
SSL Reverse Proxy Overview


A reverse proxy is a common type of proxy server, which is accessible from the public network. Reverse proxies are managed by the web service, and they are accessed by clients from the public internet.

You can configure the SSL reverse proxy to protect your SSL-enabled web servers against client-to-server attacks from malicious clients. This works by loading the SSL private key of the web server onto the SRX Series device, so that the device can inspect traffic from clients that you do not control. For example, when an external user on the internet accesses a corporate web server, the user initiates the HTTPS connection to the web server. The SSL reverse proxy profile holds the server's private key, intercepts the traffic, and sends the decrypted payload to the other Layer 7 services enabled in the security policy, for example, IDP for attack detection.

Like forward proxy, reverse proxy requires a profile to be configured at the firewall rule level. In addition, you must also configure server certificates with private keys for reverse proxy. During an SSL handshake, the SSL proxy performs a lookup for a matching server private key in its server private key hash table database. If the lookup is successful, the handshake continues; otherwise, the SSL proxy terminates the handshake. Reverse proxy does not intercept server certificates: it forwards the actual server certificate chain as is to the client without modifying it. Intercepting the server certificate occurs only with forward proxy.
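The following Junos set-mode configuration is an added example of the steps this paragraph describes (loading the server certificate and private key, creating a reverse proxy profile, and applying it with IDP on the policy that permits inbound HTTPS). It is not taken from the Juniper documentation; the certificate ID `web-server-cert`, the profile name `rp-profile`, the zone names, the address-book entry `web-server`, and the file paths are placeholders, and the exact keyword for enabling IDP on a policy varies by Junos release.

```junos
# Added example, not from the Juniper documentation. All names and paths are placeholders.

# 1. Load the web server's certificate and private key into the device PKI store
#    (operational mode). The private key is what the proxy looks up during the
#    handshake; without it the handshake for this server is terminated.
request security pki local-certificate load certificate-id web-server-cert filename /var/tmp/web-server.crt key /var/tmp/web-server.key

# 2. Create the reverse proxy profile. Referencing a server-certificate (rather
#    than a root-ca, which is what a forward proxy profile uses) makes this a
#    reverse proxy profile. Logging all events helps when diagnosing terminated
#    handshakes, for example a client SNI that has no loaded key.
set services ssl proxy profile rp-profile server-certificate web-server-cert
set services ssl proxy profile rp-profile actions log all

# 3. Apply the profile on the policy that permits HTTPS from the untrust zone to
#    the server, together with IDP so that IDP inspects the decrypted payload.
set security policies from-zone untrust to-zone trust policy allow-https match source-address any
set security policies from-zone untrust to-zone trust policy allow-https match destination-address web-server
set security policies from-zone untrust to-zone trust policy allow-https match application junos-https
set security policies from-zone untrust to-zone trust policy allow-https then permit application-services ssl-proxy profile-name rp-profile
set security policies from-zone untrust to-zone trust policy allow-https then permit application-services idp
```

The policy direction matters: for reverse proxy the profile is applied on the inbound policy (public zone to server zone), which is the opposite of a forward proxy deployment.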

Figure 1 shows how SSL reverse proxy works on an encrypted payload. When application firewall (AppFW), intrusion prevention system (IPS), or application tracking (AppTrack) is configured, SSL reverse proxy acts as an SSL server terminating the SSL session from the client and a new SSL session is established to the server. The device decrypts and then re-encrypts all SSL reverse proxy traffic. SSL reverse proxy uses the following services:

  • SSL-T (SSL terminator) on the client side

  • SSL-I (SSL initiator) on the server side

  • Configured AppFW, IPS, or AppTrack services, which use the decrypted SSL sessions
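Because the SSL-T terminator can only complete a handshake when the loaded private key actually belongs to the server certificate, a practical pre-deployment check is to confirm that the two PEM files match before loading them onto the device. The script below is an added example, not part of the Juniper documentation or the SRX software; it assumes `openssl` is installed and that the certificate and key are PEM files, and compares the public key embedded in the certificate with the public key derived from the private key.

```shell
#!/bin/sh
# Added example (not from the Juniper documentation): check that a server
# private key matches a certificate before the pair is loaded for reverse proxy.
# Assumes openssl is on PATH and both inputs are PEM encoded.

# Returns 0 when the key matches the certificate, 1 on mismatch,
# 2 when either file cannot be parsed by openssl.
key_matches_cert() {
    cert="$1"
    key="$2"
    # Public key (SubjectPublicKeyInfo) extracted from the certificate.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    # Public key derived from the private key; same encoding as above.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Command-line usage: key_check.sh server.crt server.key
if [ "$#" -eq 2 ]; then
    if key_matches_cert "$1" "$2"; then
        echo "OK: private key matches certificate $1"
    else
        rc=$?
        [ "$rc" -eq 2 ] && echo "ERROR: could not parse $1 or $2" || echo "MISMATCH: $2 does not belong to $1"
        exit "$rc"
    fi
fi
```

A mismatch here means the device would hold a key that never satisfies the handshake lookup, so every client session to that server would be terminated rather than inspected.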

Figure 1: SSL Reverse Proxy on an Encrypted Payload

Benefits of Reverse Proxy

  • A reverse proxy can hide the existence and characteristics of origin servers.

  • A reverse proxy can distribute the load from incoming requests to several servers, with each server supporting its own application area.