Reverse proxies
Reverse proxy – Wikipedia
Example scenario: A client on the internet (cloud on the left) makes a request to a reverse proxy server (red oval in the middle). The proxy inspects the request, determines that it is valid and that it does not have the requested resource in its own cache. It then forwards the request to some internal web server (oval on the right). The internal server delivers the requested resource back to the proxy, which in turn delivers it to the client. The client on the internet is unaware of the internal network, and cannot tell whether it is communicating with a proxy or directly with a web server.
In computer networks, a reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client, appearing as if they originated from the reverse proxy server itself. [1] It is mainly used to balance load.
Large websites and content delivery networks use reverse proxies, together with other techniques, to balance the load between internal servers. Reverse proxies can keep a cache of static content, which further reduces the load on these internal servers and the internal network. It is also common for reverse proxies to add features such as compression or TLS encryption to the communication channel between the client and the reverse proxy. [2]
Reverse proxies are typically owned or managed by the web service, and they are accessed by clients from the public internet. In contrast, a forward proxy is typically managed by a client (or their company) who is restricted to a private, internal network, except that the client can ask the forward proxy to retrieve resources from the public internet on behalf of the client.
Reverse proxy servers are implemented in popular open-source web servers such as Apache, Nginx, and Caddy. This software can inspect HTTP headers, which, for example, allows it on a single IP address to relay requests to different internal servers based on the domain name of the HTTP request. Dedicated reverse proxy servers such as the open source software HAProxy and Squid are used by some of the biggest websites on the internet. Popular commercial providers of reverse proxy servers include Cloudflare and Imperva.
Uses
Reverse proxies can hide the existence and characteristics of origin servers.
Application firewall features can protect against common web-based attacks, such as denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks. Without a reverse proxy, removing malware or initiating takedowns, for example, can be difficult.
In the case of secure websites, a web server may not perform TLS encryption itself, but instead offload the task to a reverse proxy that may be equipped with TLS acceleration hardware. (See TLS termination proxy.)
A reverse proxy can distribute the load from incoming requests to several servers, with each server supporting its own application area. In the case of reverse proxying web servers, the reverse proxy may have to rewrite the URL in each incoming request in order to match the relevant internal location of the requested resource.
A reverse proxy can reduce load on its origin servers by caching static content and dynamic content, known as web acceleration. Proxy caches of this sort can often satisfy a considerable number of website requests, greatly reducing the load on the origin server(s).
A reverse proxy can optimize content by compressing it in order to speed up loading times.
In a technique named “spoon-feeding”, [3] a dynamically generated page can be produced all at once and served to the reverse proxy, which can then return it to the client a little bit at a time. The program that generates the page need not remain open, thus releasing server resources during the possibly extended time the client requires to complete the transfer.
Reverse proxies can operate wherever multiple web servers must be accessible via a single public IP address. The web servers listen on different ports on the same machine, with the same local IP address, or possibly on different machines with different local IP addresses. The reverse proxy analyzes each incoming request and delivers it to the right server within the local area network.
Reverse proxies can perform A/B testing and multivariate testing without placing JavaScript tags or code into pages.
A reverse proxy can add basic HTTP access authentication to a web server that does not have any authentication. [4]
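As an added illustration (not code from the Wikipedia article, nor from Apache, Nginx, HAProxy or any other server it names), here is the routing decision a small reverse proxy makes for the uses listed above: picking an internal server from the Host header, rewriting the URL prefix, rotating across a pool, putting Basic authentication in front of a site that has none, and refusing hosts it was not configured to serve. The host names, backend addresses and routing table are constructed; the Aladdin credential is the example pair from RFC 7617.

```python
import base64
import hmac
import itertools
from dataclasses import dataclass, field

# Constructed routing table (hypothetical hosts, RFC 1918 backend addresses):
# public Host header -> backend pool, optional URL prefix to strip, optional
# Basic-auth credential the proxy enforces (the RFC 7617 example pair here).
ROUTES = {
    "www.example.test": {"backends": ["10.0.0.11:8080", "10.0.0.12:8080"]},
    "shop.example.test": {"backends": ["10.0.0.20:9000"], "strip": "/shop"},
    "intranet.example.test": {"backends": ["10.0.0.30:8000"],
                              "basic_auth": ("Aladdin", "open sesame")},
}
# Hop-by-hop headers belong to the client<->proxy connection only (RFC 7230).
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authorization", "te",
              "trailer", "transfer-encoding", "upgrade"}
_pools = {h: itertools.cycle(r["backends"]) for h, r in ROUTES.items()}

@dataclass
class Decision:
    status: int        # 200 = forward upstream; anything else the proxy answers itself
    backend: str = ""  # chosen internal host:port
    path: str = ""     # request path as sent to the backend
    headers: dict = field(default_factory=dict)

def _basic_auth_ok(headers, expected):
    value = headers.get("authorization", "")
    if not value.lower().startswith("basic "):
        return False
    try:
        user, _, pw = base64.b64decode(value[6:]).decode().partition(":")
    except ValueError:  # malformed base64 or UTF-8
        return False
    # Constant-time comparison so the check does not leak by timing
    return (hmac.compare_digest(user.encode(), expected[0].encode())
            and hmac.compare_digest(pw.encode(), expected[1].encode()))

def route(host, path, client_ip, headers, scheme="https"):
    """Decide what the proxy does with one request (header names lower-case)."""
    site = ROUTES.get(host.lower())
    if site is None:
        return Decision(421)  # Misdirected Request: not a site this proxy fronts
    if "basic_auth" in site and not _basic_auth_ok(headers, site["basic_auth"]):
        return Decision(401)  # answered at the proxy; the backend never sees it
    backend = next(_pools[host.lower()])    # round-robin across the pool
    prefix = site.get("strip", "")
    if prefix and path.startswith(prefix):  # public /shop/x -> internal /x
        path = path[len(prefix):] or "/"
    fwd = {k: v for k, v in headers.items() if k not in HOP_BY_HOP}
    if "basic_auth" in site:
        fwd.pop("authorization", None)      # that credential was for the proxy
    fwd["x-forwarded-for"] = client_ip      # so origin logs keep the real client
    fwd["x-forwarded-proto"] = scheme       # tells the origin TLS ended here
    return Decision(200, backend, path, fwd)
```

Only the headers in `fwd` reach the backend, which is why the proxy, not the origin, is the place that sees every client address and every credential it checks.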
Risks
A reverse proxy can track all IP addresses making requests through it and it can also read and modify any non-encrypted traffic. Thus it can log passwords or inject malware, and might do so if compromised or run by a malicious party.
When the transit traffic is encrypted and the reverse proxy needs to filter/cache/compress or otherwise modify or improve the traffic, the proxy first must decrypt and re-encrypt communications. This requires the proxy to possess the TLS certificate and its corresponding private key, extending the number of systems that can have access to non-encrypted data and making it a more valuable target for attackers.
The vast majority of external data breaches happen either when hackers succeed in abusing an existing reverse proxy that was intentionally deployed by an organisation, or when hackers succeed in converting an existing Internet-facing server into a reverse proxy server. Compromised or converted systems allow external attackers to specify where they want their attacks proxied to, enabling their access to internal networks and systems.
Applications that were developed for the internal use of a company are not typically hardened to public standards and are not necessarily designed to withstand all hacking attempts. When an organisation allows external access to such internal applications via a reverse proxy, they might unintentionally increase their own attack surface and invite hackers.
If a reverse proxy is not configured to filter attacks or it does not receive daily updates to keep its attack signature database up to date, a zero-day vulnerability can pass through unfiltered, enabling attackers to gain control of the system(s) that are behind the reverse proxy server.
Using the reverse proxy of a third party (e.g. Cloudflare, Imperva) places the entire triad of Confidentiality, Integrity and Availability in the hands of the third party who operates the proxy.
If a reverse proxy is fronting many different domains, its outage (e.g. by a misconfiguration or DDoS attack) could bring down all fronted domains. [5]
Reverse proxies can also become a single point of failure if there is no other obvious way to access the back-end server directly.
See also
Network address translation
References
[1] “Forward and reverse proxies”. The Apache Software Foundation. Retrieved 26 August 2018.
[2] “Proxy servers and tunneling”. MDN Web Docs. Retrieved 6 December 2020.
[3] “squid-cache wiki entry on SpoonFeeding”. Francesco Chemolli. Retrieved 9 February 2011.
[4] “Possible to add basic HTTP access authentication via HAProxy?”.
[5] “Cloudflare outage knocks out major sites and services, including Discord”. Retrieved 14 December 2020.
Why is the Nginx webserver called a “reverse proxy”?
Why is the Nginx webserver called a “reverse proxy”? I know any “proxy” to be a “medium” and this touches a more basic question of “how can a medium be forward or reverse”.
A typical “forward” proxy (commonly just called “proxy”) is used to allow internal clients to reach out to external sites.
For example, a corporation may have desktop users who want to reach the internet, but firewalls block them. The users can configure their browser to reach a proxy server, which will make the connection for them.
A “reverse” proxy allows external clients to reach in to internal sites.
For example, a corporation may run a dozen different web sites behind a firewall. A reverse proxy would be programmed so that incoming requests for “” will be forwarded to the real web server for that site. In this way the corporation only needs to expose one real web server.
There are many use cases for both forward and reverse proxies.
nginx is a web server, similar to apache and IIS. Like many web servers it can be configured to work in forward proxy mode or reverse proxy mode.
The phrase “nginx reverse proxy” means the nginx server configured as a reverse proxy.
answered Feb 15 ’19 at 2:52 by Stephen Harris
Why is the Nginx webserver called a “reverse proxy”?
“Reverse proxy” refers to a specific function that a specific Nginx instance can take on. Other Nginx instances can be ordinary web servers, or mail proxies or even load balancers (which often refers to “reverse proxy across multiple servers”).
I know any “proxy” to be a “medium”
A more accurate term is “intermediary”, as in “I’m accessing some resources on your behalf”. “Medium” as a noun can also refer to the transport mechanism over which you’re communicating.
and this touches a more basic question of “how can a medium be forward or reverse”.
The difference between forward and reverse proxies lies in the association, which basically asks the question: “Whose interests am I serving? ”
In a forward proxy, the association is with the clients, i. e. “I’m helping my select group of users access arbitrary servers”.
In a reverse proxy, the association is with the servers, i.e. “I’m helping my select group of servers manage all incoming requests from arbitrary clients”.
answered Feb 15 ’19 at 3:35 by Adrian
What is a Reverse Proxy Server – Avast
What is a reverse proxy?
In a computer network, a basic reverse proxy sits between a group of servers and the clients who want to use them. A client is any hardware or software that can submit requests to a server — for example, your web browser is the client you’re using to read this article, which is hosted on our servers. The reverse proxy fields all requests from the clients to the servers, and it also delivers all responses and services back from the servers to the clients. From the client’s point of view, this makes it look as though everything is coming from one place.
Organizations and businesses use reverse proxies to consolidate their internet presence. Depending on how you configure it, a reverse proxy can provide one of several functions within a single server. It’s part receptionist, directing incoming requests to the right department, and part bouncer, keeping intrusive eyes away from your internal infrastructure.
Forward proxies vs. reverse proxies
A proxy server (or “forward proxy”) acts as an intermediary between you and the server of your choice. A proxy forwards a connection for you — it passes on your requests, receives the replies from the sites and services you’re using, then sends them to you.
In contrast, a reverse proxy receives a request from a client on another network, passes it to an internal server, receives the result, then relays it back to the client. That’s the basics of how proxies work: they pass data back and forth between clients and servers.
In other words, for anyone trying to discern the difference between a forward and reverse proxy, a reverse proxy is exactly the same as a proxy, only backwards: A forward proxy acts on behalf of a client, while a reverse proxy acts on behalf of the server.
What are reverse proxies used for?
Reverse proxies stand between clients and a network service, such as a website. The three most important features that reverse proxies provide are security, load balancing, and ease of maintenance. Reverse proxies can also play a role in identity branding and optimization.
Enhance online security
You can create and configure a reverse proxy to forward requests to one or more internal servers based on the nature of the client’s request. If it’s a website, one URL might be served by your customer support pages, while another might go to your shopping cart. The reverse proxy only forwards requests you want to serve. If you’re only serving web content, configure your reverse proxy to exclude all requests other than those for ports 80 and 443 — the default ports responsible for HTTP and HTTPS, respectively. This lets you divert traffic based on type, and it also means ne’er-do-wells can’t directly attack your internal services.
You can also upgrade a reverse proxy to a firewall, which is a type of proxy server with extra teeth, or additional security features.
Reverse proxy load balancing
If an excessive amount of internet traffic is slowing down your system, you can use load balancing, which distributes your traffic over one or more servers to improve overall performance.
Load balancing lets you replace your single overworked backend service with a more resilient cluster. This technique also ensures that your application no longer has a single point of failure. If one server goes down, its siblings can take over. That’s just good common sense.
A reverse proxy can use a technique called round-robin DNS to direct requests through a rotating list of internal servers. It’s crude, but surprisingly effective. If you grow to have more demanding requirements, you can swap to a more sophisticated setup that incorporates load-balancing features.
Improve site maintenance
When your internal services are hidden from public view, it’s easier to remove services, add new ones, upgrade them, or roll them back. With a reverse proxy, the site visitor only sees and not or
This makes improvements less stressful for both customers as well as professional IT staff. Rather than upgrade your one and only e-commerce site and pray it still works, you can just bring another server online with the new release. Then, configure your proxy to direct new customer sessions to the new server. Once you’re sure it works, shut down the old one. Since users are talking to your proxy and not directly to those internal services, they won’t notice the change.
This process works with load-balanced servers, too. Upgrade one of them, test, and then upgrade the rest in turn. Reverse proxies mean never getting a 3 a.m. phone call because your IT department needs to restore your old website from backup.
Identity branding
Businesses commonly host their website’s content management system or shopping cart apps with an external service outside their own network. Rather than tell site visitors that you’re sending them to another URL for payment, you can use a reverse proxy to conceal that detail. A reverse proxy can hide the presence of external vendors, such as your cloud service provider, who provide components of your customer experience.
Caching commonly-requested data to speed up performance
If you serve a lot of static content, such as images and videos, you can set up a reverse proxy to cache some of that content. Doing so can relieve pressure on your internal services.
Are reverse proxies really secure?
Adding a welcome layer of security, a reverse proxy is effective in protecting systems against web vulnerabilities. The reverse proxy sits between external clients and your internal services, preventing anyone from directly accessing your network. The less of your IT infrastructure you expose, the less traction hackers will have against your important proprietary or customer data.
This lowers the risk of attacks for two reasons:
Your server is better protected from bad actors.
Hackers who prefer easy-to-crack websites will find yours slightly more secure and move on.
Because a reverse proxy acts as the face of your web presence, it can host the certificate and handle the SSL negotiation on behalf of all your internal servers. That means you don’t need to manage multiple certificates, nor do you need encryption on your internal network.
For even more security, construct an internet firewall, which is really just a proxy with extra teeth and a suspicious mind. You can swap out a basic reverse proxy with one that adds firewall features without changing how any of your internal services work.
For maximum security, consider using a VPN or Tor.
Reverse proxy for business, VPN for security at home
Reverse proxies offer a number of advantages for businesses and website administrators. Not only do they improve server efficiency and ease of maintenance, but they also provide an important layer of additional cybersecurity. It’s important to ensure that you’re receiving a similar degree of protection at home.
Avast SecureLine VPN enhances both your security and privacy while you’re online. By encrypting your internet traffic, a VPN insulates you against anyone attempting to take advantage of an unsecured Wi-Fi network. It also conceals your activity from advertising trackers while allowing you to access the online content you want, no matter where in the world you are. For true online privacy with a single click — or a tap on your mobile device — protect yourself with a VPN.
Frequently Asked Questions about reverse proxies
Why is it called a reverse proxy?
A reverse proxy is a type of proxy server. Unlike a traditional proxy server, which is used to protect clients, a reverse proxy is used to protect servers. … The client only communicates directly with the reverse proxy server and it does not know that some other server actually processed its request. (Mar 31, 2021)