"How to connect the network" reading notes - Web server request and response (4)

Key points of this chapter

• The position and function of firewall and the modern mainstream server deployment mode .
• The role and deployment of the cache server .
• Three ways of agency and their differences .
• What is a content distribution service ？ The impact of different deployment methods of cache servers .

Firewall and network access

If the server is not protected and streaks , There is a high probability of network attack , Nowadays, most companies use firewalls + How the server is deployed . The other is to buy a server provider directly, which is a common cloud service , Directly let the professional third-party server management to protect .

There are three main ways to protect against network attacks , One of the most used and effective is Packet filtering .

The first method is packet filtering , Packet filtering is very simple , Because the header of the network packet contains all the information requested by the network , Through the receiver IP The earth Address and sender IP Address , We can determine the start and end of the package . Because the destination of the request can be determined , That is to say WEB The server , So a firewall is added to isolate abnormal requests .

The second way is to use ports to limit , The firewall controls whether the request network of a port can release different requests IP Access to different ports .

The third is TCP Layer protection ,TCP You need to send and receive when performing the connection operation 3 A package , The first package usually uses other ports , It can be judged that it must be in Web The server Specially set in the program , So just adjust the firewall settings according to the server settings , Usually in this bag TCP In control bit SYN by 1, and ACK by 0.

These values are different in other packages , because As long as you follow this rule, you can filter to TCP The first package connected . because WEB The server is blocked from sending to the Internet , Therefore, the interception is realized , In the opposite direction , The first package is sent to WEB Server's , Return from WEB Back to , So Internet access WE B There is no problem .

Finally, this is achieved “ No entry, no exit ” The effect of , According to the working principle of address translation discussed in Chapter 3 , When using address translation , By default, the company's intranet cannot be accessed from the Internet , So we don't need to set another packet filter rule To prevent access to the company's intranet from the Internet .

Finally, it should be noted that packet interception and filtering is not a unique function of the firewall , It is an additional function based on the packet forwarding function of the router .

This mechanism is typical for firewalls “ Hustle outside but not inside ” The existence of , It means that although the external enemy is intercepted , But the emergence of an insider that the firewall cannot defend cannot be solved , So for the problems that the firewall cannot handle , It also extends several treatment methods ：

• The first is to repair the application BUG, these BUG It is usually a system vulnerability that the technical personnel do not consider in the development process , This kind of problem can be quickly fixed by artificial means .
• The second is to add one layer , Intercept abnormal traffic , For example, the most classic DDos attack , It is obviously not possible to use your own firewall , There must be an external monitoring protection server for protection .

Load balancing

Single machine load balancing is a meaningless pseudo load balancing , All the situations discussed below are introduced in the case of multi physical or multi host mapped virtual machines .

Load balancing usually uses cache servers , Cache server is a server that caches data through proxy mechanism .

The cache server is located at web There is a connection between the server and the client WEB Transfer function of , The main task is very simple WEB The data returned by the server is cached and serialized in the disk , The aim is to improve WEB The response speed of the server .

The biggest problem with the cache server is that the cache may not be synchronized and see old data after the server has finer data , This cache provides the maximum storage time of the cache and the feature of user access isolation , The simple understanding is that the content seen by different clients is different , However, from the perspective of the server, it is the cache server that interacts with it .

Determine when you need to directly return server data instead of caching data , A simple scheme is to check the change of network message information of the client , And you should also tell yourself whether to cache or server data when you return .

Finally, the biggest problem of caching is the cache hit rate , However, this problem is not within the scope of this chapter, and we will not introduce it too much .

Agent processing

Forward agency ： When forward proxies first appeared , One of its purposes is caching , This purpose is similar to The server The cache servers on the client side are the same . When you set Forward proxy , The browser will ignore the contents of the URL bar , Send all requests directly to the forward proxy The reason is . The content of the request message is also somewhat different .

Forward proxy is the simplest and most intuitive proxy method , It has the following characteristics ：

1、 Access internal nodes ： The springboard is usually used as a tool to access the intranet .

2、 Speed up access ： The proxy server can cache intranet resources , When a user requests a cached resource , Send it directly to the user , For example, Alibaba cloud in China MAVEN Warehouse .

3、 Access control ： The proxy server can set access permissions , Control the access of external hosts to intranet resources . Simple permission control prevents external access to the internal network .

Some good proxy tools ：

1.reDuh Source code https://github.com/sensepost/reDuh

2.reGeorg Source code https://github.com/sensepost/reGeorg

3.tunna Source code https://github.com/SECFORCE/Tunna

Reverse proxy

Just the opposite of forward proxy , For the client, the proxy server is like the original server , And the client does not need to make any special settings . Client to reverse proxy namespace (name-space) The content in sends a normal request , Then the reverse agent will determine where ( Original server ) Forward the request , And return the obtained content to the client .

The role of the reverse proxy server ：

Cluster deployment enables load balancing ,CDN technology （ A distributed content distribution network built on a data network ）, Front end servers ,Nginx（ Asynchronous framework web server ） etc. .

1、 User access web The service , You don't know that you are accessing a proxy server , The proxy server is web The server .

2、 Speed up access , Like the forward proxy, it can cache intranet data .

3、 Load balancing , Reduce the burden on a single server , Improve the utilization of overall resources .

Transparent proxy

It means that the client does not need to know the existence of a proxy server at all , It modifies your request message , And it will transmit the truth IP. Note that the encrypted transparent proxy belongs to the anonymous proxy , You don't need to set up a proxy . Is insensitive to the entire request . Also because it is imperceptible , So transparent proxy is not compatible with reverse proxy .

The role of transparent proxies ：

1、 The practical example is the behavior management software used by many companies nowadays .

2、 Client access web I don't know that it is accessed through a proxy server .

3、 Firewall setting transparent proxy , When PC Let the proxy server request web When the page is , The proxy server returns page data .

Content distribution service

Cache servers are deployed in different places , The effect will be completely different . See the following figure directly for different deployment methods , Here we mainly record the advantages and disadvantages of the third deployment method .

The third deployment method is to sign a contract with the network operator to deploy the cache server nearby （ similar CDN）, Of course, such expenses are obviously huge , So there are also middlemen who specialize in these things , These operators are called CDSP（ Content Delivery Service Provider, Content distribution service operators ）.

These operators will sign contracts with major Internet providers , And deploy many cache servers , The cache server can cache the data of multiple websites , therefore CDSP The cache server can To provide to multiple Web The operator of the server shares .

How to make the client find the nearest server

The answer is to use it like load balancing DNS Server to allocate access , about DNS towards Web return IP And return some additional information .

How to estimate the distance between the client and the nearest server , You can put all the routes into the routing table , The distance can be determined by the number of routes , Although not necessarily identical , But the position can be determined with great accuracy .

The other way is to find the nearest cache server through redirection , The redirection server collects the routing information from each router , And based on this information, find the most recent Cache server for .

In addition to collecting routing information , Redirection can also return a script that estimates the distance to the cache server by the round-trip time of network packets , Find the best cache server by running the script on the client .

Impact of cache updates

Cache updates will affect the efficiency of the cache server , So the update method is very important .

A common update method is to notify the cache server immediately every time the original server updates , Keep it up to date , The executor of this function is the content distribution service .

In addition to writing static pages , Another way is to choose not to save the page, but to separate the dynamic content and static content of the web page , For example, image server 、 File servers, etc .

summary

This chapter can be regarded as a more popular science chapter , In fact, it can also be regarded as a type that can be seen or not seen , Personally, I think the focus is on the part of agent processing , Understand the three proxy methods .

The content of load balancing needs further study Nginx Related content of , The content of this chapter is too shallow .

In a word, it is a relaxed and pleasant chapter .