Reverse proxy

Last Updated: Aug 02, 2020

A reverse proxy is a web server that terminates connections with clients and makes new connections to backend servers on their behalf.

A backend server is a server to which the reverse proxy connects to fulfill a request from the client. These backend servers can take various forms, and the reverse proxy can be configured differently to handle each of them.

A reverse proxy is also known as an inbound proxy, because the server receives requests from the Internet and forwards, or proxies, them to a small set of servers. These servers are usually located on an internal network and are not directly accessible from outside. It is called a reverse proxy because a traditional, or outbound, proxy works in the opposite direction: it receives requests from a small set of clients on an internal network and forwards them to the Internet.

The following diagram illustrates the typical configuration of a reverse proxy for file transfer servers.

Advantages of Reverse Proxies

  • Security:

    A reverse proxy can hide the topology and characteristics of backend servers by removing the need for direct internet access to them. You can place your reverse proxy in an internet-facing DMZ, but hide your web servers inside a non-public subnet.

  • Caching:

    The reverse proxy can also act as a cache. You can either have a dumb cache whose entries expire after a set period or, better still, a cache that respects the Cache-Control and Expires headers. This can considerably reduce the load on the backend servers.

  • Compression:

    To reduce the bandwidth needed for individual requests, the reverse proxy can decompress incoming requests and compress outgoing responses. This reduces the load on the backend servers, which would otherwise have to compress the outgoing responses themselves. The reverse proxy also makes debugging requests to, and responses from, the backend servers easier.

  • Simplifies access control tasks:

    Because clients have only a single point of access, you can concentrate access control on that single point.

  • Aggregating Multiple Websites Into the Same URL Space:

    In a distributed architecture, different pieces of functionality can be served by isolated components. A reverse proxy can route different branches of a single URL address space to different internal web servers.

  • Rewriting request URL:

    Sometimes the URL scheme that a legacy application presents is not ideal for discovery or search engine optimization. A reverse proxy can rewrite URLs before passing them on to your backend servers.

  • Authentication:

    The reverse proxy can use client certificates to verify the identity of the client.

  • Whitelisting of users:

    Whitelisting can be used to block or allow a specific set of user IP addresses from using the reverse proxy service. For example, if you add a whitelisted user IP address, all IPs other than the whitelisted IP are denied access to the reverse proxy service.

  • SSL Termination:

    The reverse proxy handles incoming HTTPS connections, decrypts the requests, and passes non-encrypted requests on to the web servers. This has several benefits:

    • Removes the need to install certificates on many backend web servers.

    • Provides a single point of configuration and management for SSL/TLS.

    • Takes the processing load of encrypting or decrypting HTTPS traffic away from web servers.

    • Makes testing and intercepting HTTP requests to individual web servers easier.
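
The whitelisting rule described above (every address not on the list is denied), sketched in Python as an added example; it is not code from the product this page documents. The allowlist entries are constructed documentation ranges and the function names are hypothetical; the check uses the TCP peer address the proxy sees, since a header such as X-Forwarded-For is written by the client.

```python
import ipaddress

# Constructed sample allowlist (documentation ranges, not from the page).
ALLOWLIST = ["203.0.113.10", "198.51.100.0/24", "2001:db8:10::/48"]


def parse_allowlist(entries):
    """Turn single addresses and CIDR ranges into network objects."""
    # strict=True rejects entries with host bits set (198.51.100.7/24),
    # which are usually typos that would silently widen the list.
    return [ipaddress.ip_network(e, strict=True) for e in entries]


def normalize(peer):
    """Parse the socket peer address and unwrap IPv4-mapped IPv6 forms."""
    addr = ipaddress.ip_address(peer)
    # A dual-stack listener reports IPv4 clients as ::ffff:a.b.c.d; without
    # unwrapping, an allowed IPv4 client would never match an IPv4 entry.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def is_allowed(peer, networks):
    """Default deny: only a parsable peer inside a listed network passes."""
    try:
        addr = normalize(peer)
    except ValueError:
        return False  # an unparsable peer address fails closed
    return any(addr.version == n.version and addr in n for n in networks)


if __name__ == "__main__":
    nets = parse_allowlist(ALLOWLIST)
    # Constructed peer addresses, as the proxy's accept() would report them.
    for peer in ["203.0.113.10", "::ffff:203.0.113.10", "198.51.100.77",
                 "203.0.113.11", "2001:db8:11::1", "not-an-ip"]:
        print(f"{peer:24} {'ALLOW' if is_allowed(peer, nets) else 'DENY'}")
```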