Friday, 21 May 2021

Let’s talk about proxy: forward, reverse, half and full proxy


What is a proxy?

Proxies are hardware or software solutions that sit between a client and a server; their main job is to retrieve data from the Internet on behalf of a user. The term proxy is most often used in the sense of making web browsing anonymous. That is because the proxy sits between your browser and the destination you want to reach and relays the connection: you connect only to the proxy server, the proxy server connects to the web server, and neither you nor the web server has any direct awareness of the other.

The proxy can perform some of the following functions:

  • Access control: proxy administrators can allow or deny Internet access to particular users, based on their login or on their IP address, which adds a layer of protection to the environment.
  • Content filtering: because it sits in the path of the traffic, the proxy can also allow or block access to certain sites. Typical rules block specific websites, or even entire categories of sites.
  • Caching: after fetching a page, the proxy stores its content locally. Later requests for the same page do not have to go out to the Internet, because the content is already in the proxy’s cache.
  • Privacy: the function most of us associate with the word “proxy” is anonymous and protected Internet browsing. A proxy server can block scripts, cookies and other objects hosted on websites, and the web server you visit sees the proxy server’s IP address rather than yours, which makes your browsing more private.

Proxies are not all the same. There are different types of proxies:

  • Forward Proxy
  • Reverse Proxy
  • Half Proxy
  • Full Proxy

Forward Proxy

Forward proxies sit between two networks, usually a private internal network and a public network such as the Internet. They are sometimes referred to as “mega-proxies” because they handle such high volumes of traffic. Forward proxies are generally HTTP (web) proxies that provide a number of services but focus primarily on web content filtering and caching.

The diagram below shows an example topology of the location of the Forward Proxy (located between the internal network and the Internet).

[Figure: forward proxy]

When one of the clients within the internal network accesses a web server or an application hosted on a remote server, its request first passes through the proxy. Depending on the proxy configuration, this request may be accepted or denied. Let’s assume it is accepted. The proxy then sends the request to the remote servers and from the point of view of the web servers or applications, it is the proxy server that issued the request. So, when the web server or application responds, it will send the response to the proxy server. Once the proxy server receives the response, it forwards it to the client that made the request on the internal network.

Reverse Proxy

A reverse proxy is a server located between a public network (e.g. the Internet) and one or more web or application servers. It handles requests for applications and content coming in from the public Internet to the internal, private network. Reverse proxies are typically deployed to improve security, performance and reliability.

Load balancers (application delivery controllers) are a great example of reverse proxies. A load balancer is a device that acts as a reverse proxy and distributes network or application traffic across multiple servers, increasing capacity (concurrent users) and application reliability.

[Figure: reverse proxy]

Without a reverse proxy, client requests would go directly to the web and application servers (W&A servers), and those servers would send their responses directly back to the clients. With a reverse proxy in place, all client requests go to the reverse proxy instead; the reverse proxy sends its own requests to the W&A servers, receives their responses, and then passes the appropriate responses back to the clients.

The main benefits of a reverse proxy are listed below.

  • Load balancing: some high-traffic web and application servers must handle hundreds of thousands (some even millions) of concurrent user or customer requests and deliver the information quickly and reliably. To be delivered quickly, such high-demand applications usually have to be hosted on a pool of servers, and this is where load balancers come in. Load balancing is the ability of a device to distribute network traffic or concurrent connections across several servers in a way that maximizes the capacity and speed of application delivery and minimizes the load on each server.
  • Protection from attacks: with a reverse proxy between users and servers, it is harder for attackers to hit the servers directly (e.g. with a DDoS), because the servers’ IP addresses and service ports are never exposed.
  • Global Server Load Balancing (GSLB): the intelligent distribution of traffic across the closest server resources in multiple geographic locations. This shortens the distance that requests and responses have to travel, reducing load times.
  • Caching: caching greatly improves the user experience for frequently requested web resources. It refers to the local copy a server keeps of information requested over and over by one or more clients (web browsers). By holding that data on a server close to the requesting client, it can be delivered much faster than if it had to be fetched again from the backend server.
  • SSL encryption: the reverse proxy can decrypt incoming connections and re-encrypt the outgoing connections once it has processed them, which takes that work off the backend servers.

Half Proxy

Half proxy refers to how a proxy server handles connections, regardless of whether it is a forward or a reverse proxy. The term is used in two different ways. The first concerns the path connections take: incoming requests are proxied by the device but responses do not pass through it, or, conversely, incoming connections go directly to the servers but responses pass through the proxy (this latter form is very rarely seen; almost all half proxies fall into the reverse-proxy category). It is called a half proxy because connections are proxied in one direction but not in the other. This deployment is very useful when dealing with streaming application traffic.

[Figure: half proxy]

The second use of the term is known as delayed binding. Here the proxy examines each incoming connection, processes it and determines its destination. Once the proxy knows where to send the request, it binds the client and server sides of the connection together, so that only the initial request and the TCP three-way handshake pass through the proxy; the rest of the connection passes directly without being intercepted by the proxy.

[Figure: half proxy]

Full Proxy

A full proxy also refers to how connections are handled. The proxy server splits the connection in two: one between the client and itself, and one between itself and the servers. A proxy configured as a full proxy must therefore understand the network protocols very well and implement them fully, because it is the endpoint of the client’s connection and the originator of the server’s connection. This is a significant difference between a full-proxy architecture and a packet-based architecture.

A good example of an appliance that acts as a full proxy is F5’s BIG-IP system. A BIG-IP is a default-deny system that can be configured as a full proxy and can apply its own TCP behaviour (buffering, retransmissions and TCP options) on each side. This means that the connection between the client and the proxy can be partially or completely different from the connection between the proxy and the server.

[Figure: full proxy]
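As an added example (not code from the original post or from F5), here is a minimal full proxy in Python: it terminates the client’s TCP connection, opens a second, separate connection to the backend and rewrites the request as its own, which is why a full proxy has to understand the protocol it carries. The loopback backend, the hostnames and the request are constructed for the demo.

```python
import asyncio

# Hop-by-hop headers belong to one TCP connection and must not be copied to the other.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection", "upgrade", "te"}

def rewrite_request(raw: bytes, client_ip: str, backend_host: str) -> bytes:
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *headers = head.decode("latin-1").split("\r\n")
    kept = []
    for h in headers:
        name = h.split(":", 1)[0].strip().lower()
        # Drop hop-by-hop headers, Host (rewritten for the backend) and any client-supplied
        # X-Forwarded-For: an edge proxy overwrites it, or the backend logs a spoofed address.
        if name not in HOP_BY_HOP and name not in ("host", "x-forwarded-for"):
            kept.append(h)
    kept += [f"Host: {backend_host}", f"X-Forwarded-For: {client_ip}", "Connection: close"]
    return ("\r\n".join([request_line, *kept]) + "\r\n\r\n").encode("latin-1") + body

async def handle_client(creader, cwriter, upstream):
    raw = await creader.readuntil(b"\r\n\r\n")  # request head only; bodies are out of scope
    # Second, independent TCP connection: towards the server the proxy is the originator.
    sreader, swriter = await asyncio.open_connection(*upstream)
    swriter.write(rewrite_request(raw, cwriter.get_extra_info("peername")[0], "%s:%d" % upstream))
    await swriter.drain()
    response = await sreader.read()  # the demo backend closes after replying
    swriter.close()
    cwriter.write(response)          # relayed on the client-side connection
    await cwriter.drain()
    cwriter.close()

async def demo():
    seen = {}  # constructed loopback demo: a fake backend records what the proxy sent it
    async def backend(r, w):
        seen["request"] = await r.readuntil(b"\r\n\r\n")
        w.write(b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\nConnection: close\r\n\r\nok")
        await w.drain()
        w.close()
    bsrv = await asyncio.start_server(backend, "127.0.0.1", 0)
    bport = bsrv.sockets[0].getsockname()[1]
    psrv = await asyncio.start_server(
        lambda r, w: handle_client(r, w, ("127.0.0.1", bport)), "127.0.0.1", 0)
    r, w = await asyncio.open_connection("127.0.0.1", psrv.sockets[0].getsockname()[1])
    w.write(b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n"
            b"X-Forwarded-For: 203.0.113.9\r\nConnection: keep-alive\r\n\r\n")
    await w.drain()
    reply = await r.read()
    w.close(); bsrv.close(); psrv.close()
    return seen["request"], reply

def run_demo():
    return asyncio.run(demo())
```

Running `run_demo()` shows the backend receiving a request that carries the proxy’s own Host and X-Forwarded-For headers, while the client’s spoofed X-Forwarded-For and keep-alive hop-by-hop header never cross to the second connection.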
