Reverse proxy, or IP-forwarding, topologies use a reverse proxy server, such as the Caching Proxy in WebSphere Application Server Edge Components, to receive incoming HTTP requests and forward them to a Web server. The Web server forwards the requests to the Application Servers for actual processing. The reverse proxy returns completed requests to the client, hiding the originating Web server.
The following figure shows a simple reverse proxy topology.
In this example, a reverse proxy resides in a demilitarized zone (DMZ) between the outer and inner firewalls. It listens on an HTTP port, typically port 80, for HTTP requests. The reverse proxy then forwards such requests to an HTTP server that resides on the same machine as WebSphere Application Server. After the requests are fulfilled, they are returned through the reverse proxy to the client, hiding the originating Web server.
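The request flow described above, as an added example that is not part of the original documentation or of any IBM product: a minimal Python reverse proxy that forwards GET requests to an internal Web server and removes the response details that would reveal it. The BACKEND and PUBLIC addresses, listening port 8080 and the list of dropped headers are assumptions made for illustration.

```python
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

BACKEND = "http://10.0.0.5:9080"    # constructed address of the internal Web server
PUBLIC = "http://www.example.com"   # constructed public name clients use for the proxy

# Response headers that identify the origin server or are hop-by-hop (assumed list).
DROP = {"server", "x-powered-by", "via", "connection", "keep-alive",
        "transfer-encoding", "content-length"}

def relay_headers(headers, backend=BACKEND, public=PUBLIC):
    """Return the backend's response headers in the form the client may see."""
    out = []
    for name, value in headers:
        if name.lower() in DROP:
            continue
        if name.lower() in ("location", "content-location") and value.startswith(backend):
            value = public + value[len(backend):]   # keep redirects pointing at the proxy
        out.append((name, value))
    return out

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    def redirect_request(self, *args, **kwargs):
        return None   # do not follow 3xx; hand the redirect back to the client

OPENER = urllib.request.build_opener(_NoRedirect)

class ProxyHandler(BaseHTTPRequestHandler):
    server_version, sys_version = "proxy", ""   # banner shown instead of the backend's

    def do_GET(self):
        try:
            resp = OPENER.open(BACKEND + self.path, timeout=10)
        except urllib.error.HTTPError as err:   # 3xx/4xx/5xx still carry a response
            resp = err
        except OSError:
            self.send_error(502, "Bad Gateway")  # no backend address in the error
            return
        body = resp.read()
        self.send_response(resp.code)
        for name, value in relay_headers(resp.headers.items()):
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

if __name__ == "__main__":
    ThreadingHTTPServer(("0.0.0.0", 8080), ProxyHandler).serve_forever()
```

A redirect that still names the internal host, or a passed-through `Server` header, is the usual way the originating Web server leaks through an otherwise correct proxy, so both are worth checking from outside the outer firewall.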
Typical use
Reverse proxy servers are typically used in DMZ configurations to provide additional security between the public Internet and the Web servers (and application servers) servicing requests. A reverse proxy product used with WebSphere Application Server must support Network Address Translation (NAT) and WebSphere Application Server security.
Reverse proxy configurations support high-performance DMZ solutions that require as few open ports in the firewall as possible. The reverse proxy capabilities of the Web server inside the DMZ require as few as one open port in the second firewall, potentially two if using Secure Sockets Layer (SSL) on port 443.
Advantages of using a reverse proxy server in a DMZ configuration include:
The reverse proxy configuration is also a disadvantage in some environments where security policies prohibit using the same port or protocol for inbound and outbound traffic across a firewall.
Disadvantages of using a reverse proxy server in a DMZ configuration include the following:
Instructions
Implementation specifics are determined by the reverse proxy server. Refer to the documentation for the product you are using. No additional WebSphere Application Server administration is required for the reverse proxy server, although you might need it for other elements of the reverse proxy topology.