Firewall Wizards mailing list archives

RE: Reverse proxy ??


From: "Anton J Aylward" <anton () the-wire com>
Date: Wed, 3 Nov 1999 10:30:49 -0500


I feel no one has clearly said what a Reverse Proxy is.

Good description.  While it's undoubtedly common, I don't think 
it's a universal one.  I've seen internal reverse proxies in 
e-commerce applications that ensure if the firewall is subverted
it can't be used as a springboard to the internal database.

The database issues a reverse request ("do you want something?")
to the RP.  The RP asks the proxy/firewall/server if it has any 
requests.  There is no route from the proxy/firewall/server to
the database except by the RP.  If the p/f/s is subverted it can't
go anywhere because the RP port on that side will not accept incoming.
AT ALL.   Kind of like back-to-back diodes ;-) 

(This model is obviously based on the old style corner store.  You
 walked up to the counter and the sales clerk asked you what you wanted.
 There was no display and no catalogue.  You had to know what you wanted
 and know how to ask for it.  No displays and no goods out on show means
 no shoplifting.  Good model for e-commerce, eh?)

Why call this a reverse proxy?  Because it is a proxy but it's pointing
in the other direction.  (It's acting on behalf of the database.)

Which begs the question, why call the example Eric gave a "reverse proxy"?
I can see that it's acting "in proxy", although this is different from
the kind of proxy we have on a firewall for incoming connections, and
is indeed pointing in the other direction, but its primary purpose is 
caching.   Why isn't it called a mumblemumble[1] cache?   Or is this more
of the attempt of the English language to create a technical priesthood
by obfuscating the obvious?

--------------------------------------------------------------------
Anton J Aylward, CISSP          | Maybe somebody should try to teach 
System Integrity                        | journalists to say "scriptkiddies". 
InfoSec Auditing & Consulting   | It would reduce the ego-boost would-be 
Voice: (416) 421-8182           | "elite hackers" get from descriptions 
aja () si on ca                         | of their squalid little pranks.

[1] Insert your own "this isn't rocket science" keyword in place of 
    "mumblemumble".

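The pull arrangement described in the message above, sketched as an added example that is not part of the original post or any product it refers to. The names `FrontServer` and `inner_poll_once`, the one-line JSON exchange and the sample `DATABASE` are assumptions made for illustration: the exposed server holds the only listening socket, and the inner RP only ever dials out to ask whether there is work.

```python
import json, queue, socket, socketserver, threading

# Constructed sample data standing in for the internal database.
DATABASE = {"sku-1001": "in stock", "sku-2002": "back-ordered"}

class PollHandler(socketserver.StreamRequestHandler):
    """One poll: take the answers the inner side brings, hand back queued work."""
    def handle(self):
        self.server.answers.update(json.loads(self.rfile.readline()))
        work = {}
        try:
            while True:
                rid, key = self.server.pending.get_nowait()
                work[rid] = key
        except queue.Empty:
            pass
        self.wfile.write((json.dumps(work) + "\n").encode())

class FrontServer(socketserver.ThreadingTCPServer):
    """The exposed proxy/firewall/server: the only listener in the design."""
    daemon_threads = True
    def __init__(self):
        super().__init__(("127.0.0.1", 0), PollHandler)
        self.pending = queue.Queue()  # (request id, item key) from customers
        self.answers = {}             # request id -> answer for the customer

def inner_poll_once(front_addr, carried):
    """Inner RP: dial out, deliver answers, collect new requests.
    It never calls bind() or listen(), so the front has nothing to connect to."""
    with socket.create_connection(front_addr, timeout=2) as s, s.makefile("rw") as f:
        f.write(json.dumps(carried) + "\n")
        f.flush()
        work = json.loads(f.readline())
    # Exact-key lookups only: no query language and no catalogue to browse.
    return {rid: DATABASE.get(key, "no such item") for rid, key in work.items()}

def demo():
    front = FrontServer()
    threading.Thread(target=front.serve_forever, daemon=True).start()
    front.pending.put(("r1", "sku-1001"))
    front.pending.put(("r2", "show-me-everything"))
    carried = inner_poll_once(front.server_address, {})  # first poll picks up work
    inner_poll_once(front.server_address, carried)        # next poll delivers answers
    front.shutdown()
    front.server_close()
    return front.answers

if __name__ == "__main__":
    print(demo())
```
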

