Home Data Center Series Application Release - Reverse Proxy (Part 1)
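This article was last updated 375 days ago. The information in it may have developed or changed since then; if anything no longer works, please leave a message in the comments.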

Once the hardware, software, and applications of the home data center have been deployed, the applications need to be released to the outside world. Unlike traditional home broadband use, a home data center publishes many applications, and that cannot be solved by simply mapping a few ports on the router (assuming there is a public network address at all). Today, applications are mostly delivered in a browser/server (B/S) architecture, so reverse proxy technology naturally becomes our best choice.


When talking about reverse proxies, we have to mention forward proxies. Let me briefly explain my understanding of forward and reverse proxies.

First of all, whether it is forward or reverse, a proxy always acts on access requests. In the normal access process, the client sends a request to the server (application), and the server (application) responds. This process involves only two parties.

If a proxy is added in between, the whole process is divided into two independent stages.

In this scenario, the web client actually sends its request to the proxy server and is unaware of the real application; every request the application receives comes from the proxy server, and the only client it knows is the proxy server. The process is the same for a forward proxy and a reverse proxy, so what is the difference between them? The main difference is whom the proxy serves.

Forward proxy:

If the proxy server mainly serves the client, and its main purpose is to aggregate client requests and hide the client IP address when sending requests to the application (in some cases the client IP address needs to be passed on, which requires separate settings), it is a forward proxy. A forward proxy is generally located closer to the client, and may even be in the same security domain. Because it forwards client requests to the server on the client's behalf, in the same traffic direction as direct client access, it is called "forward". A forward proxy generally has to be configured in the browser.

Reverse Proxy:

If the proxy server mainly serves the server (application), and its main purpose is to accept requests from clients and distribute them to different servers (or to different ports of the same server) according to the host name in the request, it is a reverse proxy. A reverse proxy is generally located closer to the server, and may even be in the same security domain. Because it mainly faces the server, exactly the opposite of a forward proxy facing the client, it is called "reverse".

There is also a "transparent proxy", which mainly refers to a forward proxy that does not require configuration, so I won't go into details here.


There are different recommended deployment methods depending on whether the home broadband has a public network address.

1. Have a public IPv4 address

In this case, it is recommended to deploy a reverse proxy in the intranet (assume its intranet IP is 192.168.1.1 and it listens on port 443 using HTTPS), then use one port on the router as the unified entry port (assume 44444) and point it to port 443 of 192.168.1.1 through port mapping. Next, you only need to give each application its own third-level domain name (assume app1 uses app1.example.com), and you can access it directly at https://app1.example.com:44444 (provided, of course, that app1.example.com is correctly configured on the reverse proxy).
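
As an added illustration (not code from the original article), the example below shows the routing decision such a reverse proxy makes for a request like https://app1.example.com:44444: it maps the Host header to an intranet backend, refuses host names it does not know, and replaces any client-supplied X-Forwarded-For with the address it actually saw. The backend addresses, app2.example.com, the 421 status code, and the plain-HTTP listener on 127.0.0.1:8443 are assumptions; TLS termination is left out.

```python
import http.client
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Constructed routing table: public host name -> intranet backend (assumed values).
ROUTES = {
    "app1.example.com": ("192.168.1.10", 8080),
    "app2.example.com": ("192.168.1.11", 3000),
}

def pick_backend(host_header, routes=ROUTES):
    """Map a Host header such as 'app1.example.com:44444' to a backend, or None."""
    if not host_header or host_header.startswith("["):
        return None                      # missing Host or IPv6 literal: no app
    name = host_header.split(":", 1)[0].strip().rstrip(".").lower()
    return routes.get(name)              # bare IPv4 and unknown names yield None

class ProxyHandler(BaseHTTPRequestHandler):
    routes = ROUTES

    def do_GET(self):
        backend = pick_backend(self.headers.get("Host"), self.routes)
        if backend is None:
            # Fail closed: never fall through to a default application.
            self.send_error(421, "No application for this host")
            return
        # Drop any client-supplied X-Forwarded-For so it cannot be spoofed,
        # then record the address the proxy actually saw.
        headers = {k: v for k, v in self.headers.items()
                   if k.lower() not in ("x-forwarded-for", "connection")}
        headers["X-Forwarded-For"] = self.client_address[0]
        conn = http.client.HTTPConnection(*backend, timeout=5)
        try:
            conn.request("GET", self.path, headers=headers)
            resp = conn.getresponse()
            body = resp.read()
        except (OSError, http.client.HTTPException):
            self.send_error(502, "Backend unreachable")
            return
        finally:
            conn.close()
        self.send_response(resp.status)
        self.send_header("Content-Type", resp.getheader("Content-Type", "text/plain"))
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    # Plain HTTP on a local port for demonstration; TLS termination is omitted.
    ThreadingHTTPServer(("127.0.0.1", 8443), ProxyHandler).serve_forever()
```

The original Host header is passed through to the backend unchanged, so the application still sees which name the client asked for.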


A side note on binding domain names to applications: since this is home broadband, the solution must be a dynamic domain name. At present, the best approach is to use the egress router as the dynamic domain name client. When the public IP of the interface changes, the router automatically updates the record at the domain name provider (if the egress supports multiple dial-up connections, the router's dynamic domain name function must also support updating the IPs of multiple interfaces). From my experience, iKuai's dynamic routing client is very powerful. For details, see my other article: iKuai Soft Router Series: The most powerful multi-dial soft router: iKuai


If you don't like having to add a port to the end of the link, you need to spend money:
1. Purchase a cloud host, register it, and then configure a first-level reverse proxy on the cloud host that points to the reverse proxy at home; or use a CDN with the home site as the origin (a public IP address is required; either IPv4 or IPv6 is acceptable). The key point is that the CDN's origin port is customizable, so you can neatly avoid the problem that home broadband does not have ports 80 and 443.
2. The free version of Cloudflare can also customize the origin port, which likewise solves the problem of ports 443 and 80. It is the first choice for friends who do not want to register. However, the access experience is slightly worse and may be 2-3 seconds slower than with a domestic CDN. For the specific configuration, please refer to my other article: Home data center series uses cloudflare's Origin Rules to solve the problem of having a public IP but no legal ports 80 and 443 when building a website.

2. Have a public IPv6 address

In this case, it is no longer necessary to map ports on the router (obviously, since each device has its own public IP address). In theory, a reverse proxy is not needed either: the CDN can point directly to the corresponding port on the application's IPv6 address (the CDN and the origin can communicate over either IPv4 or IPv6; of course, forget about ports 80 and 443). That is fine if you only want to reach your own applications yourself, but if you are building a home data center to provide external access, it will definitely not do: who dares to deploy a naked application directly on the public Internet? So in the end, even with a public IPv6 address, you still have to build a reverse proxy. After the reverse proxy receives an access request, the request is filtered by the security devices behind it (such as a WAF or anti-DDoS equipment) and then forwarded to the application. Enable public IPv6 only on the reverse proxy device; the application devices themselves do not need IPv6. The communication between the reverse proxy and the application can use intranet addresses, which is safer, although there are so many IPv6 addresses that scanning is not much of a worry.

3. No public IP address

In this case, there is only one option: use Cloudflare's tunnel function. For the specific configuration, please refer to my other article: Home Data Center Series: Use cloudflare to build a website quickly with no public IP in your home broadband (general purpose).

In general, no matter what type of home broadband you have, you can build a home data center, but a public IP gives you more choices and more room to play.

The content of the blog is original. Please indicate the source when reprinting! For more blog articles, see the Sitemap. The RSS address of the blog is https://blog.tangwudi.com/feed, and you are welcome to subscribe; if necessary, you can join the Telegram Group to discuss problems together.