Nginx learning (3) - reverse proxy, load balancing, dynamic and static separation, URLRewrite, anti-leeching

Gateways, Proxies and Reverse Proxies

What is a reverse proxy:
A proxy is an intermediary between the user and the server. To the user it is a proxy for the server, and to the server it is a proxy for the user.
A forward proxy is a proxy server that the user actively configures; requests are sent to the target server through it.
A reverse proxy is a proxy that the server side actively provides for users to access.

What is a gateway:
When one network needs to access another, it needs entrances and exits, and these entrances and exits are gateways. Reverse proxy servers and load-balancing servers are just special implementations of a gateway; both fall under the broader concept of a gateway.

Nginx reverse proxy configuration

Add the proxy_pass parameter to the nginx configuration file: (Note that there will be problems with the configuration below)
After reloading the configuration, a browser request to localhost reaches qq.com.
One problem at this point is that after requesting localhost, the address in the address bar changes to https://www.qq.com. The reason is that the address given to the proxy_pass option must not use the https protocol; otherwise nginx sends a redirect response that jumps to the specified URL.

The following configuration also has a problem, because the address is incomplete:

The correct configuration should be:

Reverse proxy-based load balancing configuration


Load balancing strategy

Polling (round robin):
Requests are distributed to the servers one by one. Disadvantage: sessions cannot be maintained.
ip_hash:
Routes by source IP address: the same IP always goes to the same server. Disadvantage: the session is still lost when the IP changes, for example on a mobile device.
least_conn:
Least connections: the request is allocated to whichever server currently has the fewest connections.
URL_hash:
Routes to a specific server according to the URL the user visits (the URL is hashed, and requests with the same hash are forwarded to the same server). Sessions cannot be maintained either. For example, the registration page and the login page have different hashes: if you register on one server and then send a login request, it reaches another server, where the login information cannot be found. Suitable for accessing fixed resources that live on different servers.
fair:
Distributes requests based on the servers' response times. There is a risk of traffic skewing.

Note:
fair, url_hash, least_conn, and ip_hash are not commonly used in production. The biggest reason is that these strategies do not allow servers to be brought online or taken offline dynamically, which makes them very inflexible.
Generally, the Lua scripting language is used to implement custom forwarding.

Load balancing weight related configuration (weight)

There will always be differences in equipment conditions in a server cluster, so more powerful equipment needs to take on more tasks. At this time, high-performance servers can be given a higher weight to improve user experience.
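The strategies and weights described above, written out as upstream blocks. This is an added example, not the configuration from the original post's screenshots; 192.168.165.101 is the site used in the post's curl test, while the other backend addresses and the upstream names are assumptions.

```nginx
# These blocks belong inside the http { } context.

# Weighted round robin (the default strategy): of every 10 requests,
# 8 go to .101 and 2 to .102.
upstream app_weighted {
    server 192.168.165.101:80 weight=8;
    server 192.168.165.102:80 weight=2;
    server 192.168.165.103:80 backup;   # used only when the others are unavailable
    # server 192.168.165.104:80 down;   # marked as permanently unavailable
}

# ip_hash: the key is the first three octets of the client IPv4 address,
# so every client in the same /24 lands on the same backend.
upstream app_ip_hash {
    ip_hash;
    server 192.168.165.101:80;
    server 192.168.165.102:80;
}

# Least connections: pick the backend with the fewest active connections.
upstream app_least_conn {
    least_conn;
    server 192.168.165.101:80;
    server 192.168.165.102:80;
}

# URL hash: the same request URI always goes to the same backend.
upstream static_by_url {
    hash $request_uri;
    server 192.168.165.101:80;
    server 192.168.165.102:80;
}

# "fair" is not part of stock nginx; it needs a third-party module.

server {
    listen 80;
    server_name localhost;

    location / {
        proxy_pass http://app_weighted;   # name of the upstream block to use
    }
}
```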

Dynamic and static separation

Scenario:
Only suitable for small and medium-sized websites with small concurrency.

Principle:
A user's visit produces many dynamic requests and static requests. Fetching resources such as js files and pictures is static access.
In the original setup, Nginx is only responsible for reverse proxying and all resources are on the application server: the user requests Nginx, Nginx requests the application server, the server returns the resources to Nginx, and Nginx returns them to the user.
Dynamic and static separation means placing the static resources that were originally on the application server on the Nginx reverse proxy server. When the user sends a static request, Nginx serves the resource directly, and dynamic requests are forwarded to the application server. This improves the access speed of web pages.

Configuring dynamic and static separation in Nginx


URL-rewrite pseudo-static configuration

rewrite rules can also use regular expressions.

rewrite end flag:

  1. last: After this rule is matched, continue to match new location URI rules.
  2. break: This rule will terminate immediately after matching and will no longer match any subsequent rules.
  3. redirect: Returns a 302 temporary redirect, and the browser address will display the URL address after the jump.
  4. permanent: Returns 301 permanent redirect, and the browser address bar will display the URL address after the jump.
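Dynamic and static separation and a pseudo-static rewrite combined in one server block, showing where each flag from the list above takes effect. This is an added example, not the configuration from the original post's screenshots; the backend address, the /index.jsp page, the pageNum parameter and the js/css/img directory names are assumptions.

```nginx
# Assumed application server that handles the dynamic requests.
upstream app {
    server 192.168.165.102:8080;
}

server {
    listen 80;
    server_name localhost;

    # Static requests: nginx serves these from its own disk
    # (html/js/..., html/css/..., html/img/...) and never contacts the backend.
    # A regex location is checked before the generic "location /" below.
    location ~* ^/(js|css|img)/ {
        root html;
        expires 7d;
    }

    # Dynamic requests: everything else is forwarded to the application server.
    location / {
        # Pseudo-static URL: the client asks for /2.html, the backend
        # receives /index.jsp?pageNum=2. "break" stops rewrite processing
        # and stays in this location, so proxy_pass runs with the new URI
        # and the browser address bar still shows /2.html.
        rewrite ^/([0-9]+)\.html$ /index.jsp?pageNum=$1 break;

        # With "last" instead of "break", nginx would search the locations
        # again using /index.jsp. With "redirect" or "permanent" the client
        # would receive a 302 or 301 and the address bar would show
        # /index.jsp?pageNum=2.

        proxy_pass http://app;
    }
}
```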

Load balancing + URL-rewrite


Anti-hotlinking

What is anti-hotlinking:
When resources are accessed across sites, it is called "hotlinking." Assume that site B, as a commercial website, has many images for commercial use to which it owns the copyright. Site A wants to display these images on its own website and references them directly.
In this way, when a large number of clients visit site A, they actually consume the traffic of site B. This is called a "hot link".
We want to prevent this from happening, which is called "anti-hotlinking."

How to prevent hotlinking:
The HTTP protocol and standard browsers make this problem easy to solve. When the browser loads non-site resources, it adds a header field. The header field name is fixed as referer. This field records the source of the request; the first request does not have the referer field.
The server can detect whether the referer is an allowed host and accept the request if it is, otherwise reject it.

Anti-hotlink configuration:

valid_referers none | blocked | server_names | strings...

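- none: detects the case where the Referer header field is absent.
- blocked: detects the case where the value of the Referer header field has been deleted or masked by a firewall or proxy server. In this case the value of the header field does not start with "http://" or "https://".
- server_names: sets one or more URLs and checks whether the value of the Referer header field is one of these URLs.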

In the Nginx configuration file, add the following configuration to the location that needs to be protected against hotlinking

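# 主机名 ("hostname") is a placeholder for the allowed host.
# none allows access when there is no referer header field; it is optional,
# and without it a request that has no referer cannot access the resource.
valid_referers none 主机名;
if ($invalid_referer) {
	return 403;
}
# Explanation: valid_referers means that if the referer header field matches
# the hostname, the request is accepted. The if block handles invalid referers
# and returns 403.
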

Test using curl:

# 1. View the response headers from the 192.168.165.101 site
curl -I http://192.168.165.101/img/img.png

# 2. With a referer, indicating that the 192.168.165.101 site is accessed from http://baidu.com
curl -e "http://baidu.com" -I http://192.168.165.101/img/img.png
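A fuller anti-hotlinking location that uses every parameter form from the valid_referers syntax line above, as an added example that is not the original post's configuration; www.example.com, *.example.com and the example.org pattern are placeholder names. As the curl -e test shows, the Referer value is whatever the client sends, so this check limits casual hotlinking and bandwidth use and is not a substitute for authentication on private content.

```nginx
server {
    listen 80;
    # 192.168.165.101 is the site from the curl test above;
    # www.example.com is a placeholder for the site's own host name.
    server_name 192.168.165.101 www.example.com;

    # Protect only the image directory, not the whole site.
    location /img/ {
        root html;

        # A request is treated as valid when its Referer is:
        #   none             absent (address-bar visits, curl without -e)
        #   blocked          present, but without an http:// or https:// prefix
        #   server_names     one of the server_name values above
        #   *.example.com    any subdomain of a partner site (wildcard form)
        #   ~\.example\.org/ regular expression, matched against the text
        #                    that follows the scheme
        valid_referers none blocked server_names *.example.com ~\.example\.org/;

        # $invalid_referer is "1" for any other Referer, such as the
        # http://baidu.com value used in the second curl command.
        if ($invalid_referer) {
            return 403;
        }
    }
}
```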


Origin blog.csdn.net/Stars____/article/details/129381510