Using ZXTM as a Forward Proxy

ZXTM 4.2 contains a new feature, called 'Forward Proxy Mode'. But what is a Proxy? A reverse proxy? A forward proxy? And what can you do with such a feature?


Let's try and clarify what all these proxies are. In computing, a Proxy is a service that accepts network connections from clients and then forwards them on to a server. So in essence, any Load Balancer or Traffic Manager is a kind of proxy. Web caches are another example of proxy servers. These keep a copy of frequently requested web pages and will deliver these pages themselves, rather than having to forward the request on to the 'real' server.

Forward and Reverse Proxies

The difference between a 'forward' and 'reverse' proxy is determined by where the proxy is running. For example, your ISP probably uses a web cache to reduce its bandwidth costs. In this case, the proxy is sitting between your computer and the whole Internet. This is a 'forward proxy'. The proxy has a limited set of users (the ISP's customers), and can forward requests on to any machine on the Internet (i.e. the web sites that the customers are browsing).

Alternatively, a company can put a web cache in the same data center as their web servers, and use it to reduce the load on their systems. This is a 'reverse proxy'. The proxy has an unlimited set of users (anyone who wants to view the web site), but proxies requests on to a specific set of machines (the web servers running the company's web site). This is a typical role for Traffic Managers - they are traditionally used as a reverse proxy.

Using ZXTM as a Forward Proxy

This simply means using ZXTM to forward requests on to any other computer, not just to a pre-configured set of machines in a pool. TrafficScript™ is used to select the exact address to forward the request on to:

pool.use( "Pool name", "IP address", port );

The pool.use() function is used, in the same way as you would normally pick a pool of servers to let ZXTM load balance to. The extra parameters specify the exact machine to use. This machine does not have to belong to the pool that is mentioned; the pool name is there just so ZXTM can use its settings for the connection (e.g. timeout settings, SSL encryption, and so on).

What use is a Forward Proxy?

Combined with TrafficScript, the Forward Proxy feature gives you complete control over the load balancing of requests. For example, you could use ZXTM to load balance RDP (Remote Desktop Protocol), using TrafficScript to pick out the user name of a new connection, look the name up in a database and find the hostname of a desktop to allocate for that user.

Forward Proxying also allows ZXTM to be used nearer the clients on a network. With some TrafficScript, ZXTM can operate as a caching web proxy, speeding up local Internet usage. You can then tie in other ZXTM features like bandwidth shaping, service level monitoring and so on. TrafficScript response rules could then filter the incoming data if needed.

Example: A web caching proxy using ZXTM and TrafficScript™

You will need to set up ZXTM with a virtual server listening for HTTP proxy traffic. Set HTTP as the protocol, and enable web caching. Also, be sure to disable ZXTM's "Location Header rewriting", on the connection management page. Then you will need to add a TrafficScript rule to examine the incoming connections and pick a suitable machine. Here's how you would build such a rule:

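First of all, we will put a sanity check in the rule, to ensure that only proxy traffic is being received. A request with no Host: header, or one that already carries an X-Forwarded-For header, is rejected: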

$host = http.getHeader( "Host" );
if( http.headerExists( "X-Forwarded-For" ) || $host == "" ) {
   http.sendResponse( "400 Bad request", "text/plain",
                      "This is a proxy service, you must send proxy requests", "" );
}

Next, the HTTP request needs to be examined to figure out which server it is going to. The hostname and port of the server are found in the Host: header, e.g. www.zeus.com or www.zeus.com:80

# Extract the port out of the Host: header, if it is there
$pos = string.find( $host, ":" );
if( $pos >= 0 ) {
   $port = string.skip( $host, $pos + 1 );
   $host = string.substring( $host, 0, $pos - 1 );
} else {
   $port = 80;
}

Only a few steps left. We need to alter the HTTP request to supply the true IP address of the client requesting the page, and we need to tweak the request to remove any proxy-specific headers.

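# Record the true IP address of the client for the destination server
http.setHeader( "X-Forwarded-For", request.getRemoteIP() );
# Removing the Range header will make the request more cacheable
http.removeHeader( "Range" );
# Proxy-Connection is a proxy-specific header, so do not pass it on
http.removeHeader( "Proxy-Connection" );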

The user might have requested a page that is unresolvable, e.g. http://fakehostname.nowhere/. To be polite, let's make the TrafficScript check for this:

$ip = net.dns.resolveHost( $host );
if( $ip == "" ) {
   http.sendResponse( "404 Unknown host", "text/plain",
                      "Failed to resolve " . $host . " to an IP address", "" );
}

And, we're almost there! The last task is to send the request on. You will need to adjust the pool name to the one you have configured.

pool.use( "Forward Proxy Pool", $ip, $port );

Done! Now try using the proxy: Go to your web browser's settings page (Advanced->Network->Settings in Firefox) and fill in the hostname of your ZXTM and the port number of the virtual server running this TrafficScript rule. Now try browsing to a few different web sites. You will be able to see the URLs on the Current Activity page in the UI, and the Web Cache page will show you details of the content that has been cached by ZXTM.
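
As written, the rule forwards a request from any client to whatever host the Host: header names, so it is worth restricting who may use the proxy and where it may connect. An access-controlled variant of the complete rule follows as an added example (it is not the original author's code). The client subnet, the allowed ports and the blocked destination ranges are assumed values, and it assumes your TrafficScript version provides string.ipmaskmatch, string.regexmatch and log.warn.

```trafficscript
# Added example, not the original author's rule. The subnet, ports and
# blocked ranges are assumed values; adjust them for your network.

# 1. Only serve clients on the local network (assumed subnet)
if( !string.ipmaskmatch( request.getRemoteIP(), "192.168.0.0/16" ) ) {
   http.sendResponse( "403 Forbidden", "text/plain",
                      "Proxy access is restricted to local clients", "" );
}

# 2. Sanity check from the original rule
$host = http.getHeader( "Host" );
if( http.headerExists( "X-Forwarded-For" ) || $host == "" ) {
   http.sendResponse( "400 Bad request", "text/plain",
                      "This is a proxy service, you must send proxy requests", "" );
}

# 3. Split host:port with a strict pattern, so a non-numeric port is
#    never passed on, and allow only the expected web ports (assumed list)
$port = "80";
if( string.regexmatch( $host, "^([^:]+):([0-9]+)$" ) ) {
   $host = $1;
   $port = $2;
}
if( $port != "80" && $port != "8080" ) {
   http.sendResponse( "403 Forbidden", "text/plain",
                      "Destination port not permitted", "" );
}

# 4. Resolve once, then refuse loopback, private and link-local targets
$ip = net.dns.resolveHost( $host );
if( $ip == "" ) {
   http.sendResponse( "404 Unknown host", "text/plain",
                      "Failed to resolve " . $host . " to an IP address", "" );
}
if( string.ipmaskmatch( $ip, "127.0.0.0/8" )    || string.ipmaskmatch( $ip, "10.0.0.0/8" )
 || string.ipmaskmatch( $ip, "172.16.0.0/12" )  || string.ipmaskmatch( $ip, "192.168.0.0/16" )
 || string.ipmaskmatch( $ip, "169.254.0.0/16" ) ) {
   log.warn( "Proxy request from " . request.getRemoteIP() . " to internal address " . $ip . " refused" );
   http.sendResponse( "403 Forbidden", "text/plain",
                      "Destination not permitted", "" );
}

# 5. Header clean-up as in the original rule, then forward to the IP that
#    was just checked (not the hostname), so the check cannot be bypassed
#    by a second DNS lookup
http.setHeader( "X-Forwarded-For", request.getRemoteIP() );
http.removeHeader( "Range" );
http.removeHeader( "Proxy-Connection" );
pool.use( "Forward Proxy Pool", $ip, $port );
```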

This is just one use of the forward proxy. You could easily use the feature for other uses, e.g. email delivery, SSL-encrypted proxies, and so on. Try it and see!

Ben [Zeus Dev Team] 17 October 2007

Comments:

This public messageboard is not a forum for technical support. To report technical support problems, please contact our dedicated Support team using the instructions at the bottom of this page.

Comment from: John [Visitor]
thanks, very interesting.
13 February 2008 @ 21:39