Reverse Proxy and Forward Proxy

A reverse proxy is the front door of your service. It hides what's behind it, terminates SSL, caches responses, and routes traffic. Often the most under-appreciated component in a system.

Reverse vs forward proxy

The word "proxy" gets thrown around. There are two distinct kinds and they sit on opposite sides of the network.

A forward proxy sits between a client and the internet. The client knows about it. Used to filter outbound traffic, hide client IPs, or work around restrictions. Corporate firewalls, school networks, VPNs.

A reverse proxy sits between the internet and your servers. The client does not know about it. The client thinks it is talking to your application. The proxy forwards the request to the real server behind it.

System design discussions are almost always about reverse proxies. The forward kind is a network admin's concern.

What a reverse proxy does for you

  1. Hides backend topology. Clients hit one address; you can have any number of servers behind it.
  2. SSL termination. Same as load balancer. Decrypt once, talk plain to backends. That only holds if the network between proxy and backends is one you trust; if it is not, re-encrypt on that hop.
  3. Caching. Cache popular responses at the proxy. Backend servers see less load.
  4. Compression. Gzip responses on the way out so clients download less.
  5. Rate limiting and abuse protection. First line of defense.
  6. Path-based routing. Send /api to the API tier, /static to the asset server, /admin to a separate cluster.
  7. Header injection. Add tracing headers, hide internal headers from clients.
[Diagram: internet → Reverse Proxy (SSL · cache · routing) → api.internal:3000 for /api/*, static.internal:8080 for /static/*, admin.internal:9000 for /admin]
A reverse proxy fronts multiple internal services. The client sees one host.
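The seven points above in one NGINX configuration. This is an added example, not configuration from the original page; the hostnames, ports, paths, certificate locations and the 10.0.0.0/8 admin allow-list are assumptions chosen for illustration. Everything shown lives inside the http {} block of nginx.conf.

```nginx
# 5. Rate limiting: one zone keyed on client address, 10 requests/second per address.
limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;

# 3. On-disk response cache, used below for the static tier.
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=static:10m max_size=1g inactive=60m;

# 1. Backend topology the client never sees (names assumed for this example).
upstream api    { server api.internal:3000; }
upstream static { server static.internal:8080; }
upstream admin  { server admin.internal:9000; }

server {
    # 2. TLS terminated here; backends are spoken to over plain HTTP.
    listen 443 ssl;
    server_name example.com;
    ssl_certificate     /etc/nginx/tls/example.com.crt;
    ssl_certificate_key /etc/nginx/tls/example.com.key;
    ssl_protocols TLSv1.2 TLSv1.3;

    # 4. Compression on the way out.
    gzip on;
    gzip_types application/json text/css application/javascript;

    # 7. Header work: tell the backend who the client really was and which scheme
    #    they used, attach a tracing id, and strip backend fingerprints.
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Request-ID      $request_id;
    proxy_hide_header X-Powered-By;

    # 5. Applies to every location below unless a location overrides it.
    limit_req zone=perip burst=20 nodelay;

    # 6. Path-based routing.
    location /api/ {
        proxy_pass http://api;
    }

    location /static/ {
        # 3. Serve popular assets from the proxy cache for 10 minutes.
        proxy_cache static;
        proxy_cache_valid 200 10m;
        add_header X-Cache-Status $upstream_cache_status;
        proxy_pass http://static;
    }

    location /admin/ {
        # Separate cluster, and only reachable from the internal range (assumed).
        allow 10.0.0.0/8;
        deny  all;
        proxy_pass http://admin;
    }
}

server {
    # Send plain-HTTP clients to the TLS listener.
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
```

Two caveats a practitioner would add: `$proxy_add_x_forwarded_for` appends the connecting address to whatever X-Forwarded-For the client already sent, so the backend still has to decide which entries to believe; and compressing responses over TLS that echo attacker-controlled input next to a secret (a CSRF token, for example) is the setup for the BREACH attack, so leave gzip off for those responses.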

Reverse proxy vs load balancer vs API gateway

People use these terms interchangeably. They overlap but are not the same. A load balancer's job is distribution: spread requests across N interchangeable backends and route around the unhealthy ones. A reverse proxy's job is mediation: terminate TLS, cache, rewrite, and route by host or path, even if there is only one backend. An API gateway is a reverse proxy with API-specific policy layered on top: per-client authentication, quotas, request and response transformation, versioning.

NGINX, Envoy, HAProxy can all play any of these roles depending on configuration.

Common tools

NGINX. The workhorse. Fast, well-documented, runs anywhere. Default for static + reverse proxy.

HAProxy. Excellent for high-performance L4/L7 load balancing.

Envoy. Modern, used in service meshes. Strong observability, gRPC support, dynamic config.

Traefik. Auto-discovery for containers. Popular in Kubernetes setups.

Caddy. Automatic HTTPS via Let's Encrypt. Simple config.

Run a reverse proxy even for one server

A reverse proxy in front of a single backend gives you SSL, gzip, header tweaks, request logging, and rate limits for almost no work. You will be glad you have it the first time you need to swap backends or add caching.

The X-Forwarded-For header

Once you put a proxy in front, your backend sees the proxy's IP, not the client's. The proxy adds an X-Forwarded-For header carrying the original client IP. Make sure your application reads it; otherwise all your audit logs say "request came from 127.0.0.1" forever.

The catch: X-Forwarded-For is just a request header, and a client can send any value it likes. A well-behaved proxy appends the peer address it saw to whatever the client already sent, so a hostile client that sends a forged header reaches your backend as "forged, real-client-ip". Two rules keep the header honest. Trust it only when the connection arrived from one of your own proxy addresses; a direct connection carrying X-Forwarded-For is lying. And read it right to left, skipping your own proxies, so you take the first address that was not added by something you control. Anything that rate-limits, allow-lists, or audits by IP has to follow these rules or it can be bypassed with one header.
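The two rules above, as an added example in backend application code (not code from the original page). The trusted proxy ranges and the sample addresses are assumptions constructed for the example; 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for real clients.

```python
import ipaddress
from typing import Optional

# Addresses of proxies we operate. Anything else is "the internet".
# Assumption for this example: the proxy tier lives on 10.0.0.0/8 plus localhost.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "10.0.0.0/8")]


def _parse(addr: str):
    """Return an ip_address object, or None for anything that is not a bare IP."""
    try:
        return ipaddress.ip_address(addr.strip())
    except ValueError:
        return None


def _is_trusted(addr: str, trusted) -> bool:
    ip = _parse(addr)
    return ip is not None and any(ip in net for net in trusted)


def client_ip(remote_addr: str, xff: Optional[str], trusted=TRUSTED_PROXIES) -> Optional[str]:
    """Recover the client address from the TCP peer and the X-Forwarded-For value.

    * If the TCP peer is not one of our proxies, the header came straight from the
      client and proves nothing: return the peer address and ignore the header.
    * Otherwise walk the header right to left. Each of our proxies appended the
      address it saw, so the rightmost entries are ours; the first entry that is
      not one of our proxies is the client. Everything left of it is client input.
    * Return None if the trusted chain ends in something unparsable, so callers
      fail closed instead of logging or allow-listing a forged value.
    """
    if not _is_trusted(remote_addr, trusted):
        return remote_addr

    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop, trusted):
            continue  # one of ours; keep walking toward the client
        ip = _parse(hop)
        return str(ip) if ip is not None else None

    # Header missing or every entry was one of our proxies: the peer is all we know.
    return remote_addr


# Constructed sample requests: (TCP peer, X-Forwarded-For as the backend receives it).
SAMPLE_REQUESTS = {
    "normal":      ("10.0.0.5", "203.0.113.7"),
    "spoofed":     ("10.0.0.5", "1.2.3.4, 203.0.113.7"),  # client forged the first hop
    "two_proxies": ("10.0.0.5", "203.0.113.7, 10.0.1.2"),
    "direct":      ("198.51.100.9", "1.2.3.4"),           # no proxy in between
    "garbage":     ("10.0.0.5", "not-an-ip"),
    "no_header":   ("10.0.0.5", None),
}


def resolve_samples() -> dict:
    return {name: client_ip(peer, xff) for name, (peer, xff) in SAMPLE_REQUESTS.items()}


if __name__ == "__main__":
    for name, ip in resolve_samples().items():
        print(f"{name:12s} -> {ip}")
```

With NGINX's `$proxy_add_x_forwarded_for` the forged entry survives as the leftmost hop, which is exactly the "spoofed" case: the backend must discard it. If you would rather not rely on application code getting the walk right, have the proxy write a fresh header from the connection it actually saw (`proxy_set_header X-Real-IP $remote_addr;` in NGINX) and read that one instead, still only on connections that arrive from a trusted proxy.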