We frequently get the question, “Why does Distil function as a reverse proxy?” Quite simply, we designed our solution to function this way because of the benefits it affords.
What is a Reverse Proxy?
A reverse proxy acts as a middleman between users and an origin server. It’s a versatile tool that can perform a variety of functions, such as caching content for faster load times (thereby reducing server loads), distributing requests across servers, adding security checkpoints, and more.
There are always pros and cons to consider in relation to any major decision affecting your traffic flow and the user experience. We believe the pros far outweigh the cons, so let’s look at the benefits Distil offers by serving as a reverse proxy.
Instant and Complete Protection
When Distil is placed inline with your traffic, detection and protection occur automatically and without any additional changes to your website. As long as Distil sits between your users and servers, every page, line of text, image, and other resource is protected.
Because we’re inline with your traffic, Distil identifies the requesting device and examines each request as it arrives. Once we’ve captured a requesting device’s “fingerprint,” we immediately take action on any identifiable threats. Being inline with your traffic is what allows all of these operations to occur, and it ensures that an overwhelming majority of threats never reach your servers.
Another benefit of pre-access interception is the ability to issue challenges such as computational puzzles submitted to each questionable browser to prove that it functions as expected. This type of pre-access challenge makes sure only true human users behind genuine browsers are accessing your site, rather than automated browsers and scripts.
First Party Integration
This is important because third-party privacy tools like ad blockers or script blockers are designed to prohibit third-party scripts in their default settings, rendering tools that rely upon third-party script injections effectively useless, even in terms of basic client detection.
Advanced Rate Limiting
Being inline allows Distil to leverage Distil fingerprints to track access and usage over time for each requesting device. This data is then used to build baseline user profiles that reflect normal human access patterns in terms of rate of requests, volume of requests, and length of engagement time. That data is fed back to administrators by way of rate limiting recommendations.
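To make the idea of fingerprint-keyed baselines concrete, here is an added example (not Distil's code or algorithm) that profiles each device by request rate, volume and engagement time, then derives a rate limit recommendation from the baseline. The fingerprint labels, the 60-second window, the median-times-headroom rule and the sample log are all assumptions constructed for illustration.

```python
from collections import defaultdict
from statistics import median

def build_log():
    """Constructed sample: (device fingerprint, request time in seconds)."""
    humans = {
        "fp-a": [0, 20, 95, 130, 200],
        "fp-b": [5, 70, 71, 160],
        "fp-c": [10, 40, 100, 220, 230, 290],
    }
    log = [(fp, t) for fp, times in humans.items() for t in times]
    # Scripted client: two requests per second for one minute.
    log += [("fp-bot", t / 2) for t in range(120)]
    return log

def device_profiles(log, window=60):
    """Per fingerprint: request volume, peak requests per window, engagement time."""
    buckets = defaultdict(lambda: defaultdict(int))
    first, last = {}, {}
    for fp, ts in log:
        buckets[fp][int(ts // window)] += 1
        first[fp] = min(ts, first.get(fp, ts))
        last[fp] = max(ts, last.get(fp, ts))
    return {
        fp: {
            "volume": sum(counts.values()),
            "peak_rate": max(counts.values()),
            "engaged_s": last[fp] - first[fp],
        }
        for fp, counts in buckets.items()
    }

def recommend_limit(profiles, headroom=3):
    """Baseline = median peak rate across devices; the median is not
    dragged upward by a few very noisy clients. Headroom is an assumed factor."""
    baseline = median(p["peak_rate"] for p in profiles.values())
    return int(baseline * headroom)

def over_limit(profiles, limit):
    """Fingerprints whose peak per-window rate exceeds the recommended limit."""
    return sorted(fp for fp, p in profiles.items() if p["peak_rate"] > limit)

if __name__ == "__main__":
    profiles = device_profiles(build_log())
    limit = recommend_limit(profiles)
    print("recommended requests per window:", limit)
    print("devices over the limit:", over_limit(profiles, limit))
```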
Real Time Threat Response
When a violation occurs, Distil is able to serve an appropriate response to that violation in real time. That response may be simply a quick flash of a blank page triggering a Distil identification test or, depending upon your configured threat responses, a CAPTCHA or Block response page. In either case, being inline allows for this to happen automatically and conditionally, based upon your chosen threat responses. Third-party script-based solutions just can’t offer this kind of functionality.
Advanced HTTP Injections
Bot detection solutions that rely on JS injection are powerful but can introduce drawbacks. For example, you would need to update your site by dropping in a new code snippet, and then make certain it gets replicated to every page and template. Any omission potentially leaves one or more exploitable vulnerabilities.
By itself, JS-based detection cannot block malicious requests before access, since a request needs to hit your site at least once before it can be blocked.
Reduced Labor and Maintenance
All of the aforementioned benefits are automatically inline with your traffic, and everything is managed from your Distil portal. You no longer need to write proprietary threat detection code or maintain tens of thousands of iRules. You save countless man-hours while eliminating the need to build selective threat responses (“Do I want CAPTCHAs in enforcement?” “Do I want a drop page?” “How do I collect and store log files?”).
JS injections are only one of the many detection methods employed by Distil. We also handle all updates automatically across your entire site(s).
Now that we’ve addressed the pros, let’s quell common cons associated with reverse proxies.
Latency – Won’t adding an extra point to our traffic flow slow things down?
No. We’ve purposefully overpowered our private deployment boxes, so latency is virtually unnoticeable. Technically, the load times can get up to 8–10 milliseconds, but the average call is much shorter than that.
Availability – What happens if Distil fails or goes down?
We deploy with high availability. Distil sits behind your load balancer and gets the same level of rigor your backend systems get. We battle-test everything and overpower our boxes to ensure no downtime.
Rendering – Will my website render properly with Distil processing requests and returning content?
Yes. Distil simply functions as a safety check between your users and servers. Legitimate users can browse without any issues; your site functions as normal. Meanwhile, malicious or abusive agents will hit speed bumps and roadblocks the moment they’re detected.