In computer networks, a reverse proxy is an application that sits in front of back-end applications and forwards client (e.g. browser) requests to those applications. Reverse proxies help increase scalability, performance, resilience and security. The resources returned to the client appear as if they originated from the reverse proxy itself, so the client never learns which back-end server actually produced them.
Large websites and content delivery networks use reverse proxies, together with other techniques, to balance the load between internal servers. Reverse proxies can keep a cache of static content, which further reduces the load on these internal servers and the internal network. It is also common for reverse proxies to add features such as compression or TLS encryption to the communication channel between the client and the reverse proxy; the channel between the proxy and the back end is then a separate hop that has to be secured on its own.
Reverse proxies are typically owned or managed by the web service, and they are accessed by clients from the public Internet. In contrast, a forward proxy is typically managed by a client (or their company) who is restricted to a private, internal network; the client can ask the forward proxy to retrieve resources from the public Internet on its behalf.
Reverse proxy servers are implemented in popular open-source web servers such as Apache, Nginx, and Caddy. This software can inspect HTTP headers, which, for example, allows it to present a single IP address to the Internet while relaying requests to different internal servers based on the domain name (the Host header) of the HTTP request. Dedicated reverse proxy servers such as the open source software HAProxy and Squid are used by some of the biggest websites on the Internet.
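As an added illustration (not code from the page or from any of the servers named above), the following Python sketch shows the decision a name-based reverse proxy makes for each request: it looks the Host header up in an explicit routing table, strips a path prefix where the internal location differs from the public one, removes hop-by-hop headers, and replaces any client-supplied X-Forwarded-* headers with its own values before forwarding. The routing table, the upstream addresses and the Request type are assumptions made for the example. A Host value that is not in the table is refused rather than resolved and forwarded, which is what keeps the proxy from being used as a relay toward arbitrary hosts.

```python
"""Routing core of a name-based reverse proxy (added example, not from the page)."""
from dataclasses import dataclass

# Assumed routing table: public host name -> (upstream origin, path prefix stripped
# before forwarding). Being an explicit allowlist is the security property: a Host
# value that is not listed is refused instead of being resolved and forwarded.
ROUTES = {
    "www.example.com": ("http://10.0.0.11:8080", ""),
    "api.example.com": ("http://10.0.0.12:8080", "/v1"),   # /v1/users -> /users upstream
}

# Hop-by-hop headers (RFC 9110 section 7.6.1) describe one connection only and must
# not be forwarded to the upstream.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailer", "transfer-encoding", "upgrade"}


@dataclass
class Request:
    """Minimal request view; header names are assumed to be lower-cased already."""
    method: str
    path: str
    headers: dict
    client_ip: str
    tls: bool = False


class RoutingError(Exception):
    """Raised when the request is refused; carries the HTTP status to send back."""
    def __init__(self, status, reason):
        super().__init__(f"{status} {reason}")
        self.status = status


def route(req):
    """Return (upstream_url, headers_to_forward) or raise RoutingError."""
    host = req.headers.get("host", "").split(":")[0].lower()
    if host not in ROUTES:
        raise RoutingError(421, "Misdirected Request")
    upstream, prefix = ROUTES[host]

    path = req.path
    if not path.startswith("/") or ".." in path.split("/"):
        raise RoutingError(400, "Bad Request")
    if prefix:
        if not (path == prefix or path.startswith(prefix + "/")):
            raise RoutingError(404, "Not Found")
        path = path[len(prefix):] or "/"       # internal location differs from public one

    # Headers named in Connection are hop-by-hop as well.
    hop = HOP_BY_HOP | {h.strip().lower()
                        for h in req.headers.get("connection", "").split(",") if h.strip()}
    out = {k: v for k, v in req.headers.items()
           if k not in hop and not k.startswith("x-forwarded-")}
    # This proxy is the first hop, so client-supplied X-Forwarded-* values are
    # discarded and replaced; behind a trusted upstream proxy they would be appended to.
    out["x-forwarded-for"] = req.client_ip
    out["x-forwarded-proto"] = "https" if req.tls else "http"
    out["x-forwarded-host"] = host
    out["host"] = upstream.split("//", 1)[1]   # upstream sees its own name, not the public one
    return upstream + path, out


if __name__ == "__main__":
    # Constructed sample request, as a client would send it to the public address.
    req = Request("GET", "/v1/users", {"host": "api.example.com", "connection": "close",
                                        "x-forwarded-for": "9.9.9.9"}, "203.0.113.5", tls=True)
    print(route(req))
    for bad in ({"host": "intranet.internal"}, {"host": "api.example.com"}):
        try:
            route(Request("GET", "/admin", bad, "203.0.113.5"))
        except RoutingError as e:
            print(bad["host"], "->", e)
```

Rewriting the Host header to the upstream's own name is one of two common choices; the alternative is to pass the public name through unchanged and let the back end read X-Forwarded-Host only when it needs the public one. Either way the back end must not be reachable from anywhere but the proxy, or the headers set here can be forged by a direct connection.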
Uses
* Reverse proxies can hide the existence and characteristics of origin servers.
* Application firewall features can protect against common web-based attacks, such as denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks. Because all traffic passes through it, the proxy is also a single control point for the operator; without one, removing malware or initiating takedowns, for example, can be difficult.
* In the case of secure (HTTPS) websites, a web server may not perform TLS encryption itself, but instead offload the task to a reverse proxy that may be equipped with TLS acceleration hardware. (See TLS termination proxy.)
* A reverse proxy can distribute the load from incoming requests to several servers, with each server supporting its own application area. In the case of reverse proxying web servers, the reverse proxy may have to rewrite the URL in each incoming request in order to match the relevant internal location of the requested resource.
* A reverse proxy can reduce load on its origin servers by caching static content and dynamic content, known as web acceleration. Proxy caches of this sort can often satisfy a considerable number of website requests, greatly reducing the load on the origin server(s). Caching dynamic content requires care: a shared cache must not store responses that were generated for one user (for example responses carrying Set-Cookie, or answers to requests bearing Authorization), or it will serve them to other users.
* A reverse proxy can optimize content by compressing it in order to speed up loading times.
* In a technique named "spoon-feeding", a dynamically generated page can be produced all at once and served to the reverse proxy, which can then return it to the client a little bit at a time. The program that generates the page need not remain open, thus releasing server resources during the possibly extended time the client requires to complete the transfer.
* Reverse proxies can operate wherever multiple web servers must be accessible via a single public IP address. The web servers listen on different ports on the same machine, with the same local IP address, or possibly on different machines with different local IP addresses. The reverse proxy analyzes each incoming request and delivers it to the right server within the local area network.
* Reverse proxies can perform A/B testing and multivariate testing without placing JavaScript tags or code into pages.
* A reverse proxy can add access authentication to a web server that does not have any authentication. This only holds if the web server cannot be reached except through the proxy; otherwise the authentication is bypassed by connecting to the server directly.
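A shared cache of the kind described in the caching item above has to decide, for every response, whether it may be stored at all and under which key. The security-relevant mistakes are on the admission side: a page generated for one authenticated user that gets stored will be replayed to the next visitor. The Python class below is an added example, not code from the page or from any of the servers it names; it applies a deliberately conservative policy, storing only responses with an explicit lifetime and keying on the request headers named by Vary. The injectable clock and the sample requests are constructed for the example.

```python
"""Admission and lookup rules for a shared reverse-proxy cache (added example)."""
import time


class ProxyCache:
    """In-memory cache keyed by (method, host, path) plus the headers named in Vary.

    Header names on both sides are assumed to be lower-cased already. The policy is
    conservative on purpose: a shared cache that keeps a user-specific response will
    hand it to the next client, so anything that looks per-user is refused.
    """
    CACHEABLE_STATUS = {200, 301, 404}

    def __init__(self, clock=time.time):
        self._store = {}        # (method, host, path) -> list of stored variants
        self._clock = clock     # injectable for deterministic testing

    @staticmethod
    def _directives(cache_control):
        """'public, max-age=60' -> {'public': None, 'max-age': '60'}"""
        out = {}
        for d in cache_control.split(","):
            name, _, value = d.strip().partition("=")
            if name:
                out[name.lower()] = value.strip('"') or None
        return out

    def _lifetime(self, resp_headers):
        """Seconds of freshness from s-maxage (shared caches) or max-age; None if absent."""
        cc = self._directives(resp_headers.get("cache-control", ""))
        value = cc.get("s-maxage") or cc.get("max-age")
        return int(value) if value and value.isdigit() else None

    def admissible(self, method, req_headers, status, resp_headers):
        """May this response be stored in a shared cache at all?"""
        if method not in ("GET", "HEAD") or status not in self.CACHEABLE_STATUS:
            return False
        if "authorization" in req_headers:      # RFC 9111: not for shared caches
            return False
        if "set-cookie" in resp_headers:        # session material is per-user
            return False
        cc = self._directives(resp_headers.get("cache-control", ""))
        if "no-store" in cc or "private" in cc:
            return False
        if resp_headers.get("vary", "").strip() == "*":
            return False
        return self._lifetime(resp_headers) is not None   # explicit lifetime required

    @staticmethod
    def _vary_names(resp_headers):
        return [v.strip().lower() for v in resp_headers.get("vary", "").split(",") if v.strip()]

    def put(self, method, host, path, req_headers, status, resp_headers, body):
        """Store the response if admissible; returns whether it was stored."""
        if not self.admissible(method, req_headers, status, resp_headers):
            return False
        vary = self._vary_names(resp_headers)
        entry = {
            "vary": vary,
            "selector": tuple(req_headers.get(v, "") for v in vary),
            "expires": self._clock() + self._lifetime(resp_headers),
            "response": (status, resp_headers, body),
        }
        self._store.setdefault((method, host, path), []).append(entry)
        return True

    def get(self, method, host, path, req_headers):
        """Return a fresh stored (status, headers, body) matching the request, or None."""
        now = self._clock()
        for entry in self._store.get((method, host, path), []):
            if entry["expires"] <= now:
                continue
            if tuple(req_headers.get(v, "") for v in entry["vary"]) == entry["selector"]:
                return entry["response"]
        return None


if __name__ == "__main__":
    # Constructed samples: a public page, and a per-user page the cache must refuse.
    cache = ProxyCache()
    print(cache.put("GET", "www.example.com", "/", {}, 200,
                    {"cache-control": "public, max-age=60"}, b"home"))
    print(cache.put("GET", "www.example.com", "/account", {"cookie": "sid=1"}, 200,
                    {"cache-control": "private, max-age=60", "set-cookie": "sid=1"}, b"alice"))
    print(cache.get("GET", "www.example.com", "/", {}))
```

Real caches also honour heuristic freshness, validators (ETag, Last-Modified) and no-cache; the point of the example is the refusal path, since an over-eager cache in front of an application that marks nothing as private is how account pages end up served to strangers.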
Risks
* A reverse proxy can track all IP addresses making requests through it and it can also read and modify any non-encrypted traffic. Thus it can log passwords or inject malware, and might do so if compromised or run by a malicious party.
* When the transit traffic is encrypted and the reverse proxy needs to filter, cache, compress or otherwise modify or improve the traffic, the proxy must first decrypt and re-encrypt the communications. This requires the proxy to hold the TLS certificate and its corresponding private key, which increases the number of systems with access to non-encrypted data and makes the proxy a more valuable target for attackers.
* Many external data breaches happen either when attackers succeed in abusing an existing reverse proxy that was intentionally deployed by an organisation, or when they succeed in converting an existing Internet-facing server into a reverse proxy. Compromised or converted systems allow external attackers to specify where they want their attacks proxied to, giving them access to internal networks and systems.
* Applications that were developed for the internal use of a company are not typically hardened to public standards and are not necessarily designed to withstand all hacking attempts. When an organisation allows external access to such internal applications via a reverse proxy, they might unintentionally increase their own attack surface and invite hackers.
* If a reverse proxy is not configured to filter attacks, or its attack-signature database is not kept up to date, exploits for newly disclosed vulnerabilities can pass through unfiltered, enabling attackers to gain control of the system(s) behind the reverse proxy. Signature-based filtering cannot block a genuine zero-day exploit, for which no signature exists yet, so the proxy must not be the only line of defence for the systems behind it.
* Using the reverse proxy of a third party (e.g. Cloudflare, Imperva) places the entire triad of confidentiality, integrity and availability in the hands of the third party who operates the proxy; because that party terminates TLS, it sees all traffic in clear text.
* If a reverse proxy is fronting many different domains, its outage (e.g. by a misconfiguration or DDoS attack) could bring down all fronted domains.
* Reverse proxies can also become a single point of failure if there is no other way to access the back end server.
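The authentication item in the Uses section and several of the risks above (a proxy that can read and modify traffic, a compromised or converted proxy, internal applications exposed through one) share a requirement on the back-end side: the application behind the proxy must accept requests only from the proxy, and must trust headers such as X-Forwarded-For, or an identity header the proxy sets after authenticating the user, only on that basis. The Python sketch below is an added example, not code from the page or from any product it names; the trusted proxy ranges and the X-Authenticated-User header name are assumptions made for the example.

```python
"""Backend-side trust decisions for an application behind a reverse proxy
(added example, not from the page)."""
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Assumed: the networks from which the organisation's own reverse proxies connect.
TRUSTED_PROXIES = (ip_network("10.0.0.0/24"), ip_network("192.0.2.10/32"))


def from_trusted_proxy(addr: str) -> bool:
    """True if addr lies in one of the trusted proxy ranges (ValueError if malformed)."""
    ip = ip_address(addr)
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip: str, xff: Optional[str]) -> str:
    """Resolve the real client address for logging, rate limiting and audit.

    X-Forwarded-For is honoured only when the TCP peer is a trusted proxy; a client
    that reaches the backend directly could otherwise forge any address. The header
    is walked from the right: trusted proxies are skipped, and the first untrusted
    address is the client, since everything to its left was written by parties the
    proxy did not vouch for.
    """
    if not xff or not from_trusted_proxy(peer_ip):
        return peer_ip
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            if not from_trusted_proxy(hop):
                return hop
        except ValueError:
            return peer_ip          # malformed entry: fall back to the socket address
    return hops[0] if hops else peer_ip   # every hop was one of our own proxies


def handle(peer_ip: str, headers: dict, path: str) -> Tuple[int, str]:
    """Return (status, client_ip) for a request; header names are lower-cased."""
    if not from_trusted_proxy(peer_ip):
        # The request did not pass through the proxy, so any authentication or
        # filtering the proxy adds has been bypassed. Refuse rather than serve.
        return 403, peer_ip
    ip = client_ip(peer_ip, headers.get("x-forwarded-for"))
    # Assumed identity header set by the proxy after it authenticated the user.
    # It is only meaningful because the peer check above already passed.
    user = headers.get("x-authenticated-user")
    if path.startswith("/admin") and not user:
        return 401, ip
    return 200, ip


if __name__ == "__main__":
    # Constructed samples: via the proxy, via the proxy to a protected path, and direct.
    print(handle("10.0.0.11", {"x-forwarded-for": "203.0.113.7"}, "/"))
    print(handle("10.0.0.11", {"x-forwarded-for": "203.0.113.7",
                               "x-authenticated-user": "alice"}, "/admin"))
    print(handle("203.0.113.50", {"x-forwarded-for": "10.0.0.1",
                                  "x-authenticated-user": "alice"}, "/admin"))
```

The peer check in code is defence in depth, not a substitute for network controls: in practice the back-end port is also firewalled so that only the proxy can reach it, which is what makes the proxy's authentication, filtering and logging hold.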
See also
* Network address translation