Proxy servers are a topic that you can expect to get quizzed on in the CompTIA Security+ exam. To make sure you can answer questions related to this, you need to a) understand what proxy servers are used for, and b) understand the difference between forward and reverse proxies.
Proxy servers are commonly used in IT because they help with:
- Controlling the flow of traffic
- Implementing caching or compression to save on bandwidth
What are proxy servers?
Proxy servers are intermediaries between two parties. For example, if a user is accessing a website, they are accessing that website through one or more proxy servers, which means the proxy server sits between them and the website’s servers.
This has a number of benefits since end-user traffic has to flow through this server in order to reach other back-end resources. That means we can implement host-based firewalls, we can filter traffic, we can intelligently route the traffic based on the request, we can potentially serve cached responses to conserve resources, and we can do all of that while hiding the identity and location of our back-end resources or of the client initiating the request.
The way that this works depends on the type of proxy that we’re using. In this lesson, we’ll talk about:
- Forward proxy
- Reverse proxy
Forward proxies sit in front of a group of client devices. When those devices make requests to websites on the Internet, the forward proxy will intercept those requests and then communicate with the web services on behalf of those clients.
Forward proxies are helpful in:
- Blocking access to certain content
- Protecting identity
If you want to enable certain restrictions in your corporate environment, or in some sort of government or educational building — like maybe you want to block social media platforms from being accessed — you could do that with a forward proxy. Since every request has to go through this proxy to access the Internet, the proxy can be configured to block certain domains, for example.
Another benefit is that since all requests are coming from the forward proxy, the web services being accessed only see the IP information of the proxy, and not of the end-user that initiated the request. This can be useful in bypassing government censorship and in maintaining general anonymity online.
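The domain blocking described above, sketched as the decision a forward proxy makes for each request. This is an added example, not code from the original lesson; the blocklist, the sample request lines and the function names are constructed for illustration.

```python
from urllib.parse import urlsplit

# Constructed policy for this example; a real deployment would load its own list.
BLOCKED_DOMAINS = {"facebook.com", "tiktok.com"}


def request_host(request_line: str) -> str:
    """Return the destination host from the request line a client sends to a forward proxy."""
    method, target, _version = request_line.split()
    if method.upper() == "CONNECT":
        # HTTPS tunnel request: the target is "host:port".
        host = target.rsplit(":", 1)[0].strip("[]")
    else:
        # Plain HTTP through a proxy: the target is an absolute URL.
        host = urlsplit(target).hostname or ""
    # Normalise case and the trailing dot of a fully qualified name.
    return host.rstrip(".").lower()


def is_blocked(host: str, blocked=BLOCKED_DOMAINS) -> bool:
    """Match the host and each parent domain on whole-label boundaries."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def decide(request_line: str) -> tuple:
    """Return (action, host): forward the request or answer it with an error."""
    try:
        host = request_host(request_line)
    except ValueError:
        return ("400 Bad Request", "")
    if not host:
        return ("400 Bad Request", "")
    return ("403 Forbidden" if is_blocked(host) else "forward", host)


if __name__ == "__main__":
    for line in (
        "CONNECT www.facebook.com:443 HTTP/1.1",   # subdomain of a blocked domain
        "GET http://FACEBOOK.com./ HTTP/1.1",      # case and trailing-dot variant
        "CONNECT notfacebook.com:443 HTTP/1.1",    # similar name, different domain
        "GET http://example.org/index.html HTTP/1.1",
    ):
        print(line, "->", decide(line))
```

Matching on whole labels is what keeps `notfacebook.com` from being caught by a rule for `facebook.com`, while still covering every subdomain of the blocked name.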
What we’ve been talking about so far is referred to as a forward proxy. There’s also something called a reverse proxy.
Reverse proxies sit in front of the back-end resources instead of sitting in front of end-user clients.
This type of configuration is especially helpful when you have multiple resources within your internal network, and you want a single point of entry.
With reverse proxies, your back-end resources get more privacy, since the client only sees the single IP address of the proxy instead of the IP addresses of the back-end servers. That single address is also called a virtual IP address, or VIP.
A common example of this is using something like Cloudflare. If we configure Cloudflare to proxy traffic, then it will route requests to a domain name through its own infrastructure, and then forward that traffic to your infrastructure. The end user would only see IP addresses that belong to Cloudflare, and they wouldn’t be able to see your resource’s IP information.
You don’t have to use Cloudflare for this, of course, and you could configure your very own proxy server.
The benefits here are that you can:
- Implement load balancing
- Achieve a higher level of security
- Implement caching and compression to save on bandwidth
- Implement SSL/TLS Termination
Load balancers are reverse proxies configured specifically to distribute traffic between back-end servers. They can have access to a pool of servers, but end-users don’t need to be concerned with that or see any of that information.
In fact, reverse proxies help achieve a higher level of security because they avoid exposing those back-end servers. If an attacker wanted to launch a DDoS attack, they wouldn’t be able to target those back-end servers directly, and they would instead have to launch the attack against the reverse proxy, which can be specifically designed to deal with this threat. This is one of the primary reasons that Cloudflare became very popular — they were being used to protect websites against very large DDoS attacks in a way that smaller websites wouldn’t otherwise have been able to do due to cost.
We can also cache content and/or implement other optimizations like compression on the reverse proxy so that some requests — or parts of requests — don’t even need to go to the back-end servers and can be served directly from the proxy.
Finally, we can use reverse proxies to implement SSL/TLS termination, which we talked about when we discussed load balancers.
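The load balancing, caching and back-end hiding described above, as a small in-process model. This is an added example, not code from the original lesson; the addresses, the `X-Cache` header and the class names are constructed for illustration, and no real network traffic is involved.

```python
from itertools import cycle

VIP = "203.0.113.10"  # constructed public address (documentation range)


class Backend:
    """Stand-in for an internal application server."""

    def __init__(self, addr: str):
        self.addr, self.hits = addr, 0

    def handle(self, method: str, path: str) -> dict:
        self.hits += 1
        return {"status": 200,
                "headers": {"Server": f"app/{self.addr}"},  # would leak the internal address
                "body": f"{method} {path} ok"}


class ReverseProxy:
    def __init__(self, backends):
        self.pool = cycle(backends)  # round-robin load balancing
        self.cache = {}              # path -> body of a cacheable GET response

    def handle(self, method: str, path: str) -> dict:
        if method == "GET" and path in self.cache:
            # Served from the proxy; no back-end server is contacted.
            status, body, state = 200, self.cache[path], "HIT"
        else:
            upstream = next(self.pool).handle(method, path)
            status, body, state = upstream["status"], upstream["body"], "MISS"
            if method == "GET" and status == 200:
                self.cache[path] = body
        # Build fresh headers instead of copying the back end's, so nothing internal is exposed.
        return {"status": status, "headers": {"Server": "edge", "X-Cache": state},
                "body": body, "peer": VIP}


def demo():
    backends = [Backend("10.0.0.11"), Backend("10.0.0.12")]
    proxy = ReverseProxy(backends)
    requests = [("GET", "/a"), ("GET", "/b"), ("GET", "/a"), ("POST", "/a")]
    responses = [proxy.handle(m, p) for m, p in requests]
    return responses, [b.hits for b in backends]


if __name__ == "__main__":
    responses, hits = demo()
    for r in responses:
        print(r["peer"], r["status"], r["headers"]["X-Cache"], r["body"])
    print("backend hits:", hits)
```

The repeated `GET /a` is answered from the cache, so four client requests produce only three back-end hits, and every response the client receives carries the VIP rather than a `10.0.0.x` address.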
Proxy Servers for the Security+ Conclusion
While the difference is subtle, forward and reverse proxies are not used for the same reasons. Make sure that you understand their differences for the Security+ exam!