Reverse proxy server – core component in security architectures

The secure operation of web or Exchange servers poses a problem for network administrators: online services such as the web or e-mail must be reachable from the public network, yet a direct connection to the Internet exposes the systems to malware and targeted break-ins. This is why an intermediary network component, a so-called reverse proxy, is often placed in between.

What is a reverse proxy server?

Basically, a proxy server is a communication interface in the network that receives requests and forwards them to a target computer on the requester's behalf. In corporate networks, such a structure is used to give client devices controlled access to the Internet. In this case, the server configured as a proxy is the only connection to the public network. This is referred to as a forward proxy.

A forward proxy channels all requests from the internal network and forwards them with its own sender address to the target servers on the Internet. Server responses also reach the proxy first before being distributed to the corresponding client devices. The clients thus remain anonymous, unless the proxy is a transparent one. To save bandwidth and speed up website retrieval, proxy servers are usually configured to cache frequently requested content and serve it directly without a new request to the origin server.

Figure: Schematic representation of a forward proxy. Source: https://commons.wikimedia.org/wiki/File:Forward_proxy_h2g2bob.svg

While a forward proxy protects client devices in a network against influences from the Internet, a reverse proxy, as the name suggests, works in the opposite direction. Such a proxy server is placed as an additional security component in front of one or more web servers in order to receive requests from the Internet on their behalf and forward them to a backend server in the background.

Figure: Schematic representation of a reverse proxy. Source: https://commons.wikimedia.org/wiki/File:Reverse_proxy_h2g2bob.svg

Positioned in front of the network as its communication interface, a reverse proxy can take on various functions that protect the backend servers and optimize data traffic.

Definition

  1. A reverse proxy is an additional protective measure that can be placed in front of one or more web servers.
  2. In contrast to a forward proxy, address translation takes place in the opposite direction.
  3. The task of the reverse proxy is to accept client requests on behalf of the servers and forward them to the corresponding backend server; the server's reply travels back through the proxy to the requesting client.
  4. The reverse proxy grants one or more clients from an external network controlled access to an internal network.

Reverse Proxy: Function and application areas

Reverse proxies are usually installed in a private network or an upstream demilitarized zone (DMZ), protected by a firewall. Like the forward proxy, the reverse proxy is the only connection between the Internet and the private network. All requests to the backend servers in the LAN thus pass through the same communication interface before being forwarded to the actual target systems. Such bundling makes it possible to control incoming data traffic, make several servers available under the same URL, distribute requests evenly among different servers, and accelerate data retrieval by caching. The following application areas result from the use of a reverse proxy server:

Anonymization: As the only entry point to the internal network, a reverse proxy intercepts all requests to the servers in the background and behaves towards client programs as if it were the actual target system. To do so, the proxy forwards the requests to the corresponding target systems in the LAN, receives their replies and returns them to the requesting clients. The actual backend servers thus remain hidden.

Protection and encryption: An upstream reverse proxy offers a place to install security controls such as virus scanners or packet filters, which additionally protect the servers in the background. The proxy server thus forms a further link in the security chain between the Internet and the private network. In addition, reverse proxy servers can be used for encryption: terminating SSL/TLS at the proxy, which then holds the certificates, offloads the encryption work from the web servers behind it.

Load balancing: A reverse proxy can map one URL to several servers in the private network, which makes it possible to distribute incoming requests across them. Load balancing prevents individual systems from being overloaded and compensates for failures: if a server cannot be reached because of hardware or software errors, the proxy's load balancing module redistributes incoming requests to the remaining servers. The availability of the service is thus maintained even in the event of failures.

Caching: To speed up server services, the reverse proxy provides a function for caching server responses. This caching enables the proxy server to answer repeated requests either partially or completely by itself. Static content such as images, or frequently accessed dynamic web pages, is stored in the proxy's cache, so little or no data has to be retrieved from the backend server, which significantly accelerates access to web services. Since it is not always possible to ensure that the proxy's cache holds the current version of content that changes quickly, there is a risk that requesting clients will be served outdated information.

Compression: Equipped with appropriate software, a reverse proxy can compress incoming and outgoing data. A widely used compression format for web content is gzip, which is often used in combination with Apache or nginx.
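The application areas listed above (hiding the backends, TLS termination, load balancing with failover, caching, and gzip compression) can all be covered by a single nginx reverse proxy configuration. The following is an added example and not configuration from the article or from any named product; the backend addresses, hostname, certificate paths and cache directory are constructed placeholders that would have to be replaced with real values.

```nginx
# Constructed example: nginx as a reverse proxy in the DMZ in front of two
# backend web servers in the LAN. All addresses and paths are placeholders.

# Load balancing: one public name, several backends. A backend that fails
# 3 times in 30 s is taken out of rotation for 30 s (failover).
upstream app_backend {
    server 10.0.1.11:8080 max_fails=3 fail_timeout=30s;   # placeholder LAN address
    server 10.0.1.12:8080 max_fails=3 fail_timeout=30s;   # placeholder LAN address
    keepalive 32;   # reuse connections to the backends
}

# Caching: on-disk cache for responses; entries unused for 60 min are evicted.
proxy_cache_path /var/cache/nginx/app levels=1:2 keys_zone=app_cache:10m
                 max_size=1g inactive=60m use_temp_path=off;

server {
    listen 443 ssl;
    server_name www.example.com;    # placeholder hostname

    # Encryption: TLS is terminated here; the backends only see plain HTTP
    # inside the private network and do not need to hold the certificate.
    ssl_certificate     /etc/nginx/tls/example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/example.com.key;   # placeholder path
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Compression: gzip responses of text-like types above 1 KiB.
    gzip on;
    gzip_min_length 1024;
    gzip_types text/plain text/css application/json application/javascript image/svg+xml;

    # Anonymization: do not reveal the proxy version or backend technology.
    server_tokens off;
    proxy_hide_header X-Powered-By;

    location / {
        proxy_pass http://app_backend;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        # Pass the original host and client address on to the backend.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Failover: retry another backend on connection errors or 502/503.
        proxy_next_upstream error timeout http_502 http_503;
        proxy_next_upstream_tries 2;
    }

    # Caching is limited to static content to avoid serving stale dynamic pages;
    # successful responses are kept for 10 minutes.
    location /static/ {
        proxy_pass http://app_backend;
        proxy_cache app_cache;
        proxy_cache_valid 200 10m;
        proxy_cache_use_stale error timeout updating;  # serve a stale copy if the backend is down
        proxy_cache_lock on;                           # only one request refreshes an entry
        add_header X-Cache-Status $upstream_cache_status;
    }
}

# Plain HTTP is only used to redirect clients to the encrypted endpoint.
server {
    listen 80;
    server_name www.example.com;    # placeholder hostname
    return 301 https://$host$request_uri;
}
```

The cache is deliberately restricted to the `/static/` path and given a short validity period, which is the usual way to contain the risk of outdated content described above; the `X-Cache-Status` header makes it possible to check from the client side whether a response came from the cache (`HIT`) or from a backend (`MISS`). The configuration can be syntax-checked with `nginx -t` before it is reloaded.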