set Server Load balancer using nginx
Step 1
Configure nginx. conf as follows:
> FirstAdd it to the HTTP module of nginx. conf in the nginx configuration file, and define the server cluster (two servers here) of the server cluster:
Upstream mycluster {
Server 127.0.0.1: 80;
Server 158.37.70.143: 80;
}
Step 2
As defined in the server module, Server Load balancer:
Location ~ /. Php $ {
Proxy_pass http: // mycluster; # The name here is the same as the name of the above Cluster
Proxy_redirect off;
Proxy_set_header host $ host;
Proxy_set_header X-real-IP $ remote_addr;
Proxy_set_header X-forwarded-for $ proxy_add_x_forwarded_for;
}
In this case
Http: // localhost: 8080/test. PHP page, the nginx directory does not have this file, but it will automatically pass it to the service cluster defined by mycluster, which consists of 127.0.0.1: 80; or 158.37.70.143: 80; for processing.
When upstream is defined above, no weight is defined after each server, indicating a balance between the two. If you want more responses, for example:
Upstream mycluster {
Server 127.0.0.1: 80 Weight = 5;
Server 158.37.70.143: 80;
}
The concept of reverse proxy: proxy and load balancing in nginx