
What is Reverse Proxy?

A reverse proxy server is a server
that acts as a broker between two entities, validating and processing a
transaction in such a way that the actual parties to the transaction do not
directly communicate with one another. It proxies on behalf of the backend HTTP
server, not on behalf of the outside client’s request, hence the term reverse. It is
an application proxy for servers using the HTTP protocol. It acts as a gateway
to an HTTP server or HTTP server farm by acting as the final IP address for
requests from the outside. The firewall works tightly with the Reverse Proxy to
help ensure that only the Reverse Proxy can access the HTTP servers hidden
behind it. From the outside client’s point of view, the Reverse Proxy is the
actual HTTP server.

Benefits of using reverse Proxy

One of the most immediate benefits
of using a Reverse Proxy is that clients now have a single point of access to
your HTTP servers. This allows you to add another layer to your defenses that
might just help you catch an attack against your HTTP servers. Another benefit
is that you have a single point of control over who can access your HTTP
servers and which of them they are allowed to reach. A third benefit is the easy
replacement of backend servers or host name changes. With a Reverse Proxy these
types of changes will not affect the outside clients, because they are made in the
Reverse Proxy rules or mappings; there is no more messy waiting for names to be
republished to the outside DNS world.

Placing
a reverse proxy (proxy gateway) in the DMZ protects the portal server from malicious
attacks as it provides an additional barrier. As the proxy gateway does not
contain any sensitive information, it has less exposure risk than the actual
Web server. Another advantage of having all the portal components in the secured
network is that no ports have to be opened beyond the inner firewall.

The idea of having a single point of
access also helps in load balancing and failover either by using a DNS round
robin scheme or by appliance hardware or software solutions such as F5 Networks
Big IP, Cisco’s Content Switch, or Macromedia’s ClusterCat. Another benefit of
the Reverse Proxy is the ability to assimilate various applications running on
different Operating Systems behind a single facade. Another advantage is that
hardware costs can be lowered significantly because outside and inside clients
can access the same servers for the same HTTP requests. This reduction comes
from eliminating the duplication of hardware, as usually there are one or more
servers for inside clients and one or more servers for the outside clients.
Using a Reverse Proxy allows us to secure our backend databases that may be
required to service our HTTP server requests without exposing them to the
outside world.
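
The "rules or mappings" and the single facade described above can be sketched as a default-deny routing table. This is an added example, not code from the original post or from any SAP or Apache component; the backend host names, ports and the `resolve` helper are hypothetical, and it goes slightly beyond the text by normalizing the path before the mapping is matched.

```python
from posixpath import normpath
from urllib.parse import quote, unquote, urlsplit

# Hypothetical mapping table: public path prefix -> backend base URL.
# Backend host names and ports are constructed for this example.
MAPPINGS = {
    "/portal": "http://portal-be.internal.example:50000/irj/portal",
    "/reports": "http://bi-be.internal.example:8080/reports",
}


def resolve(request_target, mappings=MAPPINGS):
    """Return the backend URL for a client request, or None (default deny)."""
    parts = urlsplit(request_target)
    if parts.scheme or parts.netloc:
        return None  # only origin-form targets ("/path?query") are proxied
    path = unquote(parts.path)
    if not path.startswith("/") or "\\" in path or "\x00" in path:
        return None
    # Collapse "." and ".." BEFORE matching, so the rule is evaluated on the
    # same path the backend will finally see.
    path = normpath(path)
    # Longest prefix first, matched on a whole path segment.
    for prefix in sorted(mappings, key=len, reverse=True):
        if path == prefix or path.startswith(prefix + "/"):
            rest = quote(path[len(prefix):])  # re-encode the canonical form
            query = "?" + parts.query if parts.query else ""
            return mappings[prefix] + rest + query
    return None  # unmapped paths never reach a backend
```

Renaming or replacing a backend means editing `MAPPINGS` only; the public `/portal` and `/reports` URLs that clients use do not change.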

How does it work?

Conclusion

Just to recap, here are some of the
do’s, don’ts, pros and cons to keep in mind when setting up a Reverse
Proxy.

Do

- Place backend servers that the Reverse Proxy will access on a segregated subnet and/or domain
- Set firewall rules so that outside access to backend servers is allowed only from the Reverse Proxy
- All HTTP content references should use non-qualified addresses (no domain prefixes)
- Use aliases and static NAT addresses to reference the Reverse Proxy
- If authentication is required, assign different users and cryptic passwords to access backend servers that are being accessed by the Reverse Proxy
- Install intrusion detection and current patches on the Reverse Proxy and all backend servers
- Use the /etc/hosts file instead of DNS to reference backend servers
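
One way to check the "non-qualified addresses" item from the list above is to scan the HTML that the backend serves for references that carry a host name, since those point the client at a host other than the Reverse Proxy. This is an added example, not part of the original post; the sample page and its host names are constructed, and `audit` is a hypothetical helper name.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that make the browser fetch or submit to a URL.
URL_ATTRS = {"href", "src", "action", "background", "poster"}


def is_qualified(ref):
    """True for http(s)://host/... and protocol-relative //host/... references."""
    parts = urlsplit(ref.strip())
    if parts.scheme in ("http", "https"):
        return True
    return not parts.scheme and bool(parts.netloc)


class QualifiedRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (line, tag, attribute, value)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value and is_qualified(value):
                self.findings.append((self.getpos()[0], tag, name, value))


def audit(html):
    """Return every host-qualified reference found in an HTML document."""
    finder = QualifiedRefFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page: three qualified references, three acceptable ones.
SAMPLE = """<html><head>
<link rel="stylesheet" href="/irj/portal/style.css">
<script src="http://portal-be.internal.example:50000/irj/js/app.js"></script>
</head><body>
<a href="reports/q1.html">Q1</a>
<img src="//bi-be.internal.example/img/logo.gif">
<form action="https://portal-be.internal.example/irj/login" method="post"></form>
<a href="mailto:admin@example.com">mail</a>
</body></html>"""

if __name__ == "__main__":
    for line, tag, attr, value in audit(SAMPLE):
        print(f"line {line}: <{tag} {attr}> -> {value}")
```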


    6 Comments


    1. Nicholas Holshouser
      Don’t forget another important benefit of setting up a reverse proxy infrastructure. Once you are putting all the back-end requests through a single point why not give your network and the back-end http servers the benefit of caching static content at the proxy so all those bothersome mime-types like .css, .jpg, .gif, .js, etc… only get pulled from the cache and do not ever go past the proxy – except occasionally when the content expires from the cache. Your network and your back-end servers will like you!

      Nick Holshouser
      SAP NetWeaver RIG, US

    2. Mich Wilhelmi
      Yasin, good job!

      Maybe one more PRO for your list...
      Another benefit of the reverse proxy mapping is that it will protect web sites against URLs that you do not want others to access. Whether it was a URL that comes standard as part of a WebAS install (hostname:5000/info) or the fact that you can shorten the name to /portal and not show the full /irj/portal can reduce risk against one backing up the URL and going places that the reverse proxy will not map. It can act as a partial URL firewall.

    3. Eddie Koehn
      Thank you Yasin for the informative blog!
      You mention that there is a special plugin for Apache which SAP provides. Where can we find this plugin?

      Regards,

      Eddie
