Reverse Proxy Security

A reverse proxy functions as a bastion host. It is configured as the only machine to be addressed directly by external clients, and thus obscures the rest of the internal network. Use of a reverse proxy enables the application server to be placed on a separate machine in the internal network, which is a significant security objective.

DMZ is a network architecture in which an additional network is implemented, enabling you to isolate the internal network from the external one. Although there are a few common implementations of DMZs, this section discusses the use of a DMZ and reverse proxy in a back-to-back topology environment.

The following are the main security advantages of using a reverse proxy in such an environment:

• No DMZ protocol translation occurs. The incoming protocol and outgoing protocol are identical (only a header change occurs).
• Only HTTP or HTTPS access to the reverse proxy is allowed, which means that stateful packet inspection firewalls can better protect the communication.
• A static, restricted set of redirect requests can be defined on the reverse proxy.
• Most of the Web server security features are available on the reverse proxy (authentication methods, encryption, and more).
• The reverse proxy screens the IP addresses of the real servers as well as the architecture of the internal network.
• The only accessible client of the Web server is the reverse proxy.
• This configuration supports NAT firewalls.
• The reverse proxy requires a minimal number of open ports in the firewall.
• The reverse proxy provides good performance compared to other bastion solutions.

• Using a secure reverse proxy architecture is easier to maintain. You can add patches to your reverse proxy as needed