
Providing services on the Internet is part and parcel of day-to-day work in a company nowadays, but you don’t always want the server to be directly accessible from the Internet when doing so. A reverse proxy can control access in such cases using ACLs (access control lists). The reverse proxy can also reduce the number of IP addresses required, as it can provide access to multiple systems behind one IP.

Web Proxy and Reverse Proxy

There are two different types of proxy servers. They differ in the direction from which access occurs.

A typical web proxy such as Squid fetches the web content requested by clients, caches it, and serves the cached copy to subsequent clients. Websites can send an expiry date for the cached content in their response headers. If they do not, Squid can be configured with a global refresh pattern that decides when cached content is refreshed.

The second type of proxy functions in precisely the opposite way. The proxy provides content from one or multiple internal web servers to external clients. The number of clients and services is of no importance.

What are the Advantages Offered by a Reverse Proxy?

Reverse proxies can increase network security because access to web content can be controlled at the proxy, and the web server is only reachable via a defined, controlled intermediate step instead of being placed directly on the Internet. In addition, caching can relieve the strain on the web servers, and the reverse proxy can distribute requests across multiple web servers in a classic load-balancing scenario. A reverse proxy also works as an SSL endpoint: all SSL-encrypted connections terminate at the proxy system, which relieves the web servers of the cryptographic work and, under certain circumstances, allows other options such as effective caching, which is not possible on encrypted connections the proxy cannot read. Last, but not least, a reverse proxy can also reduce the number of external IP addresses required: one proxy provides multiple services under different DNS names, and these can again be made available in encrypted form.

Where do we Use Web Proxies?

As a standard web proxy, Squid is among the features of UCS@school. In this setting, Squid caches frequently visited websites in order to serve them quickly to clients at the school. Caching is a considerable advantage at sites with poor Internet connections in particular. Additionally, Squid performs the user authentication; in other words, only users who have an account in UCS and can log in are permitted access to the Internet. In the case of Squid, the authentication is performed automatically in the background via Kerberos or NTLM, so no user interaction is required. SquidGuard works together with Squid in UCS@school to block or allow Internet sites.

Together with customers and partners, we have also implemented reverse proxies for different scenarios. For example, there is a UCS base system with Squid as a reverse proxy placed in front of an internal wiki. Access from outside goes via an external web address, under which the reverse proxy is the first component reached. Here the SSL connection terminates; the proxy's certificate lets clients verify the connection as trustworthy, and the proxy then connects to the internally available web server hosting the wiki installation. In this way, a system which was initially only available internally is now also made available for external access.

In a second scenario, HAProxy is used to make multiple services available externally. The proxy offers all the services under one external name with a public certificate. With this approach, the customer not only secures his environment with an SSL certificate but also saves a multitude of IP addresses and with it considerable costs. Central authentication via SAML also functions via a reverse proxy.

What Software do we Use for Reverse Proxies?

There are different software solutions available in UCS for use as reverse proxies. The selection can be narrowed down depending on the desired functions.

Squid is an excellent choice for a simple one-to-one connection between an external IP and a service. Squid is easy to install and configure in UCS. The wiki article Cool Solution – Squid as Reverse SSL Proxy details the necessary steps.
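The one-to-one scenario described above (SSL terminates at the proxy, a single internal web server sits behind it, and ACLs decide what is forwarded) looks roughly like the following squid.conf fragment. This is an added example, not the configuration from the Cool Solution article or from UCS; the hostname wiki.example.com, the internal address 10.0.1.20, the network 192.0.2.0/24 and the certificate paths are constructed placeholders, and the option names assume Squid 3.5 or later.

```conf
# Added example squid.conf fragment for a Squid reverse SSL proxy.
# Assumptions: Squid 3.5+, public name wiki.example.com, internal
# web server 10.0.1.20:80, certificate/key under /etc/squid/ssl/.

# SSL terminates here. "accel" puts the port into reverse-proxy mode;
# defaultsite= is used when a client sends no Host header.
https_port 443 accel defaultsite=wiki.example.com \
    cert=/etc/squid/ssl/wiki.example.com.pem \
    key=/etc/squid/ssl/wiki.example.com.key \
    options=NO_SSLv3,NO_TLSv1

# The single origin server behind the proxy (plain HTTP on the internal net).
cache_peer 10.0.1.20 parent 80 0 no-query originserver name=wiki_origin

# ACLs: only requests for the published name are accepted at all, so the
# accelerator cannot be misused as an open forward proxy for other hosts.
acl wiki_site dstdomain wiki.example.com

# Example of restricting part of the site to an internal network:
# the wiki's admin area is reachable only from 192.0.2.0/24 (constructed).
acl office_net src 192.0.2.0/24
acl wiki_admin urlpath_regex -i ^/admin

http_access deny wiki_admin !office_net
http_access allow wiki_site
http_access deny all

# Only traffic for the published site may be handed to the origin server,
# and Squid must never try to reach arbitrary destinations directly.
cache_peer_access wiki_origin allow wiki_site
cache_peer_access wiki_origin deny all
never_direct allow all

# Tell the origin which client actually connected, since it only sees the proxy.
forwarded_for on
```

The order of the `http_access` rules matters: Squid evaluates them top to bottom and the first match wins, so the deny for the admin area has to come before the general allow for the site. After changing the file, `squid -k parse` checks the syntax and `squid -k reconfigure` loads it without dropping running connections.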

Nginx and HAProxy are practical choices for forwarding entire groups of services such as the Univention portal, its services, and the single sign-on environment. They offer a wide variety of options for forwarding and for handling SSL encryption. Nginx offers the best options for rewriting HTTP requests and reducing the effort required on the part of the server. HAProxy, in contrast, is particularly advantageous if not only web applications but also services such as IMAP are to be made available.
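The second scenario from above (several services published under one external name and one public certificate, plus a non-HTTP service such as IMAP) can be expressed in HAProxy like this. This is an added example, not a configuration from UCS or from the customer installation described in the text; the name services.example.com, the internal addresses 10.0.1.x, the paths used for routing and the certificate path are constructed placeholders, and the directives assume HAProxy 1.6 or later.

```haproxy
# Added example haproxy.cfg: one public IP and name, one certificate,
# several internal services behind it. All names and addresses are constructed.
global
    log /dev/log local0
    # Refuse legacy protocol versions on every TLS-terminating bind.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    tune.ssl.default-dh-param 2048

defaults
    log     global
    option  httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

# Plain HTTP is only accepted in order to send clients to HTTPS.
frontend http_in
    mode http
    bind :80
    http-request redirect scheme https code 301 unless { ssl_fc }

# TLS terminates here for all web services under services.example.com.
frontend https_in
    mode http
    bind :443 ssl crt /etc/haproxy/certs/services.example.com.pem
    option forwardfor
    http-request set-header X-Forwarded-Proto https

    # Route by path: the portal, the SSO environment, and the internal wiki
    # all share the single external name.
    acl path_sso    path_beg -i /simplesamlphp
    acl path_wiki   path_beg -i /wiki
    acl path_mgmt   path_beg -i /univention/management
    acl from_office src 192.0.2.0/24

    # The management console is published only to the constructed office network.
    http-request deny deny_status 403 if path_mgmt !from_office

    use_backend sso    if path_sso
    use_backend wiki   if path_wiki
    default_backend portal

backend portal
    mode http
    server portal1 10.0.1.10:80 check

backend sso
    mode http
    server sso1 10.0.1.11:80 check

backend wiki
    mode http
    server wiki1 10.0.1.20:80 check

# A non-HTTP service on the same IP and certificate: IMAPS is terminated
# at the proxy and handed to the mail server as plain IMAP on the internal net.
frontend imaps_in
    mode tcp
    bind :993 ssl crt /etc/haproxy/certs/services.example.com.pem
    default_backend imap

backend imap
    mode tcp
    server mail1 10.0.1.30:143 check
```

Because every backend sees the proxy's address as the client, the `X-Forwarded-For` header set by `option forwardfor` is what the web applications and their logs have to use for the real client address; for the TCP-mode IMAP backend there is no such header, so the mail server's logs will show the proxy unless the PROXY protocol is enabled on both sides. `haproxy -c -f /etc/haproxy/haproxy.cfg` validates the file before a reload.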

Kevin Dominik Korte studied computer science at Jacobs University in Bremen. He graduated with a Master of Science in 2011. Afterwards, he worked in the Professional Services team at Univention for two years. Since 2013 he has been President of Univention North America Inc. and responsible for business development in the USA.