Deploying django application to a production server
November 5, 2019
Deploy Django with Postgres, Nginx, and Gunicorn on Ubuntu 18.04
November 16, 2019
Show all

What’s the difference between a proxy server and a reverse proxy server?

What is a reverse proxy?

A reverse proxy is a server that sits in front of web servers and forwards client (e.g. web browser) requests to those web servers. Reverse proxies are typically implemented to help increase security, performance, and reliability. In order to better understand how a reverse proxy works and the benefits it can provide, let’s first define what a proxy server is.

What’s a proxy server?

A forward proxy, often called a proxy, proxy server, or web proxy, is a server that sits in front of a group of client machines. When those computers make requests to sites and services on the Internet, the proxy server intercepts those requests and then communicates with web servers on behalf of those clients, like a middleman.

For example, let’s name 3 computers involved in a typical forward proxy communication:

  • A: This is a user’s home computer
  • B: This is a forward proxy server
  • C: This is a website’s origin server (where the website data is stored)
Forward Proxy Flow

In a standard Internet communication, computer A would reach out directly to computer C, with the client sending requests to the origin server and the origin server responding to the client. When a forward proxy is in place, A will instead send requests to B, which will then forward the request to C. C will then send a response to B, which will forward the response back to A.

Why would anyone add this extra middleman to their Internet activity? There are a few reasons one might want to use a forward proxy:

  • To avoid state or institutional browsing restrictions – Some governments, schools, and other organizations use firewalls to give their users access to a limited version of the Internet. A forward proxy can be used to get around these restrictions, as they let the user connect to the proxy rather than directly to the sites they are visiting.
  • To block access to certain content – Conversely, proxies can also be set up to block a group of users from accessing certain sites. For example, a school network might be configured to connect to the web through a proxy which enables content filtering rules, refusing to forward responses from Facebook and other social media sites.
  • To protect their identity online – In some cases, regular Internet users simply desire increased anonymity online, but in other cases, Internet users live in places where the government can impose serious consequences to political dissidents. Criticizing the government in a web forum or on social media can lead to fines or imprisonment for these users. If one of these dissidents uses a forward proxy to connect to a website where they post politically sensitive comments, the IP address used to post the comments will be harder to trace back to the dissident. Only the IP address of the proxy server will be visible.

How is a reverse proxy different?

A reverse proxy is a server that sits in front of one or more web servers, intercepting requests from clients. This is different from a forward proxy, where the proxy sits in front of the clients. With a reverse proxy, when clients send requests to the origin server of a website, those requests are intercepted at the network edge by the reverse proxy server. The reverse proxy server will then send requests to and receive responses from the origin server.

The difference between a forward and reverse proxy is subtle but important. A simplified way to sum it up would be to say that a forward proxy sits in front of a client and ensures that no origin server ever communicates directly with that specific client. On the other hand, a reverse proxy sits in front of an origin server and ensures that no client ever communicates directly with that origin server.

Once again, let’s illustrate by naming the computers involved:

  • D: Any number of users’ home computers
  • E: This is a reverse proxy server
  • F: One or more origin servers
Reverse Proxy Flow

Typically all requests from D would go directly to F, and F would send responses directly to D. With a reverse proxy, all requests from D will go directly to E, and E will send its requests to and receive responses from F. E will then pass along the appropriate responses to D.

Below we outline some of the benefits of a reverse proxy:

  • Load balancing – A popular website that gets millions of users every day may not be able to handle all of its incoming site traffic with a single origin server. Instead, the site can be distributed among a pool of different servers, all handling requests for the same site. In this case, a reverse proxy can provide a load balancing solution which will distribute the incoming traffic evenly among the different servers to prevent any single server from becoming overloaded. In the event that a server fails completely, other servers can step up to handle the traffic.
  • Protection from attacks – With a reverse proxy in place, a web site or service never needs to reveal the IP address of their origin server(s). This makes it much harder for attackers to leverage a targeted attack against them, such as a DDoS attack. Instead the attackers will only be able to target the reverse proxy, such as Cloudflare’s CDN, which will have tighter security and more resources to fend off a cyber attack.
  • Global Server Load Balancing (GSLB) – In this form of load balancing, a website can be distributed on several servers around the globe and the reverse proxy will send clients to the server that’s geographically closest to them. This decreases the distances that requests and responses need to travel, minimizing load times.
  • Caching – A reverse proxy can also cache content, resulting in faster performance. For example, if a user in Paris visits a reverse-proxied website with web servers in Los Angeles, the user might actually connect to a local reverse proxy server in Paris, which will then have to communicate with an origin server in L.A. The proxy server can then cache (or temporarily save) the response data. Subsequent Parisian users who browse the site will then get the locally cached version from the Parisian reverse proxy server, resulting in much faster performance.
  • SSL encryption – Encrypting and decrypting SSL (or TLS) communications for each client can be computationally expensive for an origin server. A reverse proxy can be configured to decrypt all incoming requests and encrypt all outgoing responses, freeing up valuable resources on the origin server.

A proxy is simply a middleman for communication (requests + responses). Client <-> Proxy <-> Server

  • Client proxy: ( client <-> proxy ) <-> server

The proxy acts on behalf of the client. The client knows about all three machines involved in the chain. The server doesn’t.

  • Server proxy: client <-> ( proxy <-> server )

The proxy acts on behalf of the server. The client only knows about the proxy. The server knows the whole chain.

It seems to me that forward and reverse are simply confusing, perspective-dependent names for client and server proxy. I suggest abandoning the former for the latter, for explicit communication.

Of course, to further complicate the matter, not every machine is exclusively a client or a server. If there is an ambiguity in context, it’s best to explicitly specify where the proxy lies, and the communications that it tunnels.

First of all, the word “proxy” describes someone or something acting on behalf of someone else.

In the computer realm, we are talking about one server acting on the behalf of another computer.

For the purposes of accessibility, I will limit my discussion to web proxies – however, the idea of a proxy is not limited to websites.

FORWARD proxy

Most discussion of web proxies refers to the type of proxy known as a “forward proxy.”

The proxy event, in this case, is that the “forward proxy” retrieves data from another web site on behalf of the original requestee.

A tale of 3 computers (part I)

For an example, I will list three computers connected to the internet.

  • X = your computer, or “client” computer on the internet
  • Y = the proxy web site, proxy.example.org
  • Z = the web site you want to visit, www.example.net

Normally, one would connect directly from X --> Z.

However, in some scenarios, it is better for Y --> Z on behalf of X, which chains as follows: X --> Y --> Z.

Reasons why X would want to use a forward proxy server:

Here is a (very) partial list of uses of a forward proxy server:

  • 1) X is unable to access Z directly because
    • a) Someone with administrative authority over X‘s internet connection has decided to block all access to site Z.
      • Examples:
        • The Storm Worm virus is spreading by tricking people into visiting familypostcards2008.com, so the system administrator has blocked access to the site to prevent users from inadvertently infecting themselves.
        • Employees at a large company have been wasting too much time on facebook.com, so management wants access blocked during business hours.
        • A local elementary school disallows internet access to the playboy.com website.
        • A government is unable to control the publishing of news, so it controls access to news instead, by blocking sites such as wikipedia.org. See TOR or FreeNet.
    • b) The administrator of Z has blocked X.
      • Examples:
        • The administrator of Z has noticed hacking attempts coming from X, so the administrator has decided to block X’s IP address (and/or netrange).
        • Z is a forum website. X is spamming the forum. Z blocks X.

REVERSE proxy

A tale of 3 computers (part II)

For this example, I will list three computers connected to the internet.

  • X = your computer, or “client” computer on the internet
  • Y = the reverse proxy web site, proxy.example.com
  • Z = the web site you want to visit, www.example.net

Normally, one would connect directly from X --> Z.

However, in some scenarios, it is better for the administrator of Z to restrict or disallow direct access and force visitors to go through Y first. So, as before, we have data being retrieved by Y --> Z on behalf of X, which chains as follows: X --> Y --> Z.

What is different this time compared to a “forward proxy,” is that this time the user X does not know he is accessing Z, because the user X only sees he is communicating with Y. The server Z is invisible to clients and only the reverse proxy Y is visible externally. A reverse proxy requires no (proxy) configuration on the client side.

The client X thinks he is only communicating with Y (X --> Y), but the reality is that Y forwarding all communication (X --> Y --> Z again).

Reasons why Z would want to set up a reverse proxy server:

  • 1) Z wants to force all traffic to its web site to pass through Y first.
    • a) Z has a large web site that millions of people want to see, but a single web server cannot handle all the traffic. So Z sets up many servers and puts a reverse proxy on the internet that will send users to the server closest to them when they try to visit Z. This is part of how the Content Distribution Network (CDN) concept works.
  • 2) The administrator of Z is worried about retaliation for content hosted on the server and does not want to expose the main server directly to the public.
    • a) Owners of Spam brands such as “Canadian Pharmacy” appear to have thousands of servers, while in reality having most websites hosted on far fewer servers. Additionally, abuse complaints about the spam will only shut down the public servers, not the main server.

In the above scenarios, Z has the ability to choose Y.

Links to topics from the post:

Content Delivery Network

Forward proxy software (server side)

Reverse proxy software for HTTP (server side)

Reverse proxy software for TCP (server side)

See also:

Amir Masoud Sefidian
Amir Masoud Sefidian
Data Scientist, Researcher, Software Developer

Leave a Reply

Your email address will not be published. Required fields are marked *