High-Level Design Tutorial (42 lessons) · Lesson 12 · ~6 min read

    Reverse Proxy

    A reverse proxy sits in front of backend servers and acts on their behalf — clients don't know the origin servers exist.


    Introduction

    A reverse proxy sits in front of backend servers and acts on their behalf — clients don't know the origin servers exist. Nginx, Envoy, HAProxy, and cloud load balancers all function as reverse proxies, handling TLS, compression, caching, routing, and security filtering.

    While load balancing is one reverse-proxy feature, the term emphasizes HTTP-level concerns: URL rewriting, static file serving, rate limiting, and hiding internal topology. In HLD, reverse proxies appear at the edge and between tiers (service mesh sidecars).

    This lesson distinguishes reverse vs forward proxy and maps common Nginx/Envoy patterns to interview diagrams.

    Understanding the topic

    Key concepts

    • Forward proxy: client knows it (corporate proxy); reverse proxy: client unaware of backends.
    • TLS termination, HTTP/2 multiplexing, gzip/brotli compression at edge.
    • Caching static responses and cacheable API GETs at proxy layer.
    • Request routing: /api → app cluster, /media → object storage gateway.
    • Security: hide internal IPs, WAF rules, request size limits.
    • Sidecar reverse proxy in service mesh intercepts all pod egress/ingress.

    Internal architecture

    Architecture overview

    mermaid
    flowchart LR
        Client --> RP[Reverse Proxy]
        RP --> App1
        RP --> App2

    Step-by-step explanation

    1. Client HTTPS → Nginx reverse proxy (cert, WAF) → upstream app servers HTTP.
    2. Location blocks map paths to upstream pools with keepalive connections.
    3. Proxy cache zone for static assets; bypass cache for authenticated API.
    4. Client IP forwarded via X-Forwarded-For for app logging and rate limits. The header is client-writable, so the app must only trust the entry its own proxy appended (the rightmost one, or the first one to the left of known proxy addresses), never the leftmost value.
    5. Internal reverse proxy consolidates legacy apps under one public hostname.
    6. Envoy sidecar per pod for mTLS and retry policies between microservices.
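The app-side half of step 4, as an added example in Python that is not part of the lesson or of Nginx: the trusted proxy ranges (10.0.0.0/8 and loopback), the proxy address 10.0.0.5, the attacker address 203.0.113.9 and the fixed-window limiter are all assumptions constructed for illustration. It resolves the client IP by walking the X-Forwarded-For chain from the right past known proxies, and shows that a client forging the header cannot escape a rate limit keyed on that value.

```python
"""Resolve the real client IP behind a reverse proxy from X-Forwarded-For.

Nginx's $proxy_add_x_forwarded_for appends the peer address it saw to
whatever X-Forwarded-For the client sent, so the header reaching the app
looks like "<client-controlled junk>, <address seen by our proxy>".
Only entries appended by proxies we operate can be trusted: walk the
list from the right and stop at the first address that is not ours.
"""
import ipaddress
from collections import defaultdict
from typing import Optional

# Assumption for this example: the proxy tier lives in these ranges.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
]


def _is_trusted_proxy(addr: str) -> bool:
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """Return the address of the nearest hop that is not one of our proxies.

    remote_addr is the TCP peer of the app (normally the proxy). If that
    peer is not trusted, X-Forwarded-For is ignored outright: a direct
    client can write anything it likes into the header.
    """
    if not _is_trusted_proxy(remote_addr):
        return remote_addr
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    for hop in reversed(hops):           # right-to-left: one entry per proxy
        if _is_trusted_proxy(hop):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            # Unparseable value: refuse to turn attacker text into a log/limit key.
            return remote_addr
    # Every entry was internal (e.g. a health check from the proxy itself).
    return remote_addr


class RateLimiter:
    """Fixed-window counter keyed on the resolved client IP (no expiry; demo only)."""

    def __init__(self, limit: int) -> None:
        self.limit = limit
        self.counts = defaultdict(int)

    def allow(self, remote_addr: str, xff: Optional[str]) -> bool:
        key = client_ip(remote_addr, xff)
        self.counts[key] += 1
        return self.counts[key] <= self.limit


def spoofing_demo() -> list:
    """Constructed traffic: 203.0.113.9 forges a fresh X-Forwarded-For on each
    request; the proxy (assumed at 10.0.0.5) appends the real peer, so the
    limit of 2 still binds on the third request."""
    limiter = RateLimiter(limit=2)
    verdicts = []
    for forged in ("1.1.1.1", "2.2.2.2", "3.3.3.3"):
        xff = f"{forged}, 203.0.113.9"       # as rewritten by $proxy_add_x_forwarded_for
        verdicts.append(limiter.allow("10.0.0.5", xff))
    return verdicts                          # [True, True, False]
```

The same rule is what Nginx's own `set_real_ip_from` / `real_ip_header X-Forwarded-For` / `real_ip_recursive on` implement at the proxy; doing it in the app as well protects you when the app is ever reachable without the proxy in front.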

    Informative example

    Nginx reverse proxy config routing API requests to an upstream pool and static content to local disk:

    nginx
    # /etc/nginx/conf.d/shop.conf
    upstream api_backend {
        least_conn;
        server 10.0.1.10:8080 max_fails=3 fail_timeout=30s;
        server 10.0.1.11:8080 max_fails=3 fail_timeout=30s;
        keepalive 64;   # idle upstream connections per worker; only used with HTTP/1.1 and an empty Connection header (set below)
    }

    server {
        listen 443 ssl http2;
        server_name shop.example.com;
        ssl_certificate     /etc/ssl/shop.crt;
        ssl_certificate_key /etc/ssl/shop.key;

        location /api/ {
            proxy_pass http://api_backend;
            # Without these two lines the keepalive pool above is never used
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header Host $host;
            # Appends the peer IP this proxy saw to any client-supplied value; the app must trust only the last entry
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # Overwrites any client-supplied X-Request-Id so the trace ID is ours
            proxy_set_header X-Request-Id $request_id;
            client_max_body_size 10m;   # bound request bodies here, before they reach a backend
            proxy_connect_timeout 5s;
            proxy_read_timeout 30s;
        }

        location /static/ {
            # location and alias both end in "/": with "location /static" (no slash) a request for
            # /static../ would map to /var/www/static/../ and escape the directory
            alias /var/www/static/;
            expires 7d;
            add_header Cache-Control "public, immutable";
        }
    }

    Interview: reverse proxy at edge terminates TLS, routes paths, forwards headers. Differs from forward proxy (VPN/corporate outbound).

    Real-world use

    Real-world use cases

    • E-commerce: Nginx serves product images from disk/CDN origin path.
    • Banking: reverse proxy unifies legacy JVM and .NET apps under one domain.
    • Dev environments: single ingress hostname routes to many microservice paths.
    • Zero-trust: Envoy sidecar encrypts east-west traffic in Kubernetes.

    Best practices

    • Set appropriate timeouts (connect, read, send) to prevent hung connections.
    • Use keepalive pools to upstreams — reduces TCP handshake overhead.
    • Log request_id end-to-end from proxy through app.
    • Limit request body size at proxy to protect backends.
    • Separate config for TLS certs and routing for easier rotation.
    • Test failover when upstream marked down (max_fails).

    Common mistakes

    • Losing the client IP by not forwarding X-Forwarded-For, or the opposite: trusting a client-supplied X-Forwarded-For without restricting it to known proxies, so a client spoofs its IP to dodge rate limits and IP allow-lists.
    • Caching authenticated responses — data leak across users.
    • Proxy buffers too small for large upstream response headers (big cookies, long redirects) — 502 "upstream sent too big header"; client_max_body_size too small for uploads — 413 errors.
    • Confusing reverse proxy with API gateway responsibilities.
    • Single Nginx without HA pair — edge SPOF.
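Step 3 of the walkthrough (bypass the cache for authenticated API calls) and the "caching authenticated responses" mistake above come down to one decision per response. Here it is as an added Python example, not part of the lesson and not Nginx's own logic: it mirrors what a `proxy_cache_bypass` / `proxy_no_cache` policy should encode, and the request/response pairs in `demo()` are constructed for illustration.

```python
"""Decide whether a shared reverse-proxy cache may store a response.

Responses to credentialed requests, responses that set cookies, and
anything marked private or no-store must stay out of the shared cache,
otherwise one user's data is served to the next. Freshness must be
explicit so entries expire. Simplifications for this example: only
status 200 is considered, and only Cache-Control max-age/s-maxage count
as freshness information (Expires is ignored).
"""
from typing import Dict, Optional, Set


def _directives(header: Optional[str]) -> Set[str]:
    """'public, max-age=60' -> {'public', 'max-age'} (values are not needed here)."""
    if not header:
        return set()
    return {p.strip().split("=", 1)[0].lower() for p in header.split(",") if p.strip()}


def may_store_in_shared_cache(method: str, status: int,
                              req_headers: Dict[str, str],
                              resp_headers: Dict[str, str]) -> bool:
    req = {k.lower(): v for k, v in req_headers.items()}
    resp = {k.lower(): v for k, v in resp_headers.items()}
    req_cc = _directives(req.get("cache-control"))
    resp_cc = _directives(resp.get("cache-control"))

    if method.upper() not in ("GET", "HEAD") or status != 200:
        return False
    if "no-store" in req_cc or "no-store" in resp_cc or "private" in resp_cc:
        return False
    if "set-cookie" in resp or resp.get("vary", "").strip() == "*":
        return False          # per-user response, or variation the cache cannot key on
    # Credentialed request: only a response the origin explicitly marked
    # shareable (public or s-maxage) may be reused for other clients.
    if ("authorization" in req or "cookie" in req) and not ({"public", "s-maxage"} & resp_cc):
        return False
    return bool({"max-age", "s-maxage"} & resp_cc)


def demo() -> Dict[str, bool]:
    """Constructed request/response pairs for the /api/ location."""
    return {
        "catalog, anonymous": may_store_in_shared_cache(
            "GET", 200, {}, {"Cache-Control": "public, max-age=60"}),
        "profile, bearer token": may_store_in_shared_cache(
            "GET", 200, {"Authorization": "Bearer t0k"}, {"Cache-Control": "max-age=60"}),
        "profile, session cookie": may_store_in_shared_cache(
            "GET", 200, {"Cookie": "sid=abc"}, {"Cache-Control": "private, max-age=60"}),
        "catalog, tracking cookie": may_store_in_shared_cache(
            "GET", 200, {"Cookie": "_ga=1"}, {"Cache-Control": "public, max-age=60"}),
        "login response": may_store_in_shared_cache(
            "GET", 200, {}, {"Cache-Control": "max-age=60", "Set-Cookie": "sid=new"}),
        "no freshness info": may_store_in_shared_cache("GET", 200, {}, {}),
        "POST": may_store_in_shared_cache(
            "POST", 200, {}, {"Cache-Control": "public, max-age=60"}),
    }
```

The "catalog, tracking cookie" case is the one that matters in practice: almost every browser request carries some cookie, so a blanket "never cache when a Cookie header is present" rule empties the cache, while "cache regardless of cookies" leaks sessions. Requiring the origin to say `public` (or `s-maxage`) puts the decision where the knowledge is.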

    Advanced interview questions

    Q1 (Beginner): What is a reverse proxy?
    Server-facing proxy that receives client requests and forwards them to backend servers, hidden from clients.
    Q2 (Beginner): Reverse vs forward proxy?
    Forward proxy acts for clients (outbound control); reverse proxy acts for servers (inbound protection and routing).
    Q3 (Intermediate): Why terminate TLS at the reverse proxy?
    Centralizes cert management, offloads crypto CPU from app servers, enables L7 routing. Caveat: the proxy-to-app hop is then plaintext, so keep it on a private network or re-encrypt it (e.g. mTLS via a sidecar).
    Q4 (Intermediate): Reverse proxy vs load balancer?
    Overlap exists — L7 LB is a reverse proxy with health checks and multi-node distribution; proxy emphasizes HTTP features.
    Q5 (Advanced): Design the edge tier for microservices?
    Envoy/Nginx ingress: TLS, path routing to services, rate limit, WAF, mTLS internal mesh, request ID injection, 30s timeout, autoscale ingress pods.

    Summary

    Reverse proxies protect and front backend servers at the edge. TLS termination, routing, compression, and caching happen here. Nginx/Envoy are standard interview examples. Forward proxy serves clients; reverse proxy serves servers. API Gateway adds auth aggregation beyond basic reverse proxy. Next: API Gateway as unified client entry point.
