如何在Windows服务器上为传出的HTTP和HTTPS请求设置转发代理? [英] How to setup forward proxy on Windows server for outgoing HTTP and HTTPS requests?
问题描述
我有一个Windows Server 2012 VPS,它在Cloudflare后面运行一个Web应用程序.该应用程序需要根据用户操作(例如,从URL上传图像)启动出站连接.问题在于,这泄漏"了我服务器的IP地址并增加了DDOS攻击的风险.
I have a windows server 2012 VPS running a web app behind Cloudflare. The app needs to initiate outbound connections based on user actions (eg upload image from URL). The problem is that this 'leaks' my server's IP address and increases risk of DDOS attacks.
因此,我想通过设置转发代理来防止发现服务器的IP.到目前为止,我的研究表明这不是简单的任务,并且需要设置另一个VPS来充当代理.
So I would like to prevent my server's IP from being discovered by setting up a forward proxy. So far my research has shown that this is no simple task, and would involve setting up another VPS to act as a proxy.
此额外的转发代理VPS是否必须运行Windows?他们是否有任何付费服务可以充当我的服务器的正向代理(例如cloudflare的反向代理系统)?
Does this extra forward proxy VPS have to be running windows ? Are their any paid services that could act as a forward proxy for my server (like cloudflare's reverse proxy system)?
Also, it seems that the suggested IIS forward proxy plugin, Application Request Routing, does not work for HTTPS.
是否有针对两种类型的传出(HTTPS + HTTP)请求的解决方案?
Is there a solution for both types of outgoing (HTTPS + HTTP) requests?
我真的在这里迷路了,所以任何帮助或建议都将不胜感激.
I'm really lost here, so any help or suggestions would be appreciated.
推荐答案
您正确需要转发代理".一个很好的类比是您的浏览器对出站请求的代理设置.在您的情况下,Web应用程序的行为类似于台式机浏览器,并且可以配置为通过代理发出资源请求.
You are correct in needing a "Forward Proxy". A good analogy for this is the proxy settings your browser has for outbound requests. In your case, the web application behaves like a desktop browser and can be configured to make the resource request through a proxy.
通常,您可以在应用程序层为单个请求控制此操作.使用C#的示例: C#通过代理连接
Often you can control this for individual requests at the application layer. An example of doing so with C#: C# Connecting Through Proxy
对于实际的代理服务器:不,它不需要运行Windows或IIS.是的,您可以使用代理服务.绝大多数代理服务都是针对消费者的,用于个人隐私或绕开网络限制.因此,我没有直接建议.
As far as the actual proxy server: No, it does not need to run Windows or IIS. Yes, you can use a proxy service. The vast majority of proxy services are targeted towards consumers and are used for personal privacy or to get around network restrictions. As such, I have no direct recommendations.
Cloudflare实际上对此有建议: https://blog.cloudflare.com/ddos-prevention-protecting-the-origin/.
Cloudflare actually has recommendations regarding this: https://blog.cloudflare.com/ddos-prevention-protecting-the-origin/.
应该配置诸如从URL上传"之类的功能,以允许用户从给定URL上传照片.这样,进行下载的服务器就不是网站原始服务器.
Features like "upload from URL" that allow the user to upload a photo from a given URL should be configured so that the server doing the download is not the website origin server.
这可能是一个更舒适的风险缓解工具,因为它不依赖于第三方代理服务.上载请求可以作为对专用文件下载器"服务器的Web服务调用来处理.请记住,如果您有一个排队的进程让另一台服务器来工作,并且该服务器托管在相同的基础架构中,则这两者都可能会受到DDoS的影响,具体取决于DDoS的类型.
This may be a more comfortable risk mitigator, as it wouldn't depend on a third party proxy service. A request for upload could be handled as a web service call to a dedicated "file downloader" server. Keep in mind that if you have a queued process for another server to do the work, and that server is hosted in the same infrastructure, both might be impacted by a DDoS, depending on the type of DDoS.
您的问题暗示您使用非Windows服务器可能会感到很舒服.存在许多可以作为代理运行的软件(大多数Web服务器),但是存在与ARR相同的问题-缺少对HTTP"CONNECT"动词的支持,现代浏览器使用它来启动HTTPS连接,发出"GET". SQUID是一种非常流行的开源软件,它支持一切连接到任何东西.设置并非易事.Apache在"mod_proxy_connect"中也对此提供了支持,但是我对此没有经验,在线文档也不是很可靠.但是,它是Apache,因此值得进行额外的研究.
Your question implies that you may be comfortable using a non-windows server. Many softwares exist that can operate as a proxy(most web servers), but suffer from the same problem as ARR - lack of support for the HTTP "CONNECT" verb, which is used by modern browsers to start an HTTPS connection before issuing a "GET". SQUID is very popular, open source, and supports everything to connect to.. anything. It's not trivial to set up. Apache also has support for this in "mod_proxy_connect", but I have no experience in that and the online documentation isn't very robust. It's Apache, though, so it may be worth the extra investigation.
这篇关于如何在Windows服务器上为传出的HTTP和HTTPS请求设置转发代理?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
