
When an architecture is built, it is important to choose wisely which technology to use. The tool’s different characteristics can provide real added value to a project, depending on its goals and stakes.

Today we will focus on reverse proxy solutions. Three free and open source technologies are the best known for this kind of infrastructure equipment: NGINX, Squid and HAProxy. NBS System uses these three solutions for different reasons, and in different ways.

NGINX, our main reverse proxy

In NBS System’s infrastructure, NGINX is used for our main reverse proxies: the solution is installed at the head of our global infrastructure and receives the entirety of our clients’ web traffic. This choice was motivated by several reasons:

  • Performance: NGINX is particularly renowned for the good performance it provides. This performance results from the approach adopted by NGINX’s creator, Igor Sysoev, at its inception in 2002. Rather than trying to create a tool dealing with several needs and being able to “do it all”, Igor Sysoev set some limits at the beginning of the project: the tool will be a reverse proxy and a webserver, and only that (as well as a mail proxy). That is all it will be able to do, but it will do it well. It’s a success! The structure of the project’s source code enables efficient and well-framed contributions, by guaranteeing code uniformity and limiting the risks of performance or security deterioration. Developers can thus improve and enrich NGINX with complete peace of mind. The tool can be relatively versatile, and very fast.
  • Scalability: NGINX is also highly scalable, which makes it an ideal candidate for an infrastructure, such as NBS System’s, that hosts clients with strong seasonality in their traffic (like e-retailers: sales, holidays…).
  • Industrialization: NGINX natively lends itself to automation. This, and the fact that it can work with several configuration files (one per client, for instance), make the tool particularly easy to industrialize. It is a characteristic that enables it to perfectly meet the construction needs of large infrastructures such as NBS System’s.
  • HTTPS support: this feature in particular steered our choice toward NGINX rather than HAProxy, for instance, which only supported HTTP at the time.
  • Development: There are NGINX developers in our teams. That is also why it was only natural for NBS System to lean toward this solution (later, these developers notably created NAXSI, an NGINX security module).

HAProxy, our additional reverse proxy when needed

HAProxy is a solution created in 2001 by Willy Tarreau. It is an excellent reverse proxy that can offer very good performance, but at the time of our choice, it did not support the HTTPS protocol. There was thus no way to offer secure websites with this solution, which made it impossible for us to use. Indeed, cybersecurity has always been a major topic for NBS System. SSL support has since been integrated, from HAProxy’s 1.5 version (stable in 2014) onward.

We still use HAProxy as an addition to our global reverse proxies using NGINX in some cases: if one of our clients requests it, or as a recommendation for websites experiencing strong peak loads. We made this choice for the following reasons:

  • Performance and scalability: like NGINX, HAProxy is highly scalable. It natively provides excellent performance, enabling a quick deployment with few system requirements and simplified maintenance.
  • Caching options and conditional decision making: where HAProxy really takes the lead is caching. During a large peak load, if the processes handling requests are overloaded, it provides relief: HAProxy sends some visitors a holding page and has them wait until the load on the processes eases, so that the processes have enough resources to deal with all their requests. But that is not the most interesting part: this reverse proxy analyzes user statistics (number of visits, behaviour, cookies, sessions…) and adapts itself to serve these users better. That is what makes it particularly nice to use. On an e-commerce website, for instance, it will prioritize users who have a full basket over simple visitors. As the latter are less likely to purchase anything, the possible loss is smaller for the company, or at least has less influence on requests.

HAProxy also offers great load balancing capacities compared to other solutions (they are not used by NBS System).

Squid, our simple proxy

Squid was created at the beginning of the 90s; it is one of the first reverse proxy solutions. It offered, however, poorer performance than NGINX when the latter came out.

Squid also had operational drawbacks: it worked with only one ordered configuration file. The instructions given in this file have to be in the right place relative to one another, which complicates its industrialization. The tool has improved since, but remains far from NGINX’s flexibility…

However, Squid is particularly efficient as a proxy. That is how NBS System uses it, as an HTTP/HTTPS screening layer.

Indeed, while about 90% of a web server’s traffic consists of incoming requests, filtered beforehand by reverse proxies and firewalls, about 10% is outgoing requests. To screen these requests, we also use firewalls; the issue is that they only offer filtering by IP address. Some websites, however, are registered with many IP addresses, or regularly change their IP… It thus becomes impossible to filter requests sent to these websites.

NBS System uses firewalls to filter requests sent to networks that are known to the client (whose IP address or addresses are known). For other networks, we use Squid as a proxy: it offers filtering by domain name! No more IP address issues…

Using Squid also gives us control if a server is compromised: it prevents the server from sending data to a website. An attacker wishing to extract data will thus have to go straight to the machine and extract it.
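The domain-name egress filter described above can be sketched as a squid.conf fragment. This is an added example, not NBS System’s configuration: the listening address, the server subnet and the allowed domains are constructed placeholders.

```squidconf
# Added example: outgoing-request allowlist by destination domain.
# All addresses and domain names below are constructed placeholders.

# Listen only on the internal address that the web servers reach.
http_port 10.0.0.1:3128

# Clients allowed to use the proxy: the hosted web servers.
acl webservers src 10.0.0.0/24

# Destinations the hosted application legitimately calls.
# A leading dot matches the domain itself and all of its subdomains,
# so the rule keeps working when the provider changes or adds IPs.
acl allowed_dst dstdomain .payments.example.com .api.example.net

# Restrict ports, and allow CONNECT (HTTPS tunnels) only to port 443.
acl Safe_ports port 80 443
acl SSL_ports port 443
acl CONNECT method CONNECT

# http_access rules are evaluated top to bottom and the first match
# decides, so the deny rules must come before the allow rule and the
# final "deny all" must stay last.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow webservers allowed_dst
http_access deny all

# For HTTPS, dstdomain is checked against the host named in the
# CONNECT request, so the filter applies without decrypting traffic.
# Refused requests are recorded as TCP_DENIED in Squid's access.log:
# on a web server, such entries deserve investigation.
```

The filter only holds if the firewall also blocks direct outbound connections on ports 80 and 443 from the web servers, so that the proxy is the only way out.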

The Squid project also has an interesting approach: its teams invest a lot of effort in making the solution follow the RFCs (Requests for Comments) related to its activities.

Cybersecurity and reverse proxies: what to choose?

As competition between free and open source technologies raises the general quality of what is on offer, the pure differences between products are not necessarily significant. Before making a choice, the project therefore has to be analyzed in order to select the product that best meets its needs, and to put it to good use.

It can be noted that NBS System also uses NGINX as a web server. Keep an eye out for our upcoming article about it!

Source: Denis Pompilio

Lucie Saunois
IT aficionado, specifically when it comes to cybersecurity, since she joined OT Group in 2015, Lucie specializes in making technical, and often complex, topics understandable by anyone.