Secure & Accelerate Web Servers with IQ Reverse Proxy
Fastream IQ Proxy Server supports all RFC-compliant web servers including Apache, IIS, OWA (yes from v2.3+, we also support WebDAV), IQ Web Server, Abyss, and Zeus as well as all HTTP/1.0/1.1-compliant web-cams.
IQRP features a state-of-the-art multiple-connections/thread asynchronous architecture, providing the fittest architectural design for Windows by utilizing multiple CPUs/CPU-cores and avoiding the so-called "thread hell". This unique design enables the application to support more than 10k connections at the same time!
Caches static and dynamic content for ultra-hi-speed later on serving
IQP features a 3 Giga bits per second memory cache and unlimited disk cache as well. This performance level could be achieved with only a 32/64-bit single core P4/Athlon CPU! You can limit the maximum cache object size and the total capacity for both caches. Cache contents can be viewed using the remote GUI and emptied.
256-bit SSL/TLS accelerator with support for self-signed certificate creation
Secure Sockets Layer and its version 3.1 incarnation called Transport Layer Security (TLS) is the industry standard for secure transmission on the web. With the ultimate latest open source OpenSSL library that IQP utilizes, it is capable of supporting the highest grade of security level possible for commercial use: 256-bits! This is so high that it used to be impossible to imagine on the web in the '90s. Now as of version 3.3+, IQP supports the new SNI (Server Name Indication) protocol for serving multiple certificates on single IP/port--also with intermediate certificates.
One important aspect of SSL that makes it better than SSH (Secure Shell) is the capability of signing with certificates. With this feature, Alice and Bob can really be sure that they are in fact talking with each other and no "man-in-the-middle" attack is taking place. Since certificates sometimes could be expensive to acquire from certificate authorities (CA) such as Verisign and Thawte, IQP provides the facility of generating itself. However these "self-signed" certificates cannot be verified by parties for integrity.
Load balancing with failover in URL-aware fashion: point each domain/path to different target LAN server/port
In IQP, rule-based load balancing supports load balance among web servers on a LAN server farm. Each domain, sub domain and path (including wildcards) can be routed to a different physical IP. For example:
*.fastream-test.com/images
*.fastream-test.com/videos
*.fastream-test.com/sounds
*.fastream-test.*/catalog
can all be forwarded different IP/ports with a scanner algorithm that scans from top to bottom to seek the matching rule.
Anti Hot-Linking
With IQP's built-in anit hot-linking function, you can now control which file extensions could be linked from sites other than yours and even can whitelist sites such as Google images. This way you will be saving bandwidth and a customizable error page will be shown instead of blocked pages.
URL Rewrite
Using standard regular expressions, you are now in total power to have links such as
/path/index/1/test
to work and be rewritten as
/path/index.aspx?id=1&user=test
using standard regular expressions, with the same format as in Apache mod_rewrite, yet without the hassle.
Bandwidth limiting per URL rule per IP/port
Similar to load balancing, each URL rule can also be assigned a bandwidth rule (in terms of kilo bytes per second) to be applied for the entire rule domain instead of per socket connection! This enables an admin to limit the total site bandwidth usage or sub parts of the site. This feature is, of course, optional.
GZip compression accelerator with configurable compression rates for each object extension
HTTP protocol as defined in RFC2616 -which IQP fully complies to- defines a mechanism for compression support negotiation between client and server. Compression saves bandwidth and speeds up web object load times. GZip is the most prevalent format and it is implicitly supported by IQP. You can configure IQP to get content directly w/o compression from the web server (which would not hurt the LAN as bandwidth is plenty there) and compress on the fly. This could even be done at a configurable ratio with respect to object MIME type! This way the proxy does not get exhausted trying to compress MP3s and AVIs which was already compressed.
Another usage would be to let the web server compress and use the proxy just for tunneling. This would be ok if the load on web servers are not too high and on proxy is indeed high. There is a maximum object size to compress setting which prevents the proxy to bog its RAM with big objects such as videos in case they are configured to be compressed. Now as of v2.5+ you can also specify the minimum object size to compress!
Able to listen on multiple IP/ports and scalable up to tens of thousands of simultaneous connections
If IQP supported only one listener IP/port in a single process, then there would be no way to listen on another IQP proxy port as in Windows only one instance of a service can run at a moment. Therefore IQP supports multiple proxies each in its own thread to support multiple listeners. We chose to listen each port in a distinct high priority thread for maximum performance and robustness. For each configurable number of async-connections, a worker thread is assigned. While choosing the to-be-assigned worker thread, IQP uses load balancing. This approach provided the best performance in our benchmarks despite its high complexity. If IQP was designed to open a thread for each connection, it would get stuck in 1,000 concurrent sync connections/threads but now it is estimated to support more than ten thousand of them!
Failover protection with both ICMP and HTTP server validation
IQP continuously polls the servers in the LAN with two protocols: ICMP pings and HTTP. This way problematic hosts are automatically suspended for a definable period of time so that the clients are not shown error pages. After that period ends, the servers are taken into service automatically once again without an admin command! This enables if the proxy admin is different than web server admin and a web server in the farm is taken offline for maintenance, then the proxy admin needs to do absolutely nothing to take the server online once it is fixed. One other interesting feature is the dynamic discovery: if a request was unable to be answered by a specific target server then other servers are automatically polled for THAT request--no need to upset clients for a server being down!
Ping times are also used for determining which server is tired and which ones are to be given priority in assignment of client requests.
Cookies created make session persistence possible among client-to-target-server matching
For each URL, in the first time a client is assigned a web server, it is best to keep that assignment. This is because the server and client could be conducting a transaction such as an e-commerce one and if during the transaction we redirect to another server in the farm, it might fail. To assure session persistence, IQP optionally creates cookies in browser end to "tie" the client to a specific server for that URL. This is the best way for session persistence compared to hashing.
Again, if the server for some reason goes offline, then another server is replaced.
TCP firewall: Filter with respect to IP, reverse DNS and even client IP country
IQP features a firewall that can filter and pass with respect to IP addresses, DNS records of clients and even client countries! If you are getting an attack from a specific country, why not just block them all?! Or you can say you only want to accept incoming requests from your home country and nowhere else. Reverse DNS enables you to block with respect to client ISPs. For example you can forward all of comcast.net and block the rest.
High performance on-the-fly HTML absolute link transformer
If your web pages contain hyperlinks such as,
Click for logo
then you might be in trouble with reverse proxies as some of our competition does not support absolute URL translation. Here is why: when you replace the URL with www.myproxysite.com or for example in terms of numeric IPs, then the URL would get broken and the user experience would suffer. To overcome this, IQP optionally replaces all the hyper links including the image tags with the URL of the proxy.
This feature can slow down page delivery but luckily with IQP you can define which object extensions you wish to replace hyperlinks. For example, by default you only replace extensions of types like asp, php, html and pl. This way the server does not get bogged down with and corrupt files such as mpegs and jpgs.
DynDNS.org and No-IP.com dynamic DNS auto updater client built-in
If you are running your site on dynamic IP instead of a static one, and if you desire a domain name, then you are out-of-luck with static DNS servers as it takes days to update a record with them. To overcome this problem, Fastream partnered with two great dynamic DNS providers and we even integrated our custom dynamic DNS client that runs in the same service (even when you are not logged in) and detects and updates your IP address every 5 mins. So even if you disconnect and reconnect again, you need to no worry.
User-friendly HTTP/XML controller interface for remote admin access
One cool feature of NETFile Server is the ability to remotely control the server with a GUI controller. This enables you to control servers on the other side of the globe fast and securely. The protocol is XML over HTTP so no firewalls complain at all! And it even detects your browser proxy settings so it does not give boring connection errors and saves you from headache with your network admins.
HTTP/1.1 basic and digest as well as Windows/NTLM and HTML authentication with users definable per URL rule
So you want to pass-protect a part of your site and also want to do it in the gate of the servers? This is very easy with IQP. All you need to do is to select the URL-rule, click a button, and enter user information!
IQP now (1.2+) supports basic, digest, NTLM and HTML in a selectable fashion. You can configure your IQP setup to connect to NTLM-domain controllers so that you can use your existing ActiveDirectory database. Even HTML-auth can connect to NTLM database!
Supports W3C Extended Log Format with selectable fields and NFServer v2 screen and file logging--configurations setable in URL granularity
By supporting the W3C Extended Log format, which is by far the most flexible log format on the entire Internet, IQP lets you log every aspect of client communication and the matched server. These include but not limited to client referrer and cookie as well as IP address and server IP/port.
Customizable pages for "target server not found" and "authorization required" errors
With IQP two kinds of errors could occur: a 401 for authentication failure and a 404 a target server not found. For these, wouldn't you want to be able to assign custom pages with your company logo in it? What about a custom "sorry" message for 404? All is possible so why not!
In your setup, the first request went to server 192.168.1.10 and the next one needs to do the same? Why disconnect and reconnect? Instead we offer a HTTP/1.1 "keep-alive" based solution that pools the client connections (hundreds of them!) in single thread for fast access.
Runs as NT-service on all 32/64-bit Windows (2000/XP/2003/Vista/2008/7) with very little resources (1GHz Pentium+ CPU, 256MB RAM,...)
IQP runs on any NT-based 32/64-bit Windows system such as Windows 2000/XP/2003 and Vista. Since Windows is the easiest to use and most ubiquitous platform, this compatibility enables IQP to be installed on the largest possible system base. If you have IIS or IQWF Server on your server, you can install IQP on the same machine provided that your usage needs are not too high. IQP does not use much resources: for most cases, a P4/Athlon CPU and 256MB RAM would be sufficient. IQP does not use any hard drive space for storage other than configuration and -optional- log files so consumes at most 10MB.
If you have many servers and want to use the load balancing feature, you may want to install IQP on a separate computer in your LAN. Unless you expect to get millions of hits daily, Professional versions of Windows 2000 or XP might be enough. For serious usage, we recommend a server version of Windows 2000 or 2003. IQP does not utilize Microsoft servers such as DNS or IIS so Windows 2003 Web Services Edition could be favored instead of Enterprise Edition to reduce cost.
Since IQP runs as a service, it runs even though no login takes place--in the background. So if a server restart takes place for some maintenance reason by another) admin, you would not need to manually restart.