In the previous blog post, we discussed proxy servers. Proxy servers basically act like buffers that monitor everything that comes into the user’s machine. We talked about why we need them and how they are used in real-life scenarios. We used the analogy of what a person aims to achieve when he proxies for another person: he basically acts on behalf of that other person. Now how would we extend that analogy to explain a reverse proxy? Just like how students proxy for fellow students, reverse proxy can mean professors proxying for each other. Does that sound right? What exactly is a reverse proxy and why do we need it?
Why do we care about this?
Let’s say we have a server that serves whatever webpage is requested by a user. Now, when a lot of people request something at the same time, it puts a lot of load on the server. So the server will slow down and everyone ends up waiting longer. To avoid that, sites run multiple servers. Whenever people browse stuff on the internet, if some server is busy, another server will take over and do the job. The user won’t have to wait. But how do we know which server to go to? Let’s say you have 10 servers and a majority of the users accidentally try to connect to, say, the 7th server. What is going to happen then? That server will slow down again. We need something that can distribute the load equally. This thing should look at the available servers and distribute the workload equally so that the speed remains constant from the user’s perspective. This is where a reverse proxy comes into the picture. It is extremely critical to the web infrastructure.
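The load-distribution idea above, as an added example that is not part of the original post: a minimal least-connections selector with ten backends, including the case where one backend is taken out of rotation. The class name, the `server-N` names and the `simulate` helper are constructed for illustration.

```python
from collections import Counter

class ReverseProxy:
    """Single entry point that chooses a backend for every incoming request."""

    def __init__(self, backends):
        self.active = {b: 0 for b in backends}   # open requests per backend
        self.healthy = set(backends)

    def mark_down(self, backend):
        """Take a backend out of rotation (e.g. after a failed health check)."""
        self.healthy.discard(backend)

    def acquire(self):
        """Pick the healthy backend with the fewest open requests."""
        candidates = [b for b in self.active if b in self.healthy]
        if not candidates:
            raise RuntimeError("no healthy backend available")
        backend = min(candidates, key=self.active.__getitem__)
        self.active[backend] += 1
        return backend

    def release(self, backend):
        """Call when the backend has finished answering the request."""
        self.active[backend] -= 1

def simulate(requests, down=()):
    """Send `requests` concurrent requests through the proxy; return load per backend."""
    proxy = ReverseProxy([f"server-{i}" for i in range(1, 11)])  # constructed names
    for backend in down:
        proxy.mark_down(backend)
    return Counter(proxy.acquire() for _ in range(requests))

if __name__ == "__main__":
    print(simulate(1000))                     # evenly spread over ten backends
    print(simulate(900, down=["server-7"]))   # the 7th server receives nothing
```

Because clients only ever connect to the proxy, no crowd of users can pile onto one backend by accident; the choice is made per request on the proxy's side.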
What exactly is it?
A reverse proxy, also known as an “inbound” proxy, is a server that receives requests from the Internet and forwards them to a small set of servers. These servers are usually located on an internal network and are not directly accessible from outside. It is “reverse” because a forward proxy receives requests from a small set of clients on an internal network and forwards them to the Internet.
A reverse proxy can be used to allow authenticated users to access the intranet even when they are located outside. Users on the internal network can access intranet servers directly (their IP address is their authentication), but users outside the network must authenticate themselves to the proxy server, usually with a username and password, in order to be allowed in.
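The access rule described above, as an added example that is not part of the original post: internal clients are admitted by source address, everyone else must present a username and password. The internal range, the user name and the password are constructed values, and PBKDF2 is this example's choice of password hash.

```python
import hashlib
import hmac
import ipaddress
import os

# Assumed internal range; a real deployment lists its own networks here.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

SALT = os.urandom(16)

def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)

# Constructed account for the example; only the hash is kept in memory.
USERS = {"alice": _hash("correct horse battery")}

def authorize(peer_ip, credentials=None):
    """Return (allowed, reason) for one incoming connection.

    peer_ip must be the TCP peer address the proxy itself observed,
    not a value taken from a request header, which the client controls.
    """
    addr = ipaddress.ip_address(peer_ip)
    if any(addr in net for net in INTERNAL_NETS):
        return True, "internal"            # the IP address is the authentication
    if credentials is None:
        return False, "auth-required"      # outside user, nothing presented
    user, password = credentials
    candidate = _hash(password)            # hash even for unknown users
    stored = USERS.get(user)
    if stored is not None and hmac.compare_digest(stored, candidate):
        return True, "authenticated"
    return False, "bad-credentials"

if __name__ == "__main__":
    print(authorize("10.1.2.3"))
    print(authorize("203.0.113.9"))
    print(authorize("203.0.113.9", ("alice", "correct horse battery")))
```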
As the name implies, a reverse proxy does the exact opposite of what a forward proxy does. While a forward proxy proxies on behalf of clients, a reverse proxy proxies on behalf of the servers. So if you consider our student-professor analogy, it’s as if somebody is proxying for the professor. It would be very interesting to see if that happens in real life! A reverse proxy accepts requests from external clients on behalf of the servers stationed behind it. To the client, it is the reverse proxy that is providing the file transfer services. The client is oblivious to the file transfer servers behind the proxy, which are actually providing those services. In effect, whereas a forward proxy hides the identities of clients, a reverse proxy hides the identities of servers.
Why do we need two levels of proxies?
Let’s say there is an attacker who is trying to gain access to the server. If we directly send the request to a particular server, it would be easier for the attacker to target that server. Now that we have a reverse proxy, this attacker will find it considerably more difficult to acquire the data found in those file transfer servers. If he didn’t have to deal with a reverse proxy, it would be easier for him. Just like forward proxy servers, reverse proxies also provide a single point of access and control. You typically set one up to work alongside one or two firewalls to control the traffic and requests directed to your internal servers. Both types of proxy servers relay requests and responses between source and destination machines. But in the case of reverse proxy servers, client requests that go through them normally originate from the Internet. In the case of forward proxies, client requests normally come from the internal network behind them.
Where do we use it?
Reverse proxies can hide the existence and characteristics of an origin server or servers. Keeping that in mind, here are a few examples of its applications:
- Application firewall features can protect against common web-based attacks. Without a reverse proxy, removing malware or initiating takedowns can become difficult.
- In the case of secure websites, a web server may not perform SSL encryption itself, but instead offloads the task to a reverse proxy that may be equipped with SSL acceleration hardware.
- A reverse proxy can distribute the load from incoming requests to several servers, with each server serving its own application area. The speed wouldn’t drop at any time due to overload.
- A reverse proxy can reduce load on its origin servers by caching static and dynamic content. Proxy caches of this sort can often satisfy a considerable number of website requests, greatly reducing the load on the origin servers.
- A reverse proxy can optimize content by compressing it in order to speed up loading times.