Proxy Technology: Reverse Proxy, Forward Proxy, Transparent Proxy

Before explaining the Nginx reverse proxy configuration, we need to understand the definition of several mainstream proxy technologies.

At present, the main types of proxy technology are the reverse proxy, the forward proxy, and the transparent proxy. The three technologies are introduced one by one below.

 

Foreword

     

To borrow the style of Gu Long's martial arts novels: proxy service technology is a very old technology, one that was already in use in the early days of the Internet. The usual way to implement it is to install proxy service software on a server and so turn that server into a proxy server. Commonly used proxy technology is divided into forward proxy, reverse proxy and transparent proxy. This article explains the basic principles and the scope of application of these three types of proxy, so that you can understand proxy service technology more deeply.

At present, the reverse proxy is the one mentioned by most people. The following explains the three proxy models in the order reverse proxy, forward proxy, transparent proxy.

 

1. Reverse proxy

The reverse proxy is often used in web scenarios. To the client, the proxy server looks like the original server, and the client does not need any special settings. The client sends an ordinary request for content in the namespace of the reverse proxy; the reverse proxy then decides where (to which original server) to forward the request, and returns the content it obtains to the client. A reverse proxy server serves the following purposes:

 

1. Protect and hide the original resource server 

 

User A always thinks that it is accessing the original server B rather than the proxy server Z. In practice, the reverse proxy server accepts user A's request, obtains the resources user A needs from the original resource server B, and sends them to user A. Because of the firewall, only proxy server Z is allowed to access the original resource server B. In this environment the combination of firewall and reverse proxy protects the original resource server B, yet user A is unaware of it.

 

2. Load balancing

When there is more than one reverse proxy server, we can even make them into a cluster. When more users access the resource server B, different proxy servers Z(x) respond to different users and send those users the resources they need.

Of course, the reverse proxy server can also act as a cache, like the forward proxy server. It can cache the resources of the original resource server B instead of requesting data from server B every time, especially static data such as pictures and documents. If such a reverse proxy server X is in the same network as user X, then user X can access reverse proxy server X and get very high speed. This is the core of CDN technology.

 

We are not explaining CDN here, so we have left out the most critical core technology of CDN, intelligent DNS. The point is only to show that CDN technology actually uses the reverse proxy principle.

In conclusion, the reverse proxy is just the opposite of the forward proxy. To the client it looks like the original server, and the client does not need to make any special settings. The client sends a normal request for content in the namespace of the reverse proxy; the reverse proxy then decides where (to which original server) to forward the request and returns the content it obtains to the client, as if that content were originally its own.

 

There are many programs available for forward and reverse proxying, and most software that can act as a forward proxy can also act as a reverse proxy. The most popular open source software is Squid, which can be used as a forward proxy and is also used by many people as a front-end server acting as a reverse proxy. In addition, MS ISA can be used as a forward proxy on the Windows platform. The main use of the reverse proxy is in web services, and the most popular choice in recent years is Nginx. Some people on the Internet say that Nginx cannot be a forward proxy, which is actually wrong. Nginx can also be a forward proxy, but fewer people use it that way.

 

2. Forward Proxy

 

In general, unless stated otherwise, "proxy technology" means forward proxy technology. The concept of the forward proxy is as follows: a forward proxy is a server [proxy server Z] located between the client [user A] and the origin server [server B]. To obtain content from the origin server, user A sends a request to proxy server Z and specifies the target (server B); proxy server Z then forwards the request to server B and returns the obtained content to the client. The client must make some special settings to use the forward proxy. As shown below.

From the above concept we can see that the forward proxy in this article means that the proxy server accesses the target server [server B] on behalf of the visitor [user A].

This is what forward proxying means. Why use a proxy server to visit server B instead of having the visitor [user A] do so directly? To answer that, we start from what proxy servers are used for.

The main uses of a forward proxy server are the following:

 

1. Access a server B that could otherwise not be accessed

Figure 1.2 

Let's set aside complicated network routing scenarios and look at Figure 1.2. Assume that the routers are named R1 and R2 from left to right, and that initially user A needs to pass through the routing nodes R1 and R2 to access server B. If router R1 or router R2 fails, server B cannot be accessed. However, if user A asks proxy server Z to access server B on its behalf, then because proxy server Z is not behind router R1 or R2 but reaches server B through other routing nodes, user A can get the data of server B. A real-world example is "FQ". However, since VPN technology is now widely used, "FQ" uses not only traditional forward proxy technology but also VPN technology.

 

2. Accelerate access to server B

This use is not as popular as before, mainly because of the rapid growth of bandwidth. In the early days many people used a forward proxy to speed up access. As shown in Figure 1.2, suppose user A reaches server B through routers R1 and R2, and the link from R1 to R2 is a low-bandwidth link, while the links from user A to proxy server Z and from proxy server Z to server B are high-bandwidth links. Obviously, going through the proxy speeds up access to server B.

 

3. The role of Cache

Cache technology and proxy service technology are closely related (not only the forward proxy; the reverse proxy also uses cache technology). As in the figure above, suppose user A requests some data J from server B and someone has already accessed data J on server B through proxy server Z. Proxy server Z will have saved data J for a period of time. If someone then requests data J, proxy server Z no longer accesses server B but sends the cached data J directly to user A. In caching terms this is called a cache hit. If more users like user A access proxy server Z, these users can get data J directly from proxy server Z, and there is no need to go to server B to download the data.

 

4. Client access authorization

This is still used a lot today. For example, some companies use ISA SERVER as a forward proxy server to authorize whether users have permission to access the Internet, as shown in Figure 1.3 below.

Figure 1.3

The firewall acts as a gateway that filters access from the external network. Suppose that both user A and user B have configured the proxy server, that user A is allowed to access the Internet, and that user B is not allowed to access the Internet (this restriction is set on proxy server Z). User A can then access server B through the proxy server because it is authorized. Since user B is not authorized by proxy server Z, its data packets are simply discarded when it tries to access server B.

 

5. Hide the visitor's whereabouts

As shown in Figure 1.4 below, server B does not know that user A is actually the one visiting it, because proxy server Z interacts directly with server B in place of user A. If proxy server Z is fully (or partially) controlled by user A, it is customarily referred to by the term "broiler".

We conclude that the forward proxy is a server between the client and the origin server. To obtain content from the origin server, the client sends a request to the proxy and specifies the target (origin server); the proxy then forwards the request to the origin server and returns the obtained content to the client. The client must be configured to use the forward proxy server, which of course requires knowing the forward proxy server's IP address as well as the port of the proxy program.
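The following Python sketch is an added example, not code from the original article. It shows the two points made above as a decision function for proxy server Z: the client names the target in the request itself, and authorization (user A allowed, user B not) is enforced on the proxy. The client addresses and the host name `server-b.example` are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed policy for the article's scenario: user A may use proxy Z, user B may not.
ALLOWED_CLIENTS = {"10.0.0.11"}  # user A (constructed address)

def forward_proxy_decision(client_ip, raw_request, allowed=ALLOWED_CLIENTS):
    """Return ("forward", host, port, origin_request_line),
    ("tunnel", host, port) or ("deny", reason)."""
    parts = raw_request.split("\r\n", 1)[0].split(" ")
    if len(parts) != 3:
        return ("deny", "malformed request line")
    method, target, version = parts

    # Authorization happens on the proxy, before any traffic reaches server B.
    if client_ip not in allowed:
        return ("deny", "client not authorized")

    if method == "CONNECT":
        # authority-form "host:port": the client asks for a tunnel (HTTPS).
        host, _, port = target.rpartition(":")
        if not host or not port.isdigit():
            return ("deny", "bad CONNECT target")
        return ("tunnel", host, int(port))

    try:
        url = urlsplit(target)
        port = url.port or 80
    except ValueError:
        return ("deny", "bad target")
    if url.scheme != "http" or not url.hostname:
        # origin-form ("/path") names no target server, so this client
        # was not configured to use a forward proxy.
        return ("deny", "not a proxy request")
    path = url.path or "/"
    if url.query:
        path += "?" + url.query
    # Proxy Z rewrites the absolute-form target to origin-form for server B.
    return ("forward", url.hostname, port, f"{method} {path} {version}")
```

A client behind a reverse proxy sends the origin-form request (`GET /data/j`), which is why it needs no special settings, while a forward-proxy client must send the absolute form.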

 

 

3. Transparent proxy

 

If we classify forward proxy, reverse proxy and transparent proxy by family relationship, then the forward proxy and the transparent proxy are obviously cousin relationships, while the forward proxy and the reverse proxy are cousin relationships.
Transparent proxy means that the client does not need to know that a proxy server exists. The proxy modifies your request fields (messages) and passes on the real IP. Note that the encrypted transparent proxy is an anonymous proxy, which means that there is no need to set up a proxy. An example of transparent proxying in practice is the behavior management software used by many companies today, as follows.

 

Figure 3.1

User A and user B do not know that the behavior management device acts as a transparent proxy. When user A or user B submits a request to server A or server B, the transparent proxy device intercepts the messages of user A or B, modifies them according to its own policies, and then, as the actual requester, sends the request to server A or B. When the response comes back, the transparent proxy sends the allowed content back to user A or B according to its own settings. As shown above, if the transparent proxy is set not to allow access to server B, then user A or user B will not get the data of server B.
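The Python sketch below is an added example, not part of the original article. It covers the "transmits the real IP" behaviour described here and the reverse proxy setup from section 1, where only proxy Z may reach server B: the server behind the proxy should believe a forwarded client address only when the connection comes from a known proxy. It assumes the address is carried in the widely used `X-Forwarded-For` request header, which the article does not name; all addresses are constructed.

```python
import ipaddress

# Constructed addresses: the only hosts allowed to reach server B are the
# proxies in this network (the firewall rule from the reverse proxy section).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.0/28")]

def is_trusted_proxy(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def real_client_ip(peer_ip, x_forwarded_for=None):
    """Return the client address server B should log or rate-limit on."""
    peer = ipaddress.ip_address(peer_ip)
    if not is_trusted_proxy(peer) or not x_forwarded_for:
        # Direct connection, or a header sent by a host that is not our
        # proxy: only the TCP peer address can be believed.
        return str(peer)
    # Each proxy appends the address it received the request from, so walk
    # the list from the right and stop at the first hop that is not ours.
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # unparsable entry: fall back to the peer
        if not is_trusted_proxy(addr):
            return str(addr)
    return str(peer)  # every hop was one of our own proxies
```

Entries to the left of the first untrusted hop are client-supplied and are deliberately ignored.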


Origin blog.csdn.net/u010003835/article/details/98660040