Infrastructure

Reverse Proxy: How It Works and Why You Need One

Published: 16.03.2026 · 6 min read · 20 views

A reverse proxy is a server that sits between client devices and backend servers, forwarding client requests to the appropriate backend and returning the server's response to the client. Unlike a forward proxy (which acts on behalf of clients), a reverse proxy acts on behalf of servers, providing a single point of entry for distributed backend infrastructure.

How a Reverse Proxy Works

When a client sends an HTTP request, it reaches the reverse proxy first. The proxy evaluates the request and forwards it to one or more backend servers. The response travels back through the proxy to the client. The client never communicates directly with the backend.

Client → Reverse Proxy → Backend Server(s)
Client ← Reverse Proxy ← Backend Server(s)

The reverse proxy can make routing decisions based on multiple factors: the URL path, HTTP headers, client IP, server health, current load, geographic location, and more.

Key Benefits of Reverse Proxies

1. Load Balancing

A reverse proxy distributes incoming traffic across multiple backend servers, preventing any single server from becoming a bottleneck. This enables horizontal scaling — you add more servers behind the proxy rather than upgrading a single machine.

2. SSL/TLS Termination

The reverse proxy handles all TLS encryption and decryption, offloading this CPU-intensive work from backend servers. This simplifies certificate management — you only need to install and renew certificates on the proxy, not on every backend server.

# Nginx SSL termination example
server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location / {
        proxy_pass http://backend_pool;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

3. Caching

Reverse proxies can cache responses from backend servers. When a cached response is available, the proxy serves it directly without contacting the backend, dramatically reducing response times and server load.

# Nginx caching configuration
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=app_cache:10m max_size=1g inactive=60m;

server {
    location / {
        proxy_cache app_cache;
        proxy_cache_valid 200 10m;
        proxy_cache_valid 404 1m;
        proxy_cache_use_stale error timeout updating;
        add_header X-Cache-Status $upstream_cache_status;
        proxy_pass http://backend;
    }
}

4. Security and Anonymity

The reverse proxy hides the identity and characteristics of backend servers. External clients see only the proxy's IP address and headers. This provides several security advantages:

Backend server IPs are never exposed to the internet
The proxy can filter malicious requests before they reach the backend
Rate limiting and DDoS protection can be applied at the proxy level
Web Application Firewall (WAF) rules can be enforced centrally

5. Compression

The reverse proxy can compress responses (gzip, Brotli) before sending them to clients, reducing bandwidth usage and improving page load times without burdening backend servers.

Reverse Proxy vs Forward Proxy

Aspect	Reverse Proxy	Forward Proxy
Acts on behalf of	Servers	Clients
Client awareness	Client usually does not know it exists	Client explicitly configures it
Primary use	Load balancing, SSL, caching, security	Privacy, access control, caching
Placement	In front of web servers	In front of client networks
Who controls it	Server administrator	Client or network administrator

Popular Reverse Proxy Software

Software	Best For	Key Features
Nginx	High-performance web serving	Event-driven, low memory, widely adopted
HAProxy	Pure load balancing	TCP/HTTP, health checks, advanced algorithms
Apache (mod_proxy)	Existing Apache environments	Flexible, mature, many modules
Traefik	Container orchestration	Auto-discovery, Let's Encrypt, Docker/K8s native
Caddy	Simplicity and auto-SSL/TLS проверку	Automatic TLS, simple config, HTTP/3
Envoy	Service mesh / microservices	gRPC support, observability, dynamic config

Nginx as a Reverse Proxy: Complete Example

Here is a production-ready Nginx configuration that demonstrates the most common reverse proxy patterns:

upstream backend_pool {
    least_conn;
    server 10.0.1.10:8080 weight=5;
    server 10.0.1.11:8080 weight=3;
    server 10.0.1.12:8080 backup;
    keepalive 32;
}

server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;

    # Security headers
    add_header X-Frame-Options DENY;
    add_header X-Content-Type-Options nosniff;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    # Gzip compression
    gzip on;
    gzip_types text/plain text/css application/json application/javascript;
    gzip_min_length 1000;

    location / {
        proxy_pass http://backend_pool;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Connection "";

        proxy_connect_timeout 5s;
        proxy_send_timeout 30s;
        proxy_read_timeout 30s;

        proxy_next_upstream error timeout http_502 http_503;
        proxy_next_upstream_tries 2;
    }

    location /static/ {
        alias /var/www/static/;
        expires 30d;
        add_header Cache-Control "public, immutable";
    }
}

Common Pitfalls

Losing the real client IP — always pass X-Real-IP and X-Forwarded-For headers; configure your backend to read them
WebSocket support — requires proxy_set_header Upgrade and Connection "upgrade" directives
Large request bodies — increase client_max_body_size for file upload endpoints
Timeout mismatches — ensure proxy timeouts are longer than backend processing times for slow endpoints
Health check gaps — use active health checks (Nginx Plus or HAProxy) rather than relying solely on passive failure detection

Monitoring Your Reverse Proxy

Key metrics to watch on a reverse proxy:

Request rate — total requests per second across all backends
Error rate — percentage of 4xx and 5xx responses
Upstream response time — how long backends take to respond
Active connections — current client and upstream connections
Cache hit ratio — percentage of requests served from cache
SSL handshake time — TLS negotiation latency

Summary

A reverse proxy is a critical component of modern web infrastructure. It provides load balancing, SSL termination, caching, security, and compression — all from a single point of control. Whether you are running a small application or a large-scale distributed system, deploying a reverse proxy improves performance, security, and operational flexibility. Nginx, HAProxy, and Traefik are the most popular choices, each optimized for different deployment scenarios.

Check your website right now

Check now →