httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From solprovi...@apache.org
Subject Re: [users@httpd] different kinds of proxies
Date Fri, 25 Jul 2008 03:35:36 GMT
On 7/24/08, Rich Schumacher <rich.schu@gmail.com> wrote:
> On Wed, Jul 23, 2008 at 8:50 AM, André Warnier <aw@ice-sa.com> wrote:
> > Hi. Me again butting in, because I am confused again.
> > When users workstations within a company's local network have browsers
> configured to use an internal "http proxy" in order to access Internet HTTP
> servers, is this internal proxy system a "forward" or a "reverse" proxy ?
> > I am not talking here about a generic IP Internet router doing NAT, I am
> talking specifically about a "web proxy".  This HTTP proxy may also do NAT
> of course, but its main function I believe is to cache pages from external
> servers for the benefit of internal workstations, no ?
> > If this is a forward proxy, then I do not understand the comment of
> Solprovider that seems to indicate that such things are obsolete and/or
> dangerous.  At any rate, they are in use in most corporate networks I am
> aware of.
> > André
>
> What you are talking about is a forward proxy and most of the time they are
> transparent to the users behind them.  Things do get a little blurry,
> though, as sometimes they handle routing and NATing as well. SafeSquid
> (http://en.wikipedia.org/wiki/SafeSquid) of this in terms
> of software.  They are also hardware based solutions, such as Barracuda
> networks web filter, but I do not believe this does caching.

Forward proxies are considered dangerous because the client is hidden
from Internet servers -- the Internet servers see the proxy server's
IP Address instead of the client's IP address creating a shield for
the client.  A malicious attacker can daisy-chain several open forward
proxies making tracking the client very difficult for administrators
and law enforcement.

I stated forward proxies were obsolete because they require
configuring the client to integrate with the forward proxy while most
of the beneficial legitimate functions can be gained without requiring
client configuration.  A gateway server can handle
- NAT between internal corporate clients and the Internet,
- Firewalling blacklisted IP Addresses and websites,
- Logging all traffic, and
- Saving and serving static pages from cache
Without the definitive feature of a forward proxy -- requiring every
client be configured to use the gateway server as a forward proxy.  A
gateway is protected by the NAT functionality -- only internal clients
can use the proxy function.  A forward proxy requires additional
security to prevent external clients from using the proxy function.

Any NAT protects the IP Addresses of internal clients, but integration
is handled at the network routing level rather than the application
level.  A NAT can be called a "proxy" because it hides the internal IP
Addresses or a "gateway" because it connects networks.  "Proxy"
requires disambiguation: "forward", "reverse", or "network."  I prefer
"gateway" rather than "network proxy" and "front-end Web server"
rather than the technically accurate "reverse proxy" because
non-technical people understand better.

SafeSquid is described as a "proxy" in Wikipedia and as a "gateway" in
Novell's marketing material:
   http://www.novell.com/partnerguide/product/206554.html
This page also states SafeSquid can "deliver user-benefits with
zero-software deployment at user-level systems" so SafeSquid does not
meet the definition of a forward proxy while providing the benefits of
cache, firewalling, blacklisting, logging, etc..

Definitions:
- Proxy: Something or someone hiding the clients' information.   A
lawyer may be a "proxy" bidding on property without identifying the
client.
- Gateway (or "Network Proxy"): Server connecting networks.  Called a
"router" if dedicated hardware.  Called a "gateway server" when
handling functions beyond network routing.
- Forward Proxy: A proxy requiring clients be configured to use the
forward proxy.  Clients' information is hidden even on same network.
- Reverse Proxy: A front-end server able to parse requests to
distribute to multiple applications.
- NAT (Network Address Translation): A function of a gateway when
different networks use different address schemes.  The address is
translated to the gateway's address on the new network; the gateway
translates responses to return to the requesting client.  The function
was once important to integrate different network types (IP, NetBIOS,
AppleTalk, etc.).  With the demise of most network protocols, this
term is currently almost-exclusively associated with "IP masquerading"
for connecting local networks to the Internet.

As SafeSquid proves, the many functions required to implement
"Corporate Internet Access Policies" can be handled by a gateway
server without requiring a forward proxy.  The only function specific
to a forward proxy is hiding client information from other computers
on the same network; I am still wondering if this function has a
legitimate use.

[As Rich's other posts indicate, his use of forward proxies was
laziness/productivity (using a forward proxy to avoid extra work
remotely accessing different computers during testing) or illegitimate
(bypassing corporate security.)  I find his stories interesting and
informative.]

To answer André's last concern:
Yes, many companies use forward proxies because that was once the
recommended method to implement Corporate Internet Access Policies.
No, they do not need to use forward proxies to gain the same benefits
today.  Yes, most companies change very slowly.

solprovider
Mime
View raw message