reverse proxy & web cache

REVERSE PROXY & WEB CACHE BY : ELMAHDI BENZEKRI

Upload: el-mahdi-benzekri

Post on 09-Jan-2017


TRANSCRIPT

Page 1: Reverse proxy & web cache

REVERSE PROXY & WEB CACHE

BY : ELMAHDI BENZEKRI

Page 2: Reverse proxy & web cache

Proxy vs Reverse Proxy

Page 3: Reverse proxy & web cache

Reverse proxy in 4 questions – What is a reverse proxy?
• Bridge between the local enterprise network and the external network.
• Avoids exposing the front-end servers.
• Intended to be secured and to absorb large loads of traffic.

Page 4: Reverse proxy & web cache

Reverse proxy in 4 questions – What are its additional features?
• Access logs
• Cache
• Load balancing
• Data compression, firewall
• Authentication and SSL encryption

Page 5: Reverse proxy & web cache

Reverse proxy in 4 questions – Can it reduce the complexity of a web architecture?
• Yes.

Page 6: Reverse proxy & web cache

Reverse proxy in 4 questions – Can it reduce the complexity of a web architecture?
• Yes.
• All the requests pass through it => uniform error pages, access logs...
• Exposes only one address to the outside

Page 7: Reverse proxy & web cache

Reverse proxy in 4 questions – What are the most used reverse proxies?
• Depends on the predominant web server
• Free
  • Nginx
  • Apache
  • Squid
  • HAProxy
• Proprietary
  • Microsoft ISA Server
  • BIG-IP
• Traffic management appliances that also fulfill this task: F5 Networks, Cisco…

Page 8: Reverse proxy & web cache
Page 9: Reverse proxy & web cache

NGINX
• Open source, written in 2002 in C by Igor Sysoev
• C10K problem
• Global syntax:

<section> {<directive> <parameters>}

Page 10: Reverse proxy & web cache

Apache HTTPD
• Hyper Text Transfer Protocol Daemon
• Not the same thing as Tomcat
• The most popular (39% in 2015)
• Written in C in 1995 as an add-on to NCSA HTTPd
• Version 2 comes with a lot of features

Page 11: Reverse proxy & web cache

Apache vs Nginx - Connection handling architecture
• Apache httpd provides multi-processing modules
  • mpm_prefork
  • mpm_worker
  • mpm_event
• Nginx: asynchronous, non-blocking, event-driven connection handling
  • One master and several worker processes

Page 12: Reverse proxy & web cache

Apache vs Nginx - Connection handling architecture

Page 13: Reverse proxy & web cache
Page 14: Reverse proxy & web cache

Web caching management
• Improved responsiveness
• Increased performance on the same hardware
• Availability of content during network interruptions

Page 15: Reverse proxy & web cache

Web caching management
• Caching headers:
  • Expires
  • Cache-Control
  • ETag
  • Last-Modified
  • Content-Length
• Cache-Control flags
  • no-cache
  • no-store
• What cannot be cached?
  • Dynamic pages
  • Content with authentication cookie
  • Content linked to user or cart…
• Terminology
  • Origin server
  • Cache hit ratio
  • Stale content
  • Validation
  • Invalidation

Page 16: Reverse proxy & web cache

Web caching management - nginx
• proxy_cache_valid any 10m;
• proxy_cache_path /var/www/cache levels=1:2 keys_zone=my-cache:8m max_size=1000m inactive=600m;
• proxy_temp_path /var/www/cache/tmp;
• proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
• location / {
    proxy_cache my-cache;
  }
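An added example, not part of the original slides: the cache directives above combined with the "what cannot be cached" rule from the previous slide, so that requests carrying a session cookie or credentials are neither answered from nor stored in the shared cache. The backend address 127.0.0.1:8080 and the cookie name JSESSIONID are assumptions for a Tomcat backend.

```nginx
# Added example for the http {} context. Backend address and cookie name are assumptions.
proxy_cache_path /var/www/cache levels=1:2 keys_zone=my-cache:8m
                 max_size=1000m inactive=600m;

server {
    listen 80;

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed Tomcat backend

        proxy_cache my-cache;
        # Key on scheme + host + full URI so two virtual hosts never share an entry.
        proxy_cache_key $scheme$host$request_uri;

        # Cache successful answers for 10 minutes and 404s briefly;
        # "any 10m" would also keep error pages for 10 minutes.
        proxy_cache_valid 200 301 10m;
        proxy_cache_valid 404 1m;

        # Requests with a session cookie or credentials skip the cache lookup...
        proxy_cache_bypass $cookie_JSESSIONID $http_authorization;
        # ...and their responses are never written to the cache.
        proxy_no_cache     $cookie_JSESSIONID $http_authorization;

        # Serve stale entries only while the backend is failing or being refreshed.
        proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;

        # Expose HIT / MISS / BYPASS / STALE so cache behaviour can be checked in responses.
        add_header X-Cache-Status $upstream_cache_status;
    }
}
```

By default nginx also refuses to cache a response that carries Set-Cookie or a Cache-Control value of private, no-cache or no-store, as long as those headers are not disabled with proxy_ignore_headers.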

Page 17: Reverse proxy & web cache

Web caching management - varnish
• By Poul-Henning Kamp (FreeBSD dev) in 2006
• Reverse proxy cache server
• HTTP processor
• Optimized for Linux
• Custom configuration language

Page 18: Reverse proxy & web cache

Web caching management - varnish

DAEMON_OPTS="-a :6081 \
             -T localhost:6082 \
             -f /etc/varnish/default.vcl \
             -S /etc/varnish/secret \
             -s malloc,256m"

Subroutines:
• sub vcl_recv {}
• sub vcl_hash {}
• sub vcl_backend_response {}
• sub vcl_deliver {}
• …

Request and response VCL objects:
• req, bereq, beresp, resp, obj

Return in each subroutine:
• return(pass)
• return(fetch)
• return(deliver)
• …

Page 19: Reverse proxy & web cache

Load balancing
• Traffic is intelligently distributed amongst multiple servers (app instances)
• Features
  • Optimizing resource utilization
  • Reducing latency
  • Ensuring fault tolerance
• Some load balancing solutions
  • Open source
    • Nginx
    • HAProxy
  • Corporate standard
    • F5
    • Citrix

Page 20: Reverse proxy & web cache

Load balancing - comparison

NGINX | HAPROXY
Only HTTP | TCP based
On-request health check | Out-of-band health check
Three algorithms | Multiple algorithms
Complicated tasks based on HTTP info | -
HTTP2 & SSL in v1.9 | Only in dev version
Free & commercial version | Free

Page 21: Reverse proxy & web cache

Load balancing with Nginx
• Load balancing methods
  • Round robin
  • Least connected
  • IP hash
• Session persistence
• Weighted load balancing
• Health check (passive)
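An added example, not part of the original slides, showing how the items on this slide map to nginx directives: method selection, weights, and passive health checks. The pool name tomcat_pool and the two backend addresses are assumptions standing in for two local Tomcat instances.

```nginx
# Added example for the http {} context. Pool name and backend addresses are assumptions.
upstream tomcat_pool {
    # Method: round robin is the default. Enable at most one of the following.
    least_conn;        # pick the server with the fewest active connections
    # ip_hash;         # same client IP -> same server (simple session persistence)

    # Weighted: A receives about three requests for each one sent to B.
    # Passive health check: after 3 failed attempts within 30s the server
    # is taken out of rotation for 30s.
    server 127.0.0.1:8080 weight=3 max_fails=3 fail_timeout=30s;   # Tomcat A
    server 127.0.0.1:8081 weight=1 max_fails=3 fail_timeout=30s;   # Tomcat B
}

server {
    listen 80;

    location / {
        proxy_pass http://tomcat_pool;

        # Defines what counts as a failed attempt (for max_fails) and
        # when the request is retried on the next server.
        proxy_next_upstream error timeout http_502 http_503 http_504;

        # Pass the original host and client address on, so backend access logs
        # show the real client and not the proxy.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

The health check is passive because nginx only learns that a backend is down from failed client requests; nothing probes the servers in the background.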

Page 22: Reverse proxy & web cache

Optimizing Nginx
• Number of workers
  • grep processor /proc/cpuinfo | wc -l
• worker_connections
  • ulimit -n
• Limiting the buffer size
  • client_header_buffer_size 1k;
  • client_max_body_size 8m;
  • large_client_header_buffers 2 1k;
• Timeouts
  • client_body_timeout 12;
  • client_header_timeout 12;
  • keepalive_timeout 15;
• Gzip compression

Page 23: Reverse proxy & web cache

DEMO
• 2 Tomcat
• Nginx > tomcat
• Nginx if / break / set / rewrite
• Nginx headers
• Nginx cache
• Nginx log + blacklist
• Nginx > 2tomcat
• Nginx > varnish > tomcat

Page 24: Reverse proxy & web cache

DEMO

TOMCAT A

TOMCAT B

Page 25: Reverse proxy & web cache

THANK U