Reverse proxy

A reverse proxy taking requests from the Internet and forwarding them to servers in an internal network. Those making requests to the proxy may not be aware of the internal network.

In computer networks, a reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client as if they originated from the proxy server itself.^[1] While a forward proxy acts as an intermediary for its associated clients to contact any server, a reverse proxy acts as an intermediary for its associated servers to be contacted by any client.

Quite often, popular web servers have also some reverse-proxying functionality, acting as shields for application frameworks with weaker HTTP capabilities.

Uses of reverse proxies

• Reverse proxies can hide the existence and characteristics of an origin server or servers.
• Application firewall features can protect against common web-based attacks, such as DOS or DDOS. Without a reverse proxy, removing malware or initiating takedowns, for example, can become difficult.
• In the case of secure websites, a web server may not perform SSL encryption itself, but instead offloads the task to a reverse proxy that may be equipped with SSL acceleration hardware. (See SSL termination proxy.)
• A reverse proxy can distribute the load from incoming requests to several servers, with each server serving its own application area. In the case of reverse proxying in the neighborhood of web servers, the reverse proxy may have to rewrite the URL in each incoming request in order to match the relevant internal location of the requested resource.
• A reverse proxy can reduce load on its origin servers by caching static content, as well as dynamic content - also known as web acceleration. Proxy caches of this sort can often satisfy a considerable number of website requests, greatly reducing the load on the origin server(s).
• A reverse proxy can optimize content by compressing it in order to speed up loading times.
• In a technique known as "spoon-feed"^[2] a dynamically generated page can be produced all at once and served to the reverse-proxy, which can then return it to the client a little bit at a time. The program that generates the page need not remain open, thus releasing server resources during the possibly extended time the client requires to complete the transfer.
• Reverse proxies can operate whenever multiple web-servers must be accessible via a single public IP address. The web servers listen on different ports in the same machine, with the same local IP address or, possibly, on different machines and different local IP addresses altogether. The reverse proxy analyzes each incoming request and delivers it to the right server within the local area network.
• Reverse proxies can perform A/B testing and multivariate testing without placing JavaScript tags or code into pages.
• Commercial or enterprise level out-of-box solutions exist and can have an agent installed on user systems to ensure a constant connection to a cloud proxy / reverse proxy server also a SaaS solution. An example of this is McAfee Web Protection Gateway - SaaS solution.^[3]
• A reverse proxy can add basic HTTP access authentication to a web server that does not have any authentication.^[4]

See also

• Network address translation

References

1. "Forward and reverse proxies". The Apache Software Foundation. Retrieved 9 February 2011.
2. "squid-cache wiki entry on "SpoonFeeding"". Francesco Chemolli. Retrieved 9 February 2011.
3. http://www.mcafee.com/us/resources/data-sheets/ds-web-gateway-reverse-proxy.pdf
4. http://serverfault.com/questions/239749/possible-to-add-basic-http-access-authentication-via-haproxy