Uses of Reverse Proxy Servers

There are actually quite a lot of reverse proxy servers in use through large corporate networks performing a variety of purposes.     However there are two distinct roles for which they are commonly used –

  • replicating Content to geographically dispersed areas
  • replicating content for load balancing

It’s a function that is not always considered for proxies, however content distribution is a logical function for any proxy server.  In fact a reverse proxy server can even be used to establish multiple replica servers of a single master to diverse locations.  Take for example if you have a multinational company with offices in countries all over the world.

It would be difficult for a single server with company wide data like templates, policies and procedures to server the entire company yet it is imperative that the integrity of any ‘copy’ is maintained.  The reverse proxies could be set up in each branch server with a slightly different address, perhaps including location in name.   These reverse proxies would pull their data from the master ensuring they were all identical.

This is quite an efficient use of the proxy in reducing bandwidth requirements across the network.  However the reverse proxies must be configured to pull changes from the master very frequently in order to ensure any changes are replicated quickly.  In fact it would be usually safer for the master server to push changes to the reverse proxies in order to ensure this.

The configuration can be complete by updating specific DNS entries in each zone.  This would mean that you could resolve – www.master.com from all of the physical locations.   That is to resolve london.master.com to point at the master server instead.

As mentioned the main issue is ensuring that changes are replicated efficiently and accurately.  In fact replication is perhaps a little too advanced a term as really the proxies are merely caching information and updating them.  So the master server has some modification to it’s content then it would push out the changes to any of the proxies online.  So messages would be sent to the uk online proxy here, then to the asian proxy and so on.

THe other main use is of course load balancing for something like a heavily loaded web server.  Any request received from a client will be distributed back to the multiple reverse proxies by using methods like DNS round robin.  This ensure that the requests are spread out evenly and one of the reverse proxies doesn’t become overloaded with requests too.  This often happened if static lists were used in rotation as the same proxy servers would be receiving the requests too frequently.

John Severn often sneaks off work to travel somewhere hot.  After all he just needs to change ip address to United Kingdom and no-one will notice his emails are coming from the Costa del Sol next to a pool.

VPN Blocking on the Rise

For years people have used VPNs for all sorts of reasons, but it’s origin lay quite simply in the security they provided.  International companies will normally insist that their employees use VPN services when remotely connecting back to their servers using the internet.  It makes sense, otherwise important information and credentials would be trusted to the owners of coffee shop wifi or the administrator of your local Premier Lodge or hotel chain.

The concept is simple, create an encrypted tunnel which ensures that all the data which normally is passed in clear text instead is encrypted and unreadable.  Of course, this security means that as well as being safe from computer criminals and identity thieves – it’s also secure from intelligence services and state controlled snoopers too.  It should come as no surprise that anyone who opposes free speech generally hates VPNs and the protection that they give.

So when we hear stories about different organisations and companies from the Netflix to the Chinese Government trying to block VPNs what are they doing.  Well it depends, obviously the situation that leads to thousands of BBC iPlayer VPN not working is going to be slightly different to the Chinese throwing billions at the great firewall of China.   However the general techniques are basically the same as a small company want to achieve the same thing.

One of the most common options is to block the ports used by these services.  Most VPN tunnelling protocols operate on standard ports, e.g using PPTP or LTP.  They need to establish these connections to transfer and receive data, without them the service won’t function.  Other methods include identifying and blocking specific IP addresses or ranges which are being used by VPN services.   It is these two methods that are mostly used by the big media companies like Hulu and the BBC.

These methods can be time consuming though and it’s possible to switch address and some services allow you to configure alternative ports too. The Chinese Government as you would expect have gone one step forward and use more sophisticated techniques like deep packet inspection.   These involved looking at the data itself to identify if a VPN is being used to transport it.  For example if you are unable to read any data because none of it’s in clear text then there is the likelihood that it is being encrypted.   Of course, there are other methods which encrypt data like SSL so you need to be careful that you don’t block other traffic, it’s a risk that the Chinese would probably be happy to take however.

Even these methods are not foolproof and VPN companies can scramble things like the meta data to make identifying the use of a VPN even harder.  It is worthwhile noting that many people in China still use VPNs routinely and so if the huge resources available to the Chinese State can’t block their use – we should be ok to have a BBC VPN like this for the foreseeable future.