Sambar Server Documentation

Reverse Proxy Functionality
Pro Server Only


Reverse Proxy Overview
A reverse proxy server is a server that acts as a broker between two entities, validating and processing a transaction in such a way that the actual parties to the transaction do not directly communicate with one another. This means that the proxy acts on behalf of the content web server. Typically, reverse proxy servers reside outside a firewall to represent a secure content server to outside clients, preventing direct, unmonitored access to the internal server's data.

If you have a content server that has sensitive information that must remain secure, such as a database of credit card numbers, you can set up a reverse proxy outside the firewall as a stand-in for your content server. When outside clients try to access the content server, they are sent to the proxy server instead. When a client makes a request to your site, the request goes to the reverse proxy server. The reverse proxy server then sends the client's request through a specific passage in the firewall to the content server. The content server passes the result through the passage back to the proxy. The proxy sends the retrieved information to the client, as if the proxy were the actual content server. In addition, the reverse proxy captures any URLs listed in the headers before sending the message to the client; this prevents external clients from getting redirection URLs to the internal content server.
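The header rewriting described above, as an added example in Python (not Sambar Server code, and not a description of how Sambar implements it): it rewrites absolute URLs in Location and Content-Location response headers from the internal host to the public virtual host, then reports any header that still names the internal host. The host names are the ones used in this page's configuration section; the header list, function names and sample response are assumptions constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Assumed mapping, using the host names from this page's configuration section.
PUBLIC_ORIGIN = ("http", "corp.sambar.com")
INTERNAL_HOSTS = {"internal.corp.sambar.com"}
# Assumed list of response headers whose whole value is a URL.
URL_HEADERS = {"location", "content-location"}

def rewrite_url(value):
    """Replace an internal origin with the public one; leave other URLs alone."""
    parts = urlsplit(value.strip())
    # urlsplit lowercases .hostname and strips any port or userinfo.
    if (parts.hostname or "") not in INTERNAL_HOSTS:
        return value  # relative URL or a host we do not front
    scheme, host = PUBLIC_ORIGIN
    # The internal port is dropped on purpose: it means nothing to outside clients.
    return urlunsplit((scheme, host, parts.path, parts.query, parts.fragment))

def rewrite_headers(headers):
    """Return a copy of (name, value) pairs with URL-bearing headers rewritten."""
    return [(n, rewrite_url(v) if n.lower() in URL_HEADERS else v)
            for n, v in headers]

def leaked_headers(headers):
    """Names of headers whose value still mentions an internal host."""
    return [n for n, v in headers
            if any(h in v.lower() for h in INTERNAL_HOSTS)]

# Constructed sample response headers from the content server.
SAMPLE = [
    ("Location", "http://INTERNAL.corp.sambar.com:8080/app/login?next=%2F"),
    ("Content-Location", "/static/a.html"),
    ("Set-Cookie", "sid=abc; Domain=internal.corp.sambar.com; Path=/"),
    ("Content-Type", "text/html"),
]

if __name__ == "__main__":
    rewritten = rewrite_headers(SAMPLE)
    for name, value in rewritten:
        print(f"{name}: {value}")
    # Anything listed here needs its own handling before the response goes out.
    print("still leaking:", leaked_headers(rewritten))
```

The leak check matters because a cookie Domain attribute or a URL embedded in another header is not covered by rewriting redirect headers alone.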

Secure Reverse Proxying
Secure reverse proxying occurs when one or more of the connections between the proxy server and another machine uses the Secure Sockets Layer (SSL) protocol to encrypt data. Secure reverse proxying can provide an encrypted connection from a proxy server outside a firewall to a secure content server inside the firewall. It can also allow clients to connect securely to the proxy server, facilitating the secure transmission of information (such as credit card numbers).

Client Authentication
In addition to SSL, the proxy can use client authentication, which requires that a computer making a request to the reverse proxy authenticate with a username and password before its request is permitted.

Configuring a Reverse Proxy
Reverse proxies are configured via the virtual hosts configuration panel. Essentially, a virtual host, e.g. corp.sambar.com, is configured to forward requests to http://internal.corp.sambar.com (or https://internal.corp.sambar.com for secure reverse proxying). Additionally, you can configure Require Authentication to ensure all requests to the virtual host authenticate; the virtual host can identify the authentication mechanism (LDAP, Radius, passwd).

Finally, the reverse proxy honors all security rules configured in the config/security.ini for: redirect, hostredirect, siteredirect, restrict, iprestrict, httpaccept, httpdeny, proxyaccept and proxydeny.

© 2004 Sambar Technologies. All rights reserved.