This blog post introduces the concepts of proxies and reverse proxies.

The servers that intercept communication between clients and servers are called proxies or proxy servers. They are responsible for various important tasks. In this article, we will cover different types of proxies and their responsibilities.
Forward Proxies
Forward proxies send requests to servers and receive responses from them on behalf of clients. They can be used to cache requests and responses to avoid making redundant requests, provide anonymity for clients, monitor client activities, block certain websites, and more. They can also be used to switch protocols when the client doesn't support the server's protocol (such as HTTP/1.1 to HTTP/2). For example, a company might set up a forward proxy for all employee computers to monitor online activity, improve security, and enhance performance through caching.
Reverse Proxies
Reverse proxies receive requests and send responses on behalf of servers. Like forward proxies, they can cache requests and responses to avoid processing redundant requests, monitor server performance, block malicious attacks, and more. They can also facilitate microservices using different protocols (such as HTTP/1.1 to gRPC). Additionally, they can distribute requests to multiple servers for horizontal scaling (load balancing) and for canary deployments, where traffic is split between old and new versions to test the new version.
Load Balancers
While reverse proxies perform various tasks, load balancing is arguably the most critical, as it significantly impacts the scalability and performance of a service. A reverse proxy is often set up solely for load balancing, and these dedicated proxies are commonly referred to as load balancers.
There are various ways to distribute tasks to servers, from simply assigning requests one by one (Round Robin) to measuring the number of tasks each server has and picking the one with the least load (Least Connections). You can also measure server response times and prioritize high-performing servers for better performance (PEWMA). For more on load balancing algorithms, I highly recommend the article Load Balancing by Sam.
L4 vs L7 Proxies
Proxies can operate at Layer 4 (the transport layer) or Layer 7 (the application layer) of the OSI model. Layer 4 (L4) proxies use NAT, as discussed in the article Network Engineering #2 - DNS, to translate the destination and source addresses of data packets. Because they only rewrite addresses, they do not decrypt or inspect the data content. Layer 7 (L7) proxies, by contrast, decrypt the content and inspect the data for more flexible processing.
L4 proxies, like TCP proxies, only translate packet addresses and ignore the content, allowing them to use a single TCP connection between the client and the server. However, because they don't inspect the content, they cannot perform caching, advanced load balancing, or handle microservices using different protocols. L7 proxies, such as HTTP proxies, can handle all of the above, but they require two TCP connections (one between the client and proxy, and one between the proxy and server) and take additional time to decrypt and process content (though this time is usually negligible).
HTTP vs HTTPS Proxies
When all devices—client, proxy, and server—are within the same private network, using TLS to encrypt communications might be unnecessary. In such cases, HTTP proxies make sense, as they do not use TLS.
However, when proxies communicate with devices outside the private network, securing those communications becomes crucial. In this case, HTTPS proxies are used. There are two types of HTTPS proxies: TLS termination proxies and TLS forward proxies. A TLS termination proxy sets up TLS only with devices outside the private network. For example, if you set up a load balancer within the same private network as your web server, you would use HTTPS with the client but HTTP with your web server.
With TLS termination, however, if your private network is compromised, all data on the unencrypted hop between the proxy and the server would be exposed to the attacker. To mitigate this risk, you can also set up HTTPS between your proxy and server, which is called a TLS forward proxy. The performance cost of using HTTPS is minimal, making the TLS forward proxy a preferred approach in general.
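The two setups described above, written as an Nginx configuration. This is an added example, not configuration from the original post; the hostnames, addresses, ports and file paths are placeholders. It also covers a point the post does not mention: Nginx does not verify the upstream certificate unless told to.

```nginx
# Constructed example: every hostname, address, port and path is a placeholder.
events {}

http {
    # Variant A: TLS termination. HTTPS towards the client, plain HTTP
    # towards the backend. Anyone who can observe the private network
    # can read the proxied traffic.
    server {
        listen 443 ssl;
        server_name www.example.test;
        ssl_certificate     /etc/nginx/tls/www.example.test.crt;
        ssl_certificate_key /etc/nginx/tls/www.example.test.key;

        location / {
            proxy_pass http://10.0.0.10:8080;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto https;
        }
    }

    # Variant B: HTTPS on both hops (what the post calls a TLS forward proxy).
    server {
        listen 8443 ssl;
        server_name www.example.test;
        ssl_certificate     /etc/nginx/tls/www.example.test.crt;
        ssl_certificate_key /etc/nginx/tls/www.example.test.key;

        location / {
            proxy_pass https://app.internal.example.test:8443;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto https;

            # proxy_ssl_verify is off by default: without the lines below the
            # second hop is encrypted but the backend is not authenticated.
            proxy_ssl_verify              on;
            proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.pem;
            # Send SNI and check the certificate against the expected name.
            proxy_ssl_server_name         on;
            proxy_ssl_name                app.internal.example.test;
            proxy_ssl_protocols           TLSv1.2 TLSv1.3;
        }
    }
}
```

Running `nginx -t` against the file checks the syntax and that the referenced certificate files exist.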
Conclusion
In this article, we covered various types of proxies and the important roles they play in improving security and performance. Many services offer proxy solutions, and you can also set up your own reverse proxies or load balancers for your web services using tools like Nginx, which we will cover in a future article.