Many companies operate their web servers in their own data center. Firewalls have long been standard, as have DMZ networks that contain only the servers that are meant to be reachable from the Internet.
In addition to the firewall, however, there are many other protective measures that should not be neglected, such as virus scanners and operating system updates (especially security updates) on the web servers. In this article I introduce another protection mechanism.
The reverse proxy
Proxy server
Proxy systems were originally used as caches, so that the same data did not have to be downloaded from the Internet several times. The proxy server stored the web pages, images and downloads fetched by users of a local area network and served them to other users at high speed. The motivation was not only download speed but also the bandwidth required on the company network's external connection. As bandwidth has increased, proxy servers have faded more and more into the background.
Another advantage of a proxy server is that users do not need direct access to the Internet, which gives additional protection against Trojans or other malware that tries to contact the Internet from inside the corporate network.
Reverse proxy server
A reverse proxy does the same thing as a proxy server, only in the opposite direction: users on the Internet reach the company's own web servers through the proxy server. This makes it possible to expose a hardened operating system without additional functionality (database systems, file servers, etc.) as the only entry point for Internet users. It also spares the production systems the constant stream of security updates (which in part affect their functionality too), because Internet users only ever reach the reverse proxy server, which then forwards their requests to the appropriate internal web server.
Figure: Network overview of a DMZ with reverse proxy
The reverse proxy accepts all requests and forwards them to the production systems, so the client never communicates directly with the production server.
It also makes sense to use different operating systems for the reverse proxy and the production server, so that a single vulnerability does not affect both at once.
Extended access control
The proxy is also a place to add further access controls. CMS systems usually have an administration area for maintaining content that is protected by a password, but such systems are only ever as secure as the passwords chosen. To strengthen access protection, the proxy server can restrict certain paths so that they are reachable only from the internal network.
For example, with TYPO3 the administration path is in most cases www.your-domain.com/typo3. With a reverse proxy, access can be controlled so that this administration path can be reached only from the internal network and not from the Internet.
A reverse proxy also makes it possible to publish several internal systems under the same external IP address; the proxy server then takes over the routing to the corresponding systems. In a follow-up blog article we will provide an example configuration for using Squid as a reverse proxy.
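As an added example (not the configuration from this article or from the Squid project), the following Squid configuration fragment puts both of the ideas above into practice: it publishes two internal systems under one external address, routes each request by its hostname, and restricts the /typo3 administration path to the internal network. All IP addresses, hostnames, peer names and ACL names are assumptions chosen for illustration.

```squid
# Assumed addresses: 203.0.113.10 is the proxy's external (DMZ) address,
# 10.10.0.1 its internal address, and 10.10.0.21 / 10.10.0.22 are the
# internal production web servers.

# Listen in accelerator (reverse proxy) mode on both interfaces; "vhost"
# selects the origin server from the Host header of each request.
http_port 203.0.113.10:80 accel defaultsite=www.your-domain.com vhost
http_port 10.10.0.1:80 accel defaultsite=www.your-domain.com vhost

# Internal origin servers the proxy is allowed to forward to.
cache_peer 10.10.0.21 parent 80 0 no-query originserver name=cms
cache_peer 10.10.0.22 parent 80 0 no-query originserver name=app

# Published hostnames and which internal system each one maps to.
acl site_cms dstdomain www.your-domain.com
acl site_app dstdomain app.your-domain.com
cache_peer_access cms allow site_cms
cache_peer_access cms deny all
cache_peer_access app allow site_app
cache_peer_access app deny all

# Client networks that count as "internal" (assumed private ranges).
acl internal_net src 10.0.0.0/8 192.168.0.0/16

# TYPO3 administration area. The match is case-insensitive and only
# catches /typo3 itself, /typo3/... and /typo3?..., so public paths such
# as /typo3conf/ are not blocked by mistake.
acl typo3_admin urlpath_regex -i ^/typo3(/|\?|$)

# Order matters: deny the admin path to everyone outside the internal
# network before any allow rule can match.
http_access deny typo3_admin !internal_net

# Only the published sites are served; anything else is refused, so the
# proxy cannot be used as an open forward proxy.
http_access allow site_cms
http_access allow site_app
http_access deny all

# Never cache responses from the administration area.
cache deny typo3_admin
```

Two points to keep in mind when adapting this. The `src` ACL works on the client address as the proxy sees it, so the rule is only meaningful if no NAT device or load balancer in front of the proxy rewrites source addresses. And the proxy removes the production servers from direct reach, but the requests it forwards are still processed by them, so the backends still need their own updates; the proxy reduces exposure, it does not replace patching.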