
Protection Reverse Proxy

Classification Key: Perimeter Security, Tampering


A packet filter firewall provides protection at the network layer, but application layer vulnerabilities of a protocol can still be exploited. How can you protect your server infrastructure in light of its potential vulnerability to attacks that use its application layer protocol?


Create a firewall combination of two packet filter firewalls with a reverse proxy in between. The reverse proxy sits in a demilitarized zone between the two firewalls. The outer firewall allows only HTTP port access to the reverse proxy. The reverse proxy performs application layer checking and forwards only the valid packets to the inner firewall. The inner firewall accepts requests only from the reverse proxy and separates the server area from the demilitarized zone.
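
The three checkpoints described above can be modelled as a request trace. This is an added example, not part of the original catalog entry. The addresses, the backend port and the specific application layer rules (method allowlist, strict request-line syntax, no path traversal) are assumptions chosen for illustration.

```python
import ipaddress
import re

# Constructed sample addresses (documentation ranges), not from the original page.
CLIENT_IP = ipaddress.ip_address("203.0.113.5")     # Internet client
PROXY_IP = ipaddress.ip_address("192.0.2.10")       # reverse proxy in the DMZ
OTHER_DMZ_IP = ipaddress.ip_address("192.0.2.99")   # some other host in the DMZ
SERVER_IP = ipaddress.ip_address("198.51.100.20")   # server behind the inner firewall
HTTP_PORT, BACKEND_PORT = 80, 8080                  # backend port is an assumption
ALLOWED_METHODS = {"GET", "HEAD", "POST"}           # assumed application policy
REQUEST_LINE = re.compile(r"([A-Z]+) (/\S*) HTTP/1\.[01]")

def outer_firewall(src, dst, dport):
    """Outer packet filter: admit only HTTP addressed to the reverse proxy."""
    return dst == PROXY_IP and dport == HTTP_PORT

def inner_firewall(src, dst, dport):
    """Inner packet filter: admit only traffic from the reverse proxy to the server."""
    return src == PROXY_IP and dst == SERVER_IP and dport == BACKEND_PORT

def proxy_check(request_line):
    """Application layer check (assumed rules) on the HTTP request line."""
    if len(request_line) > 2048 or any(ord(c) < 0x20 or ord(c) == 0x7F for c in request_line):
        return False                                 # oversized or control bytes
    m = REQUEST_LINE.fullmatch(request_line)
    if not m or m.group(1) not in ALLOWED_METHODS:
        return False                                 # malformed or method not allowed
    path = m.group(2).split("?", 1)[0].lower()
    encoded = any(tok in path for tok in ("%2e", "%2f", "%5c", "%00", "\\"))
    return ".." not in path.split("/") and not encoded

def deliver(src, dst, dport, request_line):
    """Trace one client request through the chain and report where it ends."""
    if not outer_firewall(src, dst, dport):
        return "dropped:outer-firewall"
    if not proxy_check(request_line):
        return "rejected:reverse-proxy"
    # The proxy opens its own connection to the server, so the source is the proxy.
    if not inner_firewall(PROXY_IP, SERVER_IP, BACKEND_PORT):
        return "dropped:inner-firewall"
    return "forwarded:server"
```

The inner firewall rule is what keeps the server area isolated if another DMZ host is compromised: inner_firewall(OTHER_DMZ_IP, SERVER_IP, BACKEND_PORT) is refused even though the port is correct.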

Known Uses

IBM’s Tivoli Access Manager.

Related Patterns

Single Access Point, Defense in Depth, Demilitarized Zone


Wiley Book


Reverse Proxy, DMZ, Firewall


Last modified: May 05, 2012

Conceived and Maintained by: Munawar Hafiz