Vault 📚

06_forward_proxies

6 min read

Proxies in Network Architecture

Proxies function as intermediaries in the communication flow between clients and servers, performing tasks such as request routing, caching, encryption offloading, and IP masking. By inserting themselves between the client and the destination server, proxies can manage connections in ways that provide anonymity, load balancing, and performance improvements. Below is an expanded discussion with ASCII diagrams and practical explanations of how proxies are organized and used.

A Layer of Indirection

# General Proxy Setup

   +-----------+        +---------+         +------------+
   |   Client  | -----> |  Proxy  |  -----> |  Server(s) |
   +-----------+        +---------+         +------------+
          ^                   |                   ^
          |                 (Network)             |
          +---------------------------------------+

  1. Client

    • Initiates the request (e.g., a user’s web browser, a mobile app, or an API consumer).
    • Sees the proxy as the destination server in many configurations.

  2. Proxy

    • Receives requests, optionally modifies them, then forwards them to the actual server.
    • Returns the server’s response to the client as if it were the origin itself.

  3. Server

    • Hosts the actual resources or services the client is trying to access.
    • May see all traffic as originating from the proxy rather than from the real client IP.

Varieties of Proxy Servers

Open Proxies

  • Definition: Freely accessible by any user on the internet.
  • Primary Use: Anonymizing online traffic by masking user IPs.
  • Risks:
    • Often unverified or maintained by unknown third parties.
    • Potential for malicious activity, e.g., monitoring user data or distributing malware.
# Simple Open Proxy

 Client  ->  Public/Open Proxy  ->  Destination Server

Anonymous Proxies

  • Definition: Reveals its proxy status to the server but does not disclose the client’s IP address.
  • Benefits:
    • Balance between concealing the client IP and performing request-forwarding tasks.
    • Often used for safer browsing or bypassing content filters while announcing “This is a proxy.”

Transparent Proxies

  • Definition: Neither hides the proxy server’s identity nor the client’s IP address.
  • Main Role: Caching and content filtering without providing anonymity.
  • Typical Usage:
    • Organizational networks or ISPs to improve performance by caching frequently accessed data.
    • Example: A hotel Wi-Fi service that intercepts HTTP requests to apply usage policies.

Reverse Proxies

  • Definition: Deployed in front of servers to handle inbound requests.
  • Roles:
    • Load balancing: Distributing requests among multiple back-end servers.
    • SSL Offloading: Terminates SSL/TLS so back-end servers handle only plain HTTP.
    • Security: Filters incoming traffic, blocks suspicious or malicious payloads.
ASCII DIAGRAM: Reverse Proxy in Front of Web Servers

           Internet
              |
       (Requests/Responses)
              v
    +--------------------+
    |     Reverse Proxy  |
    |  (Load Balancer)   |
    +---------+----------+
              |
   (Distributes traffic)
      +-------+-------+
      |               |
      v               v
+-----------+   +-----------+
|   Server1 |   |   Server2 |
+-----------+   +-----------+

Forward Proxy Architecture

A forward proxy is typically set up on the client side of a connection. It receives outbound requests from clients and relays them to the internet. This can provide privacy (the server sees only the proxy’s IP), caching, or traffic filtering.

ASCII DIAGRAM: Forward Proxy Setup

    Clients           Forward Proxy            Internet
--------------------------------------------------------
|      |            |            |             |      |
|  C1  |---Request--|            |---Request-->|  W1  |
|      |<--Response-|    FP      |<--Response--|      |
|------|            |            |             |------|
|  C2  |---Request--|            |---Request-->|  W2  |
|      |<--Response-|            |<--Response--|      |
|------|            |            |             |------|
|  C3  |---Request--|            |---Request-->|  W3  |
|      |<--Response-|            |<--Response--|      |
--------------------------------------------------------
  • Clients (C1, C2, C3): Send outbound web requests.
  • Forward Proxy (FP): Intercepts and relays requests to external websites (W1, W2, W3).
  • Use Cases:
    • Corporate networks restricting external access.
    • Individuals bypassing geographical restrictions or content filters.
    • Caching frequently accessed resources (e.g., OS updates) to save bandwidth.

Reverse Proxy Architecture

A reverse proxy stands before your internal servers to receive incoming traffic from the internet. Users make requests to the proxy’s IP or domain name, and the proxy decides which server in the back-end should handle each request.

ASCII DIAGRAM: Reverse Proxy Setup

 Internet              Reverse Proxy              Internal Network
-------------------------------------------------------------------------
|        |            |            |            | WS1 | WS2 | ... | WSn  |
|        |            |            |            |-----|-----|     |-----|
|  WWW   |---Request--|     RP     |---Request--|     |     |     |     |
|        |<--Response-|            |<--Response-|-----|-----|-----|-----|
|        |            |            |            |     |     |     |     |
-------------------------------------------------------------------------
  • Reverse Proxy (RP): Terminates incoming requests from external clients, selects an internal server (WS1, WS2, etc.) for processing, and then sends the server’s response back to the client.
  • Common Tasks:
    • Load Balancing: Distributes requests based on server health or capacity.
    • Security: May filter suspicious requests, hide back-end servers behind private IPs, or handle DDoS mitigation.
    • SSL/TLS Offloading: Terminates SSL/TLS connections, passing unencrypted traffic to internal servers.

Easy Way to Remember: Forward vs. Reverse

  1. Forward Proxy

    • Acts on behalf of the client.
    • Clients connect to resources through it.
    • Provides client anonymity, caching, or content filtering.

    Analogy: A personal assistant (forward proxy) obtains data from the outside world, so external services see the assistant rather than the real person making the request.

  2. Reverse Proxy

    • Acts on behalf of the server.
    • Internet clients see the proxy as the “server.”
    • Balances load, hides internal infrastructure, adds security layers.

    Analogy: A receptionist or front desk (reverse proxy) routes incoming callers or visitors to the correct department, ensuring they never directly see or contact internal offices without going through the receptionist.

Additional Advantages of Proxies

  • Anonymity & Privacy

    • Masks the client’s IP, ensuring the destination server sees only the proxy IP.
    • Can also encrypt traffic, preventing eavesdropping on intermediate hops.

  • Geo-Restriction Bypass

    • A client can connect through a proxy in a different geographic region, accessing content that might otherwise be blocked.

  • Traffic Filtering and Security

    • Proxies can enforce organizational policies, like blocking malicious or time-wasting sites.
    • Reverse proxies can filter harmful requests, scanning for suspicious patterns to protect back-end servers.

  • Load Balancing

    • Reverse proxies distribute incoming requests across multiple servers, improving uptime and response times.

  • Caching

    • Both forward and reverse proxies can cache content. Forward proxies typically cache external content for local users; reverse proxies cache content for external users, reducing load on servers.
ASCII DIAGRAM: Combined Reverse Proxy / Cache

+--------------+      +---------------+      +---------------+
|   Internet   | ---> | Reverse Proxy | ---> |   Web Server  |
+--------------+      |  + Cache      |      +---------------+
                       +---------------+
  • When clients request popular resources, the proxy can serve them from its cache instead of hitting the origin server, leading to faster responses and reduced server load.

Considerations

  • Performance Impact

    • Proxies add an extra network hop, so choose or configure them carefully to avoid becoming a bottleneck.
    • Memory and CPU overhead for caching or SSL termination can be substantial in high-traffic scenarios.

  • Security Risks

    • Improperly configured proxies can leak private data or become open entry points for attacks.
    • Open proxies, in particular, can be associated with illegal activities if not monitored.

  • Logging and Analytics

    • Proxies see all traffic, making them prime points for monitoring, usage control, and access logs.
    • Must handle privacy concerns and comply with data protection regulations.

  • Scalability

    • Large-scale architectures may deploy multiple proxy nodes in a cluster, sometimes behind a load balancer, to handle increased throughput.

  • Compatibility

    • Some protocols (e.g., WebSockets, HTTPS) require additional considerations to function properly through proxies.
    • Reverse proxies dealing with TLS might need special configurations (SNI, ALPN).

Graph View