How Reverse Proxies Hide Backend Servers.
Behind the scenes, reverse proxies act as gatekeepers, concealing the true location of backend servers. By intercepting traffic and masking sensitive infrastructure details, they keep the internal network hidden from prying eyes, while still delivering services efficiently and securely.
When a reverse proxy hides backend servers, it means the backend server's private IP address and infrastructure details are hidden from the public. The reverse proxy becomes the only point of contact for external users, effectively protecting the internal network.
Let's break this down with a detailed example:
Configuration:
• You have a public website (e.g., mywebsite.com) that users around the world access.
• The backend server running the website is hosted in a private network, say a private IP like 192.168.1.60.
• The reverse proxy server has a public IP (e.g., 203.0.113.1) and is exposed to the internet.
Without a Reverse Proxy
Public IP Exposure:
Without a reverse proxy, your backend server has to be directly connected to the internet with a public IP address.
For instance, if the backend server has a public IP like 203.0.113.2, users will connect directly to it. This can expose your server to risks like:
• DDoS attacks: If attackers flood the server with requests, they can easily overwhelm it since the public IP is exposed.
• Direct hacking attempts: Attackers can scan the public IP and attempt various attacks like brute-force login attempts or trying to exploit known vulnerabilities.
With a Reverse Proxy
1. Hiding the Backend:
A reverse proxy (e.g., Nginx or Apache) sits between the internet and your backend server. The proxy server has a public IP address (e.g., 203.0.113.1), but the backend server remains on a private IP (e.g., 192.168.1.60).
External users (including attackers) never see the private IP of your backend server.
2. Traffic Pathway:
• User request: When a user visits mywebsite.com, DNS resolves it to the reverse proxy's public IP (203.0.113.1), not the backend server.
• The user's browser connects to the reverse proxy at 203.0.113.1, and the reverse proxy then forwards the request to the backend server at its private IP (192.168.1.60).
• The backend server responds to the proxy, and the proxy sends the response back to the user.
3. Security Enhancement:
Public-facing IP: The only public IP exposed to the internet is that of the reverse proxy (203.0.113.1), which acts as a barrier.
Private backend: The backend server's private IP (192.168.1.60) is hidden and only accessible to the reverse proxy.
This means:
• Attackers can't directly attack your backend server since its private IP is not routable on the internet.
• Even if attackers try to scan your reverse proxy IP (203.0.113.1), they are only interacting with the proxy, not the backend. This means you can configure firewall rules, rate-limiting, and DDoS protection on the proxy to block malicious traffic before it reaches your backend server.
• If an attacker tries to access services on the backend server (such as HTTP/HTTPS traffic or web-based services and applications), they won't succeed because they can't reach the private network where your backend server resides.
4. Internal Communication:
Inside the private network, the backend server communicates with the reverse proxy using private IPs (for example 10.0.1.1, 172.20.0.1, or 192.168.1.60). This traffic can be further secured by network firewalls, and attackers won't have access to this internal communication.
Below is a Reverse Proxy Traffic Flow Diagram:
        Users on the internet
                  |
                  | Requests from internet
                  v
    +-----------------------------+
    |        Reverse Proxy        |
    |   Public IP: 203.0.113.1    |
    +-----------------------------+
                  |
                  | Internal requests
                  v (Private Network)
    +-----------------------------+
    |       Backend Server        |
    |  Private IP: 192.168.1.60   |
    +-----------------------------+
Public IP vs. Private IP
Public IP: An IP address that can be reached from anywhere on the internet. If your server has a public IP, anyone in the world can send traffic to it.
Example: 203.0.113.1, 8.8.8.8 (Google DNS), etc.
Private IP: An IP address used within a local network (e.g., home, office, or cloud environments) that cannot be accessed directly from the internet.
Example: 192.168.1.50, 10.0.0.2.
These addresses are reserved for private use (the RFC 1918 ranges 10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) and must sit behind a router or a proxy to communicate with the outside world.
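To make the setup described in the "With a Reverse Proxy" steps and the Public IP vs. Private IP distinction concrete, here is an added shell script (my own example, not code from the article or from the Nginx project). It checks a backend address against the three RFC 1918 private ranges and, only if the check passes, renders the Nginx server block that forwards mywebsite.com to the backend at 192.168.1.60. Plain HTTP on port 80 and the config file path mentioned in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Builds an Nginx site config
# for mywebsite.com that forwards to the private backend 192.168.1.60, and
# refuses to build it if the backend address is not RFC 1918 private
# (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16). Output path is an assumption.

# Return 0 (true) when the dotted-quad in $1 lies inside an RFC 1918 range.
# This is a prefix check on the string; it does not fully validate the IP.
is_rfc1918() {
    case "$1" in
        10.*|192.168.*)
            return 0 ;;
        172.*)
            # 172.16.0.0/12 covers second octets 16 through 31 only.
            second=${1#172.}
            second=${second%%.*}
            case "$second" in
                ''|*[!0-9]*) return 1 ;;
            esac
            if [ "$second" -ge 16 ] && [ "$second" -le 31 ]; then
                return 0
            fi
            return 1 ;;
    esac
    return 1
}

# Print an Nginx server block: listen on the public side, proxy_pass to the
# private backend, and pass the original client details along as headers
# so the backend's logs still show who actually made the request.
render_proxy_config() {
    site="$1"
    backend="$2"
    cat <<EOF
server {
    listen 80;
    server_name $site;

    location / {
        proxy_pass http://$backend;
        proxy_set_header Host \$host;
        proxy_set_header X-Real-IP \$remote_addr;
        proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
    }
}
EOF
}

# Validate the backend address first, then print the config. Returns 1 and
# prints nothing when the backend address would be reachable from the internet.
build_site() {
    site="$1"
    backend="$2"
    if ! is_rfc1918 "$backend"; then
        echo "refusing: backend $backend is not an RFC 1918 private address" >&2
        return 1
    fi
    render_proxy_config "$site" "$backend"
}

# Values from the article. Redirect the output into the Nginx conf directory
# (for example /etc/nginx/conf.d/mywebsite.com.conf, an assumed path) and run
# 'nginx -t' before reloading.
build_site mywebsite.com 192.168.1.60
```

Write the printed block to the site config, run nginx -t, then reload. On the backend host, pair this with a host firewall rule that accepts TCP port 80 only from the proxy's internal address, so that the proxy really is the only path to the application even from inside the private network.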
Benefits of Hiding the Backend
Less exposed attack surface: The backend servers are not directly accessible, making it harder for attackers to target them.
Layered security: Attackers must first get past the reverse proxy's security measures before even attempting to interact with the backend.
Reduced attack vectors: Since backend servers don't have public IP addresses, they aren't as exposed to various internet-based attacks, reducing the chances of a successful compromise.
As a result, reverse proxies are essential for organizations seeking to maintain a secure and efficient online presence while protecting sensitive data and resources.
We hope you found this information beneficial!