Why You Should Use Reverse Proxies on Alibaba Cloud

By Muaaz Sarfaraz, Alibaba Cloud Community Blog author.

In this blog article, we talk about why you should use a reverse proxy and how a reverse proxy differs from a load balancer. We also look at how reverse proxies can be used on Alibaba Cloud. NGINX is used as the reverse proxy in this article, as it is the most common open source tool used worldwide as a web service.

What Is a Reverse Proxy?

Within a network of workstations, a reverse proxy requests information from the application server on behalf of a client and routes each request to the relevant application server (in case there is more than one application server). For the client this is seamless: it gets the required response as expected.

Why Use Reverse Proxies?

What Is a Load Balancer?

Now a natural question to ask would be “what’s the difference between a reverse proxy and a load balancer?” Both seem quite similar, because a Server Load Balancer (SLB) can also relay the client's request to the server and is the one exposed on a public IP. However, one difference, of course, is that the application servers are behind it.

So What Is the Difference between Reverse Proxy and Load Balancer?

A reverse proxy’s main function is to act as an additional line of defense for the back-end servers, while a load balancer’s main function is to offer high availability and load balancing. There are some tasks that both can perform but are not specialized for, and there are some tasks that one can perform and the other cannot. For example, a reverse proxy caches requests, while SLB does not, which means a reverse proxy can return a response to the client from its cache. Moreover, a reverse proxy can proxy to any back-end: any website, an ECS instance, a container or OSS, while with an SLB you are limited to an ECS instance, a container or a limited set of cloud products. On the other hand, scaling is inherently easy with SLB as it is built specifically for that purpose, while with a reverse proxy this is challenging.

Tutorial: How to Set up a Reverse Proxy

1. First, we need to install NGINX. The rpm file for NGINX on CentOS can be downloaded from nginx.org.

The command for downloading the rpm binary package for NGINX is as follows:

wget http://nginx.org/packages/centos/7/x86_64/RPMS/nginx-1.14.2-1.el7_4.ngx.x86_64.rpm

This downloads the file into the directory the command was called from. In case you have another Linux distribution, look for the relevant packages for that distribution at http://nginx.org/packages/

2. Install NGINX by running the command below:

rpm -ivh nginx-1.14.2-1.el7_4.ngx.x86_64.rpm

3. Once NGINX is installed, you can test it with the nginx -v command, which prints the nginx version.

  • Now we have to edit the NGINX configuration file in order to set up the desired reverse proxy.

For example, a client's HTTP request has to be served by a backend server with the IP 10.1.244.35, in order to establish the setup shown below.

Once you have made sure that the relevant ports are open for communication between the relevant nodes, edit the configuration file at /etc/nginx/nginx.conf.

Keep the default file as is and create a new file in the nginx.conf directory with a relevant name 'application.conf'.

Write the following in the configuration file

---------------------------------------------------------
# Configuration file
# Upstream group: the backend server(s) that traffic is routed to
upstream anynameofyourchoice {
    # ip_hash;       # uncomment for sticky sessions (same client IP -> same backend)
    keepalive 100;   # idle keepalive connections to the backend kept per worker
    server 10.1.244.35;
}
server {
    listen 80;
    listen [::]:80;
    server_name yourpublicwebsite.com;
    location / {
        proxy_pass http://anynameofyourchoice;
        proxy_send_timeout 60m;
        send_timeout 15m;
        proxy_read_timeout 60m;
        proxy_connect_timeout 60m;
        client_max_body_size 0;   # 0 disables the request body size check
        # enable websocket
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

In case your configuration is simple, you can also try the basic setting with the configuration file shown below (only use one of the two configuration files provided here, not both).

Configuration File 2 (For simpler cases)

---------------------------------------------------------------
server {
    listen 80;
    listen [::]:80;
    server_name yourpublicwebsite.com;
    location / {
        # forward every request to the backend server
        proxy_pass http://10.1.244.35;
    }
}

Note: In both the configuration files replace the relevant text with your own public domain and backend server IP.

  • Replace <yourpublicwebsite.com> with your own public domain
  • Replace <10.1.244.35> with your own backend server IP

The upstream block holds the backend server IP to which traffic is routed, and an alias (anynameofyourchoice) is given to it so that it is easy to refer to in the 'server' section. The listen directive sets the port on which the server receives connections for the public domain; this is usually HTTP traffic (it could be HTTPS as well), hence 80 is specified. After that you specify your public domain name. The other settings ensure that the timeout limit is enough for the page to respond, and in certain cases you would need websocket to be enabled.

4. You can use any one of the following commands to start nginx now:

  • sudo nginx
  • sudo service nginx start
  • systemctl start nginx

It would read and initiate as per the configuration file.

At this stage the nginx should be up and running, and if the configuration file is right, it would start acting as reverse proxy.

To edit and re-start the service you would have to follow these steps:

A. Stop the nginx service (cmd: sudo nginx -s stop)

B. Edit the configuration file

C. Restart the services (cmd: sudo nginx)

Use Case

Scenario

The purpose of the setup is to let public website visitors access the static web pages through our reverse proxy and, once subscribed to the dashboard, access the dashboard, which nginx routes based on the permalink (/global, /form, /hub, etc.).

The steps shown above stay the same apart from the configuration file. Below we share the configuration file for achieving this use case.

Configuration file

# Configuration file
# Upstream group for the dashboard backend
upstream qlikwebsocket {
    # ip_hash;       # uncomment for sticky sessions (same client IP -> same backend)
    keepalive 100;   # idle keepalive connections to the backend kept per worker
    server 10.14.14.24;
}
server {
    listen 80;
    listen [::]:80;
    server_name dashboard.com;
    location /global/ {
        proxy_pass http://qlikwebsocket;
        proxy_send_timeout 60m;
        send_timeout 15m;
        proxy_read_timeout 60m;
        proxy_connect_timeout 60m;
        client_max_body_size 0;   # 0 disables the request body size check
        # enable websocket
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    location /form/ {
        proxy_set_header Host $http_host;
        proxy_pass http://10.14.14.24:4244;
        proxy_read_timeout 60m;
        # enable websocket
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
    # everything else goes to the static website backend
    location / {
        proxy_pass http://10.13.13.23/;
    }
}

The above configuration file sets up nginx as a reverse proxy, enabling website visitors to use our backend application without realizing that they are being served by a reverse proxy, while on the enterprise end we stay secure by not exposing our backend server IPs.

Please note that for this configuration to work, the network shown in the diagram above should be whitelisted so that the ECS instance on Alibaba Cloud being used as the reverse proxy is accessible by both backend servers. This can be achieved if they are all in the same security group with the relevant port and IP allowed. Also, you have to ensure that the websocket protocol is allowed in case of Qlik dashboard access, otherwise the dashboard will not load.
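To check which backend a given path reaches under the use-case configuration above, the location selection can be modelled in a few lines. This is an added example, not part of the original article or of NGINX; the function name route and the LOCATIONS table are illustrative, and it assumes the request path is already normalized and carries no query string.

```python
# Added example: models how nginx picks a prefix location for the use-case config.
# Assumption: the request path is already normalized (no "..", "//", %-escapes).
from urllib.parse import urlsplit

# (location prefix, proxy_pass target) copied from the use-case configuration.
# "qlikwebsocket" is the upstream alias for 10.14.14.24.
LOCATIONS = [
    ("/global/", "http://qlikwebsocket"),
    ("/form/", "http://10.14.14.24:4244"),
    ("/", "http://10.13.13.23/"),
]


def route(path, locations=LOCATIONS):
    """Return (action, value): action is "proxy", "redirect" or "none"."""
    # A request for a proxied "/prefix/" location without its trailing
    # slash is answered with a 301 to the slash-terminated path.
    for prefix, _ in locations:
        if len(prefix) > 1 and prefix.endswith("/") and path == prefix[:-1]:
            return ("redirect", prefix)
    # Among prefix locations the longest match wins; file order is irrelevant.
    matches = [(p, t) for p, t in locations if path.startswith(p)]
    if not matches:
        return ("none", None)
    prefix, target = max(matches, key=lambda m: len(m[0]))
    parts = urlsplit(target)
    base = f"{parts.scheme}://{parts.netloc}"
    if parts.path:
        # proxy_pass with a URI part: the matched prefix is replaced by it.
        return ("proxy", base + parts.path + path[len(prefix):])
    # proxy_pass without a URI part: the path is forwarded unchanged.
    return ("proxy", base + path)


if __name__ == "__main__":
    samples = ["/", "/pricing.html", "/global", "/global/app",
               "/globalx", "/form/login", "/hub/"]
    for p in samples:
        print(f"{p:15} -> {route(p)}")
```

Note that /hub/ has no location of its own in this configuration, so it falls through to location / and is sent to 10.13.13.23, as does any path such as /globalx that only shares a partial prefix.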
