Does KMS Support Reverse Proxy?


The question has come up (once, ever) of whether or not KMS would work with a reverse proxy. A reverse proxy is sort of like a content filter placed in front of the firewall to proxy incoming requests from the internet. It is considered to be another layer of security, and can improve performance by caching the responses to incoming HTTP requests.

We are not aware of any problem that could be related to a reverse proxy. It is basically the same as several clients on the same network using a normal HTTP proxy.

What could go wrong?

  1. The most obvious risk of failure is that the reverse proxy might cache the responses to HTTP requests to the Kerio Webmail. This would make webmail virtually useless, as virtually all of its content is dynamic and should not be cached.

    A network trace shows that we have handled this correctly: all webmail replies contain a Cache-Control directive. The following comes from a network trace used to watch this in action:

    HTTP/1.1 200 OK
    Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
    
  2. If the reverse proxy device is not transparent, then all requests will appear to come from the IP address of the reverse proxy. If this behaves like IP masquerading with NAT, then everything should work fine. We have tested NAT extensively and there are no known problems with it; unique PHP sessions in webmail should work fine.

  3. If the reverse proxy is implemented as a cluster, requests from the same client may arrive from different IP addresses. This would confuse the PHP session in webmail, and Kerio could not possibly support this.

  4. A reverse proxy might alter the incoming requests. Part of the job of a reverse proxy is to sanitize incoming requests to make sure everything is secure. This is all okay, and is essentially just a content filter. As long as the requests are not mangled by some bug in the reverse proxy device, it should work. If it does not work, the bug is most likely in the reverse proxy.
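The Cache-Control check in point 1 can be automated against a captured trace. The script below is an added example, not Kerio code: it splits a trace into individual HTTP responses, parses their Cache-Control directives and flags any reply a shared cache (such as a reverse proxy) could store and hand to the next client. SAMPLE_TRACE is constructed for the demo; its first reply mirrors the one quoted above, the second is a dynamic page with no Cache-Control at all (the failure mode to look for), the third is a static image that may legitimately be cached.

```python
"""Audit captured HTTP responses: could a reverse proxy cache them? (added example)"""
import re

# Directives that stop a shared cache reusing a reply without asking the origin.
UNCACHEABLE = {"no-store", "no-cache", "private"}


def parse_headers(raw_response):
    """Return (status line, {lower-cased name: [values]}) for one raw response."""
    head = re.split(r"\r?\n\r?\n", raw_response, maxsplit=1)[0]   # drop the body
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return lines[0].strip(), headers


def cache_control_directives(headers):
    """Return {directive: argument or None} across all Cache-Control headers."""
    found = {}
    for value in headers.get("cache-control", []):
        for part in value.split(","):
            name, _, arg = part.strip().partition("=")
            if name:
                found[name.strip().lower()] = arg.strip() or None
    return found


def proxy_may_serve_cached(raw_response):
    """True if nothing in the reply forbids a shared cache from storing it and
    serving it to the next client. A reply silent about caching counts as cacheable."""
    d = cache_control_directives(parse_headers(raw_response)[1])
    forbidden = d.keys() & UNCACHEABLE or d.get("max-age") == "0" or d.get("s-maxage") == "0"
    return not forbidden


def audit_trace(trace):
    """Split a trace (each reply starts with a status line at column 0) and
    report (status line, cacheable?) per reply."""
    chunks = re.split(r"(?m)^(?=HTTP/1\.[01] )", trace)
    return [(parse_headers(c)[0], proxy_may_serve_cached(c)) for c in chunks if c.strip()]


SAMPLE_TRACE = (  # constructed; the first reply mirrors the one quoted in the article
    "HTTP/1.1 200 OK\r\n"
    "Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0\r\n"
    "Content-Type: text/html\r\n\r\n<html>inbox</html>\r\n"
    "HTTP/1.1 200 OK\r\n"                       # dynamic page with no Cache-Control
    "Content-Type: text/html\r\n\r\n<html>another user's inbox</html>\r\n"
    "HTTP/1.1 200 OK\r\n"                       # static image: caching is harmless
    "Cache-Control: public, max-age=3600\r\n"
    "Content-Type: image/png\r\n\r\n"
)
```

Running `audit_trace(SAMPLE_TRACE)` flags the second reply as cacheable, which is exactly the kind of response that would make a caching reverse proxy show one user's page to another.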

So, does KMS support reverse proxy?

The answer is that we would treat it exactly like any other content filter. In a support situation, we would ask the customer to bypass the reverse proxy and work without it. If the problem no longer persisted, it would be considered a problem with the reverse proxy device and not a Kerio problem.

Links

Thanks to one of our customers for these links.