Forward Proxy

The Apache Traffic Server is a general purpose proxy, configurable as both a reverse and forward proxy.

A forward proxy can be used as a central tool in your infrastructure to access the web and it may be combined with a cache to lower your overall bandwidth usage. Forward proxies act as a gatekeeper between client browsers on your local network and all (or some, at your configuration’s discretion) web sites accessed by those clients. The forward proxy will receive the HTTP requests, perform any filtering or request alteration rules you establish, and when appropriate forward the request on to its destination website. The response will return through your proxy, where it may optionally be cached and/or modified, and then returned to the original client.

There are two modes in which your forward proxy may operate:

Forward Proxy

Each client must be configured explicitly to use the forward proxy. Client browsers will be aware of the fact they are using a proxy and will form their HTTP requests appropriately. This results in the initial HTTP command being issued with fully qualified URIs that contain the destination hostname:

Transparent Proxy

The use of a transparent proxy is typically done in concert with network routing rules which redirect all outbound HTTP traffic through your proxy. Clients will behave, and form their HTTP requests, as if they are contacting the remote site directly, and will not be aware of the existence of a proxy server in between themselves and the remote servers. HTTP requests will be generated per their usual form, with only paths in the command and a separate Host request header:

GET /index?id=123 HTTP/1.1

Apache Traffic Server may be configured to operate as both a forward and a transparent proxy simultaneously.

Proxy Configuration

Configuring basic forward proxy operation in Traffic Server is quite simple and straightforward.

  1. Permit Traffic Server to process requests for hosts not explicitly configured in the remap rules, by modifying proxy.config.url_remap.remap_required in records.yaml:

    CONFIG proxy.config.url_remap.remap_required INT 0
  2. Optional: If Traffic Server will be operating strictly as a forward proxy, you will want to disable reverse proxy support by modifying proxy.config.reverse_proxy.enabled in records.yaml:

    CONFIG proxy.config.reverse_proxy.enabled INT 0

You may also want to consider some of these configuration options:

Client Configuration

If you are operating your proxy in transparent mode, your clients should require no special proxy-related configuration.

If you are operating in explicit forward proxy mode, without automatic routing rules on your network to direct all outbound traffic through the proxy, your client browsers will need to be directed to the proxy. This may be accomplished in two different ways.

Clients may be configured to use the default 8080 port on your Traffic Server host as a proxy. This will result in all requests from that client browser being issued through the single forward proxy as configured.

Security Considerations

It’s important to note that once your Apache Traffic Server is configured as a forward proxy it will indiscriminately accept proxy requests from anyone. If it is reachable from the Internet, then you have configured an Open Proxy.

This is generally not desirable, as it will permit anyone to potentially use your network as the source of traffic to sites of their choosing. To avoid this, you’ll have to make sure your proxy server is either only reachable from within your private network or is secured by firewall rules that permit only those you wish to have access to the proxy.