Reverse Proxy

A server that sits in front of application servers and forwards client requests, often providing SSL, caching, and routing.

1. Concept Overview

A reverse proxy receives requests from clients and forwards them to backend servers. Unlike a forward proxy (client-side), the client does not know it is talking to a proxy; the proxy represents one or more backends.

Why it exists: Centralize SSL termination, routing, caching, compression, and security so application servers can stay simple and focused.

2. Core Principles

Functions

SSL/TLS termination: Decrypt at proxy; backends see plain HTTP (simplifies cert management and backend code).
Routing: Path-based or host-based routing to different backends (e.g. /api → API servers, / → web).
Caching: Cache responses at the edge; reduce load on origin.
Compression: Gzip/Brotli at proxy.
Load balancing: Distribute across backends (overlaps with L7 load balancer).
Security: Hide backend IPs; add headers (e.g. X-Forwarded-For); WAF integration.

Architecture

  Clients ─────▶ Reverse Proxy (Nginx / Envoy / Caddy)
                        │
                        ├──▶ App Server 1
                        ├──▶ App Server 2
                        └──▶ App Server 3

3. Real-World Usage

Nginx: High-performance reverse proxy and web server; widely used for static files and proxying to app servers.
Envoy: Used in service meshes (Istio) and as API gateway; rich observability and routing.
Caddy: Automatic HTTPS; simple config.
AWS ALB: Managed L7 load balancer that acts as reverse proxy.

4. Trade-offs

Aspect

Pros

Cons

SSL at proxy

Single place for certs; backends simpler

Proxy must be secure and highly available

Caching at proxy

Lower latency and origin load

Staleness; invalidation logic

Single entry

Central place for auth, rate limit, logging

Proxy can become bottleneck and SPOF

When to use: You need one entry point for SSL, routing, or caching in front of multiple backends. When not: Direct client-to-server with no need for proxy features.

5. Failure Scenarios

Scenario

Mitigation

Proxy down

Multiple proxy instances behind DNS or LB; health checks

Backend down

Proxy returns 502/503; circuit breaker; retry/fallback

Cache poisoning

Validate responses; restrict cache keys; avoid caching user input in key

SSL cert expiry

Automate renewal (e.g. Let’s Encrypt); monitor and alert

6. Performance Considerations

Latency: Proxy adds a small hop; keep connection pooling to backends and timeouts tuned.
Throughput: Proxy CPU and connection limits; scale horizontally if needed.
Caching: Hit ratio and TTL affect both performance and freshness.

7. Implementation Patterns

Single proxy: Dev or small setups.
Proxy + LB: LB in front of multiple proxy instances for HA.
Proxy per service: Each service has its own proxy (e.g. sidecar in service mesh).

Quick Revision

Role: One entry point; forwards to backends; can do SSL, routing, caching, compression.
Vs load balancer: Reverse proxy often does L7 routing and caching; LB can be L4-only. In practice many “L7 load balancers” are reverse proxies.
Failure: Multiple proxy instances; health checks; 502/503 and circuit breaking for backend failures.
Interview: “We put a reverse proxy in front of our app servers for SSL termination and path-based routing; we cache static assets there to reduce load on the origin.”

PreviousLoad Balancers NextCDN

Last updated 19 days ago

hashtag1. Concept Overview

hashtag2. Core Principles

hashtagFunctions

hashtagArchitecture

hashtag3. Real-World Usage

hashtag4. Trade-offs

hashtag5. Failure Scenarios

hashtag6. Performance Considerations

hashtag7. Implementation Patterns

hashtagQuick Revision