Home data center series application access process and knowledge points summary
This article was last updated 361 days ago; the information in it may have developed or changed since then. If something no longer works, leave a message in the comments.

Suppose an external user wants to visit https://app1.example.com. How does that request reach the application corresponding to app1 in the home data center? See the following flowchart (it assumes the home broadband has a public IPv4 address; the process is simpler with a public IPv6 address, and the process without any public address differs slightly, so I will write a dedicated article about it later):


Next, we will go through the technical knowledge points involved in the entire access process, following the flowchart above. Steps marked in orange mean the relevant configuration is done in the cloud; steps marked in green mean it is done locally.


I used a total of 3 second-level domain names in building the entire home data center:

First, one is used directly at the home broadband egress. All applications are published through this domain name, which serves as a backup access path: even if the cloud side is completely down, applications can still be reached directly via https plus a port number. The domain provider is Alibaba Cloud. Because home broadband has a dynamic IP address, this method requires a dynamic DNS client on the home intranet that updates the domain's A record at Alibaba Cloud in real time; I use the dynamic DNS client built into iKuai for this.

Second, one is used to provide public access, solving the problem that home broadband has no port 80 and port 443 available. It is mainly used for DNS resolution of the Tencent Cloud CDN and cloud host. The domain provider is Tencent Cloud, and the domain needs an ICP filing.

Third, one is used to accelerate overseas access, mainly in order to use Cloudflare's free CDN. The domain provider is Tencent Cloud, and the domain needs an ICP filing.

To use CDN acceleration for the domain name app1.example.com, you only need to add a CNAME for app1 in the domain name console of example.com, and point the record value to the address specified when configuring the CDN.

Theoretically, two domain names are enough (one can serve the home broadband egress, the CDN, and the cloud host). The main reason I have three is that I can't bear to give up the Alibaba Cloud domain I'm used to, and I wanted to take advantage of Tencent Cloud's new-user discount, so I simply bought two more there. I also have a bit of an obsessive streak, so I use one domain per scenario to avoid mistakes when writing up the plan.


A brief note on ICP filing: it does not matter which provider you buy the domain name from (domestic or foreign); a domain name only resolves to an IP. What matters is that if the resolved IP is a domestic (mainland China) address, the access request (http or https) enters the domestic network and reaches domestic resources, and the domain name being accessed is extracted and checked against the domestic filing database. If the domain is not in that database, the request is forcibly redirected. With http the traffic is plain text and the domain is visible directly; with https the payload is encrypted, but the SNI field of the TLS handshake still exposes the domain being accessed. So as long as you host a website in China, filing cannot be avoided (unless you can tolerate manually appending a port to the access URL). The advantage of buying the domain from a large cloud provider (Alibaba Cloud, Tencent Cloud, etc.) is that filing is convenient and free customer service guidance is available (if you submit a personal filing that does not meet the requirements, someone will call you and explain what to change~).



This part involves the specific configuration of CDN. To configure CDN, it is best to purchase cloud hosting and domain name services from the corresponding cloud provider, which will simplify many steps (such as deploying SSL certificates, deploying CNAME, etc.). Of course, it is not necessary, and it does not matter if you do not buy them together, but there will be some extra steps.

When configuring CDN, you will be asked to configure back-to-origin parameters, acceleration type, access control, cache configuration, HTTPS, and other advanced features. We will explain these in a dedicated article later.


This part concerns the origin (source site) address specified when configuring the CDN earlier. The origin address is determined by the dynamic public IP at the home broadband egress. As mentioned earlier, iKuai can automatically update the A record of the corresponding domain at the domain provider whenever the public IPv4 address of the WAN port changes, so the origin address in the CDN can point directly to the dynamic domain name of the home broadband egress (it can be a domain planned specifically as the origin, or one already used by some application; in a multi-dial setup, you also need to consider balancing the published traffic across multiple WAN ports).


iKuai is not required here; I use it because it is what I have, and it is convenient to write about. If you are not in a multi-dial environment, it does not matter whether you use iKuai or something else, as long as it supports automatic dynamic DNS updates for multiple applications (the dynamic DNS client built into iKuai is really powerful). Because the reverse proxy deployed on the intranet only needs to listen on one https port, iKuai only needs to publish one port to the outside world (it is recommended to use the same port number as the one the intranet reverse proxy listens on, purely so you do not confuse yourself with port translations when troubleshooting applications later; it is not mandatory). Through port mapping, all requests arriving at the published port on the iKuai WAN interface are forwarded to the listening port of the reverse proxy on the intranet.


This mainly involves reverse proxy configuration. A reverse proxy entry is needed for the domain name of every published application (it is best to plan the third-level domain name for each application in advance). At the same time, to stop someone who has found your IP from discovering your domain names, you need to configure a default (catch-all) site that presents an unrelated SSL certificate; otherwise the other party can work backwards from the IP to your real domain names. The most critical place to do this is on the cloud host: home broadband has a dynamic IP, which is less exposed than the cloud host's fixed IP, but for safety it should still be configured on both.

After the reverse proxy confirms that the Host of the request is a legitimate domain name, it inserts certain parameters from the original request into a new request that it sends to the web application firewall. Everyone must understand that this is a new request made by the reverse proxy, acting as a client, to the web application firewall, not a forward of the original request; by default the reverse proxy does not carry over the various parameters of the original request, which is why we speak of "passing" the original request parameters to the next hop.
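As an added illustration of the two points above (not configuration from the original post; the post does not say which reverse proxy is used, so nginx is assumed here): a catch-all default site that presents an unrelated self-signed certificate, and a per-application site that builds the new request to the WAF with the original Host and client address carried over. The WAF address 192.168.10.20:8080 and the certificate paths are assumed values.

```nginx
# Catch-all: any TLS client whose SNI/Host matches no published app gets an
# unrelated self-signed certificate and the connection is closed, so probing
# the bare IP does not reveal real domain names.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/certs/dummy.crt;   # assumed path; CN unrelated to real domains
    ssl_certificate_key /etc/nginx/certs/dummy.key;
    # On nginx >= 1.19.4 you can instead use "ssl_reject_handshake on;" to
    # refuse the handshake outright for unknown server names.
    return 444;   # nginx-specific: close the connection without a response
}

# Published application: only requests whose Host is exactly app1.example.com land here.
server {
    listen 443 ssl;
    server_name app1.example.com;
    ssl_certificate     /etc/nginx/certs/app1.example.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/certs/app1.example.com.key;

    location / {
        # This is a new HTTP request from nginx to the WAF; nothing below is
        # carried over automatically, so the original values are set explicitly.
        proxy_pass http://192.168.10.20:8080;            # WAF listener (assumed address)
        proxy_http_version 1.1;
        proxy_set_header Host              $host;         # original domain, so the WAF can match rules per site
        proxy_set_header X-Real-IP         $remote_addr;  # direct peer (the CDN node when traffic comes via CDN)
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;  # appends peer to any chain the CDN already sent
        proxy_set_header X-Forwarded-Proto $scheme;       # tells the WAF/app the client used https
    }
}
```

When traffic arrives through the CDN, $remote_addr is the CDN node, so the WAF must read the true client from X-Forwarded-For and should trust that header only from the CDN's address ranges.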


This mainly involves the configuration of the web application firewall. Since this is a home data center, published applications must at least be filtered by a WAF. Ideally this WAF is open source, free, and has a graphical interface; it should block common scans and attacks and support semantic analysis for multiple protocols, human-machine (CAPTCHA) verification, blocking of high-frequency access, and so on. After the WAF confirms that the request is legitimate, it is sent on to the next hop: the load balancing device.


A basic function of a load balancing device is health monitoring. If the application in the primary environment is detected to be down, requests are forwarded directly to the same application in the backup environment (this is the primary-backup mode; requests can also be sent to both environments at the same time using round-robin, ratio, and similar methods, but that brings in another problem, database synchronization, which I will cover later). A load balancing device is not a must, because it presupposes two business environments, primary and backup. I introduced one because I have two environments and did not want to waste them; friends with only one environment do not need it. Load balancing is a large field, and we will devote a dedicated section to it later.
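The primary-backup mode described above, as an added example that is not from the original post; the post's load balancing device is not named, so open-source nginx is assumed as a software stand-in. The upstream addresses 192.168.10.30 (primary environment) and 192.168.20.30 (backup environment) are assumed.

```nginx
upstream app1_backend {
    # Primary environment. Open-source nginx only has passive health checks:
    # after 3 failed attempts within 30s the server is marked unavailable for
    # the rest of that window, then tried again.
    server 192.168.10.30:8080 max_fails=3 fail_timeout=30s;
    # Backup environment: receives traffic only while every primary is marked down,
    # so no load is split between the two (avoids the database-sync problem).
    server 192.168.20.30:8080 backup;
}

server {
    listen 8080;                    # port the WAF forwards to (assumed)
    server_name app1.example.com;

    location / {
        proxy_pass http://app1_backend;
        # Count connection errors, timeouts and gateway-type 5xx as failures and
        # retry the same request on the next server in the group.
        proxy_next_upstream error timeout http_502 http_503 http_504;
        proxy_next_upstream_tries 2;     # primary, then backup; never loop
        proxy_connect_timeout 3s;        # detect a dead primary quickly
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Retries are only safe for idempotent requests; for POSTs that must not be duplicated, drop the 5xx conditions from proxy_next_upstream or add non_idempotent deliberately.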

To sum up, although the client only enters the domain name in the browser and presses Enter to see the application content, the actual process is very complicated. This is just a home data center with a relatively simple structure. If it is an enterprise data center, the business systems and security areas are divided into more and more detailed areas, which will be much more complicated. However, logically speaking, the context is the same, and you can get a glimpse of it.

The content of this blog is original. Please indicate the source when reprinting! For more blog articles, see the Sitemap. The blog's RSS address is https://blog.tangwudi.com/feed, welcome to subscribe; if needed, you can join the Telegram group to discuss problems together.