
Security Aspects of Using a Reverse Proxy Server

A reverse proxy server functions as a bastion host. The proxy is configured to be the only machine that external clients address directly, so the rest of the internal network is hidden from them. Using a reverse proxy enables the application server to be placed on a separate machine in the internal network, behind a second firewall.

This section discusses the use of a DMZ and reverse proxy in a back-to-back topology environment.

The following are the main security advantages of using a reverse proxy in such an environment:

  • No protocol translation occurs in the DMZ. The protocol is the same on both sides of the proxy (HTTP or HTTPS in, HTTP or HTTPS out); only the request and response headers are rewritten, for example Host, X-Forwarded-For and Location.
  • Only HTTP or HTTPS is accepted by the reverse proxy, which means that stateful packet inspection firewalls can better protect the communication. (To inspect the payload of HTTPS traffic, the firewall must sit behind the point where TLS is terminated.)
  • Only a static, restricted set of URLs is forwarded to the application server; requests outside that set are rejected at the proxy before they reach the internal network.
  • Most of the Web server security features are available on the reverse proxy (authentication methods, encryption, and so on).
  • The reverse proxy hides the IP addresses of the real servers as well as the layout of the internal network from external clients.
  • The reverse proxy is the only client permitted to connect to the Web server; the internal firewall should allow connections to the application port from the proxy's address only.
  • This configuration works through NAT firewalls, because the proxy originates a new connection to the internal server instead of forwarding the client's connection (other bastion solutions may not).
  • Only a minimal number of ports need to be opened in the firewalls: typically 80/443 inbound to the proxy, and a single application port from the proxy to the internal server.
  • The reverse proxy provides good performance compared to other bastion solutions.
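The following added example (not part of the original documentation, and not the product's own proxy) shows the points above in working code: a minimal allow-list reverse proxy that forwards only a static set of URL prefixes, rewrites headers without changing the protocol, refuses client-supplied X-Forwarded-* headers, and scrubs the backend's Server and Location headers so the real server's address never reaches the client. The backend address 10.0.0.5:8080, the public host name www.example.com, the allowed prefixes and the certificate paths are assumptions chosen for the illustration.

```python
"""Allow-list reverse proxy (added example). Assumed values are marked below."""
import http.client
import ssl
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

BACKEND_HOST = "10.0.0.5"           # assumed: application server in the internal network
BACKEND_PORT = 8080                 # assumed: the single port opened in the inner firewall
PUBLIC_HOST = "www.example.com"     # assumed: name clients use for the proxy

# Static, restricted set of forwarded requests; everything else is rejected here.
ALLOWED_PREFIXES = ("/app/", "/static/")
ALLOWED_METHODS = {"GET", "POST", "HEAD"}

# Hop-by-hop headers (RFC 7230) must not be forwarded in either direction.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailers", "transfer-encoding", "upgrade"}
# Response headers that would reveal the real server; Content-Length is re-computed.
SCRUBBED_RESPONSE = HOP_BY_HOP | {"server", "x-powered-by", "content-length"}


def is_allowed(method, target):
    """Return True only for methods and paths in the static allow-list."""
    path = urlsplit(target).path
    if method not in ALLOWED_METHODS:
        return False
    if ".." in path or "//" in path:        # no traversal tricks past the prefix check
        return False
    return path.startswith(ALLOWED_PREFIXES)


def rewrite_headers(client_headers, client_ip):
    """Same protocol in and out; only headers change. Client-supplied
    X-Forwarded-* and hop-by-hop headers are dropped, Host is replaced."""
    out = {}
    for name, value in client_headers.items():
        lname = name.lower()
        if lname in HOP_BY_HOP or lname == "host" or lname.startswith("x-forwarded-"):
            continue
        out[name] = value
    out["Host"] = f"{BACKEND_HOST}:{BACKEND_PORT}"
    out["X-Forwarded-For"] = client_ip
    out["X-Forwarded-Host"] = PUBLIC_HOST
    out["X-Forwarded-Proto"] = "https"
    return out


def scrub_response_headers(backend_headers):
    """Hide the real server: drop identifying headers and rewrite a Location
    that points at the internal address back to the public name."""
    internal = f"http://{BACKEND_HOST}:{BACKEND_PORT}"
    out = {}
    for name, value in backend_headers:
        lname = name.lower()
        if lname in SCRUBBED_RESPONSE:
            continue
        if lname == "location" and value.startswith(internal):
            value = f"https://{PUBLIC_HOST}" + value[len(internal):]
        out[name] = value
    return out


class ProxyHandler(BaseHTTPRequestHandler):
    server_version = "proxy"   # do not advertise the proxy software either
    sys_version = ""

    def _proxy(self):
        if not is_allowed(self.command, self.path):
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", "0"))
        body = self.rfile.read(length) if length else None
        upstream = http.client.HTTPConnection(BACKEND_HOST, BACKEND_PORT, timeout=10)
        try:
            upstream.request(self.command, self.path, body=body,
                             headers=rewrite_headers(self.headers, self.client_address[0]))
            resp = upstream.getresponse()
            data = resp.read()
            self.send_response(resp.status)
            for name, value in scrub_response_headers(resp.getheaders()).items():
                self.send_header(name, value)
            self.send_header("Content-Length", str(len(data)))
            self.end_headers()
            if self.command != "HEAD":
                self.wfile.write(data)
        finally:
            upstream.close()

    do_GET = do_POST = do_HEAD = _proxy


if __name__ == "__main__":
    # TLS terminates on the proxy; certificate paths are assumed.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain("/etc/proxy/cert.pem", "/etc/proxy/key.pem")
    srv = HTTPServer(("0.0.0.0", 443), ProxyHandler)
    srv.socket = ctx.wrap_socket(srv.socket, server_side=True)
    srv.serve_forever()
```

The allow-list and header functions are separated from the socket handling so they can be exercised without a backend. Pair this with firewall rules that permit only TCP 443 from the Internet to the proxy and only TCP 8080 from the proxy's address to the application server.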