Oracle iPlanet Web Proxy Server 4.0.14 Configuration File Reference

How the Proxy Server Functions

“Proxy” is a general term that means “to act on behalf of a user in an authorized capacity.” A web proxy server accepts client connections and, on behalf of the client, obtains the requested content from an origin server, the server that owns the content.

A typical web proxy accepts connections from clients, decides whether each client is permitted to use the proxy and to access the requested resource, and then completes the connection on behalf of the client to the appropriate origin server. In this manner, the web proxy acts as a server toward the client and as a client toward the origin server.

The two basic types of web proxy server are: a forward proxy and a reverse proxy. While they share much of the same functionality, some definite differences exist between the two types.

Forward Proxy Scenario

A forward proxy provides internal clients with access through a firewall to resources on the Internet. This service is often provided as part of a larger intranet security strategy. Forward proxying allows clients to access resources outside the firewall without compromising the integrity of the private network.

A forward proxy can be configured to keep copies of content in its local cache. Subsequent requests for that content can then be served from the local cache rather than fetched again from the origin server. Caching improves performance by reducing the time spent traversing the network. Because a cached copy is served to any client permitted to use the proxy, content that is private to one user (for example, a response to an authenticated request) should be excluded from caching.

Most proxy servers have the capability to filter requests from users. Administrators can choose to limit access to certain resources that might not be appropriate for the workplace and therefore deny such access.

In a forward proxy scenario, the client is aware of the proxy server and is configured to use it for various requests. The firewall can then be configured to allow only certain traffic from the proxy server rather than permitting such access to all internal clients.

Reverse Proxy Scenario

A proxy server can also provide external clients with access to internal resources that reside behind the corporate firewall. When a proxy server is used to handle connections into a private network, the process is called reverse proxying. The term “reverse” refers to the fact that traffic flows in the opposite direction from normal proxy traffic flow.

A forward proxy is best used to filter content, increase performance, and log user accesses. A reverse proxy provides these benefits and more. You can use a reverse proxy to load balance across multiple servers, provide failover capabilities, and provide access to corporate resources in a safe and secure manner.

In a reverse proxy scenario, the client is not even aware that it is using a proxy server. This transparency is one of the key differences between a forward and reverse proxy server scenario.

URL Mapping

The URL Mapping feature enables the Proxy Server to function as a reverse proxy or a junction by acting as a front-end server. Based on the URI the client requests, the proxy forwards the request to the appropriate back-end application server.

The features included in URL Mapping are:

For information on the Server Application Functions (SAFs) used in URL Mapping, see Server Application Functions (SAFs).

NSAPI Filters

NSAPI enables multiple Server Application Functions (SAFs) to cooperate in processing a request. For example, one SAF can authenticate the client, after which a second SAF generates the content.

Request-Handling Process

At startup, the server performs some initialization and then waits for a request from a client, such as a browser.

The obj.conf file for the server specifies how the request is handled.

  1. Init - Loads and initializes server modules and plugins, and initializes log files.

  2. AuthTrans (authorization translation) - Verifies any authorization information (such as name and password) sent in the request.

  3. NameTrans (name translation) - Translates the logical URI into a local file system path.

  4. PathCheck (path checking) - Checks the local file system path for validity and checks that the requestor has access privileges to the requested resource on the file system.

  5. ObjectType (object typing) - Determines the MIME type (Multipurpose Internet Mail Extensions) of the requested resource (for example, text/html or image/gif).

  6. Input (prepare to read input) - Selects filters that will process incoming request data read by the Service step.

  7. Output (prepare to send output) - Selects filters that will process outgoing response data generated by the Service step.

  8. Service (generate the response) - Generates and returns the response to the client.

  9. AddLog (adding log entries) - Adds entries to log file(s).

  10. Error (error handling) - Executes only if an error occurred in one of the previous steps. The server logs an error message and stops handling the request.

  11. Connect - Calls the connect function you specify.

  12. DNS - Calls either the dns-config built-in function or a DNS function that you specify.

  13. Filter - Passes the data through an external command before the proxy processes that data.

  14. Route - Specifies information about where the proxy server should route requests.
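As an added illustration, not part of the original reference and not the product's own code, the following Python parses a constructed obj.conf for a reverse proxy, groups its directives by the stages listed above, applies the NameTrans `map` directives that the URL Mapping section describes, and reports two things worth checking before deployment: which back-end origins the mappings expose to external clients, and any `map` directive that can never fire because an earlier, broader `map` in the same object shadows it. The second check matters because NSAPI ends the NameTrans stage at the first SAF that returns REQ_PROCEED, so file order decides which mapping wins. The SAF names `map`, `reverse-map`, `url-check`, `proxy-retrieve`, `flex-init`, `flex-log`, `basic-auth` and `dns-config` are Proxy Server SAFs; their argument spellings, the host names, the log format and the helper names (`parse_obj_conf`, `map_url`, `shadowed_maps`, `exposed_origins`) are assumptions made for this example.

```python
import re
from collections import OrderedDict
from urllib.parse import urlsplit

# The obj.conf directive stages, in the order the reference lists them.
STAGES = ("Init", "AuthTrans", "NameTrans", "PathCheck", "ObjectType",
          "Input", "Output", "Service", "AddLog", "Error",
          "Connect", "DNS", "Filter", "Route")

# Constructed sample obj.conf for a reverse proxy fronting two origins.
# SAF names are Proxy Server SAFs; argument names, host names and the
# log format are assumptions made for this example, not product defaults.
SAMPLE_OBJ_CONF = r'''
Init fn="flex-init" access="$accesslog" format.access="%Ses->client.ip% %Req->reqpb.clf-request%"

<Object name="default">
AuthTrans fn="basic-auth" auth-type="basic" userdb="default"
NameTrans fn="reverse-map" from="http://app.internal:8080/" to="http://proxy.example.com/"
NameTrans fn="map" from="http://proxy.example.com/admin/" to="http://admin.internal:8443/"
NameTrans fn="map" from="http://proxy.example.com/" to="http://app.internal:8080/"
PathCheck fn="url-check"
Service fn="proxy-retrieve"
AddLog fn="flex-log" name="access"
DNS fn="dns-config" async-dns="yes"
</Object>
'''

DIRECTIVE_RE = re.compile(r'^(\w+)\s+fn="([^"]+)"(.*)$')
ARG_RE = re.compile(r'([\w.-]+)="([^"]*)"')
OBJECT_OPEN_RE = re.compile(r'^<Object\s+(\w+)="([^"]+)">$')


def parse_obj_conf(text):
    """Return {object_key: {stage: [(fn, args), ...]}} preserving file order.
    Directives outside any <Object> (the Init lines) are keyed by "".
    Raises ValueError for a directive whose stage is not one of STAGES."""
    objects = OrderedDict([("", OrderedDict())])
    current = ""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OBJECT_OPEN_RE.match(line)
        if m:
            current = "%s=%s" % m.groups()      # e.g. "name=default"
            objects[current] = OrderedDict()
            continue
        if line == "</Object>":
            current = ""
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            raise ValueError("line %d: not a directive: %s" % (lineno, line))
        stage, fn, rest = m.groups()
        if stage not in STAGES:
            raise ValueError("line %d: unknown stage %s" % (lineno, stage))
        objects[current].setdefault(stage, []).append((fn, dict(ARG_RE.findall(rest))))
    return objects


def map_url(objects, request_url, obj_key="name=default"):
    """Apply the object's NameTrans "map" directives in file order and return
    the origin URL, or None when nothing matches. NSAPI ends the NameTrans
    stage at the first SAF that returns REQ_PROCEED, so the first matching
    prefix wins and later, more specific mappings are never consulted."""
    for fn, args in objects[obj_key].get("NameTrans", []):
        if fn == "map" and request_url.startswith(args["from"]):
            return args["to"] + request_url[len(args["from"]):]
    return None


def shadowed_maps(objects, obj_key="name=default"):
    """Return the "from" prefixes of "map" directives that can never fire
    because an earlier "map" in the same object already matches them."""
    seen, shadowed = [], []
    for fn, args in objects[obj_key].get("NameTrans", []):
        if fn != "map":
            continue
        if any(args["from"].startswith(prev) for prev in seen):
            shadowed.append(args["from"])
        seen.append(args["from"])
    return shadowed


def exposed_origins(objects):
    """Host:port targets reachable through any "map" directive, i.e. the
    back-end surface the reverse proxy makes reachable from outside."""
    return {urlsplit(args["to"]).netloc
            for stages in objects.values()
            for fn, args in stages.get("NameTrans", [])
            if fn == "map"}


if __name__ == "__main__":
    objs = parse_obj_conf(SAMPLE_OBJ_CONF)
    for stage in STAGES:                       # print the SAF chain per stage
        for fn, args in objs["name=default"].get(stage, []):
            print("%-10s %s %s" % (stage, fn, args))
    print(map_url(objs, "http://proxy.example.com/admin/users"))
    print("exposed:", sorted(exposed_origins(objs)))
    print("shadowed:", shadowed_maps(objs))
```

Run against the sample, the admin mapping resolves to the admin origin and nothing is shadowed; swap the two `map` lines so the site-wide mapping comes first and the admin mapping is reported as unreachable, because every `/admin/` request is already claimed by the broader prefix. `exposed_origins` is the list to compare against what the reverse proxy is meant to publish.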

Directives for Handling Requests

The obj.conf file contains a series of instructions, known as directives, that tell Proxy Server what to do at each stage in the request-handling process. Each directive invokes a Server Application Function (SAF) with one or more arguments. Each directive applies to a specific stage in the request-handling process. The stages are Init, AuthTrans, NameTrans, PathCheck, ObjectType, Input, Output, Service, AddLog, Error, Connect, DNS, Filter, and Route.