Many IT administrators use proxies extensively in their networks, however the concept or reverse proxying is slightly less common. So what is a reverse proxy? Well, it refers to the setup where a proxy server like this is run in such a way that it appears to clients just like a normal web server.
Specifically, the client will connect directly to the proxy considering it to be the final destination i.e. the web server itself, they will not be aware that the requests could be relayed further to another server. It is possible that this will even be an additional proxy server. These ‘reverse proxy servers’ are also often referred to as gateways although this term can have different meanings too. To avoid confusion we’ll avoid that description in this article.
In reality the word ‘reverse’ refers to the backward role of the proxy server. In a standard proxy, the server will act as a proxy for the client initially. Any request by the proxy is made on behalf of the received client request. This is not the case in the ‘reverse’ scenario because because it acts as a proxy for the web server and not the client. This distinction can look quite confusing, as in effect the proxy will forward and receive requests to both the client and server however the distinction is important. You can read RFC 3040 for further information on this branch of internet replication and caching.
A standard proxy is pretty much dedicated to the client’s needs, all configured clients will forward all their requests for web pages to the proxy server. In a standard network architecture they will normally sit fairly close to the clients in order to reduce latency and network traffic. These proxies are also normally run by the organisations themselves although some ISPs will offer the service to larger clients.
In the situation of a reverse proxy, it is representing one or a small number of origin servers. You cannot normally access random servers through a reverse proxy because it has to be configured to specifically access certain web servers. Often these servers will need to be highly available and the caching aspect is important, a large organisation like Netflix would probably have specific IP addresses (read this) pointing at reverse proxies. The list of servers that are accessible should always be available from the reverse proxy server itself. A reverse proxy will normally be used by ‘all clients’ to specifically access certain web resources, indeed access may be completely blocked by any other route.
Obviously in this scenario it is usual for the reverse proxy to be both controlled and administered by the owner of the origin web server. This is because these servers are used for two primary purposes to replicate content across a wide geographic area and two replicate content for load balancing. In some scenarios it’s also used to add an extra layer of security and authentication to accessing a secure web server too.
For many people, travel is becoming much easier and as a species our geographical horizons are perhaps wider than ever. Inexpensive air travel and soft borders like the European Union means that instead of just looking to work in another city or town, another country is just as viable. The internet of course enables this somewhat, many corporations have installed infrastructure to allow remote or home working which means many people can work from wherever they wish. Instead of sitting in cubicles in vast expensive office space, the reality is that people can work together just as easily using high speed internet connections from home.
Unfortunately there are some issues from this digital utopia, of which most are self inflicted. Instead of being a vast unfettered global communications medium, the internet in some senses has begun to shrink somewhat. Not so much in size but rather an increasing number of restrictions, filters and blocks being applied to web servers across the planet. For instance the company I work for has two main bases one in the UK and the other in Poland, which means there is quite a bit of travel between the two countries. Not surprisingly employees who are working away from home for some time, use the internet to keep in touch with their homelife, yet this can be frustrating.
A common issue is the fact that many websites are not really accessible globally, they are locked to specific regions. Take for example the main Polish TV channel – TVN, it has a fantastic website and a media player by which you can watch all their shows. However a Polish citizen who tries to watch the local News from Warsaw from a hotel in the UK will find themselves blocked, the content is only available to those physically located in Poland. It’s no one off either, this behaviour is shared by pretty much every large media company on the web who block access depending on your location.
There is a solution and for our employees it’s actually quite simple, all they need to do is fire up their VPN client and remotely connect back to their home server in Poland. The instant they do this, their connection looks like it’s based in Poland and all the Polish TV channels will work perfectly. There’s a post about something similar here – using a Polish proxy to watch TVN and some other channels although this one is through a commercial service designed to hide your location. It’s a practice that is becoming increasingly necessary, the more we travel the more we find our online access is determined by our physical location.
The use of proxies and more recently VPNs allows you to break out of these artificial intranets which companies are creating by blocking access from other countries. The idea is that if you have the ability to switch to various VPNs across the world you can effectively take back control and access whatever website you need. Your physical location becomes unimportant again, by taking control of your virtual location you have an huge advantage over other internet users by choosing the location you wish to appear from. There are even some other options now take a look at this UK DNS proxy which does something fairly similar and can be used to watch the BBC and Netflix from outside the UK.
Author of – Does BBC Iplayer Work in Ireland
There is one technology normally associated with IP name resolution and that’s DNS (Domain Name System) or Smart DNS, this is probably because it’s the dominant system on the internet. However in the average corporate network you’ll find all sorts of alternative methods to resolving names and IP addresses which have been around for years. Here’s just a few of the common ones that you might come across:
Broadcasting: The use of mass broadcasts to help resolve names is of course very inefficient, basically a plea to the whole network asking for an answer. You’d think that this method isn’t used any more and it’s true most network administrators have tried to remove it from their networks. However for anyone who’s tried to troubleshoot a network of any size you’ll almost certainly find devices who routinely broadcast looking for name resolution. A couple of reasons it doesn’t work well are it generates lots of unnecessary traffic and most routers won’t transmit the broadcasts anyway so calls are frequently just lost. You can configure routers to pass on these message using the IP address helper function but this is not the way to run a fast efficient network.
Netbios over TCP/IP
Netbios was the primary method used by windows computers to resolve names and IP addresses, although again DNS is likely to have replaced it normally. There are 4 methods to Netbios Name resolution and they are usually operated in a distinct order.
- p-Node – Client contacts a WINS or NBNS server using unicast. This needs to be configured on the client server to work properly but then just requires IP connectivity.
- b-Node – Client attempts to contact a WINS or NBNS server using a broadcast. This will only be successful if there is a server on the same subnet or routers are configured to forward the request.
- m- Node – Client uses b-node first then p-node is there is no reply to the initial broadcast.
- h-Node – Client will first use a p-node unicast if configured and then fall back to a b-Node broadcast afterwards.
Windows Internet Names Service is a Microsoft implementation of the NetBios (NBNS) protocol. It’s a dynamic and distributed method of name resolution used mainly in Windows environments. It has all name resolutions saved on central WINs servers, and indeed in some implementations the WINS service was installed automatically on Microsoft Windows server installations. Again it works best when the WINS server is configured correctly on the client, otherwise it will fall back on broadcasts like NBNS.
This is a simple static file similar to a hosts file which is must be created, distributed and kept updated by the network administrator. If a client is configured in h-node then the LMhosts file will be consulted as a fall back method. It can create a lot of work and potential issues in large dynamic environments although it can be used to distribute names of key servers which are unlikley to be moved or modified.