The Architecture of Section
October 23, 2015
At Section we wanted to enable people to use popular reverse proxies like Varnish Cache and ModSecurity to improve the performance and security of their websites but remove the hassle of dealing with deployments, high-availability, patching, TLS configuration, or instrumentation.
As such, the Section platform provides a set of components so you can focus on tailoring the caching and security rules that work best for your website.
The first component is the Edge proxy. The Edge is what your users’ browsers connect to. It is responsible for the TLS handshake, HTTP protocol negotiation, and routing requests to your chosen Varnish Cache or ModSecurity proxy. The Section team ensures that the TLS configuration in front of your website continues to receive a Qualys SSL Labs Grade A+ rating as the vulnerability landscape changes. The Edge also enables your users’ browsers to connect using the modern HTTP/2.0 protocol even if your origin does not implement it.
Immediately following the Edge proxy will be your chosen reverse proxy. This might be a particular version of Varnish Cache, or ModSecurity, or both in a chain. The Section platform ensures that there are always at least two instances of your proxy running in different locations to provide fault tolerance and high-availability. The platform can also provision more instances on demand to handle increases in traffic to your website.
After your chosen reverse proxy comes the Section Origin proxy. The role of the Origin proxy is to establish a secure HTTPS connection back to your origin webserver(s), and to ensure the time-to-live of your origin DNS records is honoured if your origin IP addresses are not static (e.g. if using an Amazon Web Services Elastic Load Balancer).
The Origin proxy is necessary because some reverse proxies do not implement HTTPS natively or do not honour DNS TTLs. Even when your chosen reverse proxy does support both, the Origin proxy provides a consistent mechanism for connecting to your origin, regardless of which reverse proxy you use.
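The DNS TTL point above is the one that most often bites when the origin sits behind a load balancer: a proxy that resolves the origin hostname once at start-up and keeps the answer forever will eventually send traffic to an address the load balancer no longer owns. The following is an added illustration, not Section's own code, of a TTL-honouring origin address cache of the kind the Origin proxy needs. The hostname, the addresses, the resolver and the clock are all constructed and injected so the example runs offline; in a real proxy `resolve` would be an actual DNS lookup.

```python
"""
Added example (not Section's code): an origin address cache that re-resolves the
origin hostname once the DNS TTL has elapsed, and keeps serving the last known
addresses if a refresh returns nothing.  Resolver and clock are injected so the
behaviour can be exercised offline with a constructed scenario.
"""
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

# hostname -> (addresses, ttl in seconds); in production this wraps a DNS query
Resolver = Callable[[str], Tuple[List[str], int]]


@dataclass
class _Entry:
    addresses: List[str]
    expires_at: float


class OriginAddressCache:
    def __init__(self, resolve: Resolver, clock: Callable[[], float] = time.monotonic):
        self._resolve = resolve
        self._clock = clock
        self._entries: Dict[str, _Entry] = {}
        self.lookups = 0  # number of trips to the resolver, useful for monitoring

    def addresses_for(self, hostname: str) -> List[str]:
        now = self._clock()
        entry = self._entries.get(hostname)
        if entry is not None and now < entry.expires_at:
            return list(entry.addresses)  # still within the TTL the authority gave us
        self.lookups += 1
        addresses, ttl = self._resolve(hostname)
        if addresses:
            # A TTL of 0 means "do not cache": expires_at == now forces a fresh lookup next time.
            entry = _Entry(list(addresses), now + max(ttl, 0))
            self._entries[hostname] = entry
        elif entry is None:
            raise LookupError(f"no addresses known for {hostname}")
        # Empty answer but we have a stale entry: prefer serving it over dropping traffic.
        return list(entry.addresses)


class FakeClock:
    """Constructed clock so the scenario below does not have to sleep."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def make_scenario():
    """Constructed load balancer whose address set can be changed mid-run (TTL 60s)."""
    state = {"addresses": ["203.0.113.10", "203.0.113.11"]}

    def resolve(hostname: str) -> Tuple[List[str], int]:
        return list(state["addresses"]), 60

    return state, resolve


def simulate() -> Tuple[List[List[str]], int]:
    """Returns the addresses the proxy would use at t=0, t=30 and t=60, plus lookup count."""
    clock = FakeClock()
    state, resolve = make_scenario()
    cache = OriginAddressCache(resolve, clock)
    host = "origin.example.com"  # constructed hostname
    seen = [cache.addresses_for(host)]          # t=0: first lookup
    clock.advance(30)
    state["addresses"] = ["203.0.113.20"]       # load balancer rotates its addresses
    seen.append(cache.addresses_for(host))      # t=30: TTL not yet expired, cached answer
    clock.advance(30)
    seen.append(cache.addresses_for(host))      # t=60: TTL expired, re-resolve, new address
    return seen, cache.lookups


if __name__ == "__main__":
    for step, addrs in zip(("t=0", "t=30", "t=60"), simulate()[0]):
        print(step, addrs)
```

The interesting check is the third step: at t=60 the cache goes back to the resolver and picks up the rotated address, whereas a resolve-once proxy would still be connecting to 203.0.113.10. The stale-on-empty-answer branch is a design choice rather than a requirement; it trades a short window of possibly-outdated addresses for not failing every request while DNS is briefly unavailable.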
Logging and Messaging
Outside of the delivery pipeline, there are two other Section platform components worth mentioning: the logging system, and the messaging system.
The logging system ensures that all the web access logs from the Edge proxy, the Origin proxy, and your chosen reverse proxies are shipped to a central location for processing and made available to you for investigating and debugging (via Kibana) and for long-term trend analysis (via Graphite). This log aggregation also serves as a data feed upon which to configure monitoring and alerting (via Umpire).
Lastly, the messaging system provides the means by which the platform is able to quickly distribute your configuration changes, cache ban requests, and trace requests to all your running proxy instances in the Section global network, and report back any results.
While each of these individual components performs a simple task, together they represent critical pieces of functionality needed to effectively operate a reverse proxy in front of your website. With Section taking care of this, you’re free to focus on what’s important: making your website faster, more resilient to high traffic, and more secure.