I2067: Reverse Proxies
Summary
Product: FreeProxy Internet Suite
Versions: all
Note: 2067
Date reported: 30 March 2008

Issue Detail
How to set up a reverse proxy

Solution
What is a reverse proxy?
A reverse proxy accepts connections from the internet and redirects them to an internal server. By comparison, the usual proxy configuration accepts connections from a local network of clients and routes their requests to web servers on the internet.

This is done for a variety of reasons.
  1. To offload incoming connection authentication from the web server.
  2. To allow internet users access to web servers where the location and IP address of the proxy matter. Browsing then appears to originate from the proxy's IP address and location.
  3. Address hiding. This is the basis of "Free Proxy Serving" (not FreeProxy), where users connect to the proxy server in order to hide their address. From the web server's point of view, the connecting IP address is that of the proxy and not the user.
  4. To protect an internal server, such as a web server, from direct access from the internet. For example, to place a web server on your LAN, you run FreeProxy in your DMZ (internet-facing servers) and redirect all port 80 traffic to the internal web server. In this way you can protect your web server from hacking attacks. Your DMZ server is typically highly secure, and the web server can be less security conscious seeing that it only exposes one port to the internet.
Setting up the firewall rules on a router

This router is typically connected to the internet directly as a combined internet modem (broadband cable or ADSL), or it is a separate router connected to a broadband modem.
Allow incoming connections on the proxy port, redirecting connections from the internet to a LAN server running FreeProxy. An example is shown below for the D-Link DI624 router. The example shows the connection from the internet (WAN) to the internal network (LAN). The IP address 192.168.100.100 is the LAN server running FreeProxy listening on port 8080.

Setting up the Windows XP firewall

Control Panel -> Change Windows Firewall Settings -> Network Connection Settings, Settings button -> Add. Fill in the name of the service, the IP address of the server running FreeProxy, and the external and internal ports. The external port number depends on how this server is connected. If it is connected to a firewall, then it should be the same as the internal port number in the router firewall rule. If it is connected directly to the internet, then it should be the port number that internet users will use.

Setting up FreeProxy

FreeProxy setup is simple. You define the proxy in the normal way. This will allow incoming connections, wherever they are sourced, to access the internet. Alternatively, you can force redirection to a particular server by specifying "Use Proxy Server". This forces all incoming connections on that port to connect to the "upstream" proxy you specify. To force all TCP connections, regardless of their type, to connect to a particular internal server, you can use the TCP tunnel rather than the HTTP proxy.

Security considerations
Opening up your proxy to external connections is a security risk unless you have taken steps to minimise possible issues. The most obvious risk is the fact that if your proxy is open to the internet, anyone can redirect traffic through your proxy and therefore undertake any manner of nefarious activity. You don't want that.

If the proxy is internet facing, you can use internet address permissions to restrict the list of internet addresses that can access the proxy. If you want to offer this to a limited number of people, you can implement proxy authentication. A simple internal FreeProxy user will suffice. In addition, you could limit the times at which users may access the internet or are allowed to connect from the internet, and/or limit the sites that can be viewed using resource permissions.

You should seriously consider logging all accesses and checking the logs from time to time to ensure only allowed users are using the reverse proxy.
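
One way to carry out the periodic log check described above, as an added example that is not part of the original article or of FreeProxy. The log line format, the permitted networks and the user names are assumptions constructed for illustration; adapt the parsing to the log format your proxy actually writes.

```python
import ipaddress
from collections import Counter

# Assumed policy (hypothetical values) mirroring the proxy's address permissions and users.
ALLOWED_NETS = [ipaddress.ip_network(n) for n in ("192.168.100.0/24", "203.0.113.0/28")]
ALLOWED_USERS = {"alice", "bob"}

# Constructed sample log. Assumed line format (not FreeProxy's own):
# <date> <time> <client-ip> <user or -> <method> <target> <status>
SAMPLE_LOG = """\
2008-03-30 09:12:01 203.0.113.5 alice GET http://intranet.example/ 200
2008-03-30 09:12:44 198.51.100.23 - CONNECT mail.example:25 200
2008-03-30 09:13:10 203.0.113.9 mallory GET http://intranet.example/admin 407
2008-03-30 09:14:02 198.51.100.23 - GET http://other.example/ 200
not a log line
2008-03-30 09:15:30 192.168.100.7 bob GET http://intranet.example/ 200
"""

def audit(log_text, nets=ALLOWED_NETS, users=ALLOWED_USERS):
    """Return (findings, per-IP finding counts, line numbers that could not be parsed)."""
    findings, unparsed, counts = [], [], Counter()
    for lineno, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) != 7:
            unparsed.append(lineno)   # never skip silently: gaps hide activity
            continue
        _, _, ip_s, user, _method, _target, status = parts
        try:
            ip = ipaddress.ip_address(ip_s)
        except ValueError:
            unparsed.append(lineno)
            continue
        reasons = []
        if not any(ip in n for n in nets):
            reasons.append("source address not permitted")
        if user == "-":
            reasons.append("no authenticated user")
        elif user not in users:
            reasons.append("unknown user")
        if reasons:
            # A 2xx/3xx status on a violating request means the proxy actually served it.
            relayed = status[:1] in ("2", "3")
            findings.append((lineno, ip_s, user, relayed, reasons))
            counts[ip_s] += 1
    return findings, counts, unparsed

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG)[0]:
        print(finding)
```

A finding with `relayed` set to true is the case to act on first: the address permissions or authentication did not stop the request, so the proxy configuration itself needs correcting.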
Hand-Crafted Software.