Proxy Server

277px Proxy concept en.svg
Figure 1. Communication between two computers (shown in grey) connected through a third computer (shown in red) which acts as a proxy server. Bob does not know to whom the information is going, which is the reason that proxies can be used to protect privacy.

In computer networking, a proxy server is a server application that acts as an intermediary between a client requesting a resource and the server providing that resource.

Instead of connecting directly to a server that can fulfill a requested resource, such as a file or web page, the client directs the request to the proxy server, which evaluates the request and performs the required network transactions. This serves as a method to simplify or control the complexity of the request, or provide additional benefits such as load balancing, privacy, or security. Proxies were devised to add structure and encapsulation to distributed systems. A proxy server thus functions on behalf of the client when requesting service, potentially masking the true origin of the request to the resource server.

A proxy server may reside on the user’s local computer, or at any point between the user’s computer and destination servers on the Internet. A proxy server that passes unmodified requests and responses is usually called a gateway or sometimes a tunneling proxy. A forward proxy is an Internet-facing proxy used to retrieve data from a wide range of sources (in most cases anywhere on the Internet). A reverse proxy is usually an internal-facing proxy used as a front-end to control and protect access to a server on a private network. A reverse proxy commonly also performs tasks such as load-balancing, authentication, decryption and caching.

Open proxies

An open proxy is a forwarding proxy server that is accessible by any Internet user.

280px Open proxy h2g2bob.svg

  • Anonymous proxy – This server reveals its identity as a proxy server but does not disclose the originating IP address of the client. Although this type of server can be discovered easily, it can be beneficial for some users as it hides the originating IP address.

  • Transparent proxy – This server not only identifies itself as a proxy server but with the support of HTTP header fields such as X-Forwarded-For, the originating IP address can be retrieved as well. The main benefit of using this type of server is its ability to cache a website for faster retrieval.

Reverse proxies

A reverse proxy (or surrogate) is a proxy server that appears to clients to be an ordinary server. Reverse proxies forward requests to one or more ordinary servers that handle the request. The response from the proxy server is returned as if it came directly from the original server, leaving the client with no knowledge of the original server. Reverse proxies are installed in the neighborhood of one or more web servers. All traffic coming from the Internet and with a destination of one of the neighborhood’s web servers goes through the proxy server. The use of reverse originates in its counterpart forward proxy since the reverse proxy sits closer to the web server and serves only a restricted set of websites. There are several reasons for installing reverse proxy servers:

280px Reverse proxy h2g2bob.svg
Figure 2. A reverse proxy taking requests from the Internet and forwarding them to servers in an internal network. Those making requests connect to the proxy and may not be aware of the internal network.
  • Encryption/SSL acceleration: when secure websites are created, the Secure Sockets Layer (SSL) encryption is often not done by the web server itself, but by a reverse proxy that is equipped with SSL acceleration hardware. Furthermore, a host can provide a single "SSL proxy" to provide SSL encryption for an arbitrary number of hosts, removing the need for a separate SSL server certificate for each host, with the downside that all hosts behind the SSL proxy have to share a common DNS name or IP address for SSL connections. This problem can partly be overcome by using the SubjectAltName feature of X.509 certificates.

  • Load balancing: the reverse proxy can distribute the load to several web servers, each web server serving its own application area. In such a case, the reverse proxy may need to rewrite the URLs in each web page (translation from externally known URLs to the internal locations).

  • Serve/cache static content: A reverse proxy can offload the web servers by caching static content like pictures and other static graphical content.

  • Compression: the proxy server can optimize and compress the content to speed up the load time.

  • Spoon feeding: reduces resource usage caused by slow clients on the web servers by caching the content the web server sent and slowly "spoon feeding" it to the client. This especially benefits dynamically generated pages.

  • Security: the proxy server is an additional layer of defense and can protect against some OS and web-server-specific attacks. However, it does not provide any protection from attacks against the web application or service itself, which is generally considered the larger threat. Extranet publishing: a reverse proxy server facing the Internet can be used to communicate to a firewall server internal to an organization, providing extranet access to some functions while keeping the servers behind the firewalls. If used in this way, security measures should be considered to protect the rest of your infrastructure in case this server is compromised, as its web application is exposed to attack from the Internet.

Proxy chaining

A proxy chain uses two or more proxy servers to assist in server and protocol performance and network security. Proxy chaining is not a type of proxy, but a use of reverse and forward proxy servers across multiple networks. In addition to the benefits to security and performance, proxy chaining allows requests from different protocols to be fulfilled in cases where, without chaining, such requests would not be possible or permitted. For example, a request using HTTP is sent to a server that can only handle FTP requests. In order for the request to be processed, it must pass through a server that can handle both protocols. This can be accomplished by making use of proxy chaining which allows the request to be passed from a server that is not able to fulfill such a request (perhaps due to security or networking issues, or its own limited capabilities) to a server that can fulfill such a request.

rzal8504
Figure 3. The above image shows a proxy chaining configuration. The intranet client makes a request to Server C (Content Server FTP). Server A (Proxy Server HTTP) does not contain the requested information in cache, so the request is passed through the firewall to Server B (proxy server HTTP/FTP). Server B has both HTTP and FTP protocols and is able to change the HTTP request to an FTP request. Server C receives the FTP request and passes back the requested information to Server B. Server B, in turn, passes the fulfilled request back to the intranet client using the HTTP protocol. The request is sent through the firewall and Server A where the request is cached and given to the intranet client.

Forwarded HTTP Extension

Proxies can make requests appear as if they originated from the proxy’s IP address. This can be useful if a proxy is used to provide client anonymity, but in other cases information from the original request is lost. The IP address of the original client is often used for debugging, statistics, or generating location-dependent content. A common way to disclose this information is by using the following HTTP headers.

Forwarded

The standardized Forwarded header contains information from the reverse proxy servers that is altered or lost when a proxy is involved in the path of the request.

The alternative and de-facto standard versions of this header are the X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Proto headers.

This header is used for debugging, statistics, and generating location-dependent content and by design it exposes privacy sensitive information, such as the IP address of the client. Therefore the user’s privacy must be kept in mind when deploying this header.

Syntax
Forwarded: by=<identifier>;for=<identifier>;host=<host>;proto=<http|https>
Examples

Using the Forwarded header

Forwarded: for="_mdn"

# case insensitive
Forwarded: For="[2001:db8:cafe::17]:4711"

# separated by semicolon
Forwarded: for=192.0.2.60;proto=http;by=203.0.113.43

# multiple values can be appended using a comma
Forwarded: for=192.0.2.43, for=198.51.100.17

Transitioning from X-Forwarded-For to Forwarded

If your application, server, or proxy supports the standardized Forwarded header, the X-Forwarded-For header can be replaced. Note that IPv6 address are quoted and enclosed in square brackets in Forwarded.

X-Forwarded-For: 123.34.567.89
Forwarded: for=123.34.567.89

X-Forwarded-For: 192.0.2.43, "[2001:db8:cafe::17]"
Forwarded: for=192.0.2.43, for="[2001:db8:cafe::17]"

X-Forwarded-For

The X-Forwarded-For (XFF) header is a de-facto standard header for identifying the originating IP address of a client connecting to a web server through an HTTP proxy or a load balancer. When traffic is intercepted between clients and servers, server access logs contain the IP address of the proxy or load balancer only. To see the original IP address of the client, the X-Forwarded-For request header is used.

This header is used for debugging, statistics, and generating location-dependent content and by design it exposes privacy sensitive information, such as the IP address of the client. Therefore the user’s privacy must be kept in mind when deploying this header.

Syntax
X-Forwarded-For: <client>, <proxy1>, <proxy2>
Examples
X-Forwarded-For: 2001:db8:85a3:8d3:1319:8a2e:370:7348

X-Forwarded-For: 203.0.113.195

X-Forwarded-For: 203.0.113.195, 70.41.3.18, 150.172.238.178

The usefulness of XFF depends on the proxy server truthfully reporting the original host’s IP address; for this reason, effective use of XFF requires knowledge of which proxies are trustworthy, for instance by looking them up in a whitelist of servers whose maintainers can be trusted.

X-Forwarded-Host

The X-Forwarded-Host (XFH) header is a de-facto standard header for identifying the original host requested by the client in the Host HTTP request header.

Host names and ports of reverse proxies (load balancers, CDNs) may differ from the origin server handling the request, in that case the X-Forwarded-Host header is useful to determine which Host was originally used.

The Host request header specifies the host and port number of the server to which the request is being sent.

If no port is included, the default port for the service requested is implied (e.g., 443 for an HTTPS URL, and 80 for an HTTP URL).

This header is used for debugging, statistics, and generating location-dependent content and by design it exposes privacy sensitive information, such as the IP address of the client. Therefore the user’s privacy must be kept in mind when deploying this header.

Syntax
X-Forwarded-Host: <host>
Examples
X-Forwarded-Host: id42.example-cdn.com

X-Forwarded-Proto

The X-Forwarded-Proto (XFP) header is a de-facto standard header for identifying the protocol (HTTP or HTTPS) that a client used to connect to your proxy or load balancer. Your server access logs contain the protocol used between the server and the load balancer, but not the protocol used between the client and the load balancer. To determine the protocol used between the client and the load balancer, the X-Forwarded-Proto request header can be used.

Syntax
X-Forwarded-Proto: <protocol>
Examples
X-Forwarded-Proto: https

Via

The Via general header is added by proxies, both forward and reverse proxies, and can appear in the request headers and the response headers. It is used for tracking message forwards, avoiding request loops, and identifying the protocol capabilities of senders along the request/response chain.

Syntax
Via: [ <protocol-name> "/" ] <protocol-version> <host> [ ":" <port> ]
Via: [ <protocol-name> "/" ] <protocol-version> <pseudonym>
Examples
Via: 1.1 vegur
Via: HTTP/1.1 GWA
Via: 1.0 fred, 1.1 p.example.net

Examples

$ curl -iL http://echo.example.com
HTTP/1.1 302 Moved Temporarily
Server: openresty
Date: Fri, 17 Sep 2021 15:45:31 GMT
Content-Type: text/html
Content-Length: 142
Connection: keep-alive
Location: https://echo.example.com/
via: CHN-SH-CT3-CACHE4[2] (1)

HTTP/2 200
date: Fri, 17 Sep 2021 15:31:25 GMT
content-type: text/plain
server: openresty
set-cookie: HWWAFSESID=3300f73e34d9b1b66d; path=/
set-cookie: HWWAFSESTIME=1631892685891; path=/
x-ccdn-origin-time: 26
age: 1
via: CHN-SH-CT3-CACHE4[363],CHN-SH-CT3-CACHE4[297,TCP_MISS,304],CHN-SH-GLOBAL1-CACHE53[293],CHN-SH-GLOBAL1-CACHE153[26,TCP_MISS,233] (1)
x-hcs-proxy-type: 0
x-ccdn-cachettl: 0



Hostname: echoserver-5676b759f8-gjd7p

Pod Information:
	-no pod information available-

Server values:
	server_version=nginx: 1.13.3 - lua: 10008

Request Information:
	client_address=172.25.0.103
	method=GET
	real path=/
	query=
	request_version=1.1
	request_scheme=http
	request_uri=http://echo.example.com:8080/

Request Headers:
	accept=*/*
	cdn-src-ip=119.237.236.174
	host=echo.example.com
	user-agent=curl/7.64.1
	via=CHN-SH-CT3-CACHE4, CHN-SH-GLOBAL1-CACHE153 (1)
	x-cloudwaf-traffic-tag=1
	x-forwarded-for=119.237.236.174, 218.78.185.5, 119.3.112.189, 100.125.24.54 (2)
	x-forwarded-host=echo.example.com (3)
	x-forwarded-port=443 (4)
	x-forwarded-proto=https (5)
	x-hwwaf-client-ip=119.237.236.174
	x-hwwaf-real-ip=119.3.112.189
	x-original-forwarded-for=119.237.236.174, 218.78.185.5, 119.3.112.189
	x-real-ip=119.237.236.174
	x-request-id=f68939fb016d99a209317985ae50010f
	x-scheme=https

Request Body:
	-no body in request-
1 Via: Added by proxies, both forward and reverse proxies, and can appear in the request headers and the response headers.
2 X-Forwarded-For: Identifies the originating IP addresses of a client connecting to a web server through an HTTP proxy or a load balancer.
3 X-Forwarded-Host: Identifies the original host requested that a client used to connect to your proxy or load balancer.
4 X-Forwarded-Port: Identifies the port that a client used to connect to your proxy or load balancer.
5 X-Forwarded-Proto: Identifies the protocol (HTTP or HTTPS) that a client used to connect to your proxy or load balancer.

References