Reverse proxy and Nginx example


1 The concept of reverse proxy
A reverse proxy is a proxy server that accepts connection requests from the Internet, forwards them to a server on the internal network, and returns the result obtained from that server to the Internet client that requested the connection. To the outside world, the proxy server appears to be the server itself.
An ordinary proxy server only proxies connection requests from the internal network to the Internet. The client must specify the proxy server and send to it the http requests that would otherwise go directly to the Web server. Connection requests from the external network to the internal network are not supported, because the internal network is invisible to the external network. When a proxy server can proxy hosts on the external network so that they can access the internal network, the service is called a reverse proxy service. The proxy server then appears to the outside world as a Web server, and the external network can treat it as a standard Web server without any special configuration. The difference is that this server does not hold any real web page data: all static web pages and CGI programs are stored on the internal web server. An attack on the reverse proxy server therefore does not damage the web page information, which enhances the security of the web server.
Reverse proxying is commonly referred to as web server acceleration, a technique that reduces the load on the real web server by placing a high-speed web cache server between a busy web server and the external network. The reverse proxy provides this acceleration for the web server. As a proxy cache, it serves not browser users but one or more specific web servers, proxying access requests from the external network to the internal network.
The reverse proxy server forces access from the external network to the server to pass through it. The reverse proxy server receives the client's request, obtains the content from the origin server, returns the content to the user, and saves the content locally. When it later receives a request for the same information, it sends the content directly from its local cache, which reduces the pressure on the back-end web server and improves the response speed.
2 Reverse proxy server and content server
A proxy server acts as a stand-in for your server, and if your content server has sensitive information that must be kept secure, such as a database of credit card numbers, you can set up a proxy server outside the firewall to act as a stand-in for your content server. When an external client tries to access the content server, it is sent to the proxy server. The actual content resides on the content server and is secured inside the firewall. The proxy server is located outside the firewall and appears to the client as a content server.
When a client makes a request to the site, the request goes to the proxy server. The proxy server then sends the client's request to the content server through a specific path in the firewall. The content server then sends the result back to the proxy server through this channel. The proxy server sends the retrieved information to the client as if the proxy server were the actual content server. If the content server returns an error message, the proxy server intercepts the message and changes any URLs listed in the header before sending the message to the client. This prevents external clients from getting the redirect URL of the internal content server.
In this way, the proxy server provides another barrier between the secure database and a possible malicious attack. Even if an attack succeeds, the perpetrator is at best limited to the information involved in a single transaction, rather than having access to the entire database. Unauthorized users cannot access the real content server because the firewall path only allows the proxy server to have access.
3 Workflow of a reverse proxy server
1) The user sends a request to access the web server through the domain name, and the domain name is resolved by the DNS server to the IP address of the reverse proxy server;
2) The reverse proxy server accepts the user's request;
3) The reverse proxy server looks up the requested content in the local cache, and directly sends the content to the user after finding it;
4) If the content requested by the user is not in the local cache, the reverse proxy server requests the same content from the origin server on behalf of the user and sends it to the user. If the content is cacheable, it is also saved in the cache.
4 Benefits of a reverse proxy
1) It solves the problem of the website server being visible to the outside world;
2) It saves limited IP address resources: all websites in the enterprise share one IP address registered on the Internet, the servers are assigned private addresses, and virtual hosts are used to provide services to the outside world;
3) The real web server is protected: it is invisible to the outside world, and the external network can only see the reverse proxy server. Since there is no real data on the reverse proxy server, the resources of the web server are kept secure;
4) It speeds up access to the website and reduces the burden on the web server. The reverse proxy can cache web pages. If the content the user needs is in the cache, it is served directly from the proxy, which reduces the load on the web server and speeds up user access.
5 Examples of Nginx as a reverse proxy for load balancing
We have introduced the two main things that nginx, a lightweight high-performance server, can do:
Serve directly as an http server (in place of apache; PHP requires FastCGI processor support, which we will introduce later);
Act as a reverse proxy server that implements load balancing (below we give a practical example of how to use nginx for load balancing).
Because of nginx's advantages in handling concurrency, this application is very common these days. Of course, the combination of Apache's mod_proxy and mod_cache can also achieve reverse proxying and load balancing for multiple app servers, but Apache is still not as good at concurrent processing as nginx.
1) Environment:
a. Our local machine runs Windows, and we use VirtualBox to install a virtual Linux system. nginx (listening on port 8080) and apache (listening on port 80) are installed on the local Windows system, and apache (listening on port 80) is installed on the virtual Linux system. This gives us one nginx at the front as the reverse proxy server and two apaches behind it as application servers (which can be regarded as a small server cluster ;-) );
b. nginx is used as the reverse proxy server, placed in front of the two apaches as the entry point for user access; nginx handles only static pages, and dynamic pages (php requests) are all handed to the two apaches in the background for processing. In other words, the static pages or files of our website can be placed in the nginx directory, while dynamic pages and database access stay on the apache servers in the background.
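c. Below we introduce two ways to load balance the server cluster.
We assume the front-end nginx (at 127.0.0.1:80) contains only one static page, index.html;
The two back-end apache servers are localhost:80 and 158.37.70.143:80. The root directory of one holds the phpMyAdmin folder and test.php (whose test code is print "server1";), and the root directory of the other holds only a test.php (whose test code is print "server2";).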
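2) Load balancing by request type:
a. In the simplest reverse proxy setup (nginx serves only static content and hands dynamic content to the back-end apache server), the specific settings are:
Modify nginx.conf:

location ~ \.php$ {
    # Pass every request whose path ends in .php to the back-end apache
    proxy_pass http://158.37.70.143:80;
}

With this, when a client requests localhost:8080/index.html, the front-end nginx answers it directly;
When a user requests localhost:8080/test.php (a file that does not exist in the nginx directory), the setting location ~ \.php$ above (a regular expression that matches paths ending in .php; for details on how location is defined and matched, see http://wiki.nginx.org/NginxHttpCoreModule) makes the nginx server pass the request to the apache server at 158.37.70.143. That server parses its test.php and returns the resulting html page to nginx, which then displays it (nginx can also cache the result if it uses the memcached module or squid). The output is server2.
The above is the simplest example of using nginx as a reverse proxy server;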
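b. We now extend the example above so that it uses both of the servers described above.
In the server block of nginx.conf, change the corresponding part to:

location ^~ /phpMyAdmin/ {
    # Prefix match: everything under /phpMyAdmin/ goes to the local apache
    proxy_pass http://127.0.0.1:80;
}

location ~ \.php$ {
    # Regex match: any other path ending in .php goes to the apache in the virtual machine
    proxy_pass http://158.37.70.143:80;
}

The first part above, location ^~ /phpMyAdmin/, matches by prefix rather than by regular expression (^~), and once it matches, regular-expression locations are not checked. That is, if the URL requested by the client starts with http://localhost:8080/phpMyAdmin/ (there is no phpMyAdmin directory under the local nginx directory), nginx passes the request to the Apache server at 127.0.0.1:80, which parses the pages under the phpMyAdmin directory and sends the result to nginx for display;
If the client requests the URL http://localhost/test.php, the request is passed to the apache at 158.37.70.143:80 for processing.
In summary, we have implemented load balancing by request type.
If the user requests the static page index.html, the front-end nginx answers directly;
If the user requests the test.php page, the Apache at 158.37.70.143:80 answers;
If the user requests a page under the phpMyAdmin directory, the Apache at 127.0.0.1:80 answers;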
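The three routing outcomes above follow from the order in which nginx evaluates locations. The following Python model is an added example, not code from the original article or from nginx; it covers only plain-prefix, ^~ and ~ locations, and the catch-all / location standing for nginx's own static files is an assumption, since the article does not show that part of nginx.conf.

```python
import re

# Locations from section 2) b, in config order.
# Modifier "" = plain prefix, "^~" = prefix that suppresses regex checks,
# "~" = case-sensitive regex. The "/" entry is an assumed default location.
LOCATIONS = [
    ("",   "/",            "nginx static files"),
    ("^~", "/phpMyAdmin/", "http://127.0.0.1:80"),
    ("~",  r"\.php$",      "http://158.37.70.143:80"),
]

def select_location(uri, locations=LOCATIONS):
    """Return the handler nginx would pick for a request URI (simplified model)."""
    path = uri.split("?", 1)[0]  # locations match the path, not the query string

    # Step 1: find the longest matching prefix location.
    best = None
    for modifier, pattern, handler in locations:
        if modifier in ("", "^~") and path.startswith(pattern):
            if best is None or len(pattern) > len(best[1]):
                best = (modifier, pattern, handler)

    # Step 2: if that prefix carries ^~, it wins and regexes are never checked.
    if best is not None and best[0] == "^~":
        return best[2]

    # Step 3: otherwise the first matching regex, in config order, wins.
    for modifier, pattern, handler in locations:
        if modifier == "~" and re.search(pattern, path):
            return handler

    # Step 4: no regex matched, so fall back to the longest prefix.
    return best[2] if best is not None else None

if __name__ == "__main__":
    for uri in ("/index.html", "/test.php", "/phpMyAdmin/index.php",
                "/phpMyAdmin/themes/a.css", "/phpMyAdmin"):
        print(f"{uri:28} -> {select_location(uri)}")
```

Note that /phpMyAdmin/index.php ends in .php yet still goes to 127.0.0.1:80, because the ^~ prefix match stops the regex search, while /phpMyAdmin without the trailing slash does not match the prefix and is not proxied at all.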
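3) Load balancing for requests to the same page:
That is, when users request the same page, http://localhost:8080/test.php, we balance the load across the two servers (in practice the data on the two servers must be kept in sync; here they print server1 and server2 respectively so that we can tell them apart).
a. Our current setup: nginx on Windows listens on port 8080 of localhost;
There are two apaches: one at 127.0.0.1:80 (its test.php page prints server1) and the other in the virtual machine at 158.37.70.143:80 (its test.php page prints server2).
b. So reconfigure nginx.conf as follows:
First, in the http block of the nginx configuration file nginx.conf, add the definition of the server cluster (two servers in our case):

upstream myCluster {
    server 127.0.0.1:80;
    server 158.37.70.143:80;
}

This declares a server cluster containing two servers. Then define the load balancing in the server block:

location ~ \.php$ {
    proxy_pass http://myCluster;    # the name here is the same as the cluster name above
    proxy_redirect off;
    proxy_set_header Host $host;                                    # keep the Host header the client sent
    proxy_set_header X-Real-IP $remote_addr;                        # address of the client connected to nginx
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;    # append that address to any existing header
}

With this, if you request the page http://localhost:8080/test.php, which does not exist in the nginx directory, nginx passes the request to the server cluster defined by myCluster, where it is handled by either 127.0.0.1:80 or 158.37.70.143:80. Because no weight is defined after each server in the upstream definition above, the two are balanced equally. If you want one of them to answer more requests, for example:

upstream myCluster {
    server 127.0.0.1:80 weight=5;
    server 158.37.70.143:80;
}

This means the first server is accessed with a probability of 5/6 and the second with 1/6. Parameters such as max_fails and fail_timeout can also be defined.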
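nginx's default round-robin balancer applies weights with a deterministic "smooth" rotation, so the 5:1 ratio holds exactly over every six requests. The Python model below is an added example (not from the article and not nginx's source); the Upstream class, count_picks and the unavailable parameter, which stands in for a peer ruled out by max_fails/fail_timeout, are illustrative names.

```python
from collections import Counter

# The weighted cluster from the article: (address, weight); weight defaults to 1.
MY_CLUSTER = [("127.0.0.1:80", 5), ("158.37.70.143:80", 1)]

class Upstream:
    """Simplified model of smooth weighted round-robin selection."""

    def __init__(self, servers):
        self.peers = [{"addr": addr, "weight": weight, "current": 0}
                      for addr, weight in servers]

    def pick(self, unavailable=()):
        """Choose the backend for the next request, skipping unavailable peers."""
        total, best = 0, None
        for peer in self.peers:
            if peer["addr"] in unavailable:  # e.g. ruled out by max_fails/fail_timeout
                continue
            # Every live peer gains its weight; the current leader is selected.
            peer["current"] += peer["weight"]
            total += peer["weight"]
            if best is None or peer["current"] > best["current"]:
                best = peer
        if best is None:
            return None                      # no live backend left
        # The winner pays back the total, which spreads its turns out over time.
        best["current"] -= total
        return best["addr"]

def count_picks(servers, requests):
    """Count how many of `requests` consecutive requests each backend receives."""
    upstream = Upstream(servers)
    return Counter(upstream.pick() for _ in range(requests))

if __name__ == "__main__":
    upstream = Upstream(MY_CLUSTER)
    print([upstream.pick() for _ in range(6)])
    print(count_picks(MY_CLUSTER, 600))
```

When one backend is unavailable, all traffic falls on the other, which is why the data on both servers has to stay in sync.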
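In summary, we use nginx's reverse proxy server function and place it in front of multiple apache servers.
nginx only serves static pages and proxies dynamic requests, while the back-end apache servers act as app servers that process the dynamic pages passed from the front end and return the results to nginx.
With this architecture we can load balance a cluster made up of nginx and multiple apaches. There are two kinds of balancing:
1) nginx can be configured so that requests for different content are proxied to different back-end servers; in the example above, requests to the phpMyAdmin directory are proxied to the first server and requests for test.php to the second;
2) nginx can be configured so that requests for the same page are proxied evenly (or by weight, if the servers differ in performance) to different back-end servers. In the example above, requests for the test.php page are proxied evenly to server1 or server2.
In practice, server1 and server2 each hold the same app programs and data, so data synchronization between the two has to be considered.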

 
