Gotchas for reverse proxy setups

PROXYreverse-proxy

We run multiple web applications, some internal-only, some internal/external. I'm putting together a proposal that we use reverse proxy servers to isolate the origin servers, provide SSL termination and (when possible) provide load balancing. For much of our setup, I'm sure it will work nicely, but we do have a few lesser-known proprietary applications that may need special treatment when we move forward with reverse-proxying.

What kinds of traps tend to cause problems when moving an origin server from being on the front lines to being behind a proxy? (For example, I can imagine problems if an application needed to know the IP address of incoming requests.)

Best Answer

The most frequent pitfall are redirections generated in the application that you will have to rewrite in reverse proxy, the client ip address issue you already said, if using ssl termination maybe the server wants to check client certificate or get user information from it. For proper edge-side reverse proxy caching, application modifications may be needed (adecuate expire headers, unset unneeded cookies, etc.). If you are using windows integrated auth it may be unachievable or a true nightmare

Then you could have tunning issues but I think those will be much easier to resolve. My preferred toolset for this task would be:

Nginx in the outer layer for virtual host management and location mapping,compression,ssl, access logging
varnish for caching
haproxy for request queuing, load balancing and backend checking.
If you need high availability for you reverse-proxy box(es) keepalived does the job

Related Solutions

Nginx – How to set up Nginx as a caching reverse proxy

I don't think that there is a way to explicitly invalidate cached items, but here is an example of how to do the rest. Update: As mentioned by Piotr in another answer, there is a cache purge module that you can use. You can also force a refresh of a cached item using nginx's proxy_cache_bypass - see Cherian's answer for more information.

In this configuration, items that aren't cached will be retrieved from example.net and stored. The cached versions will be served up to future clients until they are no longer valid (60 minutes).

Your Cache-Control and Expires HTTP headers will be honored, so if you want to explicitly set an expiration date, you can do that by setting the correct headers in whatever you are proxying to.

There are lots of parameters that you can tune - see the nginx Proxy module documentation for more information about all of this including details on the meaning of the different settings/parameters: http://nginx.org/r/proxy_cache_path

http {
  proxy_cache_path  /var/www/cache levels=1:2 keys_zone=my-cache:8m max_size=1000m inactive=600m;
  proxy_temp_path /var/www/cache/tmp; 


  server {
    location / {
      proxy_pass http://example.net;
      proxy_cache my-cache;
      proxy_cache_valid  200 302  60m;
      proxy_cache_valid  404      1m;
    }
  }
}

The difference between Load Balancer and Reverse Proxy

Your confusion is reasonable - they are often the same thing. But not always. When you refer to a load balancer you are referring to a very specific thing - a server or device that balances inbound requests across two or more web servers to spread the load. A reverse proxy, however, typically has any number of features:

load balancing: as discussed above
caching: it can cache content from the web server(s) behind it and thereby reduce the load on the web server(s) and return some static content back to the requester without having to get the data from the web server(s)
security: it can protect the web server(s) by preventing direct access from the internet; it might do this through simple means by just obfuscating the web server(s) or it may have some more active components that actually review inbound requests looking for malicious code
SSL acceleration: when SSL is used; it may serve as a termination point for those SSL sessions so that the workload of dealing with the encryption is offloaded from the web server(s)

I think this covers most of it but there are probably a few other features I've missed. Certainly it isn't uncommon to see a device or piece of software marketed as a load balancer/reverse proxy because the features are so commonly bundled together.

Best Answer

Related Solutions

Nginx – How to set up Nginx as a caching reverse proxy

The difference between Load Balancer and Reverse Proxy

Related Topic