How to Set Up a Reverse Proxy
A reverse proxy accepts client requests and forwards them to one or several backend servers. Why: SSL termination (TLS on the proxy only), load balancing, caching, compression. nginx is the most popular. Minimal config — 5 lines with proxy_pass. Important: correct headers (X-Real-IP, X-Forwarded-For), WebSocket upgrade when needed.
Below: step-by-step, working examples, common pitfalls, FAQ.
Step-by-Step Setup
- Install nginx:
apt install nginx - Identify upstream backend(s): IP:port or hostname
- Create /etc/nginx/sites-available/myapp.conf with a server block
- location / { proxy_pass http://backend:3000; }
- Add headers: proxy_set_header Host \$host; X-Real-IP \$remote_addr
- For WebSocket:
proxy_http_version 1.1; proxy_set_header Upgrade \$http_upgrade; proxy_set_header Connection "upgrade"; nginx -t && systemctl reload nginx- Verify: Enterno HTTP checker — inspects response headers
Working Examples
| Scenario | Config |
|---|---|
| Minimal reverse proxy | server {
listen 80;
server_name app.example.com;
location / {
proxy_pass http://127.0.0.1:3000;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
} |
| Load balancing (round-robin) | upstream backend {
server 10.0.0.1:3000;
server 10.0.0.2:3000;
server 10.0.0.3:3000;
}
server {
location / { proxy_pass http://backend; }
} |
| Sticky sessions (IP hash) | upstream backend {
ip_hash;
server 10.0.0.1:3000;
server 10.0.0.2:3000;
} |
| WebSocket upgrade | location /ws/ {
proxy_pass http://backend;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 3600s;
} |
| Caching proxy | proxy_cache_path /var/cache/nginx keys_zone=api_cache:10m;
location /api/ {
proxy_pass http://backend;
proxy_cache api_cache;
proxy_cache_valid 200 5m;
} |
Common Pitfalls
- Without proxy_set_header Host — backend sees "backend" instead of the real domain
- Without X-Real-IP — backend logs 127.0.0.1 instead of client IP
- proxy_buffer too small for large responses — 502 errors
- WebSocket without Upgrade header — connection closes after 60 s
- upstream without health checks — traffic keeps going to a dead backend
Learn more
Frequently Asked Questions
nginx vs HAProxy vs Traefik?
nginx — proven stable, Level 7 LB. HAProxy — faster Level 4. Traefik — auto-discovery for Docker/K8s. nginx fits 90% of cases.
How to zero-downtime restart backends?
Blue-green: upstream with 2 backends, stop/start one at a time. nginx auto-routes to live.
Reverse proxy + SSL termination?
Yes — standard pattern. SSL on nginx (443), backend HTTP (3000). Backend is TLS-unaware.
Performance: does reverse proxy add latency?
Tiny. nginx adds ~0.1-0.5ms. Winning features (caching, compression) save 100-500ms.