In computer networks, a reverse proxy is a type of proxy server that retrieves resources on behalf of a client from one or more servers. These resources are then returned to the client, appearing as if they originated from the proxy server itself. Unlike a forward proxy, which is an intermediary for its associated clients to contact any server, a reverse proxy is an intermediary for its associated servers to be contacted by any client. In other words, a proxy acts on behalf of the client(s), while a reverse proxy acts on behalf of the server(s).
Quite often, popular web servers use reverse-proxying functionality, shielding application frameworks of weaker HTTP capabilities. In this context, "weaker" means limitations in ability to handle excessive load, and limitation in handling the entire variety of request formats that can adhere to HTTP(S) 1.x, HTTP(S) 2.x, or requests which may be hard to detect. A reverse proxy in such cases could transform HTTPS requests into HTTP requests, buffer incoming requests based on the load of the "shielded" server(s), handle cookies/session data, or transform one request into multiple requests and then synthesize the responses, among other possibilities.
Uses of reverse proxies
- Reverse proxies can hide the existence and characteristics of origin servers.
- Application firewall features can protect against common web-based attacks, like a denial-of-service attack (DoS) or distributed denial-of-service attacks (DDoS). Without a reverse proxy, removing malware or initiating takedowns, for example, can be difficult.
- In the case of secure websites, a web server may not perform TLS encryption itself, but instead offload the task to a reverse proxy that may be equipped with TLS acceleration hardware. (See TLS termination proxy.)
- A reverse proxy can distribute the load from incoming requests to several servers, with each server supporting its own application area. In the case of reverse proxying web servers, the reverse proxy may have to rewrite the URL in each incoming request in order to match the relevant internal location of the requested resource.
- A reverse proxy can reduce load on its origin servers by caching static content and dynamic content, known as web acceleration. Proxy caches of this sort can often satisfy a considerable number of website requests, greatly reducing the load on the origin server(s).
- A reverse proxy can optimize content by compressing it in order to speed up loading times.
- In a technique named "spoon-feeding", a dynamically generated page can be produced all at once and served to the reverse proxy, which can then return it to the client a little bit at a time. The program that generates the page need not remain open, thus releasing server resources during the possibly extended time the client requires to complete the transfer.
- Reverse proxies can operate wherever multiple web-servers must be accessible via a single public IP address. The web servers listen on different ports in the same machine, with the same local IP address or, possibly, on different machines with different local IP addresses. The reverse proxy analyzes each incoming request and delivers it to the right server within the local area network.
- A reverse proxy can add basic HTTP access authentication to a web server that does not have any authentication.
Risks of reverse proxies
A HTTP/S reverse proxy can read and modify all traffic and IPs of web users going through it. In order to filter/cache/compress or otherwise modify the traffic, it must be able to decrypt and reencrypt the HTTPS traffic and thus posses the TLS certificate's corresponding private key. Thus it can obviously log all passwords going through it or inject malware into the web sites, and might do so if compromised or run by a malicious party. Reverse proxies are also another single point of failure if there is no obvious way to access the server directly.
Using the reverse proxy of a third party (e.g. Cloudflare, Imperva) places the entire triad of Confidentiality, Integrity and Availability in the hands of said third party.
If a reverse proxy is fronting many different domains, its outage (e.g. by a misconfiguration or DDoS attack) could bring down all fronted domains.
- "Forward and reverse proxies". The Apache Software Foundation. Retrieved 26 August 2018.
- "squid-cache wiki entry on "SpoonFeeding"". Francesco Chemolli. Retrieved 9 February 2011.
- "Possible to add basic HTTP access authentication via HAProxy?". serverfault.com.