
Proxy and Reverse Proxy


Proxies sit between clients and servers, mediating requests to provide security, performance, and operational flexibility. Understanding when to use forward vs reverse proxies is fundamental to building robust systems.

  • Forward Proxy: Intercepts client requests to servers
  • Reverse Proxy: Intercepts server responses to clients
  • Termination: SSL/TLS offloading at the proxy layer

Every request that crosses a network boundary should pass through a proxy.

Forward Proxy

A forward proxy sits in front of clients and forwards their requests to origin servers. The server sees the proxy's IP, not the client's.

Definition: Forward Proxy

A forward proxy is an intermediary that acts on behalf of clients. It receives client requests, optionally modifies them (adding headers, caching), and forwards them to the target server. The server is unaware of the original client. Forward proxies provide anonymity, access control, and content filtering.

Key Functions

  • Anonymity: Hides client IP from servers
  • Access Control: Filters requests by policy
  • Caching: Stores frequently requested content
  • Logging: Records all outbound traffic

Use Cases

  • Corporate network filtering
  • Bypassing geographic restrictions
  • Web scraping with IP rotation
  • Client-side load balancing

Reverse Proxy

A reverse proxy sits in front of servers and distributes incoming client requests. Clients interact with the proxy, not the actual server.

Definition: Reverse Proxy

A reverse proxy is an intermediary that acts on behalf of servers. It receives client requests, routes them to appropriate backend servers, and returns responses. The client is unaware of the backend topology. Reverse proxies provide load balancing, SSL termination, caching, and security.

[Diagram: Clients (Web App, Mobile, API Client) → Reverse Proxy (SSL Termination, Load Balancing, Rate Limiting, Caching) → Backends (Server 1, Server 2, Server 3)]

Reverse Proxy Capabilities

| Capability | Description |
|---|---|
| SSL Termination | Handles TLS decryption so backends receive plain HTTP |
| Load Balancing | Distributes requests across multiple servers |
| Caching | Stores static content to reduce backend load |
| Compression | Gzip/Brotli compression before sending to clients |
| Security | Hides backend topology, WAF capabilities |
| Rate Limiting | Throttles excessive requests |

Nginx as Reverse Proxy

Nginx is the most widely deployed reverse proxy, known for its event-driven architecture.

Nginx can handle ~10,000 concurrent connections per worker process due to its asynchronous, non-blocking event loop. A single Nginx instance can serve as both a reverse proxy and load balancer for thousands of backend servers.

Nginx reverse proxy configuration:

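```nginx
# These directives belong in the http {} context.
# Cache zone for static assets (path, zone name and sizes are example values).
proxy_cache_path /var/cache/nginx keys_zone=static_cache:10m max_size=1g inactive=60m;

upstream backend {
    least_conn;                      # prefer the server with the fewest active connections, weights considered
    server 10.0.0.1:8080 weight=3;
    server 10.0.0.2:8080 weight=2;
    server 10.0.0.3:8080 weight=1;
    keepalive 32;                    # idle upstream connections kept open per worker
}

server {
    listen 443 ssl;
    ssl_certificate /etc/ssl/cert.pem;
    ssl_certificate_key /etc/ssl/key.pem;

    # Required for the upstream keepalive pool to be used
    proxy_http_version 1.1;
    proxy_set_header Connection "";

    # Set at server level so both locations inherit them
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    # Appends $remote_addr to whatever X-Forwarded-For value the client sent
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    location / {
        proxy_pass http://backend;
        proxy_connect_timeout 5s;
        proxy_read_timeout 60s;
    }

    location /static/ {
        proxy_cache static_cache;    # proxy_cache_valid has no effect without a cache zone
        proxy_cache_valid 200 1h;
        proxy_pass http://backend;
    }
}
```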
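The configuration above appends the connecting address to X-Forwarded-For, so the backend has to decide which entries of that header to believe. The following is an added example (not part of the original lesson) of resolving the client address by trusting only hops appended by known proxies; the proxy network 10.0.1.0/24 and all sample addresses are assumptions made for illustration.

```python
import ipaddress

# Assumed proxy tier (not from the lesson): only these peers may vouch for a client IP.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.1.0/24"),
    ipaddress.ip_network("127.0.0.1/32"),
]


def is_trusted(addr):
    """True if addr belongs to one of our own proxy networks."""
    ip = ipaddress.ip_address(addr)  # raises ValueError on malformed input
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Return the address a request should be attributed to.

    peer_addr  -- address of the TCP peer (cannot be forged through headers)
    xff_header -- raw X-Forwarded-For value, or None
    """
    # A peer outside the proxy tier reached the backend directly: ignore its headers.
    if not is_trusted(peer_addr) or not xff_header:
        return peer_addr
    hops = [h.strip() for h in xff_header.split(",") if h.strip()]
    # Walk right to left: the rightmost entries were appended by our proxies;
    # everything left of the first untrusted entry is client-controlled.
    for hop in reversed(hops):
        try:
            if not is_trusted(hop):
                return str(ipaddress.ip_address(hop))
        except ValueError:
            # Malformed entry: fall back to the connecting peer.
            return peer_addr
    # Every hop was one of our own proxies (e.g. an internal health check).
    return peer_addr


if __name__ == "__main__":
    # Constructed sample: the client sent its own header value, the proxy appended the real address.
    print(client_ip("10.0.1.5", "192.0.2.99, 203.0.113.7"))
```

The leftmost entry is never used on its own, because the reverse proxy passes through whatever value the client supplied before appending `$remote_addr`.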

HAProxy

HAProxy is purpose-built for load balancing and proxying TCP/HTTP traffic.

Definition: Load Balancing Algorithms

Common algorithms used by reverse proxies:

Round Robin: Cycles through servers sequentially. Fair distribution, no state.

Least Connections: Routes to the server with fewest active connections. Better for variable request durations.

IP Hash: Uses client IP hash for session affinity. Simple but uneven distribution possible.

Weighted: Servers assigned weights proportional to capacity. Allows heterogeneous backends.

Least Connections Score

$$score_i = \frac{weight_i}{active\_connections_i + 1}$$

Here,

  • $score_i$ = Routing score for server i
  • $weight_i$ = Configured weight for server i
  • $active\_connections_i$ = Current active connections to server i
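The score formula above can be turned into a small selector. This is an added example, not code from the lesson and not the implementation used by Nginx or HAProxy; it reuses the weights 3, 2 and 1 from the upstream block, and the class and function names are hypothetical.

```python
from dataclasses import dataclass


@dataclass
class Backend:
    addr: str
    weight: int
    active: int = 0  # currently open connections

    def score(self):
        # score_i = weight_i / (active_connections_i + 1)
        return self.weight / (self.active + 1)


class LeastConnBalancer:
    def __init__(self, backends):
        self.backends = list(backends)

    def acquire(self):
        """Pick the highest-scoring backend and count the new connection."""
        # max() returns the first maximum, so ties go to the earlier-listed server.
        best = max(self.backends, key=Backend.score)
        best.active += 1
        return best

    def release(self, backend):
        """Call when a connection closes so the backend's score recovers."""
        backend.active = max(0, backend.active - 1)


def make_pool():
    # Addresses and weights mirror the upstream block in the Nginx example.
    return LeastConnBalancer([
        Backend("10.0.0.1:8080", 3),
        Backend("10.0.0.2:8080", 2),
        Backend("10.0.0.3:8080", 1),
    ])


def simulate(n_requests):
    """Open n long-lived connections and return how many each backend holds."""
    lb = make_pool()
    for _ in range(n_requests):
        lb.acquire()
    return {b.addr: b.active for b in lb.backends}


if __name__ == "__main__":
    print(simulate(12))
```

With long-lived connections the open-connection counts settle into the 3:2:1 ratio of the weights, and releasing a connection immediately raises that server's score again.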

SSL/TLS Termination

Offloading SSL at the proxy layer simplifies backend services and enables centralized certificate management.

SSL termination at the proxy means backends communicate over plain HTTP. Ensure the proxy-to-backend network is trusted (private network, VPN, or mutual TLS). In public cloud environments, use a dedicated private subnet for backend communication.

Forward Proxy vs Reverse Proxy

| Aspect | Forward Proxy | Reverse Proxy |
|---|---|---|
| Position | Between client and internet | Between internet and server |
| Known to | Client | Server |
| Purpose | Client anonymity, filtering | Server protection, load balancing |
| Configuration | Client browser/app settings | Server DNS/nginx config |
| Examples | Squid, Privoxy | Nginx, HAProxy, Envoy |

Proxy Chains

In complex architectures, requests may pass through multiple proxies:

Proxy Chain Latency

A request traveling through: Client → Forward Proxy → CDN → Reverse Proxy → Application Server

Each hop adds latency:

  • Forward proxy: ~2ms
  • CDN edge: ~5ms (cache hit), ~50ms (cache miss)
  • Reverse proxy: ~1ms
  • Network to server: ~10ms

Total (cache hit): 2 + 5 + 1 + 10 = 18ms

Total (cache miss): 2 + 50 + 1 + 10 = 63ms

Practice Exercises

  1. Conceptual: Explain why SSL termination is typically done at the reverse proxy rather than on each backend server. What are the trade-offs?

  2. Design: Design a reverse proxy layer for an e-commerce platform that handles 50,000 QPS with 99.99% availability. Include caching, rate limiting, and failover strategies.

  3. Comparison: Compare Nginx and HAProxy for a microservices architecture requiring both L7 routing and TCP load balancing. When would you choose one over the other?

  4. Security: A reverse proxy sits in a public subnet while backends are in a private subnet. What security measures should be in place for the proxy-to-backend communication?

Key Takeaways:

  • Forward proxies mediate on behalf of clients; reverse proxies mediate on behalf of servers
  • Reverse proxies provide SSL termination, load balancing, caching, and security
  • Nginx and HAProxy are the most common reverse proxy solutions
  • SSL termination at the proxy simplifies backend services and centralizes certificate management
  • Proxy chain latency must be accounted for in performance budgets
