
Introduction:
Forward proxies and reverse proxies are often conflated, yet they serve opposite security functions in modern network architectures. A forward proxy acts on behalf of internal users to control outbound traffic, enforce web filtering, and anonymize requests, while a reverse proxy protects backend applications by intercepting inbound traffic, load balancing, and shielding servers from direct client exposure. Misconfiguring one as the other can lead to data leaks, unauthorized access, or complete service disruption.
Learning Objectives:
– Differentiate between forward proxy and reverse proxy use cases in zero-trust and SASE frameworks.
– Implement basic forward proxy configurations using Squid on Linux and client-side settings on Windows.
– Deploy a reverse proxy with Nginx or IIS to protect an internal web application and enforce TLS termination.
– Analyze proxy logs to detect anomalous outbound or inbound traffic patterns.
You Should Know:
1. Forward Proxy Setup: Controlling Outbound Traffic on Linux and Windows
A forward proxy sits between users and the internet. It can filter malicious websites, cache content, and hide internal IP addresses.
Step‑by‑step guide – Squid forward proxy on Ubuntu 22.04:
```bash
# Update system and install Squid
sudo apt update && sudo apt install squid -y
# Back up the original config
sudo cp /etc/squid/squid.conf /etc/squid/squid.conf.bak
# Edit configuration to allow only the internal subnet (e.g., 192.168.1.0/24)
sudo nano /etc/squid/squid.conf
```
Add or modify:
```
acl localnet src 192.168.1.0/24
http_access allow localnet
http_access deny all
http_port 3128
```
```bash
# Restart Squid and enable on boot
sudo systemctl restart squid
sudo systemctl enable squid
# Verify proxy is listening (ss ships with Ubuntu 22.04; netstat needs the net-tools package)
sudo ss -tulpn | grep 3128
```
Windows client configuration (manual or via GPO):
– Open Settings → Network & Internet → Proxy.
– Enable “Use a proxy server” and enter the Linux proxy IP and port 3128.
– Alternatively, command line (admin):
```
netsh winhttp set proxy proxy-server="http=192.168.1.100:3128;https=192.168.1.100:3128" bypass-list="localhost;.local"
```
What this does: All outbound HTTP/HTTPS traffic from Windows clients routes through the Squid proxy. You can then add ACLs to block categories (e.g., social media) or log all requests for compliance.
2. Reverse Proxy Setup: Securing Inbound Application Traffic with Nginx
A reverse proxy accepts client requests from the internet and forwards them to internal application servers, hiding the origin servers and adding security layers like TLS termination, rate limiting, and WAF integration.
Step‑by‑step guide – Nginx reverse proxy for a web app running on localhost:5000:
```bash
# Install Nginx
sudo apt update && sudo apt install nginx -y
# Create site configuration
sudo nano /etc/nginx/sites-available/reverse-proxy.conf
```
Paste:
```nginx
server {
    listen 80;
    server_name your-domain.com;
    location / {
        proxy_pass http://127.0.0.1:5000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```
```bash
# Enable site and test
sudo ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/
sudo nginx -t
sudo systemctl restart nginx
```
Hardening with TLS (Let’s Encrypt):
```bash
sudo apt install certbot python3-certbot-nginx -y
sudo certbot --nginx -d your-domain.com
```
Windows equivalent using IIS (Application Request Routing):
– Install IIS and ARR module via Web Platform Installer.
– Open IIS Manager → Default Web Site → URL Rewrite → Add Rule → Reverse Proxy.
– Enter backend server URL (e.g., `http://localhost:5000`).
– Enable “SSL Offloading” to decrypt inbound HTTPS and forward plain HTTP internally.
What this does: External clients only see the reverse proxy IP. The proxy can cache responses, compress data, and block malicious payloads before they reach the application.
3. Forward Proxy for Zero Trust: Enforcing Device Compliance Before Internet Access
In a SASE or Zero Trust model, forward proxies can evaluate device posture before allowing outbound connections.
Step‑by‑step – Integrating Squid with an external ACL script:
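```bash
# Create script to check client's AV status (dummy example)
sudo nano /etc/squid/check_device.sh
```
```bash
#!/bin/bash
# Squid writes one lookup per line to the helper's stdin (here the client IP
# from %SRC) and expects one OK or ERR line back per lookup.
while read -r src _; do
  # Return OK if compliant
  if [ "$src" = "192.168.1.105" ]; then
    echo "OK"
  else
    echo "ERR"
  fi
done
```
```bash
sudo chmod +x /etc/squid/check_device.sh
```
In squid.conf, add:
```
external_acl_type device_check ttl=60 %SRC /etc/squid/check_device.sh
acl device_compliant external device_check
http_access allow localnet device_compliant
```
http_access rules are evaluated in order and the first match wins, so this rule has to replace the plain `http_access allow localnet` line from section 1 rather than follow it; otherwise every localnet client is allowed before the posture check runs.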
Windows client-side:
– Use PowerShell to report compliance (e.g., Windows Defender status) to a central server, which then updates an allowlist consumed by the proxy.
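One way the proxy side of this could look, as an added example that is not part of the original post: a Squid external ACL helper in Python that answers from a published allowlist and fails closed on stale or missing posture data. The file path, the JSON layout and the 15-minute freshness window are assumptions of this example.

```python
import json
import sys
import time

MAX_AGE = 900  # assumption: a posture report older than 15 minutes is stale
ALLOWLIST_PATH = "/etc/squid/device_allowlist.json"  # hypothetical path

# Constructed sample of the allowlist the central server would publish.
SAMPLE_ALLOWLIST = json.dumps({
    "192.168.1.105": {"av_enabled": True, "reported_at": 1700000000},
    "192.168.1.106": {"av_enabled": False, "reported_at": 1700000000},
    "192.168.1.107": {"av_enabled": True, "reported_at": 1699990000},
})

def load_allowlist(text):
    """Parse the allowlist; anything unreadable yields an empty (deny-all) list."""
    try:
        data = json.loads(text)
    except ValueError:
        return {}
    return data if isinstance(data, dict) else {}

def verdict(src_ip, allowlist, now):
    """Return the helper reply for one client: OK only if compliant and fresh."""
    entry = allowlist.get(src_ip)
    if not isinstance(entry, dict) or entry.get("av_enabled") is not True:
        return "ERR"
    reported = entry.get("reported_at")
    if not isinstance(reported, (int, float)):
        return "ERR"
    age = now - reported
    return "OK" if 0 <= age <= MAX_AGE else "ERR"

def serve(path=ALLOWLIST_PATH, stdin=sys.stdin, stdout=sys.stdout):
    """Squid helper loop: one %SRC value per input line, one OK/ERR per output line."""
    for line in stdin:
        fields = line.split()
        try:
            with open(path, encoding="utf-8") as fh:
                allowlist = load_allowlist(fh.read())
        except OSError:
            allowlist = {}  # missing file: fail closed
        stdout.write(verdict(fields[0] if fields else "", allowlist, time.time()) + "\n")
        stdout.flush()  # Squid waits for each reply, so never buffer

if __name__ == "__main__":
    serve()
```

With `ttl=60` in `external_acl_type`, Squid caches each verdict for a minute, so a device that falls out of compliance can keep access for up to that long.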
4. Reverse Proxy as an API Gateway: Rate Limiting and Authentication
API security often uses a reverse proxy to enforce rate limits, JWT validation, and IP whitelisting before requests hit microservices.
Nginx rate limiting configuration:
```nginx
# In http block
limit_req_zone $binary_remote_addr zone=mylimit:10m rate=10r/s;
server {
    location /api/ {
        limit_req zone=mylimit burst=20 nodelay;
        proxy_pass http://backend_api_servers;
    }
}
```
Adding Basic Authentication:
```bash
sudo apt install apache2-utils -y
sudo htpasswd -c /etc/nginx/.htpasswd apiuser
```
```nginx
# In Nginx server block
location /api/ {
    auth_basic "Restricted API";
    auth_basic_user_file /etc/nginx/.htpasswd;
    proxy_pass http://backend_api_servers;
}
```
Windows with IIS ARR:
– Install “IP and Domain Restrictions” module.
– Set “Dynamic IP Restrictions” to deny requests exceeding threshold (e.g., 20 requests/sec).
5. Cloud Hardening: Using Managed Reverse Proxies (AWS ALB / Azure Application Gateway)
Cloud-native reverse proxies provide advanced security like AWS WAF, bot control, and TLS termination at scale.
Step‑by‑step – Deploy AWS Application Load Balancer as reverse proxy:
– Create an EC2 target group with your application instances (port 80).
– Create an ALB listening on HTTPS (port 443) with a certificate from ACM.
– Define listener rules: path-based routing (`/api/` → target group A, `/web/` → target group B).
– Attach AWS WAF to block SQLi, XSS, and rate-limit requests.
Linux command to test ALB endpoint:
```bash
curl -v https://your-alb-dns-name/api/health -H "Host: your-domain.com"
```
6. Detecting Proxy Misconfigurations: Log Analysis Commands
Both forward and reverse proxies generate logs that reveal security issues (e.g., forward proxy being open to the internet, reverse proxy leaking internal IPs).
Linux – Check Squid access log for unauthorized sources:
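```bash
# Dots are escaped so that 192.168.10.x and similar addresses are not hidden as "internal"
sudo tail -f /var/log/squid/access.log | grep -v '192\.168\.1\.'
```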
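The same check done on the client field with CIDR arithmetic instead of a substring match, as an added example that is not part of the original post. It assumes Squid's default native access.log format and the 192.168.1.0/24 subnet from section 1; the log lines are constructed samples.

```python
import ipaddress
from collections import Counter

# Assumption: same internal subnet as the squid.conf ACL in section 1.
LOCALNET = ipaddress.ip_network("192.168.1.0/24")

# Constructed sample lines in Squid's native access.log format:
# time elapsed client code/status bytes method URL user hierarchy/peer type
SAMPLE_LOG = """\
1700000000.101    120 192.168.1.23 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
1700000001.250     95 192.168.10.7 TCP_MISS/200 880 GET http://example.org/ - HIER_DIRECT/93.184.216.34 text/html
1700000002.400      0 203.0.113.50 TCP_DENIED/403 3900 CONNECT mail.example.net:25 - HIER_NONE/- text/html
1700000003.000    310 203.0.113.50 TCP_TUNNEL/200 15200 CONNECT example.com:443 - HIER_DIRECT/93.184.216.34 -
garbage line
"""

def find_foreign_clients(log_text, localnet=LOCALNET):
    """Return {client_ip: Counter(served=n, denied=n)} for clients outside localnet."""
    report = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue  # truncated or malformed line
        try:
            client = ipaddress.ip_address(fields[2])
        except ValueError:
            continue
        if client in localnet:
            continue
        result = fields[3].split("/")[0]  # e.g. TCP_MISS, TCP_DENIED
        bucket = "denied" if result.endswith("DENIED") else "served"
        report.setdefault(str(client), Counter())[bucket] += 1
    return report

def open_proxy_suspects(report):
    """Foreign clients that were actually served: the ACL is not holding."""
    return sorted(ip for ip, counts in report.items() if counts["served"] > 0)

if __name__ == "__main__":
    rep = find_foreign_clients(SAMPLE_LOG)
    for ip, counts in rep.items():
        print(ip, dict(counts))
    print("served outside localnet:", open_proxy_suspects(rep))
```

Denied requests from outside addresses show the ACL doing its job; served ones are the finding to act on.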
Windows – IIS reverse proxy failed request tracing:
```
:: Enable Failed Request Tracing for status code 500
appcmd.exe set config /section:system.webServer/tracing /enabled:true
```
Testing for reverse proxy IP leakage using curl:
```bash
curl -H "X-Forwarded-For: 8.8.8.8" http://your-reverse-proxy/ -v
```
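The backend side of this test, as an added example that is not part of the original post: with `$proxy_add_x_forwarded_for` from section 2, Nginx appends the real peer address to whatever the client sent, so the application must read the header from the right and stop at the first untrusted hop. The trusted-proxy list (loopback only, matching `proxy_pass http://127.0.0.1:5000`) and the function names are assumptions of this example.

```python
import ipaddress

# Assumption: the only hop the backend trusts is the Nginx proxy on loopback.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]

def is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)

def naive_client_ip(xff_header):
    """Weak form: trusts the left-most entry, which the client controls."""
    return xff_header.split(",")[0].strip()

def client_ip(peer_addr, xff_header):
    """Address a backend should log or rate-limit on.

    peer_addr: TCP peer of the connection to the backend.
    xff_header: raw X-Forwarded-For value, or None.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not is_trusted(peer) or not xff_header:
        # Not via our proxy, or no header: only the socket address is reliable.
        return str(peer)
    candidate = peer
    # Walk right to left: each trusted proxy appended the address it saw.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last verified hop
        candidate = addr
        if not is_trusted(addr):
            break  # first untrusted hop from the right is the client
    return str(candidate)

if __name__ == "__main__":
    # Constructed case: the curl test sent from 203.0.113.9 through Nginx.
    header = "8.8.8.8, 203.0.113.9"
    print("naive:   ", naive_client_ip(header))
    print("hardened:", client_ip("127.0.0.1", header))
```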
7. Combining Both in a DMZ Architecture
A hardened perimeter often includes a forward proxy for outbound user traffic and a reverse proxy for inbound public traffic, isolated in separate DMZ subnets.
Conceptual iptables rules on a Linux gateway:
```bash
# Allow internal users to reach forward proxy
iptables -A FORWARD -i eth0 -o eth1 -p tcp --dport 3128 -s 192.168.1.0/24 -j ACCEPT
# Allow internet to reach reverse proxy (port 443)
iptables -A FORWARD -i eth2 -o eth0 -p tcp --dport 443 -d 10.0.0.5 -j ACCEPT
```
Windows firewall rule for forward proxy client:
```powershell
New-NetFirewallRule -DisplayName "Allow Outbound to Forward Proxy" -Direction Outbound -RemoteAddress 192.168.1.100 -RemotePort 3128 -Protocol TCP -Action Allow
```
What Undercode Say:
– Forward proxies protect users by controlling outbound traffic; reverse proxies protect applications by controlling inbound traffic. Both are essential for layered defense.
– Simple conceptual mix‑ups lead to severe misconfigurations – e.g., exposing an internal forward proxy to the internet becomes an open relay, while failing to harden a reverse proxy leaves backend servers vulnerable to direct attack.
Analysis: The post’s analogy (“User → Proxy → Internet” vs. “Internet → Proxy → Application”) is the clearest differentiator. However, modern SASE implementations blur the line by embedding forward proxy capabilities into cloud edge nodes (e.g., Zscaler, Netskope) and reverse proxy into API gateways and load balancers. Security architects must also consider that reverse proxies can perform outbound functions (e.g., egress filtering for cloud workloads) and forward proxies can handle inbound inspection in a “reverse” orientation when protecting servers in a colocation facility. The critical takeaway is understanding the direction of initiation and which party the proxy impersonates – the client (forward) or the server (reverse).
What Undercode Say:
– Forward proxies hide clients, control outbound, and enforce user policies.
– Reverse proxies hide servers, control inbound, and provide TLS termination, load balancing, and WAF.
Expected Output: A fully configured forward proxy (Squid) and reverse proxy (Nginx) as shown in sections 1 and 2 will achieve a segmented security posture. The sample commands produce a working proxy environment ready for integration with SIEM and zero‑trust access policies.
Prediction:
+1 Increased adoption of reverse proxies as API security gateways in microservices architectures, driven by zero-trust network access (ZTNA) requirements.
+1 Forward proxies evolving into cloud-based Secure Web Gateways (SWG) as part of SASE, reducing on‑premise hardware.
-1 Misconfigured forward proxies (open relays) will remain a top attack vector for anonymized spam and C2 traffic due to admin oversight.
-1 Legacy reverse proxy configurations that lack WAF integration will continue to expose internal APIs to injection attacks.
IT/Security Reporter URL:
Reported By: [Dhari Alobaidi](https://www.linkedin.com/posts/dhari-alobaidi_cybersecurity-networking-proxy-ugcPost-7468912699465383937-FWYp/) – Hackers Feeds


