Proxy and Reverse Proxy
Proxies sit between clients and servers, mediating requests to provide security, performance, and operational flexibility. Understanding when to use forward vs reverse proxies is fundamental to building robust systems.
- Forward Proxy: Sits in front of clients and intercepts their outbound requests to servers
- Reverse Proxy: Sits in front of servers and handles inbound client requests and the responses on their behalf
- Termination: SSL/TLS offloading at the proxy layer
Every request that crosses a network boundary should pass through a proxy.
Forward Proxy
A forward proxy sits in front of clients and forwards their requests to origin servers. The server sees the proxy's IP, not the client's.
Definition: Forward Proxy
A forward proxy is an intermediary that acts on behalf of clients. It receives client requests, optionally modifies them (adding headers, caching), and forwards them to the target server. The server is unaware of the original client. Forward proxies provide anonymity, access control, and content filtering.
Key Functions
- Anonymity: Hides the client IP from servers
- Access Control: Filters requests by policy
- Caching: Stores frequently requested content
- Logging: Records all outbound traffic
Use Cases
- Corporate network filtering
- Bypassing geographic restrictions
- Web scraping with IP rotation
- Client-side load balancing
Reverse Proxy
A reverse proxy sits in front of servers and distributes incoming client requests. Clients interact with the proxy, not the actual server.
Definition: Reverse Proxy
A reverse proxy is an intermediary that acts on behalf of servers. It receives client requests, routes them to appropriate backend servers, and returns responses. The client is unaware of the backend topology. Reverse proxies provide load balancing, SSL termination, caching, and security.
Reverse Proxy Capabilities
| Capability | Description |
|---|---|
| SSL Termination | Handles TLS decryption so backends receive plain HTTP |
| Load Balancing | Distributes requests across multiple servers |
| Caching | Stores static content to reduce backend load |
| Compression | Gzip/Brotli compression before sending to clients |
| Security | Hides backend topology, WAF capabilities |
| Rate Limiting | Throttles excessive requests |
Nginx as Reverse Proxy
Nginx is the most widely deployed reverse proxy, known for its event-driven architecture.
Nginx can handle ~10,000 concurrent connections per worker process due to its asynchronous, non-blocking event loop. A single Nginx instance can serve as both a reverse proxy and load balancer for thousands of backend servers.
Nginx reverse proxy configuration:
```nginx
# The cache zone must be declared (http context) before a location can reference it;
# without it, proxy_cache_valid below has no effect.
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=static_cache:10m max_size=1g inactive=1h;

upstream backend {
    least_conn;                         # route to the server with the fewest active connections
    server 10.0.0.1:8080 weight=3;
    server 10.0.0.2:8080 weight=2;
    server 10.0.0.3:8080 weight=1;
    keepalive 32;                       # idle upstream connections kept open per worker
}

server {
    listen 443 ssl;
    ssl_certificate     /etc/ssl/cert.pem;
    ssl_certificate_key /etc/ssl/key.pem;

    location / {
        proxy_pass http://backend;
        # upstream keepalive only works over HTTP/1.1 with the Connection header cleared
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;   # tell the backend TLS was terminated here
        proxy_connect_timeout 5s;
        proxy_read_timeout 60s;
    }

    location /static/ {
        proxy_cache static_cache;       # enable the zone declared above for this location
        proxy_cache_valid 200 1h;
        proxy_pass http://backend;
    }
}
```
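The `X-Forwarded-For` header set above with `$proxy_add_x_forwarded_for` appends the connecting peer to whatever the client already sent, so a backend must read it from the right-hand, proxy-controlled end and never from the client-controlled left-most value. The following is an added example of that backend-side parsing, not code from the page or from Nginx; `TRUSTED_PROXIES` and the sample addresses are constructed assumptions.

```python
import ipaddress
from typing import Optional

# Constructed example: the address ranges of the proxy tier we control
# (the nginx hosts on 10.0.0.0/24 plus a CDN edge range). In a real
# deployment this list comes from configuration, never from the request.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def _parse_ip(addr: str):
    """Return an ip_address object, or None for values such as 'unknown'."""
    try:
        return ipaddress.ip_address(addr)
    except ValueError:
        return None


def _is_trusted(addr: str) -> bool:
    ip = _parse_ip(addr)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff_header: Optional[str]) -> str:
    """Recover the originating client address behind a chain of trusted proxies.

    $proxy_add_x_forwarded_for appends the connecting peer to whatever value
    the client already sent, so the header reads:
        <values the client chose>, <hops appended by proxies we control>
    Only the right-hand hops are trustworthy. Walk from the right, skip the
    hops we control, and take the first address that is not ours. Never use
    the left-most value: the client controls it.
    """
    if not _is_trusted(remote_addr):
        # The peer is not one of our proxies: nothing in the header can be trusted.
        return remote_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        if _is_trusted(hop):
            continue
        # First untrusted hop. If it is not even an IP address, the chain is
        # unreliable; fall back to the peer address rather than log garbage.
        return hop if _parse_ip(hop) is not None else remote_addr
    # Header empty or made only of our own hops: the peer is the client.
    return remote_addr
```

Note that `X-Real-IP` is `$remote_addr` as seen by Nginx, so with a CDN in front it carries the CDN edge, not the client; rate limiting and audit logs should use the value derived above instead.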
HAProxy
HAProxy is purpose-built for load balancing and proxying TCP/HTTP traffic.
Definition: Load Balancing Algorithms
Common algorithms used by reverse proxies:
Round Robin: Cycles through servers sequentially. Fair distribution, no state.
Least Connections: Routes to the server with the fewest active connections. Better for variable request durations.
IP Hash: Uses a hash of the client IP for session affinity. Simple, but uneven distribution is possible.
Weighted: Servers are assigned weights proportional to capacity. Allows heterogeneous backends.
Least Connections Score
Here,
- =Routing score for server i
- =Configured weight for server i
- =Current active connections to server i
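An added example implementing round robin, weighted least connections and IP hash in a small in-memory balancer; this is illustrative code, not part of the page or of any proxy's implementation. The page's least-connections formula did not survive extraction, so the score used here, active connections divided by configured weight with the lowest score winning, is an assumption.

```python
import hashlib
from dataclasses import dataclass
from typing import List


@dataclass
class Backend:
    name: str
    weight: int = 1      # relative capacity, as in nginx "server ... weight=N"
    active: int = 0      # requests currently in flight on this server


class Balancer:
    """Minimal implementation of three of the algorithms listed above."""

    def __init__(self, backends: List[Backend]):
        self.backends = list(backends)
        self._rr = 0

    def round_robin(self) -> Backend:
        # Cycle through servers in order; no per-server state is consulted.
        chosen = self.backends[self._rr % len(self.backends)]
        self._rr += 1
        return chosen

    def least_conn(self) -> Backend:
        # Assumed score (the page's formula did not survive): active / weight.
        # Lowest score wins; min() keeps the earliest server on a tie.
        return min(self.backends, key=lambda b: b.active / b.weight)

    def ip_hash(self, client_ip: str) -> Backend:
        # Session affinity: the same client IP maps to the same server as long
        # as the backend list is unchanged. Uneven spread is possible when many
        # clients share one address (NAT, corporate forward proxy).
        digest = hashlib.sha256(client_ip.encode()).digest()
        return self.backends[int.from_bytes(digest[:8], "big") % len(self.backends)]

    def dispatch(self, algorithm: str, *args) -> Backend:
        # Pick a server and account for the new in-flight request.
        chosen = getattr(self, algorithm)(*args)
        chosen.active += 1
        return chosen

    def release(self, backend: Backend) -> None:
        # Call when the request completes so least_conn sees the real load.
        backend.active -= 1
```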
SSL/TLS Termination
Offloading SSL at the proxy layer simplifies backend services and enables centralized certificate management.
SSL termination at the proxy means backends communicate over plain HTTP. Ensure the proxy-to-backend network is trusted (private network, VPN, or mutual TLS). In public cloud environments, use a dedicated private subnet for backend communication.
Forward Proxy vs Reverse Proxy
| Aspect | Forward Proxy | Reverse Proxy |
|---|---|---|
| Position | Between client and internet | Between internet and server |
| Known to | Client | Server |
| Purpose | Client anonymity, filtering | Server protection, load balancing |
| Configuration | Client browser/app settings | Server DNS/nginx config |
| Examples | Squid, Privoxy | Nginx, HAProxy, Envoy |
Proxy Chains
In complex architectures, requests may pass through multiple proxies:
Proxy Chain Latency
A request traveling through: Client → Forward Proxy → CDN → Reverse Proxy → Application Server
Each hop adds latency:
- Forward proxy: ~2ms
- CDN edge: ~5ms (cache hit), ~50ms (cache miss)
- Reverse proxy: ~1ms
- Network to server: ~10ms
Total (cache hit): 2 + 5 + 1 + 10 = 18ms
Total (cache miss): 2 + 50 + 1 + 10 = 63ms
Practice Exercises
- Conceptual: Explain why SSL termination is typically done at the reverse proxy rather than on each backend server. What are the trade-offs?
- Design: Design a reverse proxy layer for an e-commerce platform that handles 50,000 QPS with 99.99% availability. Include caching, rate limiting, and failover strategies.
- Comparison: Compare Nginx and HAProxy for a microservices architecture requiring both L7 routing and TCP load balancing. When would you choose one over the other?
- Security: A reverse proxy sits in a public subnet while backends are in a private subnet. What security measures should be in place for the proxy-to-backend communication?
Key Takeaways:
- Forward proxies mediate on behalf of clients; reverse proxies mediate on behalf of servers
- Reverse proxies provide SSL termination, load balancing, caching, and security
- Nginx and HAProxy are the most common reverse proxy solutions
- SSL termination at the proxy simplifies backend services and centralizes certificate management
- Proxy chain latency must be accounted for in performance budgets
What to Learn Next
-> Load Balancing: Distribution algorithms, health checks, and L4 vs L7 load balancing.
-> CDN: Edge caching, DNS routing, and content distribution.
-> Rate Limiting: Token bucket, sliding window, and distributed rate limiting.
-> Service Mesh: Envoy, Istio, and sidecar proxy patterns.
-> Security Patterns: Authentication, authorization, encryption, and mTLS.
-> API Design: REST, GraphQL, gRPC, and API gateway patterns.