Proxy vs Reverse Proxy

By Colin Mo
October 12, 2022

We often visualize the data transmitting on the internet as traffic. Today, the internet is not just one highway but many interconnected roads of various public and private networks.

Companies and organizations have a vested interest in securing their traffic between networks. After all, most businesses would rather not have sensitive applications or database systems be publicly accessible. Yet, just as there must be roads and paths to reach even the most classified buildings and protected areas, there must be ways for organizations to give certain users access to their protected assets.

In real life, there are gateways and checkpoints to control who can even approach. For the digital space, we use proxies.

In this post, we will cover:

  • Proxies: Forward Proxy vs Reverse Proxy
  • Features of a Reverse Proxy
  • Using a Reverse Proxy for Access Control

Proxies: Forward Proxy vs Reverse Proxy

A proxy server is a server that acts as a gateway between a user or client requesting a resource and the actual server providing that resource. It may help to visualize a proxy as the waiter at a restaurant: you tell them what you want to order, they relay it to the chefs in the kitchen, who make your food, and then the waiter brings your food to you. The waiter is the proxy server for your food request because customers are generally not allowed into the kitchen for hygiene purposes.

These are considered forward proxies — they hide the client’s identity and details from the server. In this analogy, the waiter acts as your forward proxy to “forward” your request to the kitchen. After all, most chefs in restaurants have no idea who they’re serving when they only see the incoming request.

On the other hand, a reverse proxy does the exact opposite. A reverse proxy is closer to an executive assistant or secretary, acting as a gateway point to filter and verify clients before allowing access without exposing any of the server’s details.

A good reverse proxy improves the server’s security, performance, and reliability, so businesses want to use reverse proxies to protect their internal servers and assets from revealing any internal details to potential hackers.

An easy way to remember the difference: Forward proxies protect the client, and reverse proxies protect the server.

Features of a Reverse Proxy

Now that we understand reverse proxies, we can begin to understand their role as part of access control infrastructure. To reiterate, proxy servers act as representatives for a client or a server. In practical terms, businesses will use reverse proxies to act on behalf of sensitive servers they do not want to expose directly to the internet.

After all, every entry point for a legitimate client is a potential point of entry for a malicious hacker.

Putting a reverse proxy in front of server assets enables network administrators to enforce security policy at a higher level than any individual server or application. This provides a good abstraction to ensure that all applications and servers have a certain baseline level of security.

Just like executive assistants, reverse proxies protect the servers by verifying and filtering each client’s request.

With this setup, network administrators can simplify security administration and improve productivity workflow because clients only ever interact with the reverse proxy and not the server itself. Here are some examples of what a reverse proxy can do:

  • Secure Legacy Applications: Some legacy applications should not be forcibly updated with modern security features — a reverse proxy can be deployed in front of those applications with granular access control configurations to instantly give the legacy application a standardized layer of security.
  • Continuous Integration and Deployment: Because clients only ever interact with the proxy, backend administrators can easily update or change the servers without disrupting the end user experience.
  • Load-Balancing: Because reverse proxies route the request to the service, businesses can configure the proxy to help manage traffic load by spreading it across multiple servers. Not only does this help the business keep costs down, it improves end user experience because end users never need to know their requests are being processed by a different server.
  • Cache Content and DDoS Protection: Content Delivery Networks (CDNs) are just a specialized type of reverse proxy for delivering cached content.
  • Implement Web Application Firewall (WAF): A reverse proxy can filter, monitor, and block HTTP traffic for your web service to prevent attacks that would exploit any known vulnerabilities.
  • Improved Server Performance: By having the reverse proxy act as the intermediary for servers, there are some aspects of the traffic (such as SSL encryption and decryption) that can be offloaded from the server to the proxy. This means one less thing for the server to spend resources on, which may also enable developers to ship applications faster when their application server has one less necessary feature. (We call it fast-secure.)
  • Centralized Access Control: A reverse proxy allows you to assert identity and state, and to implement centralized access control via authentication and authorization. A properly configured reverse proxy can help onboard or offboard end users for sensitive internal servers.
  • Context-Aware Access: By integrating external data sources into your access control decisions, your network infrastructure can make a more informed decision about granting access.

Using a Reverse Proxy for Access Control

Many organizations take advantage of the reverse proxy’s unique position in network infrastructure to implement a standardized form of access control at scale.

The more applications an organization deploys, the harder it is to scale each application’s individual security features according to a centralized access policy. On the other hand, organizations can enforce their access policies through a reverse proxy deployed everywhere in their network, allowing them to easily add a layer of authentication and authorization that scales with their needs.

More advanced reverse proxies can go the extra step of integrating context into their access decisions to mitigate damage from malicious insiders or socially engineered users.
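
The centralized and context-aware access control described above, as an added Go example (not code from this post or from Pomerium): a reverse proxy authenticates the caller, applies one policy that combines group membership with a device-posture signal, and only then forwards to an application that has no authentication of its own. The session table, the X-Asserted-User header, and the Gate and Probe names are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

type Identity struct { // what the proxy asserts about a caller
	User, Group string
	Managed     bool // context signal: device posture from an external source
}
var sessions = map[string]Identity{ // stands in for an identity provider (constructed)
	"tok-alice": {"alice", "finance", true},
	"tok-bob":   {"bob", "finance", false}, // right group, unmanaged device
}

// Gate applies one central policy in front of upstream, then forwards.
func Gate(upstream *url.URL, group string, needManaged bool) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		id, ok := sessions[strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")]
		if !ok {
			http.Error(w, "unauthenticated", http.StatusUnauthorized)
		} else if id.Group != group || (needManaged && !id.Managed) {
			http.Error(w, "forbidden", http.StatusForbidden)
		} else {
			r.Header.Set("X-Asserted-User", id.User) // replaces any client-sent value
			proxy.ServeHTTP(w, r)
		}
	})
}

// Probe sends a request with a spoofed identity header through the gate.
func Probe(token string) (int, string) {
	app := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "hello "+r.Header.Get("X-Asserted-User")) // legacy app, no auth of its own
	}))
	defer app.Close()
	u, _ := url.Parse(app.URL)
	req := httptest.NewRequest("GET", "/payroll", nil)
	req.Header = http.Header{"Authorization": {"Bearer " + token}, "X-Asserted-User": {"admin"}}
	rec := httptest.NewRecorder()
	Gate(u, "finance", true).ServeHTTP(rec, req)
	return rec.Code, strings.TrimSpace(rec.Body.String())
}
func main() { fmt.Println(Probe("tok-alice")) }
```

The backend trusts X-Asserted-User only because the proxy is its sole entry point; if the application is also reachable directly, that header can be forged.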

If this is starting to sound like a reverse proxy is used everywhere by all services, that’s absolutely right. Most of the internet is reverse proxies, routing user requests to servers and back again.

Many users may think they are going directly to a website server when they navigate via the website address, but that’s rarely the case. Your request is passed through several reverse proxies (doing one or more of the activities listed above) before routing and delegating that request to a server.

Today, the internet is so specialized that multiple reverse proxy chains can be involved. For example, websites can have a CDN proxy for efficient caching of static resources such as images and videos. Another reverse proxy can oversee access control to that website. Then another is responsible for implementing WAF. These reverse proxies are chained together to serve users and protect the website’s actual server.

It is rare for you to be connecting to a server directly, as this exposes the server to an unnecessary direct line of attack by malicious actors.

Pomerium, a First-Class Open-Source Context-aware Access Reverse Proxy

Pomerium is the top choice for companies looking for an open-source context-aware reverse proxy to manage secure, identity-aware access to applications and services. Our customers depend on us to secure zero trust, clientless access to their web applications every day.

Check out our open-source GitHub Repository or give Pomerium a try today!
