⚡ Quick Answer
A forward proxy sits between clients and the internet — clients connect to it and it fetches content on their behalf. Destination servers only see the proxy's IP. Used for: web filtering, caching, and anonymisation. A reverse proxy sits in front of servers — internet clients connect to it and it forwards requests to backend servers. Clients only see the proxy's IP. Used for: load balancing, SSL termination, caching, and WAF. Memory trick: forward proxy = protects clients, reverse proxy = protects servers.
Forward Proxy vs Reverse Proxy
The most tested proxy concept is the distinction between forward and reverse proxies. Both intercept traffic and act as an intermediary, but they sit at opposite ends of the connection flow and serve fundamentally different purposes.
Who uses it: Internal clients (employees, students)
Initiated by: The client — clients are configured to use the proxy (explicit) or traffic is redirected to it (transparent)
What servers see: The proxy's IP address, not the real client IP
Primary uses: Web content filtering, bandwidth caching, URL blocking, anonymisation, bypassing geo-restrictions
Example products: Squid, Blue Coat, Cisco WSA, Zscaler
Common deployment: Corporate networks, schools, ISPs
Who uses it: Web application owners protecting and scaling backend servers
Initiated by: External clients — clients connect thinking they're hitting the server directly
What clients see: The proxy's IP address, not the backend server IPs
Primary uses: Load balancing, SSL termination, caching, WAF, DDoS protection, URL rewriting
Example products: NGINX, HAProxy, AWS CloudFront, Cloudflare, F5
Common deployment: Public-facing web applications, APIs, CDNs
🎯 Exam Tip — The Easy Way to Remember
Forward proxy = client-side proxy. Clients know about it (or traffic is redirected to it). Protects and controls outbound traffic from your users. The outside world sees the proxy's IP.
Reverse proxy = server-side proxy. Clients don't know about it — they think they're hitting your server directly. Protects and scales your server infrastructure. Your users see the proxy's IP.
Transparent vs Non-Transparent Proxy
This is a secondary distinction that applies primarily to forward proxies, describing whether or not the client knows the proxy exists.
👁️
Transparent Proxy
Traffic is silently redirected to the proxy by a firewall or router rule — clients need no configuration changes. Also called an intercepting proxy or inline proxy. The proxy intercepts connections without client awareness. Used in corporate environments to enforce web policies without configuring every device. Cannot intercept HTTPS without SSL inspection because the client's TLS handshake goes to the destination server, not the proxy.
No client configInterceptingPolicy enforcement
⚙️
Non-Transparent Proxy
Also called an explicit proxy. Clients must be configured with the proxy's IP address and port number (manually or via PAC file / WPAD). The client explicitly sends its HTTP CONNECT or GET requests to the proxy address. Easier to deploy with HTTPS because the client knowingly tunnels through the proxy. If misconfigured, the client has no internet access — unlike a transparent proxy, it fails visibly.
PAC file / WPADExplicit configHTTP CONNECT
Key Uses of a Forward Proxy
🚫
Content Filtering
Block categories of websites (social media, gambling, adult content) or specific URLs. Enforces acceptable use policies in corporate and school environments.
💾
Caching
Stores copies of frequently requested web content locally. Subsequent requests for the same content are served from cache, reducing bandwidth usage and improving speed.
🕵️
Anonymisation
Hides the client's real IP from destination servers. The server only sees the proxy's IP. Used for privacy and to bypass IP-based geo-restrictions.
🔍
SSL Inspection
Decrypts HTTPS traffic, scans for malware and data exfiltration, then re-encrypts. Requires deploying a corporate CA certificate on client devices.
📋
Logging & Auditing
Records all web requests made by users — URLs, timestamps, bytes transferred. Provides audit trails for compliance and security investigations.
🛡️
Malware Prevention
Blocks known malicious domains and IP addresses. Can scan downloaded files against signature databases before delivering them to clients.
Key Uses of a Reverse Proxy
⚖️
Load Balancing
Distributes incoming requests across multiple backend servers. Acts as the single entry point for client traffic while spreading load. NGINX and HAProxy are commonly used as both reverse proxies and load balancers.
🔐
SSL Termination
Handles TLS decryption so backend servers don't need to. Centralises certificate management and reduces backend CPU usage. Backend communication can be plain HTTP on a trusted internal network.
🚀
Caching & Compression
Caches static content (images, CSS, JS) so backend servers aren't hit for every request. Compresses responses before sending to clients, reducing bandwidth.
🛡️
WAF (Web Application Firewall)
Inspects HTTP requests for attacks — SQL injection, XSS, CSRF, path traversal. Blocks malicious requests before they reach backend application servers. ModSecurity is a common open-source WAF module.
🌐
IP Hiding
Backend server IPs are never exposed to the internet. Attackers can only see the reverse proxy's IP, making targeted attacks against specific servers harder.
✏️
URL Rewriting
Modifies request URLs before forwarding. Enables clean public URLs that map to internal service paths, and allows routing multiple services through a single public endpoint.
SSL Inspection (HTTPS Interception)
SSL inspection allows a proxy to decrypt and inspect HTTPS traffic. Without it, a forward proxy is blind to the contents of encrypted connections — it can block by domain, but cannot see URLs, scan files, or detect data exfiltration within HTTPS streams.
🔍 How SSL Inspection Works
1. Client connects to proxy via HTTPS. The proxy presents a certificate signed by a corporate CA (Certificate Authority) that has been pre-installed as trusted on all client devices via Group Policy or MDM.
2. Proxy establishes a separate TLS session to the destination server using the server's real certificate. The proxy sits in the middle — a "man in the middle" that the organisation controls.
3. Proxy decrypts, inspects, re-encrypts. The traffic is scanned for malware, DLP violations, and policy violations. Compliant traffic is re-encrypted and forwarded; malicious traffic is blocked.
Note: Some sites use certificate pinning (banks, Google apps) which will break under SSL inspection — these must be excluded from inspection in the proxy policy.
Proxy vs Firewall vs NAT
| Technology |
OSI Layer |
What It Does |
Key Difference |
| Forward Proxy |
Layer 7 |
Fetches web content on behalf of clients; can filter and cache |
Full content inspection; application-aware |
| Reverse Proxy |
Layer 7 |
Receives client requests and routes to backend servers; SSL termination, WAF |
Protects servers; clients see proxy IP |
| Firewall (stateful) |
Layer 3/4 |
Allows or blocks traffic based on IP, port, protocol, and connection state |
No application content inspection (unless NGFW) |
| NAT (Network Address Translation) |
Layer 3 |
Translates private IPs to a public IP; hides internal network addressing |
IP translation only; no content inspection or filtering |
| NGFW (Next-Gen Firewall) |
Layer 7 |
Deep packet inspection, application identification, IPS, plus traditional firewall rules |
Combines firewall + proxy-like inspection in one device |
🎯 Exam Tip — Proxy Scenario Keywords
If the scenario says employees are accessing inappropriate websites → forward proxy with content filtering.
If the scenario says the company wants to hide their web server IPs from the internet → reverse proxy.
If the scenario mentions intercepting HTTPS traffic without client configuration changes → transparent proxy with SSL inspection.
If the scenario mentions a proxy that protects web applications from SQL injection → reverse proxy with WAF (Web Application Firewall).
Exam Scenarios
Scenario 1: A company wants to prevent employees from accessing social media during work hours. All internet traffic should be logged. Answer: Deploy a forward proxy (web content filter). Configure URL category blocking for social media. Transparent deployment (via firewall redirect) requires no client configuration changes. All HTTP/HTTPS requests pass through the proxy and are logged.
Scenario 2: A company's public web application needs protection from SQL injection and XSS attacks without modifying the application code. Answer: Place a reverse proxy with a WAF (Web Application Firewall) in front of the web servers. The WAF inspects HTTP requests for attack patterns and blocks malicious traffic before it reaches the application.
Scenario 3: A security team wants to inspect encrypted HTTPS traffic leaving the network for signs of data exfiltration. Answer: Deploy a forward proxy with SSL inspection. Deploy the proxy's CA certificate to all company devices via Group Policy so clients trust the proxy's re-signed certificates. The proxy decrypts, inspects, and re-encrypts all HTTPS traffic.
Scenario 4: A company's proxy is configured but some users can bypass it by changing their browser settings. How is this prevented? Answer: Replace the explicit proxy with a transparent (intercepting) proxy. Configure the perimeter firewall to redirect all port 80/443 traffic to the proxy regardless of client settings. Users cannot bypass what they don't know exists.
Scenario 5: An organisation needs to serve multiple web applications from a single public IP address, each on a different domain. Answer: A reverse proxy with virtual host routing (host-header-based routing). The reverse proxy receives all traffic on the single public IP and routes requests to different backend server pools based on the HTTP Host header (domain name in the request).
Master Network+ in less time
Free cheat sheets, study guides, and exam scenarios.
View Cheat Sheet →
Related Topics