Reverse proxy in computer networks is a type of proxy server, which receives the resources and requests of a client and directs them to one or more servers. The reverse servers perform as the opposite of a forward proxy server, receiving user requests from outside the internal network to smooth the flow of network traffic between clients and servers.
In the other words forward proxy server is an intermediary structure that receives various requests of different clients and forwards them to different servers. Proxy servers receive requests from within the network and send them outside the network or the Internet, but that cannot provide clients with extra levels of abstraction and control.
Why using a reverse proxy is popular?
The question is why would anyone add this extra middleman to their Internet activity? Answering this question leads us to find common uses for Reverse servers. Load balancing, web acceleration, and security are what we achieve in favor of Reverse proxy. Reverse proxy servers classify the identity of users, so the users would stay unrecognizable.
The reverse proxy server protects the identities and acts of those who send requests by the mean of traversing their requests headed for your backend servers. That operates as an additional defense against security attacks.
Spoon feeding optimization is an optimizing method executed by the reverse proxy. Optimizing web servers by the spoon-feeding method is one of the main answers to why using a reverse proxy is popular. Spoon feeding allowing valuable computation resources to quickly complete the network part of their work. What happens to free up valuable computation resources.
Why do we call this method spoon-feeding? The answer is clear. The reverse proxy sends the data (spoon) to the remote clients. Just like spoon-feeding the clients. When a web page is dynamically generated, it can benefit a lot from spoon-feeding optimization. When a forward web server cannot perform TLS encryption, it offloads the task to a reverse proxy. So, the reverse proxy might intermediate your connection, while you are not aware of its effect. You may also benefit from its effect, without being aware of its quiddity.
Reverse server transforms in bond and out bond data, just like how the zip compress them. They also store data that they receive temporarily. It speeds up the flow of traffic between clients and servers. The reverse proxy can also execute extra responsibilities such as SSL encryption.
A reverse proxy can also operate like a person who obliges individuals at a traffic crossing. It sits in front of your backend server and manages the receiving data by distributing client requests across a group of servers. So, we can be sure that no servers are overloaded, and their speed is at the maximum rate. Also, the reverse servers can identify down web servers and redirect clients’ requests to the remaining online servers.
HTTPS request smuggling and reverse proxy
Let us dig deep inside the HTTPS request smuggling issue to figure out how it affects the security of individuals and companies. This article contains what we have discovered, through answering what would happen if we act against Citrix ADC/NetScaler. Therefore, this article does not contain subjects such as showing intensive testing. Besides, we would discuss demonstrating offensive techniques later due to their importance. Hackers try to exploit differences between web servers and their reverse proxy, during HTTPS request smuggling.
Brief description of HTTPS request smuggling issue consequences
This cybersecurity issue occurs when attackers attempt to smuggle malicious HTTP Requests. Therefore, it would be possible to begin HTTP Desync attacks. These attacks take place between a backend Web Server and Reverse servers or Load Balancer. All these incidents eventually lead to redirecting users to controlled phishing sites or injecting requests that hit legit users, enabling account takeovers via XSS and Cookie stealing. The point is that all these incidents occur behind a cooperate firewall.
When does it happen?
When reverse Proxy and backend webservers stop complying with RFC7230 (HTTP 1.1), occurring HTTP Request Smuggling would be possible. As a result, abnormal HTTP 1.1 requests can be passed through proxy servers. That is when the HTTPS request smuggling issue happens. All systems that have faced HTTPS request smuggling up to now had three features in common:
- Not complying with the critical codes such as RFC 7230 HTTP 1.1.
- Lack of multiplexing in its proper place.
- Lack of interpreting HTTP Requests differently.
Now that exploiting from HTTPS request smuggling is getting common and popular, it’s better to be careful about your security. Managing such an attack requires mastering the various topics surrounding HTTP / 1.1.
Where does this vulnerability come from?
Open-source libraries have always been a popular target among attackers. Due to the serious lack of information among those who use open source libraries, it would take a long time to remediate their vulnerabilities. There are several ways to increase open sources’ security to decrease HTTPS request smuggling probability. All these methods have been invented based on researching vulnerabilities.
Remediation of HTTPS request smuggling
Now that we know about the quiddity of HTTPS request smuggling, it is time to learn how to remediate it. As we mentioned, HTTPS request smuggling happens when reverse Proxy and backend webservers stop complying with RFC7230 (HTTP 1.1). Just like planning for this attack, remediating it is tricky too.
What if directing requests to reverse proxy does not go well?
There are various pros and cons of implementing reverse proxy servers. Reports have shown many attacks are related to reverse servers, whether directly or indirectly. Considering this fact makes it clear that reverse proxy servers don’t always bring safety to your network.
Reverse proxy servers have access to clients’ IP, requests, and traffic. As it should re-encrypt and transform the clients’ traffic, it also has access to TLS private keys. Therefore, it can inject malware into the web sites or even log all credit information, and passwords going through it.
Those facts do not prove anything that confirms not implementing reverse proxy is better than implementing them, but it proves that we have to be careful about our security while using modern technologies.
How to choose between CDN and reverse proxy?
CDN is an advanced version of reverse server, but it does not mean that it is better than a reverse proxy. CDN can cache what you publish and serve it to clients. Therefore, you can reduce the bandwidth costs and load on your origin servers. As implementing CDN reduces the load on your server origin, it can maximize your website speed and boosts the SEO of your website.