Reverse proxy

from Wikipedia, the free encyclopedia
[Figure: A proxy server that connects the Internet to an internal network.]
[Figure: A reverse proxy in operation. The requesters from the Internet connect to the proxy; the internal network does not have to be known to them.]

The reverse proxy fetches resources for an external client from one or more internal servers. The address translation is atypical and runs opposite to the direction of the call (hence "reverse" proxy). The real address of the internal target system remains hidden from the external client. This distinguishes it from the typical proxy, which grants multiple clients in an internal (self-contained) network access to an external network.

Forwarding module of a firewall

The reverse proxies of a firewall initially offer the same functionality as port forwarding and thus enable an externally initiated connection to be established to a server in the internal network behind the forwarding. As soon as they work as a dedicated proxy, they understand the network protocol and are then also able to analyze and process the data in the network packets. They can then, for example, perform a virus scan or apply rules that relate to the packet contents.

On the other hand, there are also reverse proxies that are not part of the firewall software and still have the purpose of enabling access from the external network to an internal computer without having to configure the firewall accordingly. To do this, the internal computer first establishes a connection to a specific external computer, which means that the external computer can communicate with the internal computer through the firewall. If a reverse proxy is running on the external computer, any other computer in the external network can now access the internal computer behind the firewall by sending its requests to the reverse proxy on the external computer (the reverse proxy forwards the requests to the internal computer).

Performance optimization

A reverse proxy can fulfil a completely different task when it accepts the requests for a service in order to improve the speed or access rate of the service or to extend it functionally. It can be installed locally on the target system or run on separate hardware and works, for example, as an HTTP accelerator, also known as a surrogate proxy. Connections from the Internet to a web server are processed by the proxy, which answers the requests itself, provided the responses are in its own cache, or otherwise forwards them to the downstream services or to a remote server.

Further application scenarios

There are several reasons for using a reverse proxy:

Network security
The reverse proxy represents a further link in the security chain and thus contributes to the security of the web server, because it is possible to install virus scanners, firewalls or packet filters on a reverse proxy.
Single sign-on
The reverse proxy can take over the user authentication for several web servers. This means that the user only needs to log in once to use the services of several servers.
Encryption / SSL acceleration
When creating secure websites, SSL encryption is occasionally not done by the web server itself, but by a reverse proxy equipped with the appropriate acceleration hardware. This also makes it possible to use an (SSL) certificate on the proxy (instead of on a web server behind it). With Squid (from version 2.6) this is also possible via software. Shifting the encryption to the proxy provides the following advantages:
  • The web server is relieved (possibly considerably) by outsourcing the encryption.
  • The proxy can cache the web content, which would otherwise not be possible and which further relieves the web server.
  • ACLs can also be used on encrypted pages as the proxy sees the headers in clear text.
Load sharing
The reverse proxy can distribute the load over several servers, with each server serving its own area of application. In the case of web servers, the reverse proxy may have to rewrite the URLs in each web page (translating the externally known URLs to the internal locations).
Caching of content
A reverse proxy can relieve the web server by temporarily storing static content such as images as well as the results of frequently accessed dynamically created pages (from scripting languages). In this way, a significantly higher number of website requests can be dealt with.

If the web server behind it fails (or in the event of an error: HTTP 500, for example), a "user-friendly" message can also be displayed.
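The URL translation mentioned under load sharing, as an added example that is not part of the original article: external path prefixes are mapped to internal backends, and redirect targets and absolute links in the response are translated back so that internal addresses do not reach the client. The route table, backend addresses and public base URL are constructed assumptions.

```python
# Constructed mapping (assumption): external path prefix -> internal backend base URL.
ROUTES = {
    "/shop/": "http://10.0.0.11:8080/",
    "/blog/": "http://10.0.0.12:8080/",
}
# Constructed public address (assumption) under which clients know the site.
PUBLIC_BASE = "https://www.example.com"


def to_internal(path):
    """Translate an externally known path to the internal location."""
    for prefix, backend in ROUTES.items():
        if path.startswith(prefix):
            return backend + path[len(prefix):]
    return None  # no route: the proxy answers itself instead of forwarding


def to_external(url):
    """Translate an internal URL (e.g. a redirect target) back to the public one."""
    for prefix, backend in ROUTES.items():
        if url.startswith(backend):
            return PUBLIC_BASE + prefix + url[len(backend):]
    return url  # not one of the backends: leave untouched


def rewrite_response(headers, body):
    """Rewrite the Location header and absolute links in the body."""
    out = dict(headers)
    if "Location" in out:
        out["Location"] = to_external(out["Location"])
    for prefix, backend in ROUTES.items():
        body = body.replace(backend, PUBLIC_BASE + prefix)
    return out, body


if __name__ == "__main__":
    print(to_internal("/shop/cart?id=1"))
    hdrs, html = rewrite_response(
        {"Location": "http://10.0.0.11:8080/login"},
        '<a href="http://10.0.0.12:8080/post/5">post</a>',
    )
    print(hdrs["Location"])
    print(html)
```
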

Furthermore, a reverse proxy can also end up being used as an open proxy, sending requests under "its name" to external servers without the operator having intended it that way. It can therefore be advisable to configure it in such a way that it only answers requests for certain servers. With Squid, for example, this is done using an http_access allow rule together with the final rule http_access deny all.
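The effect of an allow rule followed by a final deny-all, as an added example that is not part of the original article: a simplified first-match rule model (not Squid's own implementation) evaluated over constructed requests. The site names, rule lists and sample requests are assumptions.

```python
from urllib.parse import urlsplit

# Constructed allowlist (assumption): the only sites this reverse proxy fronts.
ALLOWED_SITES = {"www.example.com", "shop.example.com"}

# Rules are (action, hosts); hosts=None means "all". First match wins.
WEAK = [("allow", None)]                               # forwards anything
HARDENED = [("allow", ALLOWED_SITES), ("deny", None)]  # allow own sites, then deny all


def requested_host(request_line, host_header):
    """Return the lowercase host a request is addressed to, or None if malformed."""
    parts = request_line.split()
    if len(parts) != 3:
        return None
    method, target, _version = parts
    try:
        if method == "CONNECT":      # authority-form: host:port
            host = urlsplit("//" + target).hostname
        elif "://" in target:        # absolute-form: the URL overrides the Host header
            host = urlsplit(target).hostname
        else:                        # origin-form: the host comes from the Host header
            host = urlsplit("//" + host_header).hostname if host_header else None
    except ValueError:
        return None
    return host.rstrip(".").lower() if host else None


def decide(rules, request_line, host_header):
    """Evaluate the rule list top to bottom and return 'allow' or 'deny'."""
    host = requested_host(request_line, host_header)
    for action, hosts in rules:
        if hosts is None or host in hosts:
            return action
    return "deny"  # nothing matched: refuse rather than forward


# Constructed sample requests: (request line, Host header).
SAMPLES = [
    ("GET /index.html HTTP/1.1", "www.example.com"),
    ("GET http://other.invalid/ HTTP/1.1", "www.example.com"),
    ("CONNECT mail.other.invalid:25 HTTP/1.1", ""),
]

if __name__ == "__main__":
    for line, hdr in SAMPLES:
        print(line, "| weak:", decide(WEAK, line, hdr), "| hardened:", decide(HARDENED, line, hdr))
```
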
