In this post, we focus on testing the configuration (hereafter: config) of (reverse) proxies. Because a (reverse) proxy has several functions, this article will focus on three specific goals it can fulfill: as a security provider (1), as a network performance enhancer (2) and as a “de-personalization device” (3).
Just like when testing a firewall, first look into the design of the infrastructural landscape. Because a proxy has a great number of features, consult a designer and/or architect to learn the details of the configuration (e.g. whether caching is enabled, encryption and SSL acceleration, load-balancing capabilities, …).
This article is based on the case where the (reverse) proxy server operates as a web proxy.
(1) A forward proxy can provide security by blocking websites when internal users (i.e. users on the internal company network) want to access them. Therefore, it is imperative to know which websites are blacklisted in the proxy. Testing this functionality can easily be done by surfing to blacklisted sites. In this case, the proxy can show the end user a message explaining why the website is blocked. When this error handling is in place, a tester should try each type of message. For example, www.playboy.com can be blocked under the “Adult entertainment” category; www.twitter.com and www.facebook.com can result in an “access denied due to social media” message, etc.
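As an added example (not from the original post), a small Python check that walks the blacklist handed over by the architect, fetches each site through the proxy and verifies both that the request was blocked and that the block page names the expected category. The proxy address, the site-to-category table and the offline `fake_fetch` responses are constructed sample values.

```python
import urllib.error
import urllib.request

# Constructed sample values (replace with the real ones): the proxy under test and the
# policy from the architect, i.e. blacklisted site -> category the block message names.
PROXY = "http://proxy.example.internal:3128"
EXPECTED_BLOCKS = {
    "http://www.playboy.com/": "Adult entertainment",
    "http://www.twitter.com/": "social media",
    "http://www.facebook.com/": "social media",
    "http://www.linkedin.com/": "social media",
}

def fetch_via_proxy(url, proxy=PROXY, timeout=10):
    """Return (status, body) for url fetched through the proxy. A block page is
    usually served with an error status, so HTTPError is a legitimate answer."""
    opener = urllib.request.build_opener(
        urllib.request.ProxyHandler({"http": proxy, "https": proxy}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode("utf-8", "replace")

def check_block_policy(expected, fetch=fetch_via_proxy):
    """Surf to every blacklisted site and return a verdict per site: 'ok' when the
    proxy blocked it and its page names the expected category, else a finding."""
    verdicts = {}
    for url, category in expected.items():
        status, body = fetch(url)
        blocked = status in (403, 451) or "access denied" in body.lower()
        if not blocked:
            verdicts[url] = "NOT BLOCKED"             # site leaks through the proxy
        elif category.lower() not in body.lower():
            verdicts[url] = "WRONG CATEGORY MESSAGE"  # blocked, but for another reason
        else:
            verdicts[url] = "ok"
    return verdicts

def fake_fetch(url):
    """Constructed stand-in for the proxy so the check runs offline: two correct
    block pages, one mis-categorised block page and one site that leaks through."""
    pages = {
        "http://www.playboy.com/": (403, "<h1>Access denied</h1>Category: Adult entertainment"),
        "http://www.twitter.com/": (403, "<h1>Access denied due to social media</h1>"),
        "http://www.facebook.com/": (200, "<html><title>Welcome to Facebook</title></html>"),
        "http://www.linkedin.com/": (403, "<h1>Access denied</h1>Category: Business"),
    }
    return pages[url]
```

Call `check_block_policy(EXPECTED_BLOCKS)` from a client on the internal network to test the real proxy; `check_block_policy(EXPECTED_BLOCKS, fetch=fake_fetch)` is the offline dry run.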