[Website architecture] Nginx layer 4 and layer 7 proxy configuration: forward proxy and reverse proxy explained

Hi everyone, and welcome to the Stop Refactoring channel.

In this issue we discuss web proxies.

As mentioned in the previous issue, "Large Website Security", large websites generally need an isolated network zone for security reasons, so that attackers cannot reach the servers directly.

The website system's applications and databases are placed in this isolated network zone, and this creates the proxy problem.

External network requests need to come in, and calls to third-party services need to go out. In this installment we discuss the proxy problem in detail, in this order:

1. Reverse proxy: external network requests come in

2. Forward proxy: requesting external network services

Reverse proxy: receiving external network requests

External network requests pass through a unified gateway, which reverse-proxies them into the isolated network zone. The gateway can be a load-balancing service or server software such as Nginx.


If Nginx is used, the reverse proxy configuration looks like this.


Note that even if the external request is https, it is not necessary for every service in the whole website system to use https. It is enough to configure https at the gateway layer; the system's internal calls still use http.

If a cloud service such as load balancing is used, https only needs to be configured on the load balancer, and the website system's own calls remain http, because there is no benefit to using https inside the website system, and it reduces performance.


Forward proxy: calling external network services

Sometimes the website system needs to call third-party services. A very large website system may also be split into several isolated network zones, and disaster-recovery backups need to be replicated across isolated zones.

In these scenarios the website system has to call a server outside its isolated zone. It does this through the same proxy server, which forward-proxies the request to the target server.


Nginx can also serve as the forward proxy software. There are generally two kinds of forward proxy: the layer 7 proxy and the layer 4 proxy.

The network layering model is generally divided into seven layers according to the OSI model.

Layer 7 is the application layer: the familiar protocols such as HTTP, HTTPS, RTMP and SMTP.

Layer 4 is the transport layer: the basic protocols such as TCP and UDP.

A layer 7 proxy and a layer 4 proxy operate at these two network layers respectively.

With a layer 7 proxy, the Nginx configuration looks like this.

This configuration has the same form as the reverse proxy configuration above, and it can proxy to multiple target servers by matching URL keywords.

For the website system to call an external service, its IP/port must point at the proxy server. We recommend calling by domain name, so the call can be directed to the proxy server by modifying the server's hosts file.

Besides changing what the name points to, you can also configure the proxy through parameters such as http_proxy and https_proxy, but we do not recommend this method because it is hard to manage.

The other option is the layer 4 proxy, whose Nginx configuration looks like this. Here each port must correspond to one target server, and the website system's calls to external services likewise need to point their IP/port at the proxy server.

Because the layer 4 proxy works on the basic TCP/UDP protocols, TCP-based traffic such as HTTP and RTMP can share a proxy port.


The layer 4 proxy configuration is admittedly more cumbersome than the layer 7 one, since each port must correspond to one target server.

But we recommend the layer 4 proxy more.

First, its performance and stability are relatively higher; second, it is easier to manage. Since each port corresponds to one external service, if an unexpected problem arises you can simply close the corresponding port on the proxy server to cut off that external service immediately, without affecting calls to the other external services.
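As an added example (not the original post's configuration), here is one nginx.conf combining the three pieces described above: TLS terminated at the gateway with plain-http upstreams, a layer 7 forward proxy choosing targets by URL prefix, and a layer 4 stream forward proxy with one listen port per external target. All domain names, internal addresses and certificate paths are placeholders.

```nginx
# Added example, not the original post's configuration. Domains, certificate
# paths and the 10.0.1.x backend addresses are assumed placeholders.
events { worker_connections 1024; }

# Layer 7 reverse proxy: TLS ends at the gateway, the isolated zone sees http.
http {
    upstream app_backend {
        server 10.0.1.10:8080;   # internal application servers (plain http)
        server 10.0.1.11:8080;
    }

    server {
        listen 443 ssl;
        server_name www.example.com;
        ssl_certificate     /etc/nginx/certs/fullchain.pem;
        ssl_certificate_key /etc/nginx/certs/privkey.pem;

        location / {
            proxy_pass http://app_backend;            # internal call stays http
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

    # Layer 7 forward proxy: one listen port, target chosen by URL prefix.
    server {
        listen 8080;
        proxy_ssl_server_name on;                     # send SNI to the target
        proxy_ssl_verify on;                          # verify the target's cert
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
        location /pay/ { proxy_pass https://api.pay-provider.example/; }
        location /sms/ { proxy_pass https://api.sms-provider.example/; }
    }
}

# Layer 4 forward proxy: protocol-agnostic, one listen port per external target.
stream {
    server {
        listen 9443;                                  # payment API over TCP
        proxy_pass api.pay-provider.example:443;
    }
    server {
        listen 9935;                                  # RTMP push to a CDN
        proxy_pass live.cdn-provider.example:1935;
    }
    # Closing port 9935 (or removing its block) cuts off only the CDN target.
}
```

Internal services reach the payment API at proxy-host:9443 and the CDN at proxy-host:9935, so each external dependency can be disabled independently at the proxy.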

Summary

In this issue we talked about the website system's proxy scheme, which is actually one part of the previous issue on website system security, discussed here in more detail.


Source: blog.csdn.net/Daniel_Leung/article/details/130467891