Proxy vs Reverse Proxy
What’s a forward proxy vs reverse proxy?
We often visualize data transmitted over the internet as traffic. It’s not incorrect to imagine data packets traveling the internet highway until they arrive at our computers. Today, the internet is not just one highway but many interconnected roads of various public and private networks.
The years may pass, but companies and organizations still have a vested interest in securing their traffic between networks. After all, most businesses would rather not have sensitive applications or database systems be publicly accessible. Just as how there must be roads to reach protected areas, organizations need avenues to access their protected assets. In real life, there are gateways and checkpoints to control who can even approach.
On the internet, proxies play that role.
What is a Proxy?
Because forward and reverse proxies fall under the same umbrella, we will first define what they share as proxies before discussing their differences.
A proxy server acts as an intermediate server between a user’s device requesting a resource and the origin server providing that resource. It does so by routing traffic between the two parties. When a user makes a request, the proxy server evaluates and forwards that request to the target server, retrieves the response, then sends that information or data back to the user.
It may help to visualize it as the waiter at a restaurant. You tell them your order, they relay it to the kitchen, and then the waiter brings your food to you. The waiter’s job is to act as the intermediary between you and the cooks in the kitchen. As a result, this ensures that the customer gets what they ordered and the kitchen stays free from potential contamination.
Makes sense? Good, now let’s talk about forward and reverse proxies. A quick way to remember their difference: Forward proxies protect the client, and reverse proxies protect the server.
The waiter acts as a forward proxy by forwarding the client’s requests to the kitchen. After all, most chefs and cooks in restaurants have no idea who they’re serving when they only see the incoming request.
Aside from the benefit of keeping the kitchen tidy and hygienic, using a waiter means the client only needs to communicate with the waiter and not directly with the kitchen. Consider the chaos if every single customer could walk in and shout their orders at the kitchen staff. Instead, waiters translate customer orders into kitchen lingo so the staff can understand them in a digestible manner. In the same vein, forward proxies will often translate client requests for the servers.
In some cases, this protects the client’s information — such as the IP address — from being known by the web server.
On the other hand, a reverse proxy does the exact opposite. These are closer to an executive assistant or secretary acting as a filter to verify incoming traffic before allowing access. This protects the origin server’s details from exposure.
Here’s a good example of where this matters: attackers who target your servers encounter the intermediary server accepting requests instead. This substitute filters out their attempts and protects the backend server and business from malicious actors.
A good reverse proxy improves the server’s security, performance, and reliability. Businesses use them to protect their internal servers and assets from revealing any internal details to potential hackers.
If this is starting to sound like they are used everywhere by all services, they are! Much of the internet’s traffic passes through reverse proxies that route user requests to origin servers and back again.
Use Cases: Access Control and Access Management
Now that we understand reverse proxies, we can begin to understand their role as part of access control infrastructure. To reiterate, these servers act as representatives for a client or a server. In practical terms, businesses will use reverse proxies to act on behalf of sensitive servers they want to be accessible on the internet, but do not want to expose directly to the internet.
After all, every entry point for a legitimate client is a potential point of entry for a malicious hacker.
Putting a reverse proxy in front of server assets enables network administrators to enforce security policy. This provides a good abstraction to ensure that all applications and servers have a certain baseline level of security.
Just like executive assistants, reverse proxies are protecting the servers by verifying and filtering each client’s request.
This setup ensures clients only ever interact with the reverse proxy and not the server itself. The result is simplified security administration and secured workflow.
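The gatekeeping described above, written out as an added example in Go using the standard library’s net/http/httputil reverse proxy. This is illustrative code, not Pomerium’s own implementation. It assumes a constructed X-Demo-User header as a stand-in for a caller’s identity (a real deployment would take identity from a verified session or signed token, never from a header the client can set freely), and it uses httptest servers as stand-ins for the internal application and the proxy. The proxy decides on each request before the upstream ever sees it, replaces the client’s self-asserted header with one the upstream can trust came from the proxy, and strips response headers that would reveal what runs behind it.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"strings"
)

// identityHeader carries the caller's identity in this constructed example.
// In production, derive identity from a verified session or signed token.
const identityHeader = "X-Demo-User"

// Policy is the allow-list the proxy enforces on behalf of the upstream.
type Policy struct {
	AllowedUsers map[string]bool
}

// Authorize returns the caller's identity and whether policy admits it.
// Anonymous callers never reach the upstream.
func (p Policy) Authorize(r *http.Request) (string, bool) {
	user := r.Header.Get(identityHeader)
	if user == "" {
		return "", false
	}
	return user, p.AllowedUsers[user]
}

// NewAccessProxy builds a reverse proxy that forwards only authorized
// requests to upstream and hides the upstream's details from the client.
func NewAccessProxy(upstream *url.URL, policy Policy) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(upstream)

	defaultDirector := rp.Director
	rp.Director = func(req *http.Request) {
		defaultDirector(req) // rewrite scheme/host/path toward the upstream
		// The upstream must trust the proxy's verdict, not the client's claim:
		// drop the client-supplied header and pass the verified identity on.
		user := req.Header.Get(identityHeader)
		req.Header.Del(identityHeader)
		req.Header.Set("X-Forwarded-User", user)
	}

	// Strip response headers that leak what runs behind the proxy.
	rp.ModifyResponse = func(resp *http.Response) error {
		resp.Header.Del("Server")
		resp.Header.Del("X-Powered-By")
		return nil
	}

	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if _, ok := policy.Authorize(r); !ok {
			http.Error(w, "forbidden", http.StatusForbidden)
			return // denied requests never touch the upstream
		}
		rp.ServeHTTP(w, r)
	})
}

// Outcome records what a caller observed through the proxy.
type Outcome struct {
	Status int
	Body   string
	Server string // Server response header as seen by the client, if any
}

// Demo fronts a constructed upstream (a stand-in for an internal app) with the
// access proxy and returns what an allowed user, a denied user and an
// anonymous caller each see. Keys: "alice", "mallory", "anonymous".
func Demo() (map[string]Outcome, error) {
	upstream := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.Header().Set("Server", "legacy-app/1.0") // a detail we want hidden
		// raw shows whether the client's own header survived the proxy.
		fmt.Fprintf(w, "hello %s, raw=%q", r.Header.Get("X-Forwarded-User"), r.Header.Get(identityHeader))
	}))
	defer upstream.Close()

	target, err := url.Parse(upstream.URL)
	if err != nil {
		return nil, err
	}
	proxy := httptest.NewServer(NewAccessProxy(target, Policy{AllowedUsers: map[string]bool{"alice": true}}))
	defer proxy.Close()

	results := make(map[string]Outcome)
	for _, user := range []string{"alice", "mallory", ""} {
		req, err := http.NewRequest(http.MethodGet, proxy.URL+"/", nil)
		if err != nil {
			return nil, err
		}
		if user != "" {
			req.Header.Set(identityHeader, user)
		}
		resp, err := http.DefaultClient.Do(req)
		if err != nil {
			return nil, err
		}
		body, err := io.ReadAll(resp.Body)
		resp.Body.Close()
		if err != nil {
			return nil, err
		}
		key := user
		if key == "" {
			key = "anonymous"
		}
		results[key] = Outcome{Status: resp.StatusCode, Body: strings.TrimSpace(string(body)), Server: resp.Header.Get("Server")}
	}
	return results, nil
}

func main() {
	results, err := Demo()
	if err != nil {
		panic(err)
	}
	for who, o := range results {
		fmt.Printf("%-9s -> %d %q server=%q\n", who, o.Status, o.Body, o.Server)
	}
}
```

Running it shows alice reaching the upstream as a trusted X-Forwarded-User with her own header removed, mallory and the anonymous caller stopped at the proxy with 403, and the upstream’s Server header absent from every response the client receives.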
The Benefits of Using a Proxy
Here are some examples of what these tools can do:
- Cache Content and DDoS Protection: Content Delivery Networks (CDNs) are just a specialized type of server for delivering cached content. Certain products such as Cloudflare specialize in protecting origin servers from DDoS attacks.
- Improved Server Performance: The intermediary server can offload server load and perform specialized tasks, such as encryption and decryption. This means one less thing for the server to spend resources on, which may also enable developers to ship applications faster when their application server has one less necessary feature.
- Secure legacy applications: Some legacy applications should not be forcibly updated with modern security features. A proxy can be deployed to sit in front of those legacy applications with granular access control configurations to instantly give the legacy application a standardized layer of security.
- Implement Web Application Firewall (WAF): Some solutions can filter, monitor, and block HTTP traffic for your web service to prevent attacks that would exploit any known vulnerabilities.
- Centralized Access Control: Some solutions enable organizations to assert identity, state, and implement centralized access control via authentication and authorization. A properly configured reverse proxy can help onboard or offboard end users for sensitive internal servers.
- Context-aware access: By integrating external data sources into your access control decisions, your network infrastructure can make a more informed decision about granting access.
- SSL/TLS Encryption and inspection: The proxy handles encryption of data in transit, preventing malicious entities from intercepting or tampering with sensitive information, and can inspect requests before they reach the origin.
- Continuous Integration and Deployment: Because clients only ever interact with the intermediary server, backend administrators can easily update or change the servers without disrupting the end user experience.
- Load-Balancing: By routing requests to the service through a proxy, businesses can manage traffic and server load by spreading it across multiple servers. This keeps costs down and improves the end user experience.
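Two items from the list above, encryption offload and load balancing, as one added example in Go. This is illustrative code written for this page, not Pomerium’s or any product’s implementation. It assumes three constructed backends (app-a, app-b, app-c) and a proxy served over TLS by an httptest server; the names are placeholders. Clients connect to the proxy over HTTPS, the proxy terminates TLS and talks plain HTTP to whichever backend the round-robin pool selects, and it tells the backend how the client really connected via X-Forwarded-Proto, since the backend only sees the proxy’s leg.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"sync/atomic"
)

// Pool is a set of interchangeable upstreams selected round-robin.
type Pool struct {
	upstreams []*url.URL
	counter   uint64
}

// Next returns the upstream for the next request, cycling through the pool.
func (p *Pool) Next() *url.URL {
	n := atomic.AddUint64(&p.counter, 1) - 1
	return p.upstreams[n%uint64(len(p.upstreams))]
}

// NewBalancedProxy returns a reverse proxy that spreads requests across the
// pool. TLS is terminated by whatever server hosts this handler; the leg to
// each backend is plain HTTP.
func NewBalancedProxy(pool *Pool) http.Handler {
	return &httputil.ReverseProxy{
		Director: func(req *http.Request) {
			target := pool.Next()
			req.URL.Scheme = target.Scheme
			req.URL.Host = target.Host
			req.Host = target.Host
			// req.TLS reflects the client's connection to the proxy.
			proto := "http"
			if req.TLS != nil {
				proto = "https"
			}
			req.Header.Set("X-Forwarded-Proto", proto)
		},
	}
}

// Result records what the backends reported back through the proxy.
type Result struct {
	Served         []string // backend id that answered each request, in order
	BackendSawTLS  bool     // whether any backend saw a TLS connection itself
	ForwardedProto string   // X-Forwarded-Proto value the backends received
}

// Demo stands up three constructed backends, fronts them with a TLS proxy,
// sends the given number of requests and returns what the backends observed.
func Demo(requests int) (Result, error) {
	var res Result
	var urls []*url.URL
	for _, id := range []string{"app-a", "app-b", "app-c"} {
		id := id
		srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			// Report via response headers so the caller reads them safely.
			w.Header().Set("X-Backend-Saw-TLS", fmt.Sprintf("%t", r.TLS != nil))
			w.Header().Set("X-Backend-Proto", r.Header.Get("X-Forwarded-Proto"))
			fmt.Fprint(w, id)
		}))
		defer srv.Close()
		u, err := url.Parse(srv.URL)
		if err != nil {
			return res, err
		}
		urls = append(urls, u)
	}

	proxy := httptest.NewTLSServer(NewBalancedProxy(&Pool{upstreams: urls}))
	defer proxy.Close()
	client := proxy.Client() // trusts the test server's self-signed certificate

	for i := 0; i < requests; i++ {
		resp, err := client.Get(proxy.URL + "/")
		if err != nil {
			return res, err
		}
		body, err := io.ReadAll(resp.Body)
		resp.Body.Close()
		if err != nil {
			return res, err
		}
		res.Served = append(res.Served, string(body))
		if resp.Header.Get("X-Backend-Saw-TLS") == "true" {
			res.BackendSawTLS = true
		}
		res.ForwardedProto = resp.Header.Get("X-Backend-Proto")
	}
	return res, nil
}

func main() {
	res, err := Demo(6)
	if err != nil {
		panic(err)
	}
	fmt.Printf("served by: %v\nbackend saw TLS: %t\nX-Forwarded-Proto: %s\n",
		res.Served, res.BackendSawTLS, res.ForwardedProto)
}
```

Six sequential requests land on app-a, app-b, app-c, app-a, app-b, app-c; no backend ever handles a TLS connection itself, yet each learns from X-Forwarded-Proto that the client used HTTPS. A production balancer would add health checks and drop unhealthy members from the pool; the round-robin pick is deliberately the simplest policy.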
Using a Reverse Proxy to Enable Remote Access Control
Many organizations take advantage of the proxy’s unique position in network infrastructure to implement a standardized form of access control at scale.
The more applications an organization deploys, the harder it is to scale each application’s individual security features according to a centralized access policy. On the other hand, organizations can enforce their access policies through a reverse proxy deployed everywhere in their network, allowing them to easily add a layer of authentication and authorization that scales with their needs.
Today’s internet utilizes multiple proxy chains to function. For example, websites can have a CDN server for efficient caching of static resources such as images and videos. Another one can oversee access control to that website. Then another is responsible for implementing WAF. These reverse proxies are chained together to serve users and protect the website’s origin server.
It is rare to connect to a server directly. Avoiding this prevents exposing the server to an unnecessary direct line of attack by malicious actors.
How to evaluate reverse proxies?
There are three criteria when evaluating potential solutions:
User experience is a critical criterion for evaluating any solution. Because reverse proxies act as an intermediary for requests from clients to a server, they should ideally be transparent to the end user to ensure the experience remains seamless and intuitive. When correctly done, the end user should have no idea that their connection is being brokered through a reverse proxy.
On the administration side, the ease of setup and configuration is an important consideration, particularly when securing multiple web applications at a time. It should allow for straightforward configurations, allowing for quick adjustments and troubleshooting when adding new services and proxying new routes.
While technically part of the user experience, latency and speed directly impact workflow productivity and deserve their own criterion when evaluating potential solutions. Specifically, we are talking about network latency: the time it takes for data to travel from user to server and back.
If you’re looking for the fastest speed, you want to use self-hosted solutions that are deployed at the edge. This means the reverse proxy sits right in front of the service or application it is protecting, ensuring there is no added latency involved.
Hosted solutions like Cloudflare will be slower than self-hosted solutions. This is because the data needs to travel from the origin server to at least one intermediary server before traveling to the user. When the traffic goes both ways, that’s an extra two destinations added to the back and forth. This extra travel distance adds to the total latency.
A common use case for reverse proxies is to secure legacy applications and services that were not designed with modern access control in mind. Security is paramount when evaluating solutions, as reverse proxies play a critical role in safeguarding network infrastructure and the services behind them. The proxy’s role as gatekeeper allows it to mitigate security threats such as:
- Distributed Denial of Service (DDoS) attacks
- SQL injection
- Cross-site scripting
- and other harmful attack vectors
Advanced solutions can fully implement access control, including:
Ultimately, your chosen solution should be ironclad in its security features to ensure the upstream application or service is not exposed to hackers or actions of malicious intent.
Pomerium’s place as an open-source context-aware reverse proxy helps prevent ransomware attacks on internal services and resources. Whether you’re spinning up a new application or trying to add access control to a legacy service, Pomerium builds secure, clientless connections to internal web apps and services without a corporate VPN. The result is:
- Easier with clientless access.
- Faster by being tunnel-free and deployed where your apps and services are.
- Safer because every single action is verified before it is allowed to execute.
- Tailored to your organization’s needs by integrating all data for context-aware access.