How to test … a (reverse) proxy? (part 2)

The previous post, “How to test … a (reverse) proxy? (part 1)”, covered some of a proxy’s functions, namely the proxy as:

  1. a security provider,
  2. a performance enhancer by caching data and
  3. a “de-personalization” device

This post focuses on testing other functions of a proxy:

  1. SSL encryption/decryption,
  2. data compression,
  3. scanning for malware,
  4. scanning for outbound content (preventing data loss),
  5. load balancing and
  6. reporting on internet usage

1. SSL encryption/decryption

A reverse proxy can be used to encrypt or decrypt an SSL stream for outbound and inbound traffic.  SSL stands for Secure Sockets Layer, an encryption protocol that ensures a more secure way of communication.  In effect, the (reverse) proxy offloads the internal network by taking over the encryption and decryption of the communication.  As a consequence, the web server can focus on handling the web requests instead of first “translating” the SSL stream.  The figure below shows the intended setup from a reverse proxy point of view.



This can easily be tested with a packet sniffer (e.g. Wireshark, ngrep, …).  The tester can then check visually that the traffic between the internet and the proxy uses the SSL protocol (see the figure above), while the traffic inside the company’s network uses plain HTTP.
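The visual check in the sniffer can also be automated on the first payload bytes of each captured connection. The following is an added example, not code from the original post; the leg names and the sample payloads are constructed for illustration.

```python
# Added example: classify the first payload bytes of a captured TCP stream.
# Leg names and sample payloads are constructed, not taken from a real capture.

TLS_RECORD_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, application_data
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ", b"PATCH ")

def classify(payload: bytes) -> str:
    """Return 'tls', 'http' or 'unknown' for the start of a TCP payload."""
    if len(payload) >= 5 and payload[0] in TLS_RECORD_TYPES and payload[1] == 3:
        length = int.from_bytes(payload[3:5], "big")
        # Minor version 0..4 covers SSL 3.0 to TLS 1.3; a record body is
        # never longer than 2^14 + 2048 bytes.
        if payload[2] <= 4 and 0 < length <= 2**14 + 2048:
            return "tls"
    if payload.startswith(HTTP_METHODS) or payload.startswith(b"HTTP/1."):
        return "http"
    return "unknown"

def check_offload(streams):
    """streams: iterable of (leg, first_payload). Returns a list of violations."""
    expected = {"internet->proxy": "tls", "proxy->backend": "http"}
    problems = []
    for leg, payload in streams:
        seen = classify(payload)
        if seen != expected[leg]:
            problems.append(f"{leg}: expected {expected[leg]}, saw {seen}")
    return problems

# Constructed samples: a TLS ClientHello record header and a cleartext HTTP request.
CLIENT_HELLO = bytes.fromhex("1603010200010001fc0303") + b"\x00" * 32
PLAIN_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"

GOOD = [("internet->proxy", CLIENT_HELLO), ("proxy->backend", PLAIN_GET)]
BAD = [("internet->proxy", PLAIN_GET), ("proxy->backend", PLAIN_GET)]

if __name__ == "__main__":
    print(check_offload(GOOD))
    print(check_offload(BAD))
```
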

2. Data compression

Static data used in a website (e.g. figures, HTML, JavaScript, CSS resources, etc.) can be stored on the proxy in compressed form, or the proxy can decide ad hoc to compress data.  Compression can be done in several ways: removing whitespace, removing comments, removing unnecessary metadata, etc.  By compressing certain data, the proxy accelerates the load time of a webpage.  Gzip, for example, is a well-known program for compressing data on the proxy.  Google has also created its “SPDY Proxy” for mobile devices.  Be aware that compression itself should be traded off against speed.



Testing is done by checking whether the compression program and the compressed data are actually available on the proxy.  As there should also be an acceleration effect, comparing the situation before and after should show a considerably lower response time.

3. Scanning for malware

Because attackers continuously improve their techniques, malware may be embedded within an SSL-encrypted message or page.  To prevent such an intrusion, malware-scanning software is required on the reverse proxy.  A helpful program can be SpyProxy, which is an execution-based detection tool for malware.

Testing this feature of the proxy is hazardous and should be done in a controlled environment.  However, it is not impossible and there are tools available to support a tester in this kind of testing (Tools for testing malicious sites).

4. Scanning outbound content

Outbound content is scanned to prevent data loss/leaks.  Suppose the following situation.  A security officer within a company has access to a wide variety of sensitive information.  A company might consider protecting specific data, even from its security officer (e.g. the wages of the management team).  It is possible to tag the data so the proxy server(s) can scan and identify the transmitted data.  This prevents the sent data from being used for malicious purposes, and also catches accidental errors.  Therefore, if the security officer wants to mail the wages to his personal mailbox, this can be anticipated by enabling the proxy server for DLP (Data Loss Prevention).  Other terms for this kind of practice are information loss prevention and extrusion prevention.  A product which addresses such risks is Symantec DLP server.


Borg vessels probing USS Voyager

To test this functionality within the proxy server, a tester needs to have “inside” information about the business rules and the tagging that is used to indicate who may send what type of data to which kind of addresses.  A simple state transition diagram can help the tester in defining the test cases.

5. Load balancing

The principle of load balancing is to divide the work to be “done” over a number of computers (servers).  Load balancing can be done at the hardware or software level.  Here, the reverse proxy is the tool which enables this functionality.  A minimal setup for load balancing through a proxy server is pictured below.  Load balancing allows the backend system to act as one “big” system.  Hence, it does not matter to which server the reverse proxy delivers its packages.



Testing this can be done in two different ways.  The first one is as follows:

  • Start situation: All the backend servers are active,
  • continuously send requests through the proxy server and
  • kill the backend servers one by one until only one server is active.

The test result should be that even one server can handle the requests of the proxy.  In other words, the website under test remains active.

On the other hand, the test can be executed as follows:

  • Start situation: no backend server is active,
  • continuously send requests through the proxy server and
  • activate backend servers one by one until all the servers are active.

The test result should be that when all servers are brought up, all servers can handle the requests of the proxy.

Another “side test” of the latter option is to bring each server up individually without the other ones, so it is possible to determine that each server handles the proxy’s requests.  Afterwards, the test can be performed as described above.
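Both scenarios, with their pass criteria written out as checks, are shown in the added example below (not code from the original post). `SimulatedProxy` and the backend names are hypothetical stand-ins so the example runs offline; in a real test `request()` would be an HTTP call through the proxy and the stop/start actions would act on the real servers.

```python
# Added example: both load-balancing scenarios run against a stand-in proxy.
# SimulatedProxy and the backend names are hypothetical, for illustration only.

class SimulatedProxy:
    """Round-robin reverse proxy that skips backends marked as down."""
    def __init__(self, backends):
        self.backends = list(backends)
        self.alive = set()
        self._next = 0

    def request(self):
        for _ in self.backends:                  # try each backend at most once
            name = self.backends[self._next]
            self._next = (self._next + 1) % len(self.backends)
            if name in self.alive:
                return 200, name
        return 503, None                         # no backend left to answer

def run_scenario(proxy, start_alive, changes, burst=6):
    """Apply changes one by one, sending a burst of requests after each.
    changes: list of ('stop' | 'start', backend). Returns a list of findings."""
    proxy.alive = set(start_alive)
    findings = []
    for action, name in [(None, None)] + changes:
        if action == "stop":
            proxy.alive.discard(name)
        elif action == "start":
            proxy.alive.add(name)
        served = set()
        for _ in range(burst):
            status, backend = proxy.request()
            if proxy.alive and status != 200:
                findings.append(f"outage with {sorted(proxy.alive)} alive")
            if backend is not None:
                served.add(backend)
        if served - proxy.alive:
            findings.append(f"traffic sent to stopped {sorted(served - proxy.alive)}")
        if proxy.alive - served:
            findings.append(f"no traffic reached {sorted(proxy.alive - served)}")
    return findings

BACKENDS = ["web1", "web2", "web3"]              # constructed names

def scale_down():                                # first test: stop servers one by one
    return run_scenario(SimulatedProxy(BACKENDS), BACKENDS, [("stop", "web1"), ("stop", "web2")])

def scale_up():                                  # second test: start servers one by one
    return run_scenario(SimulatedProxy(BACKENDS), [], [("start", b) for b in BACKENDS])
```

An empty findings list means the scenario passed. The “side test” is the same call with a single backend in `start_alive` and no changes.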

6. Reporting on internet usage

Because the internet offers everyone within a company easy access to online resources, abuse is not far away (e.g. surfing social networks, writing private mails, etc.), and this sometimes poses a serious problem.  Some cases report a paralyzing effect on the company.  This is called cyberslacking or cyberloafing.  In these cases, the proxy can provide assistance by reporting on the internet usage.



Testing this feature of the proxy server(s) is done by recording the websites visited with the browser, and afterwards comparing this record with the proxy’s reporting.  Mind you, the proxy may report IP addresses!
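The comparison can be scripted so that a site counts as reported whether the proxy logged its name or one of its addresses. This is an added example, not code from the original post; the report layout (client, destination, bytes), the browser history and the DNS table are all constructed.

```python
# Added example: reconcile sites visited in the browser with the proxy's report.
# The report layout and the DNS table are constructed; a live test would
# resolve names with socket.getaddrinfo() instead of a fixed table.
from urllib.parse import urlsplit

VISITED = [                                   # constructed browser history
    "https://www.example.test/news",
    "http://mail.example.test/inbox",
    "https://social.example.test/feed?id=7",
]
PROXY_REPORT = """\
10.0.0.15 www.example.test 18234
10.0.0.15 192.0.2.25 5120
10.0.0.15 198.51.100.9 940
"""
DNS = {                                       # constructed lookups
    "mail.example.test": {"192.0.2.25"},
    "social.example.test": {"203.0.113.40"},
}

def reconcile(visited, report, dns):
    """Return (visited hosts missing from the report, report entries nobody visited)."""
    hosts = {urlsplit(url).hostname for url in visited}
    reported = {line.split()[1] for line in report.splitlines() if line.strip()}
    matched, missing = set(), set()
    for host in hosts:
        # A host counts as reported under its name or under any address it resolves to.
        aliases = {host} | dns.get(host, set())
        hit = aliases & reported
        matched |= hit
        if not hit:
            missing.add(host)
    return sorted(missing), sorted(reported - matched)

if __name__ == "__main__":
    missing, unexpected = reconcile(VISITED, PROXY_REPORT, DNS)
    print("visited but not reported:", missing)
    print("reported but not visited:", unexpected)
```
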


Testing a proxy is never a piece of cake and without pretending to be complete, this article on testing a proxy should provide a tester with the basics to tackle the most common functions of a proxy server. 
