Forward Proxy and reverse proxy
Proxy server types and uses for HTTP Server (powered by Apache)
This topic provides information about proxy server types and uses.
Important: Information for this topic supports the latest PTF levels for HTTP Server for iSeries. It is recommended that you install the latest PTFs to upgrade to the latest level of the HTTP Server for iSeries. Some of the topics documented here are not available prior to this update. See http://www.ibm.com/servers/eserver/iseries/software/http/services/service.htm for more information.
Proxy servers receive requests intended for other servers and then act to fulfill, forward, redirect, or reject the requests. Exactly which service is carried out for a particular request is based on a number of factors which include: the proxy server’s capabilities, what is requested, information contained in the request, where the request came from, the intended destination, and in some cases, who sent the request.
The two most attractive reasons to use a proxy server are its ability to enhance network security and lessen network traffic. A proxy server enhances network security by providing controls for receiving and forwarding (or rejecting) requests between isolated networks, for example, forwarding requests across a firewall. A proxy server lessens network traffic by rejecting unwanted requests, forwarding requests to balance and optimize server workload, and fulfilling requests by serving data from cache rather than unnecessarily contacting the true destination server.
HTTP Server (powered by Apache) has proxy server capabilities built in. Activating these services is simply a matter of configuration. This topic explains three common proxy concepts: forward proxy, reverse proxy, and proxy chaining.
Forward proxy
A forward proxy is the most common form of a proxy server and is generally used to pass requests from an isolated, private network to the Internet through a firewall. Using a forward proxy, requests from an isolated network, or intranet, can be rejected or allowed to pass through a firewall. Requests may also be fulfilled by serving from cache rather than passing through the Internet. This allows a level of network security and lessens network traffic.
A forward proxy server will first check to make sure a request is valid. If a request is not valid, or not allowed (blocked by the proxy), it will reject the request resulting in the client receiving an error or a redirect. If a request is valid, a forward proxy may check if the requested information is cached. If it is, the forward proxy serves the cached information. If it is not, the request is sent through a firewall to an actual content server which serves the information to the forward proxy. The proxy, in turn, relays this information to the client and may also cache it, for future requests.
The above image shows a forward proxy configuration. An intranet client initiates a request that is valid but is not cached on Server A (Proxy Server). The request is sent through the firewall to the Internet server, Server B (Content Server), which has the information the client is requesting. The information is sent back through the firewall where it is cached on Server A and served to the client. Future requests for the same information will be fulfilled by the cache, lessening network traffic (proxy caching is optional and not necessary for forward proxy to function on your HTTP Server).
For information on how to configure a forward proxy, see Set up forward proxy for HTTP Server (powered by Apache).
Reverse proxy
A reverse proxy is another common form of a proxy server and is generally used to pass requests from the Internet, through a firewall to isolated, private networks. It is used to prevent Internet clients from having direct, unmonitored access to sensitive data residing on content servers on an isolated network, or intranet. If caching is enabled, a reverse proxy can also lessen network traffic by serving cached information rather than passing all requests to actual content servers. Reverse proxy servers may also balance workload by spreading requests across a number of content servers. One advantage of using a reverse proxy is that Internet clients do not know their requests are being sent to and handled by a reverse proxy server. This allows a reverse proxy to redirect or reject requests without making Internet clients aware of the actual content server (or servers) on a protected network.
A reverse proxy server will first check to make sure a request is valid. If a request is not valid, or not allowed (blocked by the proxy), it will not continue to process the request resulting in the client receiving an error or a redirect. If a request is valid, a reverse proxy may check if the requested information is cached. If it is, the reverse proxy serves the cached information. If it is not, the reverse proxy will request the information from the content server and serve it to the requesting client. It also caches the information for future requests.
The above image shows a reverse proxy configuration. An Internet client initiates a request to Server A (Proxy Server) which, unknown to the client, is actually a reverse proxy server. The request is allowed to pass through the firewall and is valid but is not cached on Server A. The reverse proxy (Server A) requests the information from Server B (Content Server), which has the information the Internet client is requesting. The information is served to the reverse proxy, where it is cached, and relayed through the firewall to the client. Future requests for the same information will be fulfilled by the cache, lessening network traffic and load on the content server (proxy caching is optional and not necessary for proxy to function on your HTTP Server). In this example, all information originates from one content server (Server B).
For information on how to configure a reverse proxy, see Set up reverse proxy for HTTP Server (powered by Apache).
Proxy chaining
A proxy chain uses two or more proxy servers to assist in server and protocol performance and network security. Proxy chaining is not a type of proxy, but a use of reverse and forward proxy servers across multiple networks. In addition to the benefits to security and performance, proxy chaining allows requests from different protocols to be fulfilled in cases where, without chaining, such requests would not be possible or permitted. For example, a request using HTTP is sent to a server that can only handle FTP requests. In order for the request to be processed, it must pass through a server that can handle both protocols. This can be accomplished by making use of proxy chaining which allows the request to be passed from a server that is not able to fulfill such a request (perhaps due to security or networking issues, or its own limited capabilities) to a server that can fulfill such a request.
The first proxy server in a chain will check to make sure a request is valid. If a request is not valid, or not allowed (blocked by the proxy), it will reject the request resulting in the client receiving an error or a redirect. If a request is valid, the proxy may check if the requested information is cached and simply serve it from there. If the requested information is not in cache, the proxy will pass the request on to the next proxy server in the chain. This server also has the ability to fulfill, forward, redirect, or reject the request. If it acts to forward the request then it too passes the request on to yet another proxy server. This process is repeated until the request reaches the last proxy server in the chain. The last server in the chain is required to handle the request by contacting the content server, using whatever protocol is required, to obtain the information. The information is then relayed back through the chain until it reaches the requesting client.
The above image shows a proxy chaining configuration. The intranet client makes a request to Server C (Content Server FTP). Server A (Proxy Server HTTP) does not contain the requested information in cache, so the request is passed through the firewall to Server B (proxy server HTTP/FTP). Server B has both HTTP and FTP protocols and is able to change the HTTP request to an FTP request. Server C receives the FTP request and passes back the requested information to Server B. Server B, in turn, passes the fulfilled request back to the intranet client using the HTTP protocol. The request is sent through the firewall and Server A where the request is cached and given to the intranet client.
Apache as Forward Proxy:
An ordinary forward proxy is an intermediate server that sits between the client and the origin server. In order to get content from the origin server, the client sends a request to the proxy naming the origin server as the target and the proxy then requests the content from the origin server and returns it to the client. The client must be specially configured to use the forward proxy to access other sites.
A typical usage of a forward proxy is to provide Internet access to internal clients that are otherwise restricted by a firewall. The forward proxy can also use caching (mod_cache) to reduce network usage.
The forward proxy is activated using the ProxyRequests directive. Because forward proxies allow clients to access arbitrary sites through your server and to hide their true origin, it is essential that you secure your server so that only authorized clients can access the proxy before activating a forward proxy.
ProxyRequests On
ProxyVia On
<Proxy *>
    Order deny,allow
    Deny from all
    Allow from 192.168.1
</Proxy>
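One way to check a configuration for the open-proxy risk described above, as an added example that is not part of the original page or of Apache. It is a heuristic that does not evaluate Order precedence; the function name and the sample configurations are constructed for illustration.

```python
import re

# Constructed sample configurations (not taken from a real server).
RESTRICTED = """ProxyRequests On
<Proxy *>
  Order deny,allow
  Deny from all
  Allow from 192.168.1
</Proxy>
"""
OPEN = RESTRICTED.replace("Allow from 192.168.1", "Allow from all")
NO_ACL = "ProxyRequests On\nProxyVia On\n"

GRANT_ALL = re.compile(
    r"^(allow\s+from\s+all|require\s+all\s+granted)(\s|$)", re.I)
ANY_ACL = re.compile(r"^(allow\s+from|deny\s+from|require)\s", re.I)


def audit_forward_proxy(conf):
    """Return findings when a forward proxy is usable by any client."""
    proxy_on = in_proxy = saw_acl = False
    findings = []
    for lineno, raw in enumerate(conf.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # Apache only treats whole lines as comments
        if re.match(r"proxyrequests\s+on\b", line, re.I):
            proxy_on = True
        elif re.match(r"<proxy(match)?\s", line, re.I):
            in_proxy = True
        elif re.match(r"</proxy(match)?>", line, re.I):
            in_proxy = False
        elif in_proxy and ANY_ACL.match(line):
            saw_acl = True
            if GRANT_ALL.match(line):
                findings.append(f"line {lineno}: '{line}' admits every client")
    if not proxy_on:
        return []  # reverse-proxy-only setups are out of scope here
    if not saw_acl:
        findings.append("ProxyRequests On without access control in <Proxy>")
    return findings


if __name__ == "__main__":
    for name, conf in [("restricted", RESTRICTED), ("open", OPEN)]:
        print(name, audit_forward_proxy(conf) or "ok")
```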
Apache as Reverse Proxy:
A reverse proxy (or gateway), by contrast, appears to the client just like an ordinary web server. No special configuration on the client is necessary. The client makes ordinary requests for content; the reverse proxy then decides where to send those requests and returns the content as if it were itself the origin.
A typical usage of a reverse proxy is to provide Internet users access to a server that is behind a firewall. Reverse proxies can also be used to balance load among several back-end servers, or to provide caching for a slower back-end server. In addition, reverse proxies can be used simply to bring several servers into the same URL space.
A reverse proxy is activated using the ProxyPass directive or the [P] flag to the RewriteRule directive. It is not necessary to turn ProxyRequests on in order to configure a reverse proxy.
ProxyRequests Off
<Proxy *>
    Order deny,allow
    Allow from all
</Proxy>
ProxyPass /foo http://foo.example.com/bar
ProxyPassReverse /foo http://foo.example.com/bar
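A simplified model of what the ProxyPass and ProxyPassReverse lines above do to a request path and to a redirect sent by the back end, showing that without the reverse mapping the internal host name reaches the client. This is an added example, not Apache code; PUBLIC_ORIGIN (the proxy's own name) and the function names are assumptions.

```python
# Values from the configuration above, plus one assumed public name.
PUBLIC_PREFIX = "/foo"                    # first argument of ProxyPass
BACKEND = "http://foo.example.com/bar"    # second argument of ProxyPass
PUBLIC_ORIGIN = "http://www.example.com"  # assumption: the proxy's own name


def map_request(path):
    """ProxyPass: translate a public path to the back-end URL (None = not proxied)."""
    if path == PUBLIC_PREFIX or path.startswith(PUBLIC_PREFIX + "/"):
        return BACKEND + path[len(PUBLIC_PREFIX):]
    return None


def map_location(location):
    """ProxyPassReverse: rewrite a back-end redirect into the public URL space."""
    if location == BACKEND or location.startswith(BACKEND + "/"):
        return PUBLIC_ORIGIN + PUBLIC_PREFIX + location[len(BACKEND):]
    return location  # redirects to unrelated sites pass through unchanged


def relay(path, backend_location, reverse=True):
    """Return (URL the proxy fetches, Location header the client receives)."""
    upstream = map_request(path)
    if upstream is None:
        return None, None
    seen = map_location(backend_location) if reverse else backend_location
    return upstream, seen


if __name__ == "__main__":
    redirect = "http://foo.example.com/bar/home"  # constructed back-end redirect
    print(relay("/foo/login", redirect))                 # public URL only
    print(relay("/foo/login", redirect, reverse=False))  # back-end name exposed
```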
Configuring Apache to be a forward proxy
This configuration makes Apache act as an HTTP proxy:
ProxyRequests On
ProxyVia On
# Uncomment to route requests through another proxy:
#ProxyRemote * http://…:8080
<Proxy *>
    Order deny,allow
    Deny from all
    # Not a good idea, set to allowed IP ranges
    Allow from all
</Proxy>
CacheRoot "/tmp"
CacheMaxExpire 24
CacheLastModifiedFactor 0.1
CacheDefaultExpire 1
ServerName my-proxy
ErrorLog "/var/log/apache2/proxy-error.log"
CustomLog "/var/log/apache2/proxy-access.log" common
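A detection pass over the access log written by the CustomLog line above, as an added example that is not part of the original page: it reports forward-proxy requests (absolute URI or CONNECT) that were served to clients outside the authorised range. The range 192.168.1.0/24, the function names and the log lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Assumption: only this network is authorised to use the forward proxy.
ALLOWED = ipaddress.ip_network("192.168.1.0/24")

# Common Log Format: host ident user [time] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+$')

# Constructed sample lines, not taken from a real server.
SAMPLE = [
    '192.168.1.20 - - [10/Oct/2023:13:55:36 +0000] "GET http://www.example.org/ HTTP/1.1" 200 5120',
    '203.0.113.9 - - [10/Oct/2023:13:56:01 +0000] "GET http://www.example.net/a HTTP/1.1" 200 812',
    '203.0.113.9 - - [10/Oct/2023:13:56:02 +0000] "CONNECT www.example.net:443 HTTP/1.1" 200 -',
    '198.51.100.7 - - [10/Oct/2023:13:57:10 +0000] "GET http://www.example.com/ HTTP/1.1" 403 199',
    '198.51.100.7 - - [10/Oct/2023:13:57:11 +0000] "GET /index.html HTTP/1.1" 200 44',
]


def is_proxy_request(method, target):
    """Forward-proxy requests carry an absolute URI or use CONNECT."""
    return method.upper() == "CONNECT" or "://" in target


def unauthorised_proxy_use(lines, allowed=ALLOWED):
    """Return (client, method, target, status) for proxy requests that were
    served (2xx/3xx) to a client outside the allowed network."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not Common Log Format
        host, method, target, status = m.groups()
        try:
            inside = ipaddress.ip_address(host) in allowed
        except ValueError:
            inside = False  # hostname logged: cannot prove it is internal
        if inside or not is_proxy_request(method, target):
            continue
        if status[0] in "23":
            hits.append((host, method, target, int(status)))
    return hits


if __name__ == "__main__":
    for hit in unauthorised_proxy_use(SAMPLE):
        print(hit)
```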
Tips
You can use mod_rewrite to rewrite requests. To rewrite root (/) to /temporary_outage you could use the following rewrite:
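RewriteEngine On
RewriteCond %{HTTP_HOST} ^(www\.)?xxx\.com
# Server or virtual-host context. Match only the site root: an unanchored /$ would also match /temporary_outage/ itself and proxy in a loop.
RewriteRule ^/$ http://%{HTTP_HOST}/temporary_outage/ [P,L]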
Forward Proxy works
# webproxy server1
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName server1
    ProxyPass / http://realserver1/
    ProxyHTMLURLMap http://realserver1 /
    <Location />
        ProxyPassReverse /
        ProxyHTMLInterp On
        ProxyHTMLURLMap / /
        RequestHeader unset Accept-Encoding
    </Location>
</VirtualHost>
# webproxy server2
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName server2
    ProxyPass / http://realserver2/
    ProxyHTMLURLMap http://realserver2 /
    <Location />
        ProxyPassReverse /
        ProxyHTMLInterp On
        ProxyHTMLURLMap / /
        RequestHeader unset Accept-Encoding
    </Location>
</VirtualHost>
# realserver2 reverse proxy
NameVirtualHost *:80
<VirtualHost *:80>
    ServerName realserver2
    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
    ProxyPreserveHost On
    ProxyPass / http://localhost:32101/
    ProxyPassReverse / http://localhost:32101/
</VirtualHost>