In Chapter 1, I talked briefly about how a proxy sits in between clients and servers. Without a proxy, clients normally connect directly to origin servers. With a proxy, however, clients connect only to the proxy. If needed, the proxy connects to origin servers for cache misses. This characteristic of proxies has two important implications for cache managers: security (of both web servers and caches) and bandwidth.

Because the server only knows about its TCP connection from the proxy, the client remains hidden. This can cause problems for origin servers that use address-based access controls. When a client’s request goes through a proxy, the server gets the proxy’s address, not the client’s. If the server is configured to allow connections from the client’s address and deny all others, requests forwarded through the proxy are denied.

As a caching proxy administrator, you must pay close attention to access controls on your web servers and on your proxy. Web servers that authorize connections from your proxy are effectively authorizing connections from anyone who can connect to your proxy. A proxy that accepts requests from any client is open to all sorts of mischief. An open-access proxy creates a back door that enables tricks similar to IP source routing and email relaying. An outsider may be able to route traffic through your proxy. Such abuse can be as harmless as consuming some of your bandwidth or as serious as credit card fraud or threatening the President. ...