A reverse proxy is a type of proxy server that retrieves resources on behalf of a client from a web server. Unlike a forward proxy (which sits in front of clients to protect them from external servers), a reverse proxy sits in front of servers.
This article explains what a reverse proxy is and how it differs from a forward proxy. It also covers the architecture: where a reverse proxy sits within a network and how it intercepts client requests before forwarding them to backend servers.
What is a reverse proxy?
A reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or multiple servers. It forwards requests from clients, such as web browsers, to those servers.
Requests from the user’s device travel over the internet to the reverse proxy server before they reach the web server. The web server then sends its response to the proxy server, which sends it back over the internet to the user’s device.
How does a reverse proxy work?
Imagine you have a website. Normally, when someone types your website’s address into their browser, their request goes directly to your web server.
With a reverse proxy, the client’s request goes to the reverse proxy first. The reverse proxy then forwards that request to the appropriate web server and returns the server’s response to the client. The client only sees the reverse proxy and never directly communicates with the actual web server.
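The request flow described above, as an added example that is not part of the original article: a minimal Python reverse proxy in front of a local origin server. The class and function names, the loopback addresses and the use of the `X-Forwarded-For` header are assumptions made for illustration.

```python
import threading
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Opener that ignores any system proxy settings, so the demo stays on localhost.
DIRECT = urllib.request.build_opener(urllib.request.ProxyHandler({}))

class Quiet(BaseHTTPRequestHandler):
    def log_message(self, *args):  # suppress per-request logging
        pass

    def reply(self, status, body):
        self.send_response(status)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

class Origin(Quiet):
    """Backend web server: reports what it can see about the caller."""
    def do_GET(self):
        self.reply(200, f"path={self.path} xff={self.headers.get('X-Forwarded-For')}".encode())

def make_proxy(origin_url):
    class Proxy(Quiet):
        """Reverse proxy: the only endpoint the client ever connects to."""
        def do_GET(self):
            # Set X-Forwarded-For from the TCP peer; a client-supplied value is dropped.
            upstream = urllib.request.Request(
                origin_url + self.path, headers={"X-Forwarded-For": self.client_address[0]})
            with DIRECT.open(upstream, timeout=5) as resp:
                self.reply(resp.status, resp.read())
    return Proxy

def serve(handler):
    server = ThreadingHTTPServer(("127.0.0.1", 0), handler)  # port 0 = any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def demo():
    origin = serve(Origin)
    proxy = serve(make_proxy(f"http://127.0.0.1:{origin.server_port}"))
    try:
        url = f"http://127.0.0.1:{proxy.server_port}/index.html"  # client only knows the proxy
        request = urllib.request.Request(url, headers={"X-Forwarded-For": "203.0.113.9"})
        with DIRECT.open(request, timeout=5) as resp:
            return resp.read().decode()
    finally:
        for server in (proxy, origin):
            server.shutdown()
            server.server_close()
```

`demo()` returns `path=/index.html xff=127.0.0.1`: the origin learns the client address only from the header the proxy sets, and the client-chosen header value never reaches it.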
Here’s an illustration of how a reverse proxy works:

What is the difference between proxy and reverse proxy?
While both a proxy (or forward proxy) and a reverse proxy act as intermediary servers, they serve different purposes and operate from different perspectives.
The key distinction lies in who they serve and where they sit in relation to the client and the origin server. While a forward proxy sits in front of the clients, a reverse proxy sits in front of web servers to ensure that no client ever communicates directly with the origin server.
A forward proxy server is positioned on the client’s side of the network, acting as a gateway to the internet. Clients are aware that they are using a proxy server, and it hides their IP addresses from the external web servers. All requests appear to come from the proxy’s IP address.
Reverse proxy servers are located in front of backend servers, intercepting requests from external clients before forwarding them to the appropriate backend server. Clients are generally unaware they are connecting to a reverse proxy.
Feature | Forward proxy (proxy) | Reverse proxy |
---|---|---|
Who it serves | Clients (protects/serves client-side interests) | Servers (protects/serves server-side interests) |
Who knows about it | Clients are configured to use it. | Clients are typically unaware of its existence. |
Position | Sits in front of clients (client-side) | Sits in front of servers (server-side) |
Primary goal | Client anonymity, access control, client-side caching | Load balancing, security for servers, server-side caching |
Hides | Client IP addresses from external servers | Server IP addresses from external clients |
What are some risks of using reverse proxies?
Though they provide security, there are some risks involved with using reverse proxies as well:
- Risk of stored information: Since a reverse proxy can track IP addresses and encrypt/decrypt information, it can also store sensitive data, such as passwords. This can be a problem if a malicious party were to run it. For the same reason, using a third party’s reverse proxy can be risky, because that party needs to adhere to the triad of confidentiality, integrity, and availability.
- HTTP request smuggling: This is a web application attack that exploits differences in how web servers and their reverse proxies process HTTP requests. It can allow the attacker to submit a request with a user’s session and interfere with the processing of HTTP requests.
- Risk of failure: If the proxy is fronting many different domains, its outage can bring down all of them. Additionally, if there is no direct access to the back-end server, the outage can disrupt operations.
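A defensive check for the request smuggling risk listed above, added here as an example rather than taken from the article: it flags request heads whose body framing a proxy and a back-end server could interpret differently, so a strict proxy can reject them. The function names and the sample requests are constructed for illustration.

```python
def framing_problems(raw: bytes) -> list:
    """Return the reasons a raw HTTP/1.1 request head has ambiguous body framing."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    problems, lengths, codings = [], [], []
    if "\n" in head.replace("\r\n", ""):
        problems.append("bare LF used as a line terminator")
    for line in head.split("\r\n")[1:]:  # skip the request line
        if line[:1] in (" ", "\t"):
            problems.append("obsolete line folding")
            continue
        name, _, value = line.partition(":")
        if name != name.strip():
            problems.append(f"whitespace around header name {name!r}")
        name = name.strip().lower()
        if name == "content-length":
            lengths.append(value.strip())
        elif name == "transfer-encoding":
            codings += [c.strip().lower() for c in value.split(",")]
    if lengths and codings:
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(set(lengths)) > 1:
        problems.append("conflicting Content-Length values")
    if any(not (v.isascii() and v.isdigit()) for v in lengths):
        problems.append("non-numeric Content-Length")
    if codings and codings[-1] != "chunked":
        problems.append("Transfer-Encoding does not end in chunked")
    return problems

# Constructed sample request heads (not taken from the article).
SAMPLES = {
    "clean": b"POST /login HTTP/1.1\r\nHost: shop.example\r\nContent-Length: 5\r\n\r\nhello",
    "cl_and_te": b"POST / HTTP/1.1\r\nHost: shop.example\r\nContent-Length: 5\r\n"
                 b"Transfer-Encoding: chunked\r\n\r\n",
    "spaced_name": b"POST / HTTP/1.1\r\nHost: shop.example\r\n"
                   b"Transfer-Encoding : chunked\r\n\r\n",
    "two_lengths": b"POST / HTTP/1.1\r\nHost: shop.example\r\nContent-Length: 5\r\n"
                   b"Content-Length: 6\r\n\r\n",
}

def audit(samples=SAMPLES):
    """Map each sample name to the framing problems a strict proxy should reject it for."""
    return {name: framing_problems(raw) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, problems in audit().items():
        print(name, "->", problems or "ok")
```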
What are the benefits of using a reverse proxy?
Just like using any proxy, using reverse proxies also has several benefits:
- Encryption tool: Encryption can be expensive for an origin server but using reverse proxies can help with this. They can decrypt all incoming traffic and encrypt all outgoing requests (SSL/TLS).
- Caching (for servers): Reverse proxies can also cache content, which improves performance, reduces page load times, and speeds up content delivery to clients.
- Load balancing: Reverse proxies can help with the traffic flow on the main server. They can reduce the load on the main server by evenly distributing the load on all the servers. This prevents any single server from becoming overwhelmed. These proxies will also send clients to the servers that are located nearest to them, reducing response times.
- Security: Your origin server’s IP address is masked, which protects against potential attacks, such as DDoS attacks. You can also place a web application firewall on your reverse proxies for further protection against hackers and bots.
- A/B testing: Reverse proxies can perform A/B testing and multivariate testing without JavaScript tags or coding.
What are some popular reverse proxy software/services?
- Nginx reverse proxy: Free and open-source software that can be used as a load balancer, HTTP cache, and reverse proxy.
- Apache HTTP Server (with mod_proxy): A versatile web server that can also function as a reverse proxy.
- HAProxy: Specifically designed for high-availability load balancing and proxying TCP and HTTP-based applications.
- Envoy Proxy: An open-source edge and service proxy, often used in microservices architectures.
- Cloudflare: A well-known CDN and security service that acts as a global reverse proxy.
Reverse proxy FAQs
Can a reverse proxy improve website performance?
Yes. A reverse proxy acts as a performance enhancer for several reasons, such as load balancing, content rewriting, and SSL/TLS termination. For example, a reverse proxy serves cached content directly, avoiding backend server processing.
The reverse proxy can store copies of frequently requested static content such as images, CSS files, and JavaScript files for static sites.
How does a reverse proxy enhance security?
The most fundamental security benefit is that the reverse proxy acts as an intermediary, hiding the real IP addresses of your backend servers from external clients. It becomes the single public-facing entry point. It can be configured to absorb or mitigate Distributed Denial of Service (DDoS) attacks by rate-limiting requests.
Does a reverse proxy add latency?
Yes, any additional network hop adds a tiny amount of overhead. However, in practice, a reverse proxy almost always reduces the overall perceived latency and improves the user experience.
Can I use a reverse proxy for internal services only?
Yes, you can use a reverse proxy for internal services only. A reverse proxy server provides a single entry point for various internal applications; it analyzes each incoming request and distributes requests across multiple backend servers for the same service.