The IP addresses on which proxy servers should be configured to listen

You've come to this page because you've asked a question similar to the following:

What IP address should my proxy server be configured to listen on?

This is the Frequently Given Answer to that question.

The security considerations

The considerations, relating to the IP address on which a proxy server should listen, apply equally to proxy DNS servers, proxy HTTP servers, and SMTP Submission servers. They are all request/response services, and the security considerations for them are much the same across all of the protocols. The security considerations for providing such servers apply equally to proxy DNS servers responding to queries, to proxy HTTP servers responding to request messages, and to SMTP Submissoin servers accepting mail submissions. This is because they are fundamental to the nature of a server for a request/response protocol providing service on an IP address.

Proxy servers do not need to be, and shouldn't be, accessible from the outside world. This is because they do work on behalf of their clients. Because one pays (in traffic charges and storage costs, amongst other things) for that work to be done, one should not provide proxy service free of charge to the rest of Internet.

Access controls within the softwares themselves don't work.

Some people mistakenly think that access controls, implemented within the server softwares themselves, are sufficient for protecting proxy servers. This is not true. Access controls do not prevent proxy servers from doing work on receipt of queries/requests/submissions. They merely reduce the amount of work that is done. Even discarding a query/request/submission involves doing work. Moreover, access controls cannot prevent several forms of attack:

The IP addresses to use

The way to prevent the server from doing work, and to prevent denial of service and poison insertion by impersonation attacks, is to stop all unauthorized query/request message traffic from reaching the proxy server in the first place. The proxy server must be configured to listen on an IP address that is, quite simply, not reachable from the rest of Internet, and not reachable from outside of the machine, site, or organization where the clients that it is intended to serve reside.

The address to use depends from what clients the server is intended to provide service to:


© Copyright 2000–2004,2007 Jonathan de Boyne Pollard. "Moral" rights asserted.
Permission is hereby granted to copy and to distribute this web page in its original, unmodified form as long as its last modification datestamp is preserved.