Proxy versus Reverse Proxy, Firewall versus Reverse Proxy

What is the difference between a proxy (forward proxy) and a reverse proxy? What is the difference between a proxy and a firewall? This post attempts to highlight the differences.

Reverse Proxy

If you understand a web server, you understand a REVERSE proxy server. It is JUST A WEB SERVER, with a few additional capabilities such as URL forwarding. In other words, you can use IIS (or Apache, or your favorite WEB SERVER) as a REVERSE proxy server. Why would you need this additional web server when your existing web server already performs most of the relevant tasks (authentication etc.)?

There are several scenarios. For example, if you wanted to conditionally send all SECURE requests (https) to another server, you would need a RULE that looked something like this (in IIS):

<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <clear />
                <rule name="Redirect to https" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" appendQueryString="false" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>

 

Other uses of Reverse Proxies

Since reverse proxies are full-blown web servers, you CAN perform full-blown authentication on incoming client requests. For example, you may want to add an additional stage of authentication (say an Open Identity Auth using Google or Facebook) and perform this step BEFORE your web server gets to process the request. A reverse proxy is ideally suited to perform this task.

The key use case scenario here is that you want to do some web server specific task WITHOUT TOUCHING or MODIFYING your existing web server or application – and without letting clients know the proxy exists. Enter Reverse Proxy.

How does a Reverse Proxy keep its identity UNKNOWN (you do not want anyone to know that a reverse proxy exists)?

As far as the client is concerned, it sends the request directly to the origin server. When the proxy server is in reverse proxy mode, it intercepts the request before it reaches the origin server.

Typically, this is done by setting up the DNS entry for the origin server (i.e., the origin server’s advertised hostname) so it resolves to the Proxy Server IP address.
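The redirect rule shown earlier tells the client to reconnect over HTTPS; forwarding requests to another server without the client noticing uses a Rewrite action instead. The configuration below is an added example, not from the original post: it assumes the IIS URL Rewrite module and Application Request Routing (ARR) with proxying enabled, and `backend.internal.example` is a placeholder for the origin server's internal name.

```xml
<!-- Added example. backend.internal.example is a placeholder origin name. -->
<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <!-- Inbound: forward HTTPS requests to the origin server.
                     A Rewrite action proxies server-side, so the client only
                     ever sees the advertised hostname.
                     TLS ends at the proxy here; use an https:// backend URL
                     if the internal hop must also be encrypted. -->
                <rule name="Proxy https to origin" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="on" ignoreCase="true" />
                    </conditions>
                    <action type="Rewrite" url="http://backend.internal.example/{R:1}" />
                </rule>
            </rules>
            <outboundRules>
                <!-- Outbound: if the origin answers with a redirect that names
                     itself, put the public host back so the internal name
                     does not leak to the client. -->
                <rule name="Hide origin in Location" preCondition="IsRedirect">
                    <match serverVariable="RESPONSE_Location"
                           pattern="^http://backend\.internal\.example/(.*)" />
                    <action type="Rewrite" value="https://{HTTP_HOST}/{R:1}" />
                </rule>
                <preConditions>
                    <preCondition name="IsRedirect">
                        <add input="{RESPONSE_STATUS}" pattern="3\d\d" />
                    </preCondition>
                </preConditions>
            </outboundRules>
        </rewrite>
    </system.webServer>
</configuration>
```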

Proxy (Forward Proxy)

Forward proxies are, in fact, not very different from REVERSE proxies, with one key difference. A forward proxy works to SERVICE a client browser directly (typically a GROUP of client machines on an internal network). The client user is typically AWARE of the FORWARD proxy (in fact, he or she usually has to CONFIGURE it in the client browser; in IE this is under Internet Settings -> Connections -> LAN Settings). This DIRECT SERVICE of a CLIENT browser involves blocking a client browser request (e.g. if a company employee's browser is trying to access facebook.com), or it can block the client IP altogether (e.g. if the client machine is trying to hack into a server).

[Image: IE proxy server settings]

In all other respects, a forward proxy is very similar to a REVERSE proxy: it is a full-blown WEB SERVER, it can control the incoming requests, and it can perform authentication etc.

KEY DIFFERENCE between REVERSE and FORWARD Proxy Server

The key difference lies in the use cases. A FORWARD proxy typically works to BLOCK access for a client machine (or a group of client machines). In contrast, a REVERSE proxy works on behalf of the web server and is completely INVISIBLE to the client machines. Client machines do not even KNOW that they are accessing a reverse proxy; as far as they are concerned, they are accessing the WEB SERVER.

Firewalls – Network Firewalls versus Application Firewalls

Firewalls can exist as software packages that run on your computer or as hardware firewalls in network routers. Unlike proxy servers, firewalls are designed more as traffic controllers than as re-routers.

Using BOTH as part of your SECURITY solution

  1. Use a PROXY server to control who or what connects to your NETWORK.
  2. Use firewalls on local computers to control what gets ONTO each computer.


Specializing in high volume web and cloud application architecture, Anuj Varma’s customer base includes Fortune 100 companies (dell.com, British Petroleum, Schlumberger).

All content on this site is original and owned by AdverSite Web Holdings, Inc. – the parent company of anujvarma.com. No part of it may be reproduced without EXPLICIT consent from the owner of the content.
