Apache Reverse Proxy
An Apache reverse proxy forwards client requests to backend servers, and in doing so can improve a site's security, performance and reliability. Through a reverse proxy you can hide the real IP addresses of the backend servers, implement load balancing, cache static content, provide SSL termination and more. This article describes in detail how to configure an Apache reverse proxy, how it works and where it is used, helping you build a high-performance, secure reverse proxy server.
Reverse proxy basics
A reverse proxy is a server that receives client requests, forwards them to one or more backend servers, and finally returns the backend's response to the client. Unlike a forward proxy, a reverse proxy works on behalf of the backend servers; the client does not know that the backend servers exist.
Forward proxy vs reverse proxy
- Forward proxy: works on behalf of the client. The client knows the target server's address; the target server does not know the client's real address.
- Reverse proxy: works on behalf of the backend servers. The client does not know the backend servers' addresses, and the backend servers do not know the client's real address.
How an Apache reverse proxy works
Apache implements reverse proxying with the mod_proxy module. When a client sends a request to the Apache reverse proxy server, Apache forwards the request to a backend server according to its configuration and then returns the backend's response to the client. The whole process is transparent to the client, which does not know that the request was forwarded to a backend server.
The workflow of an Apache reverse proxy is as follows:
- The client sends an HTTP request to the Apache reverse proxy server.
- The Apache reverse proxy server determines from its configuration which backend server the request should be forwarded to.
- The Apache reverse proxy server forwards the request to the backend server.
- The backend server processes the request and generates a response.
- The Apache reverse proxy server receives the backend server's response.
- The Apache reverse proxy server returns the response to the client.
Enabling the Apache reverse proxy modules
To use Apache's reverse proxy functionality, you need to enable the mod_proxy module and its related sub-modules.
# Ubuntu/Debian
sudo a2enmod proxy proxy_http proxy_ajp proxy_balancer lbmethod_byrequests
# Restart Apache
sudo systemctl restart apache2
# CentOS/RHEL
# Edit /etc/httpd/conf/httpd.conf and uncomment the following lines
# (on CentOS/RHEL 7 and later the proxy LoadModule lines live in /etc/httpd/conf.modules.d/00-proxy.conf)
# LoadModule proxy_module modules/mod_proxy.so
# LoadModule proxy_http_module modules/mod_proxy_http.so
# LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
# LoadModule proxy_balancer_module modules/mod_proxy_balancer.so
# LoadModule lbmethod_byrequests_module modules/mod_lbmethod_byrequests.so
# Restart Apache
sudo systemctl restart httpd
Basic reverse proxy configuration
Single backend server
The following is a basic reverse proxy configuration that forwards all requests to a single backend server:
# Add the following to the virtual host configuration
<VirtualHost *:80>
    ServerName example.com
    # Reverse proxy configuration
    ProxyPass / http://backend-server:8080/
    ProxyPassReverse / http://backend-server:8080/
    # Other configuration...
</VirtualHost>
The meaning of each directive:
- ProxyPass: forwards requests for the given path prefix to the backend server.
- ProxyPassReverse: rewrites the Location and Content-Location headers in backend responses so that redirects sent to the client point at the correct public URL.
Path mapping configuration
You can map different paths to different backend servers:
# Add the following to the virtual host configuration
<VirtualHost *:80>
    ServerName example.com
    # Map the /api/ path to the backend API server.
    # Keep the trailing slash on both sides: a bare "/api" prefix would also match
    # paths such as "/apiary", and mismatched slashes produce a malformed backend path.
    ProxyPass /api/ http://api-server:8080/
    ProxyPassReverse /api/ http://api-server:8080/
    # Map the /app/ path to the backend application server
    ProxyPass /app/ http://app-server:8080/
    ProxyPassReverse /app/ http://app-server:8080/
    # Other configuration...
</VirtualHost>
Advanced reverse proxy configuration
1. SSL termination
SSL termination means handling the SSL/TLS connection on the reverse proxy server and then talking to the backend servers in plaintext. This takes the TLS work off the backend servers and centralizes SSL certificate management.
# Add the following to the virtual host configuration
<VirtualHost *:443>
    ServerName example.com
    # SSL configuration
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    # Reverse proxy configuration
    ProxyPass / http://backend-server:8080/
    ProxyPassReverse / http://backend-server:8080/
    # Other configuration...
</VirtualHost>
# Redirect HTTP to HTTPS
<VirtualHost *:80>
    ServerName example.com
    Redirect permanent / https://example.com/
</VirtualHost>
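When TLS ends at the proxy, the backend only ever sees a plaintext connection from the proxy's address, so unless told otherwise it will build http:// redirects and log the proxy as the client. The following virtual host is an added example, not configuration from the article: it terminates TLS as above and passes the real scheme and host on to the backend. The hostname example.com, the certificate paths and the backend address backend-server:8080 are the article's; the TLS versions, the HSTS lifetime and the internal CA path in the commented alternative are assumptions. It needs mod_headers (a2enmod headers) in addition to mod_ssl and mod_proxy_http.

```apache
# Added example: SSL termination that tells the backend how the client connected.
# Assumes mod_ssl, mod_proxy, mod_proxy_http and mod_headers are loaded.
<VirtualHost *:443>
    ServerName example.com

    SSLEngine on
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    # Accept only TLS 1.2 and 1.3 (assumed policy; adjust to your client base).
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # Never act as a forward proxy; only the explicit ProxyPass rules below apply.
    ProxyRequests Off
    # Pass the client's Host header through unchanged so the backend builds
    # redirects and absolute URLs for example.com, not for backend-server:8080.
    ProxyPreserveHost On

    # The backend sees a plaintext hop from the proxy. Tell it the client used
    # HTTPS; "set" overwrites any X-Forwarded-Proto the client itself sent, so the
    # backend can trust the value. mod_proxy_http already adds X-Forwarded-For,
    # X-Forwarded-Host and X-Forwarded-Server (ProxyAddHeaders is On by default).
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port  "443"

    # Ask browsers to stay on HTTPS for two years; add this only once HTTPS is
    # known to work for every hostname covered.
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

    ProxyPass        / http://backend-server:8080/
    ProxyPassReverse / http://backend-server:8080/
</VirtualHost>

# If the backend itself speaks TLS, proxy over https:// and verify its certificate
# instead of using the plaintext hop above (replace the two ProxyPass lines):
#   SSLProxyEngine On
#   SSLProxyVerify require
#   SSLProxyCheckPeerName on
#   SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.pem   # assumed path
#   ProxyPass        / https://backend-server:8443/
#   ProxyPassReverse / https://backend-server:8443/
```

The backend must be configured to honour X-Forwarded-Proto only when the request arrives from the proxy's address; if the backend is reachable directly, a client can set the header itself. Check the result with apachectl configtest before reloading.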
2. Load balancing
Through a reverse proxy you can implement simple load balancing, distributing requests across multiple backend servers:
# Add the following to the virtual host configuration
<VirtualHost *:80>
    ServerName example.com
    # Load balancing configuration
    <Proxy balancer://mycluster>
        BalancerMember http://server1:8080
        BalancerMember http://server2:8080
        BalancerMember http://server3:8080
    </Proxy>
    # Reverse proxy configuration
    ProxyPass / balancer://mycluster/
    ProxyPassReverse / balancer://mycluster/
    # Other configuration...
</VirtualHost>
3. Session stickiness
Session stickiness means always dispatching requests from the same client to the same backend server, so that session state stays consistent:
# Add the following to the virtual host configuration
<VirtualHost *:80>
    ServerName example.com
    # Load balancing configuration
    <Proxy balancer://mycluster>
        BalancerMember http://server1:8080 route=server1
        BalancerMember http://server2:8080 route=server2
        BalancerMember http://server3:8080 route=server3
        # The balancer reads the route from the cookie value after the dot, so the
        # backend must issue session IDs of the form JSESSIONID=<id>.server1
        ProxySet stickysession=JSESSIONID
    </Proxy>
    # Reverse proxy configuration
    ProxyPass / balancer://mycluster/
    ProxyPassReverse / balancer://mycluster/
    # Other configuration...
</VirtualHost>
4. Cache configuration
You can configure the Apache reverse proxy to cache static content, reducing the load on the backend servers:
# Enable the cache modules (Apache 2.4 names the disk backend cache_disk; disk_cache is the old 2.2 name)
sudo a2enmod proxy_http cache cache_disk
# Add the following to the virtual host configuration
<VirtualHost *:80>
    ServerName example.com
    # Cache configuration
    CacheEnable disk /
    CacheRoot /var/cache/apache2/proxy
    CacheDirLevels 2
    CacheDirLength 1
    CacheDefaultExpire 3600
    # Reverse proxy configuration
    ProxyPass / http://backend-server:8080/
    ProxyPassReverse / http://backend-server:8080/
    # Other configuration...
</VirtualHost>
5. Health checks
You can configure Apache to check the health of the backend servers periodically and take unhealthy servers out of rotation automatically:
# Add the following to the virtual host configuration.
# Active health checks need mod_proxy_hcheck (a2enmod proxy_hcheck; Apache 2.4.21 or later).
<VirtualHost *:80>
    ServerName example.com
    # Load balancing with health checks: every 10 s the proxy sends a GET to each
    # member; after 3 consecutive failures the member is removed from rotation and
    # after 2 consecutive passes it is put back.
    <Proxy balancer://mycluster>
        BalancerMember http://server1:8080 hcmethod=GET hcinterval=10 hcfails=3 hcpasses=2
        BalancerMember http://server2:8080 hcmethod=GET hcinterval=10 hcfails=3 hcpasses=2
        BalancerMember http://server3:8080 hcmethod=GET hcinterval=10 hcfails=3 hcpasses=2
        ProxySet lbmethod=byrequests
    </Proxy>
    # Status page. It must be excluded from proxying before the catch-all
    # ProxyPass below, otherwise the request is forwarded to the backend.
    ProxyPass /balancer-manager !
    <Location /balancer-manager>
        SetHandler balancer-manager
        Require ip 127.0.0.1
    </Location>
    # Reverse proxy configuration
    ProxyPass / balancer://mycluster/
    ProxyPassReverse / balancer://mycluster/
    # Other configuration...
</VirtualHost>
Reverse proxy use cases
1. Hiding the backend servers
Through a reverse proxy you can hide the real IP addresses and structure of the backend servers, improving security. Clients see only the reverse proxy server's IP address and cannot reach the backend servers directly.
2. Load balancing
A reverse proxy can distribute requests across multiple backend servers, implementing load balancing and improving the system's reliability and performance. When one backend server fails, the reverse proxy can automatically send requests to the other healthy servers.
3. SSL termination
A reverse proxy can handle the SSL/TLS connection and then talk to the backend servers in plaintext. This takes the TLS work off the backend servers and centralizes SSL certificate management.
4. Caching static content
A reverse proxy can cache static content such as images, CSS and JavaScript files, reducing backend load and improving response times.
5. Content filtering and modification
A reverse proxy can filter and modify requests and responses, for example adding HTTP headers or rewriting content.
6. Unified authentication
A reverse proxy can provide a single authentication mechanism: every request must be authenticated by the reverse proxy before it can reach the backend servers.
7. API gateway
A reverse proxy can serve as an API gateway, handling API request routing, authentication, rate limiting and similar functions.
Reverse proxy best practices
- Use the appropriate modules: choose the proxy modules you need, e.g. mod_proxy_http for HTTP proxying and mod_proxy_ajp for AJP proxying.
- Enable only the necessary modules: load only the proxy modules you actually use, reducing memory usage and attack surface.
- Configure appropriate timeouts: set sensible timeouts so that a failed backend server cannot leave the reverse proxy hanging.
- Enable compression: enable HTTP compression to reduce the amount of data transferred.
- Configure caching: configure caching sensibly to reduce backend load.
- Monitor the backend servers: check backend health regularly so that problems are found and fixed promptly.
- Use SSL/TLS: encrypt the communication between the reverse proxy server and clients with SSL/TLS.
- Limit request size: limit the request body size to mitigate denial-of-service attacks.
- Configure access control: restrict access to the reverse proxy server so that only authorized clients can use it.
- Update regularly: keep Apache and its modules up to date to fix security vulnerabilities.
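Several of the practices above map directly onto Apache directives. The following virtual host is an added example, not configuration from the article, that applies them together: it refuses forward-proxy use, bounds request size and timeouts, compresses text responses and locks down the balancer manager. The balancer name mycluster, the member addresses and example.com are the article's; the numeric limits, the 10.0.0.0/8 admin network and the member parameters are assumptions. It assumes mod_proxy, mod_proxy_http, mod_proxy_balancer, mod_lbmethod_byrequests and mod_deflate are loaded.

```apache
# Added example: a reverse proxy virtual host applying the best practices above.
# ServerTokens is only valid in the server configuration, not inside a VirtualHost.
ServerTokens Prod

<VirtualHost *:80>
    ServerName example.com

    # Do not advertise the Apache version in generated pages.
    ServerSignature Off

    # A reverse proxy must never accept forward-proxy requests: an open proxy lets
    # anyone relay traffic through your server. Off is the default; set it explicitly.
    ProxyRequests Off

    # Cap request bodies at 10 MB (assumed limit) so oversized uploads cannot tie
    # up the proxy or the backend.
    LimitRequestBody 10485760

    # Compress text responses before sending them to clients.
    AddOutputFilterByType DEFLATE text/html text/plain text/css application/json application/javascript

    <Proxy balancer://mycluster>
        # Per-member timeouts: spend at most 5 s connecting and 30 s waiting for a
        # response, and leave a member that failed out of rotation for 60 s.
        BalancerMember http://server1:8080 connectiontimeout=5 timeout=30 retry=60
        BalancerMember http://server2:8080 connectiontimeout=5 timeout=30 retry=60
        BalancerMember http://server3:8080 connectiontimeout=5 timeout=30 retry=60
        ProxySet lbmethod=byrequests
    </Proxy>

    # The manager can change the pool at runtime, so it must stay local. Exclude it
    # from proxying BEFORE the catch-all rule, or the request goes to the backend.
    ProxyPass /balancer-manager !
    <Location /balancer-manager>
        SetHandler balancer-manager
        Require ip 127.0.0.1 10.0.0.0/8
    </Location>

    ProxyPreserveHost On
    # Fallback timeout for proxied requests without a per-member value.
    ProxyTimeout 30

    ProxyPass        / balancer://mycluster/
    ProxyPassReverse / balancer://mycluster/
</VirtualHost>
```

Run apachectl configtest after editing; a directive placed in the wrong context (such as ServerTokens inside the VirtualHost) is reported there rather than silently ignored.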
Notes
When configuring an Apache reverse proxy, keep the following in mind:
- Make sure the backend servers accept requests coming from the reverse proxy server.
- Configure appropriate timeouts so that a failed backend server cannot leave the reverse proxy hanging.
- Enable the ProxyPreserveHost directive so that the backend servers receive the correct Host header.
- For applications that need session stickiness, configure a suitable stickiness mechanism.
- Monitor the reverse proxy server's performance and health regularly.
Hands-on case: an Apache reverse proxy server
Step 1: Enable the reverse proxy modules
# Enable the reverse proxy modules
sudo a2enmod proxy proxy_http proxy_ajp proxy_balancer lbmethod_byrequests
# Restart Apache
sudo systemctl restart apache2
Step 2: Configure a basic reverse proxy
# Create the virtual host configuration file
sudo nano /etc/apache2/sites-available/reverse-proxy.conf
# Add the following content
<VirtualHost *:80>
    ServerName proxy.example.com
    # Reverse proxy configuration
    ProxyPass / http://backend-server:8080/
    ProxyPassReverse / http://backend-server:8080/
    # Preserve the original Host header
    ProxyPreserveHost On
    # Timeout configuration
    ProxyTimeout 60
    # Other configuration...
</VirtualHost>
# Enable the virtual host
sudo a2ensite reverse-proxy
# Restart Apache
sudo systemctl restart apache2
Step 3: Configure SSL termination
# Install a Let's Encrypt certificate
sudo apt install certbot python3-certbot-apache
sudo certbot --apache -d proxy.example.com
# Edit the virtual host configuration file
sudo nano /etc/apache2/sites-available/reverse-proxy-le-ssl.conf
# Make sure the configuration contains the following
<VirtualHost *:443>
    ServerName proxy.example.com
    # SSL configuration
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/proxy.example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/proxy.example.com/privkey.pem
    Include /etc/letsencrypt/options-ssl-apache.conf
    # Reverse proxy configuration
    ProxyPass / http://backend-server:8080/
    ProxyPassReverse / http://backend-server:8080/
    # Preserve the original Host header
    ProxyPreserveHost On
    # Timeout configuration
    ProxyTimeout 60
    # Other configuration...
</VirtualHost>
# Restart Apache
sudo systemctl restart apache2
Step 4: Configure load balancing
# Edit the virtual host configuration file
sudo nano /etc/apache2/sites-available/reverse-proxy.conf
# Change it to the following content
<VirtualHost *:80>
    ServerName proxy.example.com
    # Load balancing configuration
    <Proxy balancer://mycluster>
        BalancerMember http://server1:8080
        BalancerMember http://server2:8080
        BalancerMember http://server3:8080
    </Proxy>
    # Status page; excluded from proxying so it is handled locally rather than forwarded
    ProxyPass /balancer-manager !
    <Location /balancer-manager>
        SetHandler balancer-manager
        Require ip 127.0.0.1
    </Location>
    # Reverse proxy configuration
    ProxyPass / balancer://mycluster/
    ProxyPassReverse / balancer://mycluster/
    # Preserve the original Host header
    ProxyPreserveHost On
    # Timeout configuration
    ProxyTimeout 60
    # Other configuration...
</VirtualHost>
# Restart Apache
sudo systemctl restart apache2
# Access the status page (only from 127.0.0.1, as configured above)
# http://proxy.example.com/balancer-manager
Step 5: Configure caching
# Enable the cache modules
sudo a2enmod cache cache_disk
# Create the cache directory
sudo mkdir -p /var/cache/apache2/proxy
sudo chown www-data:www-data /var/cache/apache2/proxy
# Edit the virtual host configuration file
sudo nano /etc/apache2/sites-available/reverse-proxy.conf
# Add the cache configuration
<VirtualHost *:80>
    ServerName proxy.example.com
    # Cache configuration
    CacheEnable disk /
    CacheRoot /var/cache/apache2/proxy
    CacheDirLevels 2
    CacheDirLength 1
    CacheDefaultExpire 3600
    CacheMaxExpire 86400
    # Load balancing configuration
    <Proxy balancer://mycluster>
        BalancerMember http://server1:8080
        BalancerMember http://server2:8080
        BalancerMember http://server3:8080
    </Proxy>
    # Status page; excluded from proxying so it is handled locally rather than forwarded
    ProxyPass /balancer-manager !
    <Location /balancer-manager>
        SetHandler balancer-manager
        Require ip 127.0.0.1
    </Location>
    # Reverse proxy configuration
    ProxyPass / balancer://mycluster/
    ProxyPassReverse / balancer://mycluster/
    # Preserve the original Host header
    ProxyPreserveHost On
    # Timeout configuration
    ProxyTimeout 60
    # Other configuration...
</VirtualHost>
# Restart Apache
sudo systemctl restart apache2
Interactive exercises
Exercise 1: Basic reverse proxy configuration
Configure an Apache reverse proxy server that forwards all requests to a backend server running on port 8080. Make sure the ProxyPass and ProxyPassReverse directives are configured correctly.
Exercise 2: Path mapping configuration
Configure an Apache reverse proxy server that maps different paths to different backend servers:
- map the /api path to an API server running on port 8081
- map the /app path to an application server running on port 8082
- map the /static path to a static file server running on port 8083
Exercise 3: SSL termination configuration
Configure an Apache reverse proxy server that implements SSL termination:
- obtain and install a Let's Encrypt certificate
- configure an HTTPS virtual host
- forward HTTPS requests to the backend server
- redirect HTTP requests to HTTPS
Exercise 4: Load balancing configuration
Configure an Apache reverse proxy server that implements load balancing:
- configure 3 backend servers
- implement basic load balancing
- configure session stickiness
- configure the load balancing status page