This second post in the “What is … ” series looks into a (reverse) proxy.
The first thing to distinguish is that there are two types of proxies namely a forward proxy (or simply called proxy) and a reverse proxy. The difference between these types is pictured underneath.
WHAT IS IT?
A proxy is in most cases a dedicated server which has the necessary software (Apache with mod_proxy, Internet Information Services, Privoxy, Squid, etc.) to execute its proxy-function.
WHAT ARE THE GOALS?
A proxy server serves several goals:
Provide security in broad sense (by filtering the information during in- and outbound traffic, by providing audit capabilities, scanning for incoming and outgoing malware, …).
- Enhance the network performance by being the single point of entry (reverse proxy) and exit ((forward) proxy).
- Reduce the number of required public IP-addresses.
- Keep the machines behind it anonymous, etc.
From an end-user perspective, the presence of a proxy must be invisible when generating network traffic by for example accessing a website.
Security by the proxy is enforced as follows. The web requests of a company, that want to access the internet, are sent through the proxy. The proxy can prevent the users to access the requested webpage(s). Another possibility is that a reverse proxy is put in place to impede external users/requests to enter the company’s network.
To illustrate the use of the proxy as performance enhancer, suppose the following. A company has 200 employees that surf towards one website. Then, the use of a proxy can limit the required bandwidth because it will store the webpages of the website during the first visit (aka caching). The second visitor will then not access the webpage directly but will get the cached webpage from the proxy. Of course, the proxy needs to renewal its cached pages, else the user will see obsolete pages. On the other side, a reverse proxy can reduce the load of a web server (also known as offloading) by caching the static data (e.g. icons, pictures, captions, etc.) of a website.
Because public IP-addresses are scarce and expensive, it is in a company’s best interest to limit
the number of required addresses on the public web. The use of a proxy enables this goal by using one IP-address to regulate the outbound traffic. And by using a proxy in this kind of way for outgoing traffic, it is impossible to “see” the visiting computer, the proxy keeps the computers within the internal (company) network anonymously.
WHERE IS IT LOCATED IN THE NETWORK?
Proxies are in most cases situated in the DMZ (demilitarized zone) within a network. They can function as a gateway towards the internal network (left part in the underneath figure). But proxies can also operates as an agent for incoming network traffic.