What is a reverse proxy?
A reverse proxy sits in front of one or more web servers and intercepts requests from clients to said server(s). This differs from a forward proxy, which sits in front of the clients and inspects all of their traffic. With a reverse proxy, when a client (an endpoint device) sends a request to a particular website, the request is intercepted by the reverse proxy and subsequently inspected. The reverse proxy will then send the request to and receive the response from the website’s server, as well as send said response to the client (again, following inspection).
While a forward proxy sits in front of an endpoint and ensures that no servers communicate directly with that endpoint, a reverse proxy, by sitting in front of a server, ensures that no client ever communicates directly with that server. A forward proxy typically entails software installed on user endpoints to forward traffic to the proxy, whereas a reverse proxy, which sits server-side, does not require such installations.
A reverse proxy serves a number of purposes for high-traffic websites, cloud services, and content management systems. It may sit in front of a pool of servers and distribute incoming requests, a process known as load balancing, to prevent any of the servers from becoming overloaded by incoming traffic. A reverse proxy may also be used to protect websites from threats, such as distributed-denial-of-service (DDoS) attacks, because the actual servers and their IP addresses are hidden behind the proxy.
Reverse proxy in the modern enterprise
In organizations today, reverse proxy most commonly refers to a cloud access security broker (CASB) deployment mode that provides inline, real-time security for cloud-based resources. The reverse proxy sits in the cloud, on the server side, and in front of SaaS apps and IaaS platforms. Specifically, it monitors traffic destined for sanctioned resources only (rather than monitoring all traffic) and, as a result, does not secure unsanctioned resources (which would require the use of a CASB’s forward proxy deployment mode).
With a CASB in reverse proxy mode, there is no need to install software on user devices for traffic forwarding or endpoint security; the endpoint is never in direct contact with servers, and the proxy—without the use of an agent—applies security policies on the fly, which has the added benefit of allowing secure access to corporate cloud resources for devices where the enterprise lacks control (more on that below).
As the adoption of cloud services and remote work increases, the use of CASBs’ cloud-based reverse proxies (as opposed to firewalls or proxy appliances either on premises or deployed virtually) has become increasingly important for both security and enterprise productivity. One of the reasons is that, unlike a passthrough firewall, such a reverse proxy fully analyzes content and applies security policies as needed before sending traffic along to its destination—without backhauling remote user traffic to the enterprise data center. It also provides inspection of SSL/TLS traffic, which represents the vast majority of traffic and is difficult, if not impossible, for appliances to handle at scale.
How does a reverse proxy work?
A reverse proxy gets in the flow of traffic and secures access to sanctioned cloud resources by integrating with those resources as well as with an organization’s identity provider (IdP) via SAML (Security Assertion Markup Language, the standard used to exchange authentication and authorization data between an identity provider and cloud services). Through this integration, which entails configuring the cloud apps’ single sign-on (SSO) settings to point to the reverse proxy, the CASB is able to operate inline without the need for agents.
In the user experience, when someone signs into an SSO service to access managed cloud apps, that user’s traffic is automatically redirected to the reverse proxy, which operates in the data path and serves as a middleman. It plays the role of the user for the cloud app, and the cloud app for the user, passing information back and forth while applying real-time security policies.
Use cases for reverse proxy
Unmanaged devices: Most enterprise employees use multiple devices for work, including some that are unmanaged, such as personal smartphones and tablets. Bring your own device (BYOD), which refers to access from personal devices, has increased substantially with the rise of remote work, as employees have done whatever was necessary to remain productive while working from home. In addition to BYOD, there are unmanaged devices belonging to supplier, customer, and partner organizations that regularly need access to an enterprise’s internal applications, which also represents a risk to the enterprise.
While organizations can control managed devices by requiring that agents be installed on them, control over unmanaged devices is typically lacking; employees often resist security software installations on their personal devices, and the enterprise cannot seize control over another organization’s endpoints. Fortunately, the use of a reverse proxy provides a key layer of agentless protection against data leakage and malware on any unmanaged devices accessing an enterprise’s cloud applications.
Data protection: A reverse proxy can prevent the accidental or intentional upload of sensitive information to sanctioned cloud applications. Because it operates inline and has the scale to inspect even encrypted traffic, the reverse proxy ensures that the data a user may be uploading is appropriate based on policy. Additionally, inspecting files upon download prevents sensitive information from finding its way onto unauthorized or unmanaged endpoints where it can be exfiltrated. In other words, whether at upload or download, CASBs in reverse proxy mode can enforce agentless inline DLP policies.
Threat prevention: If an infected file is uploaded into a cloud service, it can wreak havoc by proliferating within the service as well as by spreading to other connected apps and user devices upon download. This threat is all the more likely in environments where users access corporate cloud apps through unmanaged devices, which are more likely to contain malware and are highly difficult to secure through conventional, agent-based tools. By agentlessly preventing the upload of infected files to cloud resources (as well as the download of infected files to user devices), a CASB in reverse proxy mode provides advanced threat protection (ATP) functionality that is critical for defending against malware and ransomware.
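The mechanism described under "How does a reverse proxy work?" and the inline DLP use case above, as an added example (not Zscaler's code and not a real CASB): a minimal proxy handler that inspects uploads against two constructed DLP patterns, forwards allowed requests to the upstream app, and rewrites links in HTML responses so the browser keeps returning through the proxy. The hostnames, the patterns, and the `fake_upstream` stand-in for the SaaS app are all constructed for this example.

```python
import re

# Hypothetical hostnames, constructed for this example
UPSTREAM = "app.example-saas.test"      # the sanctioned cloud app
PROXY = "app-proxy.casb.example"        # the reverse proxy the SSO settings point to

# Constructed DLP rules an inline policy might enforce on uploads
DLP_PATTERNS = {
    "credit_card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
}


def dlp_verdict(body: str) -> list:
    """Return the names of the DLP rules an upload body matches (empty = allowed)."""
    return [name for name, rx in DLP_PATTERNS.items() if rx.search(body)]


def rewrite_links(html: str) -> str:
    """Point upstream links at the proxy so later requests stay in the data path."""
    return html.replace(f"https://{UPSTREAM}", f"https://{PROXY}")


def handle(request: dict, upstream) -> dict:
    """Proxy one request: inspect the upload, forward it, then rewrite the response.

    `request` and the returned dict are simplified HTTP messages; `upstream` is a
    callable standing in for the real connection to the cloud app.
    """
    if request["method"] == "POST":
        hits = dlp_verdict(request.get("body", ""))
        if hits:  # block before anything reaches the cloud app
            return {"status": 403, "body": "blocked by DLP policy: " + ", ".join(hits)}
    headers = {**request.get("headers", {}), "Host": UPSTREAM}  # act as the user
    resp = upstream(dict(request, headers=headers))
    if resp.get("content_type", "").startswith("text/html"):  # act as the app
        resp = dict(resp, body=rewrite_links(resp["body"]))
    return resp


def fake_upstream(req: dict) -> dict:
    """Constructed stand-in for the SaaS application's response."""
    assert req["headers"]["Host"] == UPSTREAM
    return {"status": 200, "content_type": "text/html",
            "body": f'<a href="https://{UPSTREAM}/files">Files</a>'}
```

The hardcoded hostname and link-rewriting logic is also the part that fails when the app changes its URLs, which is the breakage the next section describes.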
Challenges with reverse proxies
While a reverse proxy offers various protections for the enterprise and serves as a method of securing unmanaged devices, it is not without its shortcomings. In particular, reverse proxies are subject to frequent breakages, which can make services unavailable, frustrate users, and kill productivity. Such breakages are common because these proxies are typically hardcoded to work with specific versions of applications. When an application is updated and its new code reaches the proxy, the proxy breaks and must be manually recoded before it can once again intermediate traffic properly.
A better alternative: Cloud Browser Isolation
Increasingly, organizations are turning to agentless Cloud Browser Isolation (CBI) technology in place of reverse proxy deployment modes. This is because CBI allows them to avoid reverse proxy issues and breakages while still securely enabling the use of unmanaged devices—without the need for software installations on endpoints.
When a user accesses a managed cloud application, CBI virtualizes the session and renders content in an isolated environment in the cloud, sending only pixels of said session to the end user device. As a result, the CBI user experience is unchanged from that of the native cloud app experience, but it allows the viewing of content without permitting downloading, copying and pasting, or printing. Consequently, it’s the ideal solution for enabling productivity while preventing accidental data leakage, malicious data exfiltration, and malware proliferation via unmanaged devices—all without agents.
When considering CBI, it’s important to choose a vendor that has a proven inline platform and is a trusted leader in security. Zscaler is built on a cloud-native proxy architecture to deliver maximum security and performance. The company runs the world’s largest inline security cloud with 150 data centers on six continents that serve customers in 185 countries; it processes 160 billion transactions each day.