What is the difference between a proxy (forward proxy) and a reverse proxy? What is the difference between a proxy and a firewall? This post attempts to highlight the differences.

Reverse Proxy

A reverse proxy is a FRONT END to a WEB SERVER or a WEB SERVER farm.

It can help better distribute the load to the web server (In fact, all load balancers are reverse proxies, by definition).

In addition, reverse proxies hide the actual web server IPs by exposing their own IP – same as a single IP Load balancer (e.g. F5 load balancers).

What about my regular web server? Can it serve as a Reverse Proxy?

You can use IIS (or Apache or your favorite WEB SERVER) as a REVERSE proxy server. Why would you need this additional web server when your existing web server already performs most of the relevant tasks (authentication etc.)?

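There are several scenarios. For example, you might want to conditionally send all SECURE requests (https) to another server. You would need a RULE that looked something like this (in IIS). The rule shown here matches any request where {HTTPS} is off and permanently redirects it to the https:// URL for the same host and path: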

<configuration>
    <system.webServer>
        <rewrite>
            <rules>
                <clear />
                <rule name="Redirect to https" stopProcessing="true">
                    <match url="(.*)" />
                    <conditions>
                        <add input="{HTTPS}" pattern="off" ignoreCase="true" />
                    </conditions>
                    <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Permanent" appendQueryString="false" />
                </rule>
            </rules>
        </rewrite>
    </system.webServer>
</configuration>

 

Other uses of Reverse Proxies

Since reverse proxies are full-blown web servers, you CAN perform full-blown authentication on incoming client requests. For example, you may want to add an additional stage of authentication (say an Open Identity Auth using Google or Facebook) and perform this step BEFORE your web server gets to process the request. A reverse proxy is ideally suited to perform this task.

The key use case scenario here is that you want to do some web server specific task WITHOUT TOUCHING or MODIFYING your existing web server or application – and without letting clients know the proxy exists. Enter Reverse Proxy.

How does a Reverse Proxy keep its identity UNKNOWN (you do not want anyone to know that a reverse proxy exists)?

The client sends the request directly to the origin server. When the proxy server is in reverse proxy mode, it intercepts the request before it reaches the origin server.

Typically, this is done by setting up the DNS entry for the origin server (i.e., the origin server’s advertised hostname) so it resolves to the Proxy Server IP address.
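The reverse-proxy duties described above (the HTTPS redirect from the IIS rule, an extra authentication stage before the origin, and load distribution across backends the client never sees), modelled as a Python decision function. This is an added example, not code from the original post or from IIS; the X-Gate-Token header, the token value, the hostnames and the backend addresses are assumptions made for illustration.

```python
import hmac
from itertools import cycle

# Headers that apply to a single connection and must not be forwarded upstream.
HOP_BY_HOP = {"connection", "keep-alive", "te", "trailer",
              "transfer-encoding", "upgrade", "proxy-authorization"}

class ReverseProxy:
    def __init__(self, backends, gate_token):
        self._backends = cycle(backends)       # simple round-robin load distribution
        self._gate_token = gate_token.encode()

    def handle(self, scheme, host, uri, headers, client_ip):
        """Decide what to do with one request; returns a dict describing it."""
        hdrs = {k.lower(): v for k, v in headers.items()}
        # 1. Same effect as the IIS rule on the page: HTTP -> permanent HTTPS redirect.
        if scheme != "https":
            return {"action": "redirect", "status": 301,
                    "location": f"https://{host}{uri}"}
        # 2. Extra authentication stage, run before the origin sees the request.
        #    X-Gate-Token is a hypothetical header; compare in constant time.
        supplied = hdrs.get("x-gate-token", "").encode()
        if not hmac.compare_digest(supplied, self._gate_token):
            return {"action": "reject", "status": 401}
        # 3. Forward: drop hop-by-hop headers and the gate credential, and
        #    overwrite any client-supplied X-Forwarded-* values.
        upstream = {k: v for k, v in hdrs.items()
                    if k not in HOP_BY_HOP and k != "x-gate-token"}
        upstream["host"] = host
        upstream["x-forwarded-for"] = client_ip
        upstream["x-forwarded-proto"] = "https"
        # The backend address stays internal; it is never sent to the client.
        return {"action": "forward", "backend": next(self._backends),
                "headers": upstream}

# Constructed sample values: private backend addresses and a made-up token.
proxy = ReverseProxy(["10.0.0.11:8080", "10.0.0.12:8080"], "constructed-demo-token")

if __name__ == "__main__":
    print(proxy.handle("http", "www.example.com", "/cart?id=7", {}, "203.0.113.5"))
    ok = {"X-Gate-Token": "constructed-demo-token", "X-Forwarded-For": "1.2.3.4"}
    print(proxy.handle("https", "www.example.com", "/cart?id=7", ok, "203.0.113.5"))
```
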

Proxy (Forward Proxy)

Forward proxies are, in fact, not very different from REVERSE proxies, with one key difference. A forward proxy works to SERVICE a client browser directly (typically a GROUP of client machines on an internal network). The client user is typically AWARE of the FORWARD proxy (in fact, he or she usually has to CONFIGURE it in the client browser, under IE -> Internet Settings -> Connections -> LAN Settings). This DIRECT SERVICE of a CLIENT browser can involve blocking a client browser request (e.g. if a company employee's browser is trying to access facebook.com), or it can block the client IP altogether (e.g. if the client machine is trying to hack into a server).

In all other respects, a FORWARD proxy is very similar to a REVERSE proxy: it is a full-blown WEB SERVER, it can control the incoming requests, and it can perform authentication etc.

KEY DIFFERENCE between REVERSE and FORWARD Proxy Server

The key difference lies in the use cases. A FORWARD proxy typically works to BLOCK access for a client machine (or a group of client machines). In contrast, a REVERSE proxy works on behalf of the web server and is completely INVISIBLE to the client machines. Client machines do not even KNOW that they are accessing a reverse proxy; as far as they are concerned, they are accessing the WEB SERVER.

Firewalls – Network Firewalls versus Application Firewalls

Firewalls can exist as software packages that run on your computer or as hardware firewalls in network routers. Unlike proxy servers, firewalls are designed more as traffic controllers than as re-routers.

Using BOTH as part of your SECURITY solution

  1. Use a PROXY server to control who or what connects to your NETWORK.
  2. Use firewalls on local computers to control what gets ONTO each computer.

Anuj holds professional certifications in Google Cloud, AWS as well as certifications in Docker and App Performance Tools such as New Relic. He specializes in Cloud Security, Data Encryption and Container Technologies.

Anuj Varma – who has written posts on Anuj Varma, Hands-On Technology Architect, Clean Air Activist.