Modern load balancers deliver much more functionality than their name suggests. One of these functions is to act as a reverse proxy server.
There are two types of proxy servers: forward proxies and reverse proxies. A forward proxy is often called a proxy or a web proxy and is a server that sits in front of a group of client computers, such as a collection of PCs in an office or multiple servers in a data center. When these individual machines make requests that connect with sites on the internet, the forward proxy server intercepts their traffic and connects and communicates with the web server or other services on the internet. Stated succinctly, a proxy server acts as an intermediary between clients sending requests and services on the internet.
In many deployments, the forward proxy server is also the firewall at the network perimeter.
This may seem like an unnecessary process that only adds complexity, but there are crucial benefits in using a proxy to separate clients and servers from direct communication with services on the internet, including when you need to:
Restrict the sites and services that users can access from an organization’s computers. Some content is illegal in many jurisdictions and preventing access falls within an organization’s duty of care responsibility.
Enhance security by blocking access to sites known to be used by cybercriminals and other bad actors who deploy malware, crypto mining, and other cyberattack software on PCs and other devices that visit the sites. These are drive-by attacks, and cyber defense companies maintain known blocklists. These blocklists can be loaded on forward proxy servers to prevent accidental or induced visits due to malicious links in phishing emails.
Protect the identity of the computers and users accessing services on the internet. Organizations can use the proxy server to hide the IP address and other identifiable characteristics of the outgoing connections. In some cases, this is a requirement. In all instances, it is generally good practice. It restricts the information available to malicious actors who build falsified company and user profiles used in cyberattacks like phishing and other social engineering attacks.
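The blocklist check described above can be sketched as follows. This is an added example, not code from the original page or from any proxy product; the blocklist entries and the function names are constructed for illustration. It matches on DNS label boundaries, so subdomains of a listed domain are denied while a lookalike name that merely ends in the same characters is not.

```python
from urllib.parse import urlsplit

# Constructed sample entries; a real deployment loads a vendor-maintained feed.
BLOCKLIST = {"malware.example", "cryptominer.test"}

def target_host(request_line):
    """Extract the destination host from the request line a client sends to a proxy.

    Handles 'CONNECT host:port HTTP/1.1' (HTTPS tunnels) and
    'GET http://host/path HTTP/1.1' (absolute-form plain HTTP).
    """
    method, target, _version = request_line.split(" ", 2)
    if method.upper() == "CONNECT":
        host = urlsplit("//" + target).hostname
    else:
        host = urlsplit(target).hostname
    if not host:
        raise ValueError("no host in request target")
    # Normalise: lower-case and drop the trailing dot of a fully qualified name,
    # so 'Malware.Example.' cannot slip past an entry for 'malware.example'.
    return host.lower().rstrip(".")

def is_blocked(host, blocklist=BLOCKLIST):
    """True if the host or any parent domain is listed (label-boundary match)."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def decide(request_line):
    """Return 'deny', 'allow' or 'bad-request' for one proxied request."""
    try:
        host = target_host(request_line)
    except ValueError:
        return "bad-request"
    return "deny" if is_blocked(host) else "allow"
```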
As the name suggests, a reverse proxy flips the scenario outlined above. A reverse proxy sits in front of web servers and other origin servers providing services to clients. Reverse proxies are the public face of the services that the backend servers are providing. When client machines send requests to use a web application or a web server, the reverse proxy server accepts this web traffic and then passes each request to a single server that can handle it.
This can mean there are clients behind forward proxy servers using web services that are also behind reverse proxy servers. For clients and web servers, this is invisible. This is shown schematically in the diagram below. Keep in mind that the firewall is often what provides forward proxy services.
The fact that a reverse proxy server accepts incoming requests from clients and then passes them on to multiple servers shows why modern load balancers are ideally suited for providing reverse proxy services.
Load balancers are optimized to analyze client requests and use various algorithms and techniques to select the optimal server to send the request onto.
Can a Reverse Proxy and Load Balancer be Paired Together?
Combining reverse proxy services with a feature-rich modern load balancer such as Progress Kemp LoadMaster means that a holistic grouping of access requests, web traffic patterns, web HTTP requests, and more provides the optimal delivery of both static and dynamic content.
The benefit of using a load balancer with a reverse proxy is a truly enhanced user experience for any clients accessing the application or website.
A reverse proxy server boosts web application security by isolating the backend servers from direct interaction with clients or malicious actors on the internet, in much the same way as a forward proxy makes clients more secure by mediating user requests to websites and servers on the internet.
Hides backend servers from the internet
Makes it easier to secure, manage, and maintain a pool of multiple backend servers
Provides TLS/SSL offloading services to remove load from application servers
Distributes the load across multiple servers and sends requests to servers optimized for specific functions (e.g., shopping cart or video streaming services)
Delivers web caching for both dynamic and static content to improve the web application experience for end-users
Delivers enhanced authorization and authentication for access requests, including multi-factor authentication and integration with LDAP directories such as Microsoft Active Directory on-premises, and in the Cloud on Azure via federation
The terms reverse proxy server and load balancer get used interchangeably, and while every load balancer must be a reverse proxy server, the opposite is not true. Reverse proxy servers can exist without load balancing functionality. In short: all load balancers are reverse proxy servers, but not all reverse proxy servers are load balancers.
In addition to delivering the functionality and client separation for enhanced security, easier server management, and a better user experience, many benefits flow from a well-designed IT infrastructure with reverse proxy servers to manage client access to backend servers.
Load Balancing – As outlined above, load balancing and reverse proxy servers go hand in hand. They are ideally suited for deployment together on the same network or in cloud instances. In most deployments, the way they are combined will be unique to each organization’s application delivery and application experience needs.
Global Server Load Balancing (GSLB) – Many online services need to be delivered across regions or globally. GSLB is an extension to load balancing that allows the same services to be delivered from multiple data centers or cloud providers across widespread areas. This allows the optimal delivery of content and services from locations close to people and provides geographic spread to protect service delivery from local and regional outages.
Content Caching – A lot of content on web pages and in some applications is static or doesn’t change over certain predefined periods. A reverse proxy can cache this static information and serve it to clients directly without requesting it from a website’s servers. This speeds up the response sent to clients interacting with reverse proxy load balancers and the web applications.
Cyberattack Protection – A reverse proxy hides the details of the backend application servers from the internet. This makes it hard for attackers to target origin servers with DDoS attacks. They can target the reverse proxy server, but strategic placement of these servers will minimize the impact. For example, multiple nodes in a content delivery network (CDN) can be used to dissipate DDoS attack traffic over many proxy server endpoints. This nullifies their impact and avoids a single point of failure to exploit.
Encryption – Encryption using TLS (which has replaced SSL) is essential for all traffic flowing over the internet. TLS encryption and decryption can place a significant overhead on communications between clients and servers. The server must expend resources decrypting incoming network packets and then encrypting outgoing responses. This takes away processing power from the servers for application delivery tasks. Reverse proxy servers, such as LoadMaster, can offload this encryption function from backend servers. Some hardware LoadMaster models contain custom ASIC silicon chips designed and optimized for rapid TLS encryption and decryption. For high-traffic websites that need strong security and fast response times, this TLS offloading is essential. Virtual and cloud instances for LoadMaster already do TLS encryption via optimized software routines.
Being able to forward traffic to more than one server opens up many ways to improve service uptime. Application resilience can be implemented by deploying more than one server. The reverse proxy would balance web traffic between servers using a basic scheme such as round-robin or something more advanced. It is this feature of a reverse proxy that allows web services to scale. Web servers can be added and removed as demand changes without any change to the client-facing part of the service.
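The round-robin balancing described above, together with the hiding of backend details mentioned under Cyberattack Protection, can be modelled in a few lines. This is an added example, not LoadMaster code or code from the original page: the class and function names, the backend addresses and the set of identifying headers are all assumptions made for illustration, and `fake_fetch` stands in for a real upstream HTTP call.

```python
import itertools

# Response headers that identify the origin server; an assumed, minimal set.
IDENTIFYING = {"server", "x-powered-by"}

class BackendPool:
    """Round-robin pool whose members can be added, removed or marked down."""

    def __init__(self, backends):
        self.backends = list(backends)
        self.down = set()
        self._turn = itertools.count()

    def add(self, backend):
        if backend not in self.backends:
            self.backends.append(backend)

    def remove(self, backend):
        self.backends.remove(backend)
        self.down.discard(backend)

    def mark(self, backend, healthy):
        (self.down.discard if healthy else self.down.add)(backend)

    def pick(self):
        """Return the next healthy backend, or None when none is available."""
        live = [b for b in self.backends if b not in self.down]
        return live[next(self._turn) % len(live)] if live else None

def handle(pool, path, fetch):
    """Proxy one request: choose a backend, call it, scrub the response.

    `fetch(backend, path)` stands in for the upstream HTTP call and returns
    (status, headers, body). The result is what the client would see, plus
    the backend used, which belongs in the proxy's own log only.
    """
    backend = pool.pick()
    if backend is None:
        return 503, {}, b"", None  # fail at the proxy, reveal nothing else
    status, headers, body = fetch(backend, path)
    visible = {k: v for k, v in headers.items() if k.lower() not in IDENTIFYING}
    return status, visible, body, backend

def fake_fetch(backend, path):
    """Constructed stand-in for an origin server reply."""
    return 200, {"Server": f"origin/{backend}", "Content-Type": "text/plain"}, b"ok"
```

Calling `handle` repeatedly while adding, removing or marking backends shows that the client-visible response stays the same regardless of which server answered.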