httpd Basics of WEB application (e)

  Earlier we covered httpd's directives and user permissions, resource compression, and configuring https; for a recap, see https://www.cnblogs.com/qiuhom-1874/p/12593675.html. Today we cover httpd redirection, HSTS, and reverse proxy configuration.

  First, what is redirection? Suppose a resource on the server no longer exists at the URL the user requests, or has moved to a different URL that the user does not know about: how do we get the user to the new URL? A familiar case: we type a major site's domain name straight into the browser and get a response immediately, but a careful look shows that the response came over https rather than http. We clearly did not ask for https, so why is the page served over https? This is an http redirect. Redirection means that the resource behind a URL is no longer at its original location, and the user has no way of knowing where it went. If the server is not configured to redirect, the user either gets stale content or cannot reach the resource at all. Redirection solves this by forwarding the user's request to the new URL. It works like this: when the server receives a request, it checks whether the requested URL still corresponds to the resource's original location; if not, it answers with status code 301 or 302, which tells the client that the resource is no longer at this location, and gives the new location in the Location header. On receiving that response, the client sends a new request to the new URL and gets the resource in the response.

  httpd redirection uses the Redirect directive. Its syntax is Redirect [status] URL-path URL, where status selects the response code: permanent is a permanent redirect and returns 301; temp is a temporary redirect and returns 302. temp is the default.

  Example: temporarily redirect a user's http request to https

   Note: The above configuration means that when the user accesses the URI /https, the request is temporarily redirected to https://www.test.com. The Redirect directive can be used in the server configuration section, in a virtual host section, in a directory section, and in .htaccess files.

  test:

   Tip: When the browser requests www.test.com/https, the server's response carries a Location header that gives the new URL. The browser then automatically requests the URL in Location, and what we finally see is the response from https://www.test.com.

  Example 2: use rewrite to jump from http to https

   Note: The above configuration turns on the rewrite engine and rewrites whatever URI the user requests to https://<Host header of the user's request>/index.html. For example, when the server receives a request for www.test.com/abc.html, it rewrites the URL to https://www.test.com/index.html. Whatever the user requests under www.test.com is treated as a request for https://www.test.com/index.html.

  test:

   Tip: Whatever path we request under www.test.com/ in the browser, we are sent to https://www.test.com/index.html.
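The two redirect examples above, written out as an added configuration sketch (not the author's original file). The `ServerName`, the 302 status on the rewrite rule, and the commented path-preserving variant are assumptions; the two virtual hosts are alternatives, so only one of them would be loaded.

```apache
# Example 1: mod_alias. A request for /https gets a 302 response
# with "Location: https://www.test.com".
<VirtualHost *:80>
    ServerName www.test.com
    # "temp" (302) is the default; "permanent" would return 301 instead.
    Redirect temp /https https://www.test.com
</VirtualHost>

# Example 2: mod_rewrite. Every request on port 80 is redirected to
# /index.html on the https site named in the request's Host header.
<VirtualHost *:80>
    ServerName www.test.com
    RewriteEngine on
    RewriteRule ^ https://%{HTTP_HOST}/index.html [R=302,L]

    # %{HTTP_HOST} is taken from the client's request, so the redirect
    # target reflects whatever Host header was sent. Naming the host
    # explicitly and keeping the requested path avoids both that and
    # the loss of the original URI:
    # RewriteRule ^ https://www.test.com%{REQUEST_URI} [R=301,L]
</VirtualHost>
```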

  HSTS stands for HTTP Strict Transport Security. The examples above expose one weak point: the user's first request to the server still travels over http, and http is a cleartext protocol. Suppose an attacker intercepts and tampers with that first exchange. The client then receives not the server's real response but the attacker's modified one, and its follow-up request may well go to a URL the attacker substituted rather than the one the real server sent, which is clearly a security risk. To address this, the server is configured to support HSTS, so that the HTTP response headers it returns to the browser carry the HSTS field. Once the browser has this information, it turns every HTTP request to the site into HTTPS with an internal 307 jump. No network traffic is involved in that step, so an attacker on the network has nothing to capture. The HSTS preload list is Chrome's list of sites with HSTS preloaded: when a site on the list is accessed with Chrome, the request is automatically converted to HTTPS. Firefox, Safari and Edge also use this list. In other words, for a site on the HSTS preload list, the jump from http to https happens inside the browser.

  httpd implements HSTS with the directive Header always set Strict-Transport-Security, which returns a maximum age: for the given length of time, the browser uses https for its requests to the site.

  Example:

   Note: The above sets the Strict-Transport-Security response header to max-age=31536000; with this configuration our site supports HSTS.

   Tip: The response to our request for www.test.com now carries the Strict-Transport-Security response header.
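An HSTS configuration matching the note above, as an added example rather than the author's original file. The certificate paths are placeholders, and the port-80 virtual host is an assumption added to show where the header does and does not belong.

```apache
# HSTS is delivered from the TLS virtual host. mod_headers and mod_ssl
# must be loaded.
<VirtualHost *:443>
    ServerName www.test.com
    SSLEngine on
    # Placeholder paths, not values from the article.
    SSLCertificateFile    "/path/to/www.test.com.crt"
    SSLCertificateKeyFile "/path/to/www.test.com.key"

    # 31536000 seconds = 365 days. "always" attaches the header to error
    # responses as well, not only to successful ones.
    Header always set Strict-Transport-Security "max-age=31536000"
</VirtualHost>

# Browsers act on Strict-Transport-Security only when it arrives over
# HTTPS, so the cleartext virtual host only redirects.
<VirtualHost *:80>
    ServerName www.test.com
    Redirect permanent / https://www.test.com/
</VirtualHost>
```

The first visit over http is still unprotected with this setup; only the preload list described above removes that initial cleartext request.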

   httpd as a proxy server;

  First, the concept of a proxy. A proxy does something on your behalf that you cannot do yourself; the party that acts for someone else is what we call the proxy. I am not sure this interpretation is exactly right. For example, we want to visit a site, but the site can only be reached from one particular network. How do users outside that network get access? This is the job of a proxy. Acting for the client, the proxy fetches resources in that particular network on the client's behalf; acting for the server, the proxy answers client requests on the server's behalf. The difference between the two is where the proxy stands. A proxy on the client side is usually called a forward proxy: it proxies the client's access to resources in a specific network (we are only talking about http web services here), and however it is described, a forward proxy goes and fetches things for the client. A proxy on the server side is usually called a reverse proxy: it answers client requests on behalf of the server. A proxy can be thought of as the "man in the middle", acting as both a client and a server; we simply call it different things depending on the point of view.

  When a client sends a message through a forward proxy, the proxy replaces the client's source IP or source port, so the requests the real server sees usually carry the forward proxy's IP and port. A reverse proxy mainly answers client requests on behalf of the server, so it usually modifies the destination IP or destination port of the client's request. The response the client receives typically has the proxy server's IP or port as its source, while from the point of view of the real back-end server the request's source IP or source port is usually that of the reverse proxy. From this description, a proxy server takes on two roles: towards the client it is the server, and towards the server it is the client. The client therefore sees the proxy server as the source IP and port of the response, and the server sees the proxy server as the source of the request. Besides helping clients reach external resources, a forward proxy can also hide the client; besides answering client requests for the server, a reverse proxy can also hide the server. Client and server thus exchange data through a proxy. In practice, the web services we access are usually reached through these two kinds of proxy, and this is the most important role a proxy plays.

   httpd's reverse proxy function is implemented by the proxy module; the most common and most important directives are ProxyPass and ProxyPassReverse.

  Example:

   Note: The above configuration means that when the client accesses the URI /nginx, the request is reverse-proxied to the site we specified; that is, visiting www.test.com/nginx in the browser brings up the official nginx home page.

   Tip: We added a ProxyPass and a ProxyPassReverse directive to a virtual host; when we visit the corresponding URI, our request is sent on to the URL we specified. ProxyPass can also be used inside a Location section. The main role of the ProxyPassReverse directive is to prevent the client from bypassing the reverse proxy and requesting the back-end host directly. The above is a brief introduction to using httpd; for more httpd directives, please refer to the examples in the official documentation.
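A reverse proxy virtual host along the lines described above, as an added example rather than the author's original configuration. `http://backend.example` is a placeholder for the back-end site, and `ProxyRequests Off` is an addition the article does not mention.

```apache
# Requires mod_proxy and mod_proxy_http.
<VirtualHost *:80>
    ServerName www.test.com

    # Reverse proxying does not need forward proxying. Keeping
    # ProxyRequests off (the default) stops this server from relaying
    # arbitrary client-chosen URLs as an open proxy.
    ProxyRequests Off

    # Requests under /nginx are fetched from the back end and the
    # response is returned to the client as if www.test.com produced it.
    # Placeholder back end, not the URL used in the article.
    ProxyPass        /nginx http://backend.example

    # When the back end answers with a redirect, rewrite its Location,
    # Content-Location and URI headers to point back at /nginx on this
    # host, so the client is never handed the back-end address.
    ProxyPassReverse /nginx http://backend.example
</VirtualHost>
```

If the back end is reached over https, `SSLProxyEngine on` is also needed in the virtual host.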

Origin www.cnblogs.com/qiuhom-1874/p/12609986.html