First written: 22-11-28
Translated: 25-02-07
Uploaded: 25-02-07
Last modified: 23-02-28
We need to know what a 'proxy server' is before talking about the 'forward proxy' and the 'reverse proxy'. In the Cambridge Dictionary, 'proxy' means "authority given to a person to act for someone else." A proxy server also acts for someone else, specifically for the client or the server. It is a computer that acts as a proxy for a certain computer: it sits right in front of the 'real' computer and acts as an intermediary between the 'real' computer and the internet.
When a proxy server is located in front of the client computer, it's called a 'forward proxy'. If the proxy server is located in front of the server computer, it's called a 'reverse proxy'.
pic ref: https://www.baeldung.com/nginx-forward-proxy
'Proxy' generally means 'forward proxy'. I guess it's because the reverse proxy is only visible to server developers, especially infra developers. The client, and even a backend developer, may not know whether the server is running as a reverse proxy or not. On the other hand, the client needs to go through a process to connect to the forward proxy, as with the intranets that many companies use. Many people are familiar with this forward proxy, and I guess that is how the idea that "proxy equals forward proxy" has spread.
If the client sends a request to the server, the forward proxy server receives the request before it goes out to the internet. The forward proxy server then sends the request on behalf of the client.
The forward proxy server is widely used both at work and on personal computers at home. First, let's talk about the forward proxy server used for personal computers. If someone uses a forward proxy on their computer, they can hide their IP and improve security. The IP that the server sees is different from the personal computer's IP because it's the IP of the forward proxy server. Other information likewise belongs to the forward proxy server. This guarantees anonymity, although the forward proxy basically applies only to the internet.
Companies use this technology to block connections to specific content or websites. For example, computers on an educational campus have a forward proxy server to block betting websites or illegal websites, and even inappropriate requests such as stock trading or web games.
The forward proxy server can also contribute to optimization, caching frequently visited websites to reduce network traffic and balance the internal network load. Caching also improves speed. Additionally, if the proxy server records logs or network usage, that can be useful.
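The blocking, caching and logging roles described above can be sketched as a small policy model. This is an added example, not code from the original post: the class and method names are hypothetical, and `fetch` is a stand-in for the outbound request the proxy makes on the client's behalf.

```python
import time
from urllib.parse import urlsplit


class ForwardProxyPolicy:
    """Hypothetical model of a forward proxy's block / cache / log decisions."""

    def __init__(self, blocked_domains, cache_ttl=60.0):
        # Normalise once: lower-case, no trailing dot.
        self.blocked = {d.lower().rstrip(".") for d in blocked_domains}
        self.cache_ttl = cache_ttl
        self.cache = {}  # url -> (expires_at, body)
        self.log = []    # (client_ip, url, verdict)

    def is_blocked(self, host):
        # Compare whole DNS labels: 'bet.example' blocks 'www.bet.example'
        # but not 'notbet.example', which a substring test would also block.
        labels = host.lower().rstrip(".").split(".")
        return any(".".join(labels[i:]) in self.blocked
                   for i in range(len(labels)))

    def handle(self, client_ip, url, fetch, now=None):
        """Return (status, body) for one client request."""
        now = time.time() if now is None else now
        host = urlsplit(url).hostname or ""  # lower-cased, port removed
        if self.is_blocked(host):
            self.log.append((client_ip, url, "BLOCKED"))
            return 403, b""
        cached = self.cache.get(url)
        if cached and cached[0] > now:
            # Served from the proxy: no traffic leaves the internal network.
            self.log.append((client_ip, url, "HIT"))
            return 200, cached[1]
        body = fetch(url)  # the origin sees the proxy here, not client_ip
        self.cache[url] = (now + self.cache_ttl, body)
        self.log.append((client_ip, url, "MISS"))
        return 200, body
```

The log keeps the real client address next to each verdict, which is information only the proxy has, since the origin server sees the proxy's address.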
When I first met the forward proxy, I thought of a VPN, which can also hide and change the user's IP. Let's compare the forward proxy and the VPN briefly.
Both have something in common: they add an extra step before we send a request to a server. So both are excellent for hiding the IP (also called masking the IP address), ensuring anonymity for the user and increasing security by hiding personal information. Many developers say that the two are very similar but that a VPN is better in terms of security. What's the difference?
First, a forward proxy operates at the application level; a VPN, on the other hand, operates at the OS level. That's why a forward proxy works for particular applications, such as a web browser, while a VPN applies to all traffic, coming not only from web browsers but also from user applications and background applications. You would clearly feel the difference between the two when playing a game.
Also, a VPN encrypts the traffic itself. As a result, a VPN may be better than a forward proxy when handling important information. But the forward proxy may have an advantage where small time differences matter, because a VPN spends a bit more time encrypting all traffic.
And almost every VPN costs more than a forward proxy, so for a general user the forward proxy may be the better option.
Just for reference, Apache supports Forward Proxy; however, Nginx does not.
pic ref: https://rb.gy/eamftj
Is it called a reverse proxy in the sense that the forward proxy is reversed? Yes. There is a server on the opposite side from the client, and the proxy server located in front of that server is called a 'reverse proxy (server)'. The reverse proxy server is a technology that few besides infra developers explore in depth, but it is still very useful if a company wants to manage various services with a limited number of computers.
The reverse proxy server receives requests in place of the server and decides which WAS (Web Application Server) each request belongs to. The WAS that receives the request from the reverse proxy server sends a response back to the client. This response also goes through the reverse proxy.
The WAS is the server that actually does the work of producing a response for the client. The WAS belongs to the backend part of web development. The 'web server', which has a very similar name, belongs to the infrastructure of web development and routes requests from the outside internet to the WAS; Nginx and Apache are examples. The process of the web server is shown below.
So, all the backend code that web backend developers write is the WAS. The DB is also included here. And an application running as a reverse proxy server in the infrastructure, like Nginx, belongs to the web server.
A reverse proxy server improves security. Normally a company sets up a special zone between the intranet and the outside network, called a DMZ, which is shielded from the external network by a firewall. Every request or response that needs to get into the intranet has to go through the DMZ. The company puts applications that provide services to the external network, such as a DNS server and a mail server, in the DMZ.
pic ref: https://rb.gy/eamftj
The WAS also provides a service to the external network, so the company could leave the WAS in the DMZ and have it communicate with the external network directly. But the WAS normally holds information related to the DBMS, which means that if the primary firewall is broken and the WAS becomes vulnerable, the DBMS server can also be put in danger.
If, on the other hand, the company places the reverse proxy server in the DMZ and the WAS on the internal network, security is improved because the secondary firewall between the DMZ and the internal network can still respond to bad requests even when the primary firewall has been broken. The endpoint of a client's request is also the reverse proxy server, which improves the security of the WAS too.
As we saw in the previous post, a reverse proxy server can do load balancing, which prevents overload. Caching performed by the reverse proxy server reduces the workload of the WAS and speeds up responses. Many CDNs are also cache servers that operate as reverse proxy servers.
Canary testing can also be done using a reverse proxy. It is a testing technique that exposes a newly released version of an application to only a limited number of users, so that problems in the new version can be dealt with before they affect a larger number of users.
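How a reverse proxy can pick the users who see the canary and pull it back when it misbehaves, as an added example that is not from the original post. It is a simplified Python model rather than an Nginx configuration; `CanaryRouter`, the SHA-256 bucketing and the thresholds are assumptions made for illustration.

```python
import hashlib


class CanaryRouter:
    """Hypothetical canary split as a reverse proxy might apply it."""

    def __init__(self, canary_percent, max_error_gap=0.05, min_requests=20):
        self.canary_percent = canary_percent  # share of clients, 0-100
        self.max_error_gap = max_error_gap    # tolerated extra error rate
        self.min_requests = min_requests      # canary samples needed to judge
        self.stats = {"stable": [0, 0], "canary": [0, 0]}  # [requests, errors]

    @staticmethod
    def bucket(client_key):
        # Hash the client key into a fixed bucket 0..9999, so the same client
        # always gets the same answer without any per-client state.
        digest = hashlib.sha256(client_key.encode()).digest()
        return int.from_bytes(digest[:8], "big") % 10000

    def route(self, client_key):
        # Buckets below the threshold go to the new version; raising the
        # percentage only adds clients and never moves an existing one back.
        limit = self.canary_percent * 100
        return "canary" if self.bucket(client_key) < limit else "stable"

    def record(self, pool, ok):
        self.stats[pool][0] += 1
        self.stats[pool][1] += 0 if ok else 1

    def evaluate(self):
        # Send everyone back to the stable version when the canary's error
        # rate exceeds the stable rate by more than max_error_gap.
        (s_req, s_err), (c_req, c_err) = self.stats["stable"], self.stats["canary"]
        if c_req < self.min_requests or s_req == 0:
            return "waiting"
        if c_err / c_req - s_err / s_req > self.max_error_gap:
            self.canary_percent = 0
            return "rolled_back"
        return "healthy"
```

If the client key is the client IP, all users behind one forward proxy land in the same pool, because the reverse proxy only sees that proxy's address.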
The disadvantage? I would say that it's a bit difficult to develop the web server (not the WAS), because you have to understand this structure well.
We already studied the directives related to the reverse proxy in the previous post. So if you can't understand the code below or want to dive deeper into those directives, read the previous post first. This code is an example that uses the basic directives for building a reverse proxy with Nginx.
(/etc/nginx/nginx.conf)
# These blocks belong inside the http { } context.
upstream backend {
    ip_hash;
    # "server" takes host[:port], without a scheme or a trailing slash.
    server backend1.example.com weight=3;
    server 127.0.0.1:8001;
    server 127.0.0.1:8002 down;
    server 127.0.0.1:8003 max_fails=3 fail_timeout=30s;
    keepalive 32;
    # "sticky" is only available in NGINX Plus; remove it on open-source Nginx.
    sticky cookie srv_id expires=1h domain=.example.com path=/;
}
upstream apiserver {
    least_conn;
    server 127.0.0.1:9001;
    server 127.0.0.1:9002;
    server 127.0.0.1:9003;
}
server {
    server_name helloworld.com www.helloworld.com;
    location / {
        # Requests for this site go to the "backend" group.
        proxy_pass http://backend;
    }
}
server {
    server_name helloworld.api.com www.helloworld.api.com;
    location / {
        # Requests for the API site go to the "apiserver" group.
        proxy_pass http://apiserver;
    }
}
When a request comes in for an address that adds location to server_name, the request is passed to the WAS named by proxy_pass in that location. The code above shows a web server that handles two application services. Since there are a lot of clients, it appears to run multiple WAS instances with load balancing.
Copyright © 2025. moyqi. All rights reserved.