Kemp Technologies Blogs

Forward Proxy Vs. Reverse Proxy: Differences and Similarities

Doug Barney | Posted on | Load Balancer
Many, even some IT pros, are confused over the difference between a forward proxy and a reverse proxy. Of those who know the difference, not all understand when to use what form of proxy and what are the relative benefits. Let’s start with basic definitions.

What is a Proxy?

In the world of computing, a proxy mediates connections between two systems, often a client and server. In the case of a client and server, the client request goes to the proxy, which passes it to the server, which sends the data back to the proxy, which then passes it back to the client.


Proxy servers are intermediaries between clients and web servers. They serve a variety of purposes such as speeding up web access by caching previously visited pages, providing firewall and load balancing services, using proxy identities to protect an IP address or real identity and filtering web tracking, allowing unwanted content to be blocked.

What is a Forward Proxy?

A forward proxy, the most common of all the proxy servers, sits in between a user or client and intercepts user requests to a web server. Instead of sending it directly to that server, it transfers the request on the user’s behalf, hiding the user’s identity. The forward proxy inspects the response and forwards it back to the user if approved. A forward proxy often includes a firewall to determine the safety of the data in the response.

The proxy function means that the internet server identifies the proxy server as the requester, instead of the actual user. For example, a web proxy appliance accepts requests from client machines, then passes them to the internet. 

What is a Reverse Proxy?

The term reverse proxy is normally applied to a service that sits in front of one or more servers (such as a webserver), accepting requests from clients for resources located on the server(s). From the client point of view, the reverse proxy appears to be the web server and so is totally transparent to the remote user.

As we explain in our post, Dude. Where's My Reverse Proxy?, a reverse proxy is a proxy configured to handle requests from a group of remote or arbitrary clients to a group of known resources under the control of the local Administrator. An example of this is a load balancer (a.k.a. application delivery controller) that provides application high availability and optimization to workloads such as Microsoft Lync, Exchange and SharePoint. The purpose of a reverse proxy is to manage the server systems.

So. What is the Difference Between a Forward Proxy and a Reverse Proxy?

With a forward proxy, websites do not communicate directly with a client. With a reverse proxy, clients never interact directly with back-end servers.


Source: Microsoft 

What are the types of forward proxies?

There are several key types of forward proxies mainly defined by where they reside or which locations they serve.

  • Residential proxy: Residential proxies generally come from an Internet Service Provider (ISP) and mask the actual physical location. In fact, users can generally pick a location, such as country or city, and because the residential proxy address has an actual physical location, the user appears to be from that area.
  • Datacenter proxy: This proxy type is generally used by an enterprise and does not come from an ISP. Datacenter proxies can assign IP addresses that come from the data center proxy’s own address pool and or from third-party cloud providers.
  • Mobile proxy: While a mobile proxy sounds as if it is made for mobile devices, instead, the proxy IP address itself is from a mobile network in contrast to a residential or data center proxy—named for their fixed point of origin. However, a mobile proxy, by not having a fixed location, makes it appear that that device is using a mobile data network. Mobile proxies are often used by cybercriminals and scammers.

Why Should I Use a Forward Proxy?

Forward proxies boost security for users in a private network, mask the original IP address to ensure anonymity and control and regulate traffic that passes back to the end user. 

There are several key uses of forward proxies. Here are some key details:

  • Getting content from restricted geo-locations: Sometimes, it is important to access data from restricted geo-locations, such as a US-based end user wanting or needing content from Italy. A forward proxy, by masking the identity and geo-location of the client, can access content otherwise restricted to specific countries.
  • Keeping web servers anonymous: A forward proxy server hides the real IP address of web server, replacing it with its own proxy’s IP address and keeping the web server secure.
  • Web scraping: Web scraping is perhaps the most common proxy use and helps companies gather information off other sites, often from a competitor to provide market intelligence.

What are the Types of Reverse Proxies?

Reverse proxies have the same basic functions or underpinnings, but there are several distinct types.

Some reverse proxies are basic intermediaries, sitting between users and a web server and obscuring the IP addresses. Others have deeper functions such as load balancing and firewall services. The best, such as Kemp LoadMaster, have a bevy of features.

  • Load Balancers: A load balancer can be deployed as software or hardware to a device that distributes connections from clients between a set of servers. A load balancer acts as a ‘reverse-proxy’ to represent the application servers to the client through a virtual IP address (VIP). This technology is known as server load balancing (SLB). SLB is designed for pools of application servers within a single site or local area network (LAN).
  • Application Delivery Controllers: An Application Delivery Controller (ADC), sometimes referred to as a load balancer, is a network server that takes processor-intensive tasks off the web servers so they can focus on application tasks. ADC is a core component of an Application Delivery Network, which is made of a suite of technologies deployed in concert to deliver applications efficiently over a network.
  • Encryption Servers: Here, the proxy includes encryption services such as TSL and certificate management.
  • Caching Servers: These servers are designed mainly to speed web performance by caching frequently accessed content.
  • Content Delivery Networks (CDN): These networks, designed for high-traffic websites, cache traffic to locations closer to the end users for quicker content delivery and have data centers spread across geographies to hold this content.
  • Web Application Firewall: A Web Application Firewall (WAF) builds on and enhances traditional firewall security protection. Traditional firewalls don't stop encrypted HTTPS traffic as they have no visibility of the content within. A Web Application Firewall, which is logically placed between standard firewalls and web servers, operates at Layer 7 of the network stack. It can decrypt HTTPS traffic and inspect the data content. In conjunction with lists of known attack methods, the Web Application Firewall can deny access to web servers when it detects malicious activity. 

What is the Difference Between a Load Balancer and Reverse Proxy?

A reverse proxy tends to be a simpler approach in which the proxy gets a request from a client, passes it onto a server to be processed and then sends the server’s response to the client making the request.

Reverse proxies present a layer of abstraction between the client and the server—thus the term proxy. This way a hacker doesn’t directly interact with the server and can’t launch successful attacks such as DDoS.

In contrast, a load balancer takes client requests and distributes them amongst a defined group of servers, and, in that process, the server best suited for the request handles the processing and sends the response back to the client. Often this is the server with the least load which means it can process the request the fastest and not load an already heavily used server.

A load balancer is a reverse proxy. It presents a virtual IP address (VIP) representing the application to the client. The client connects to the VIP and the load balancer makes a determination through its algorithms to send the connection to a specific application instance on a server. The load balancer continues to manage and monitor the connection for the entire duration.

What Does a Load Balancer Do?

Application Workloads/Servers

Load balancers provide availability and scalability to the application. The application can scale beyond the capacity of a single server. The load balancer works to steer the traffic to a pool of available servers through various load-balancing algorithms. If you require more resources, you can add additional servers.

Availability

Load balancers health check the application on the server to determine its availability. If the health check fails, the load balancer takes that instance of the application out of its pool of available servers. When the application comes back online, the health check validates its availability, and the server is put back into the availability pool.

Proxy 101: Three Frequently Asked Questions

Is VPN a forward proxy?

Yes. A VPN is a forward proxy. However, unlike basic forward proxies, the VPN encrypts data that is passed back and forth. 

While a VPN has functions much like a proxy, including hiding an end-user IP address, a VPN is a more broad-based approach for providing end-user security. A VPN applies to all the sites, apps, and remote locations an end user accesses. 

Proxies operate at the application level, rerouting traffic of a single browser or program. In contrast, a VPN works at the operating system level and redirects all the VPN user’s traffic through the VPN server.

What is DNS forwarding proxy?

A DNS proxy can forward both requests and replies between DNS clients and a DNS server. This provides faster DNS response and reduces network latency. Perhaps more critical, DNS forwarding via a proxy protects DNS addresses and protects them from malicious actors.

With DNS forwarding, a DNS request is forwarded from one DNS server to a different server, such as forwarding internal DNS server requests to a DNS server at an internet service provider.

Which proxy is better for my business?

The proxy you choose is based on what you want to protect, such as clients versus web servers, and what functions you require. If you only need to protect identities, very basic proxies are probably adequate. However, high-end proxies such as Kemp LoadMaster can come with an array of features such as application delivery, encryption management and web firewall functionality.

A forward proxy protects a website by making it so it doesn’t reveal its IP address or communicate directly with end users. These proxies can speed end-user responses by caching data related to popular common requests. If you care about your website performance and security, forward proxies are the answer. 

Reverse proxies do the opposite, making it so end users do not communicate directly with a website or back-end servers. If you want to improve end-user response, reverse proxies (and load balancers in particular) direct end-user requests to the most available resource. They can also provide end-user security via anonymity and sometimes through encryption such as SSL. 

Can a forward proxy act as a reverse proxy?

A forward proxy server cannot act as a reverse proxy server, as the two proxy types have exactly opposite purposes. 

Learn More

Learn all you need to know about ADCs and how your enterprise can benefit on the Application Delivery Controllers page. Or learn more about Web Application Firewalls on this page