Proxy Server – Proxying at Different TCP / IP Model Levels

In the previous blog post, we developed a basic understanding of network proxies. In this post, we will look at how proxying works at the different layers of the TCP / IP Model.

Throughout the post, we will use the layer nomenclature of the TCP / IP Model and not of the OSI Model.

These are the 4 different layers in the TCP / IP Model 

  • Physical Layer / Network Interface Layer
  • Network Layer / Internet Layer
  • Transport Layer
  • Application Layer

A reverse proxy can theoretically operate at every layer apart from the Physical Layer.

Credits: Cloudflare

However, let’s first understand what it means for a reverse proxy to be at a particular layer. Before we jump into this, please note that each layer:

  • When passing data up to the layer above, i.e. Layer 3 -> Layer 4 or Layer 2 -> Layer 3, strips off the bytes which are relevant to the current layer.
  • When passing data down to the layer below, i.e. Layer 3 -> Layer 2 or Layer 2 -> Layer 1, adds the bytes which are relevant to the current layer.
  • These bytes are decided by each layer; in case you want to go into those details, look into these links

Proxy At Network Level

Let’s say we have a proxy sitting at the Network Layer. This means the following:

  • Data sent from the client is first received by the proxy at the Physical Layer.
  • All traffic that passes through this proxy machine goes through Layer 1, i.e. the Physical Layer, and finally reaches the Network Layer.
  • When the data reaches the Network Layer, the proxy looks at the rules specified. If the rules dictate that the traffic be passed to an external IP destination, it passes the traffic to that destination by sending it back down through Layer 1, i.e. the Physical Layer. These rules, when configured via a Route Table, could look something like this:
    • If the traffic is coming from a certain < IP , Interface >, route it to a particular IP via a particular interface
    • If not, then forward the traffic to our local TCP stack

Proxy At Transport Level

  • Data sent from the client is first received by the proxy at the Physical Layer.
  • All traffic that passes through this proxy machine goes through the following layers: Layer 1: Physical Layer -> Layer 2: Network Layer -> Layer 3: Transport Layer
  • When the data reaches the Transport Layer, the proxy looks at the rules specified. If the rules dictate that the traffic be passed to an external IP destination, it passes the traffic to that destination by sending it back down through Layer 2: Network Layer -> Layer 1: Physical Layer. These rules, when configured via a Route Table, could look something like this:
    • If the traffic is coming from a certain IP, Port, route it to a particular IP, Port
    • If not, then forward the traffic to our local TCP stack

Proxy At Application Level

  • Data sent from the client is first received by the proxy at the Physical Layer.
  • All traffic that passes through this proxy machine goes through the following layers: Layer 1: Physical Layer -> Layer 2: Network Layer -> Layer 3: Transport Layer -> Layer 4: Application Layer
  • When the data reaches the Application Layer, the proxy looks at the rules specified. If the rules dictate that the traffic be passed to an external IP destination, it passes the traffic to that destination by sending it back down through Layer 3: Transport Layer -> Layer 2: Network Layer -> Layer 1: Physical Layer. These rules, when configured via a Route Table, could look something like this:
    • If the traffic is coming for a certain Route / SubDomain, route it to a particular IP, Port with a particular Route / SubDomain
    • If not, then forward the traffic to the Local Application listening on a particular Port

Network Proxy Examples

Load Balancers are also reverse proxies in the sense that they intercept traffic coming to a set of machines and then load balance it across a set of systems.

| Layer | Examples |
| Application Layer ( Layer 4 / Layer 7 in OSI ) | Nginx, ALB |
| Transport Layer ( Layer 3 / Layer 4 in OSI ) | NLB |
| Network Layer ( Layer 2 / Layer 3 in OSI ) | Any System with IPTable Rules Setup |

Limitations

A reverse proxy at each layer has its own set of limitations, which follow directly from where it sits. A reverse proxy at a particular layer can only proxy / route network packets based on the attributes that are available to that particular layer.

  • A Reverse Proxy at Layer 2, i.e. the Network Layer, has attributes like Source IP and Destination IP on the basis of which it can route requests.
    • It cannot route requests based on other attributes like Port Information, HTTP Routes etc.
  • A Reverse Proxy at Layer 3, i.e. the Transport Layer, has attributes like Client Port and Source Port on the basis of which it can route requests to different systems.
    • However, it cannot route requests based on higher-level attributes from Layer 4 like HTTP Routes or Hostname.
  • A Reverse Proxy at Layer 4, i.e. the Application Layer, has attributes like HTTP Routes and HostName on the basis of which it can route requests.
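
The header stripping described at the start of the post and the limitations above can be seen on one packet. The following is an added example, not code from the original post: it parses a constructed IPv4 + TCP + HTTP packet and evaluates the same rule table as a proxy at each layer would. The function names, addresses, backends and rule format are all assumptions made for illustration.

```python
import socket
import struct

def build_packet(src_ip, dst_ip, src_port, dst_port, http):
    # Constructed sample: 20-byte IPv4 header + 20-byte TCP header + HTTP text (checksums 0).
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(http), 0, 0, 64, 6, 0,
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return ip + tcp + http.encode()

def strip_ip(packet):
    # Network layer reads its own header, then hands the remaining bytes up.
    src, dst = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
    return {"src_ip": src, "dst_ip": dst}, packet[(packet[0] & 0x0F) * 4:]

def strip_tcp(segment):
    # Transport layer does the same with the TCP header (length taken from the data offset).
    src_port, dst_port = struct.unpack("!HH", segment[:4])
    return {"src_port": src_port, "dst_port": dst_port}, segment[(segment[12] >> 4) * 4:]

def parse_http(data):
    # Application layer: path from the request line and the Host header of an HTTP/1.1 request.
    lines = data.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    headers = dict(line.split(": ", 1) for line in lines[1:])
    return {"host": headers.get("Host", ""), "path": lines[0].split(" ")[1]}

def visible_attributes(packet, layer):
    # Attributes a proxy operating at `layer` can match on; it never parses above its layer.
    attrs, rest = strip_ip(packet)
    if layer in ("transport", "application"):
        tcp, rest = strip_tcp(rest)
        attrs.update(tcp)
    if layer == "application":
        attrs.update(parse_http(rest))
    return attrs

def route(packet, layer, rules, default="local stack"):
    # First match wins; a rule on an attribute this layer cannot see never matches.
    attrs = visible_attributes(packet, layer)
    for match, backend in rules:
        if all(attrs.get(key) == value for key, value in match.items()):
            return backend
    return default

# Constructed sample packet and hypothetical rule table (most specific rule first).
PACKET = build_packet("203.0.113.7", "198.51.100.10", 51000, 80,
                      "GET /api/users HTTP/1.1\r\nHost: api.example.com\r\n\r\n")
RULES = [({"host": "api.example.com"}, "10.0.0.21:8080"), ({"dst_port": 80}, "10.0.0.11:80"),
         ({"dst_ip": "198.51.100.10"}, "10.0.0.1")]
```

Calling `route(PACKET, layer, RULES)` with `"network"`, `"transport"` and `"application"` selects a different backend each time, because the hostname rule is invisible below the Application Layer and the port rule is invisible below the Transport Layer.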
