Reverse Proxy Definition
A reverse proxy is a server, app, or cloud service that sits in front of one or more web servers to intercept and inspect incoming client requests before forwarding them to the web server and subsequently returning the server’s response to the client. This supports security, scalability, and performance for websites, cloud services, and content delivery networks (CDNs). A reverse proxy offered as a cloud service is one of the deployment modes of a cloud access security broker (CASB).
What’s the Difference Between a Reverse Proxy and a Forward Proxy?
It’s easy to get these two types of proxy servers confused, so let’s break them down.
By sitting in front of a web server, a reverse proxy ensures no clients communicate directly with the server. A forward proxy (another CASB mode) sits in front of client endpoints to intercept incoming requests and ensure no servers communicate directly with a client. These may sound functionally similar, but forward proxies usually depend on a software agent installed on endpoints to forward traffic, while reverse proxies do not.
What Is a Reverse Proxy Server?
“Reverse proxy server” is essentially a more formal term for a reverse proxy. (The same is true of “forward proxy server” for a forward proxy.) Today, we tend to drop “server” because it calls to mind hardware—like a physical box—whereas the technology often takes the form of an application or cloud service.
How Does a Reverse Proxy Work?
Sitting in the flow of traffic, a reverse proxy integrates with an organization’s authentication service (e.g., single sign-on). Once services and apps are configured to transact with the reverse proxy, it can operate inline without an agent. This offers a straightforward user experience, with incoming traffic to managed cloud apps and the like redirected to the reverse proxy automatically.
Let’s look at this process a bit more closely.
A reverse proxy can protect sensitive data (e.g., PCI data, PII) by acting as a middleman or stand-in for the server on which that data resides. Client requests are routed first to the reverse proxy, then through a specified port in any applicable firewall, and then to the content server—and finally, back again. The client and the server never communicate directly, but the client interprets responses as if they had. Here are the basic steps:
- Client sends a request, which the reverse proxy intercepts
- Reverse proxy forwards the incoming request to the firewall
  - The reverse proxy can be configured to respond directly to requests for files in its cache without communicating with the server—see more detail on this in the use cases
- Firewall either blocks the request or forwards it to the server
- Server sends response through the firewall to the proxy
- Reverse proxy sends the response to the client
The reverse proxy can also scrub server responses for information that could allow a hacker to redirect to protected internal resources or take advantage of other vulnerabilities.
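The five steps above, with the response scrubbing from the last paragraph, as an added example that is not code from the original page: a minimal HTTP reverse proxy written against Python's standard library. It receives the client's request, forwards it to the origin with hop-by-hop headers removed and the real client address recorded, and scrubs the origin's response before relaying it: software banners such as `Server` are dropped, and a `Location` header that names the internal origin is rewritten to the public hostname so a redirect cannot pull the client around the proxy. The loopback origin, the public hostname `https://www.example.com` and the `ExampleOrigin/1.0` banner are constructed; TLS, caching and the firewall hop are left out.

```python
"""Reverse proxy request flow: intercept, forward, scrub, return.
Added example, not code from the original page. Assumes a plain-HTTP origin
reachable from the proxy; TLS, caching and the firewall hop are left out."""
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailer", "transfer-encoding", "upgrade"}  # RFC 7230 section 6.1
LEAKY = {"server", "x-powered-by", "x-aspnet-version"}  # advertise backend software/versions


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """The proxy relays 3xx responses to the client instead of following them."""
    def redirect_request(self, *args, **kwargs):
        return None


def build_upstream_headers(client_headers, client_ip, origin_host):
    """Step 2: headers sent to the origin. Hop-by-hop headers are dropped, Host
    points at the origin, and the real client address is recorded for logging."""
    out = {k: v for k, v in client_headers.items()
           if k.lower() not in HOP_BY_HOP and k.lower() != "host"}
    out["Host"] = origin_host
    prior = client_headers.get("X-Forwarded-For")
    out["X-Forwarded-For"] = f"{prior}, {client_ip}" if prior else client_ip
    return out


def scrub_response_headers(origin_headers, origin_base, public_base):
    """Step 5: headers returned to the client. Version banners are stripped and a
    Location naming the internal origin is rewritten to the public hostname."""
    out = {}
    for k, v in origin_headers.items():
        lk = k.lower()
        if lk in HOP_BY_HOP or lk in LEAKY:
            continue
        if lk == "location" and v.startswith(origin_base):
            v = public_base + v[len(origin_base):]
        out[k] = v
    return out


def make_proxy_handler(origin_base, public_base):
    origin_host = origin_base.split("://", 1)[1]
    opener = urllib.request.build_opener(_NoRedirect)

    class ProxyHandler(BaseHTTPRequestHandler):
        def do_GET(self):  # step 1: the proxy, not the origin, receives the request
            upstream = build_upstream_headers(self.headers, self.client_address[0], origin_host)
            req = urllib.request.Request(origin_base + self.path, headers=upstream)
            try:
                resp = opener.open(req, timeout=5)  # steps 2-4
                status, hdrs, body = resp.status, dict(resp.headers.items()), resp.read()
            except urllib.error.HTTPError as e:  # 3xx/4xx/5xx still carry headers and a body
                status, hdrs, body = e.code, dict(e.headers.items()), e.read()
            self.send_response_only(status)  # send_response() would add the proxy's own Server banner
            for k, v in scrub_response_headers(hdrs, origin_base, public_base).items():
                self.send_header(k, v)
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass

    return ProxyHandler


def demo():
    """Origin and proxy on loopback; fetch one redirect through the proxy."""
    class Origin(BaseHTTPRequestHandler):
        def do_GET(self):
            self.send_response_only(302)
            self.send_header("Server", "ExampleOrigin/1.0")  # constructed banner
            self.send_header("Location", origin_base + "/internal/dashboard")
            self.send_header("Content-Length", "0")
            self.end_headers()

    origin = HTTPServer(("127.0.0.1", 0), Origin)
    origin_base = f"http://127.0.0.1:{origin.server_address[1]}"
    proxy = HTTPServer(("127.0.0.1", 0), make_proxy_handler(origin_base, "https://www.example.com"))
    for srv in (origin, proxy):
        threading.Thread(target=srv.serve_forever, daemon=True).start()
    try:
        urllib.request.build_opener(_NoRedirect).open(
            f"http://127.0.0.1:{proxy.server_address[1]}/login", timeout=5)
    except urllib.error.HTTPError as e:  # the client sees the proxy's 302, never the origin's
        return e.code, dict(e.headers.items())
    finally:
        origin.shutdown()
        proxy.shutdown()


if __name__ == "__main__":
    print(demo())
```

Running the file starts both servers on ephemeral loopback ports and prints the status and headers the client receives: the `Location` points at `https://www.example.com/internal/dashboard` and the origin's `Server` banner is gone. The two header functions are pure so they can be unit-tested without sockets; a production proxy would additionally handle other methods, request bodies, streaming and TLS termination.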
Reverse Proxy Use Cases
Reverse proxying, as a CASB deployment mode, is core to the security service edge (SSE) model alongside secure web gateway (SWG), zero trust network access (ZTNA), and other cloud-delivered security services.
Beyond SSE, common specific use cases for reverse proxies include:
Securing Unmanaged Devices
Many of your employees may use multiple devices for work, including personal ones. Beyond that, plenty of suppliers, partners, and customers may need access to your internal applications on their own unmanaged devices, presenting a risk to your security.
You can install agents to manage devices your organization owns, but unmanaged endpoints are a different story. Third parties won’t let you install agents on their endpoints, and many employees don’t want agents on their personal devices, either. Instead, a reverse proxy offers agentless protection against data leakage and malware from any unmanaged device accessing your cloud applications and resources.
A reverse proxy can enforce data loss prevention policies to prevent accidental or intentional uploads or downloads of sensitive information to or from sanctioned cloud apps. Because it operates inline and inspects encrypted traffic (especially a cloud-based reverse proxy), it can ensure uploaded or downloaded data falls in line with your policies.
An infected file in a cloud service can spread to connected apps and devices—especially unmanaged devices. By agentlessly preventing uploads or downloads of infected files to or from cloud resources, a reverse proxy provides advanced threat protection against malware and ransomware.
By nature, reverse proxies also hide servers and their IP addresses from clients, which protects web resources from threats such as distributed denial of service (DDoS) attacks.
Reverse proxies can also absorb client demand that would otherwise overwhelm a single server, promoting high availability and better load times by taking pressure off the backend server. They do this in two main ways:
- A reverse proxy can cache content from an origin server in temporary storage, and then send the content to clients that request it without further transacting with the server (this is called web acceleration). DNS can be used to route requests evenly among multiple reverse proxies.
- If a large website or other web service uses multiple origin servers, a reverse proxy can distribute requests among them to ensure even server loads.
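The two mechanisms above, caching an origin's responses and spreading requests over several origins, in one added example that is not from the original page. Origins are simulated by an in-memory function so the code runs offline, and the outage of one origin is constructed. The cache honours only the `max-age`, `no-store` and `private` directives of `Cache-Control`; the pool is round-robin and temporarily skips an origin that fails. The origin names `app-1` to `app-3` and the request sequence are constructed.

```python
"""Web acceleration (response caching) and load distribution in a reverse proxy.
Added example, not from the original page. Origins are simulated by an in-memory
function; only the Cache-Control directives max-age, no-store and private are honoured."""
import itertools
import re
import time

_MAX_AGE = re.compile(r"max-age=(\d+)")


def cache_ttl(status, headers):
    """Seconds a response may be served from cache; 0 means do not store it."""
    if status != 200:
        return 0
    cc = headers.get("Cache-Control", "").lower()
    if "no-store" in cc or "private" in cc:
        return 0
    m = _MAX_AGE.search(cc)
    return int(m.group(1)) if m else 0


class ResponseCache:
    """Temporary store keyed by (method, path) with a per-entry expiry time."""
    def __init__(self, clock=time.monotonic):
        self._store, self._clock = {}, clock

    def get(self, key):
        entry = self._store.get(key)
        if entry and entry[0] > self._clock():
            return entry[1]
        self._store.pop(key, None)  # missing or expired
        return None

    def put(self, key, response, ttl):
        if ttl > 0:
            self._store[key] = (self._clock() + ttl, response)


class OriginPool:
    """Round-robin over origins; an origin that fails is skipped for retry_after seconds."""
    def __init__(self, origins, clock=time.monotonic, retry_after=30.0):
        self._origins, self._clock, self._retry = list(origins), clock, retry_after
        self._cycle = itertools.cycle(range(len(self._origins)))
        self._down_until = {}

    def pick(self):
        for _ in range(len(self._origins)):
            origin = self._origins[next(self._cycle)]
            if self._down_until.get(origin, 0) <= self._clock():
                return origin
        raise RuntimeError("no healthy origin")

    def mark_down(self, origin):
        self._down_until[origin] = self._clock() + self._retry


class AcceleratingProxy:
    def __init__(self, pool, cache, fetch):
        self.pool, self.cache, self.fetch = pool, cache, fetch
        self.forwarded = {}  # requests actually sent to each origin

    def handle(self, method, path):
        """Return (status, headers, body, served_by); served_by is 'cache' or an origin name."""
        key = (method, path)
        if method == "GET":
            hit = self.cache.get(key)
            if hit is not None:
                return hit + ("cache",)  # no transaction with any origin
        for _attempt in range(2):  # one retry on another origin after a failure
            origin = self.pool.pick()
            self.forwarded[origin] = self.forwarded.get(origin, 0) + 1
            try:
                status, headers, body = self.fetch(origin, method, path)
                break
            except ConnectionError:
                self.pool.mark_down(origin)
        else:
            return 502, {}, "bad gateway", "proxy"
        if method == "GET":
            self.cache.put(key, (status, headers, body), cache_ttl(status, headers))
        return status, headers, body, origin


def simulated_origin(origin, method, path):
    """Constructed stand-in for the backend servers; app-3 is down."""
    if origin == "app-3":
        raise ConnectionError(origin)
    if path.startswith("/static/"):
        return 200, {"Cache-Control": "public, max-age=60"}, f"{origin} served {path}"
    return 200, {"Cache-Control": "no-store"}, f"{origin} served {path}"


def simulate():
    """Constructed request sequence; returns (served_by per request, forwards per origin)."""
    now = [0.0]
    clock = lambda: now[0]  # controllable clock so expiry is deterministic
    proxy = AcceleratingProxy(OriginPool(["app-1", "app-2", "app-3"], clock),
                              ResponseCache(clock), simulated_origin)
    served = []
    for path in ["/static/app.js", "/static/app.js", "/account", "/account", "/static/app.js"]:
        served.append(proxy.handle("GET", path)[3])
    now[0] = 61.0  # past max-age=60, so the next request goes back to an origin
    served.append(proxy.handle("GET", "/static/app.js")[3])
    return served, dict(proxy.forwarded)


if __name__ == "__main__":
    print(simulate())
```

In the simulated run the static asset is fetched once and then served from the cache until its `max-age` lapses, the `no-store` account page is fetched every time and alternates between origins, and the request that lands on the failed `app-3` is retried on the next healthy origin while `app-3` is skipped for 30 seconds. Real proxies also revalidate with `ETag`/`If-None-Match`, respect `Vary`, and use health checks rather than waiting for a connection error.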
Benefits of Using a Reverse Proxy
With those use cases in mind, the advantages of using a reverse proxy fall into three main areas:
- Data security and threat prevention: Reverse proxies provide web application firewall (WAF) functionality by monitoring and filtering traffic (including encrypted traffic) between managed and unmanaged endpoints and the web server, protecting it from SQL injection, cross-site scripting, and more.
- Scalability and resource management: This is a two-part benefit. Reverse proxies support operational scale by eliminating the need to install agents on every user endpoint before you can offer secure access to managed resources. They also support infrastructure scale through load balancing capabilities for resources in high demand.
- Performance and productivity: Cloud-based reverse proxies can analyze and apply security policies to traffic, including remote user traffic, without backhauling it through your data center. They also have effectively unlimited scale for inspecting TLS/SSL traffic (the majority of today’s traffic), whereas appliance-based firewalls and proxies can rarely inspect TLS/SSL encryption without major performance drops.
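An added example for the web application firewall point in the first bullet, not code from the page or from any product: a request-inspection pass a reverse proxy can run before forwarding, with a handful of constructed rules applied to the decoded path, query and form values, and a constructed batch of sample requests. Rule names, patterns and samples are illustrative; a real deployment relies on a maintained rule set and tuning against its own traffic rather than five regular expressions.

```python
"""WAF-style request inspection in front of the origin.
Added example with constructed rules and sample traffic; not from the original page."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# Illustrative rules: (name, pattern applied to each decoded value). A production
# rule set is far larger and is tuned to keep false positives down.
RULES = [
    ("sqli-tautology", re.compile(r"(?i)\b(?:or|and)\b\s+['\"\d]+\s*=\s*['\"\d]+")),
    ("sqli-comment", re.compile(r"--(?:\s|$)|/\*")),
    ("xss-tag", re.compile(r"(?i)<\s*/?\s*(?:script|img|svg|iframe)\b")),
    ("xss-handler", re.compile(r"(?i)\bon(?:load|error|click|mouseover|focus)\s*=")),
    ("path-traversal", re.compile(r"\.\./|\.\.\\")),
]


def decoded_values(url, body=""):
    """Yield (location, value) for the path and every query/form parameter.
    parse_qsl decodes once; unquote_plus decodes a second layer so that a
    double-encoded value (e.g. %253C for '<') is inspected in its final form."""
    parts = urlsplit(url)
    yield "path", unquote_plus(parts.path)
    for k, v in parse_qsl(parts.query, keep_blank_values=True):
        yield f"query:{k}", unquote_plus(v)
    for k, v in parse_qsl(body, keep_blank_values=True):
        yield f"form:{k}", unquote_plus(v)


def inspect(url, body=""):
    """All (rule, location) matches for a request; an empty list means it passes."""
    return [(name, where)
            for where, value in decoded_values(url, body)
            for name, pattern in RULES if pattern.search(value)]


def decide(url, body=""):
    """Proxy decision: ('block', findings) or ('allow', [])."""
    findings = inspect(url, body)
    return ("block" if findings else "allow"), findings


# Constructed sample traffic: benign, three hostile, and a benign value that looks close.
SAMPLE_REQUESTS = [
    ("GET", "/search?q=reverse+proxy", ""),
    ("GET", "/login?user=admin%27+OR+1%3D1+--", ""),
    ("POST", "/comment", "text=%3Cscript%3Ealert(1)%3C%2Fscript%3E"),
    ("GET", "/files?name=..%2F..%2Fconfig.ini", ""),
    ("GET", "/search?q=one+and+two", ""),
]


def run_samples():
    """Decision per sample request, in order."""
    return [decide(url, body)[0] for _method, url, body in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for (method, url, body), verdict in zip(SAMPLE_REQUESTS, run_samples()):
        print(f"{verdict:5} {method} {url} {body}")
```

The decode step matters as much as the rules: values are inspected after the same decoding the backend will apply, so encoding tricks do not hide a payload from the filter but not from the application. Blocked requests should be logged with the rule name and parameter location, as `inspect` returns them, so that false positives can be tuned out.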
Challenges with Reverse Proxies
Reverse proxies offer notable security benefits when it comes to securing unmanaged devices and enterprise applications, but they bring notable shortcomings, too, such as:
- No security for unmanaged resources: If a user needs secure access to an app or resource that’s not integrated with your SSO, it’s outside a reverse proxy’s purview. Reverse proxies only monitor traffic destined for sanctioned resources, not all traffic—to secure unsanctioned resources in the same way, you’ll need a forward proxy.
- Risk of frequent breakage: Reverse proxies are typically hardcoded to work with specific versions of applications, so when an application is updated and new code is sent to the proxy, it can break. This can make the updated application unavailable until the proxy can be recoded, which leads to frustrated users and lost productivity.
A Better Way: Cloud Browser Isolation
Today, more organizations are turning to Cloud Browser Isolation to avoid the limitations and breakage risks of reverse proxies while still enabling secure use of unmanaged devices without endpoint agents.
When a user accesses a managed cloud application, Zscaler Cloud Browser Isolation (CBI) virtualizes the session and renders content in an isolated environment in the cloud, sending the session to the user as a stream of pixels. The user experience is identical to the native experience of that cloud app, except that CBI prevents unmanaged devices from downloading, copying, pasting, or printing the sensitive data found in the app.
This makes CBI the ideal way to support flexibility and productivity for your extended user base while preventing accidental leakage, malicious exfiltration, and malware proliferation via unmanaged devices.
Zscaler Cloud Browser Isolation
Zscaler Cloud Browser Isolation provides unmatched defense against web-based data leakage and threats, powered by the industry's most advanced zero trust web isolation.
An Unmatched User Experience
Get lightning-speed connections to apps and websites with our unique pixel-streaming technology and direct-to-cloud proxy architecture. Users receive a high-performance stream of pixels in their browser, offering security without cutting into productivity.
Consistent Protection for Users Anywhere
Protect any user, on any device, in any location with a zero trust isolation policy that spans headquarters, mobile or remote sites, and highly targeted functions and departments.
Less Management Hassle
Deploy and manage in seconds, leveraging Zscaler Client Connector or an agentless option to route traffic through the Zscaler Zero Trust Exchange™ with native Cloud Browser Isolation integration.
Enjoy coverage for all major web browsers to suit user preferences. Cookie persistence for isolated sessions keeps users’ key settings, preferences, and sign-on information intact.
See for Yourself
To learn more, read the Zscaler Cloud Browser Isolation data sheet.
If you’re ready to get a closer look, you can sign up for a 30-day trial.