Reverse Proxy
A reverse proxy sits in front of backend servers and acts on their behalf — clients don't know the origin servers exist.
Introduction
Nginx, Envoy, HAProxy, and cloud load balancers all function as reverse proxies, handling TLS, compression, caching, routing, and security filtering. Because the proxy terminates the client connection itself, internal hostnames and addresses never appear in what the client sees.
While load balancing is one reverse-proxy feature, the term emphasizes HTTP-level concerns: URL rewriting, static file serving, rate limiting, and hiding internal topology. In HLD, reverse proxies appear at the edge and between tiers (service mesh sidecars).
This lesson distinguishes reverse vs forward proxy and maps common Nginx/Envoy patterns to interview diagrams.
Understanding the topic
Key concepts
- Forward proxy: client knows it (corporate proxy); reverse proxy: client unaware of backends.
- TLS termination, HTTP/2 multiplexing, gzip/brotli compression at the edge (compress static assets freely; be selective with dynamic responses that mix secrets and attacker-influenced input, since compression over TLS leaks length, as in BREACH).
- Caching static responses and cacheable API GETs at proxy layer.
- Request routing: /api → app cluster, /media → object storage gateway.
- Security: hide internal IPs, WAF rules, request size limits.
- Sidecar reverse proxy in service mesh intercepts all pod egress/ingress.
Internal architecture
Architecture overview
```mermaid
flowchart LR
    Client --> RP[Reverse Proxy]
    RP --> App1
    RP --> App2
```
Step-by-step explanation
- Client HTTPS → Nginx reverse proxy (cert, WAF) → upstream app servers over plain HTTP. The plaintext hop is only acceptable on a network you control; across untrusted segments, re-encrypt to the upstream (proxy_pass https:// with certificate verification) or use mTLS.
- Location blocks map paths to upstream pools with keepalive connections.
- Proxy cache zone for static assets; bypass cache for authenticated API.
- Real client IP forwarded via X-Forwarded-For for app logging and rate limits. The header is client-writable, so the app must trust only the address appended by its own proxy (the rightmost trusted hop), never the leftmost value.
- Internal reverse proxy consolidates legacy apps under one public hostname.
- Envoy sidecar per pod for mTLS and retry policies between microservices.
Informative example
Nginx reverse proxy config routing API and static content to different upstreams:
```nginx
# /etc/nginx/conf.d/shop.conf
upstream api_backend {
    least_conn;
    server 10.0.1.10:8080 max_fails=3 fail_timeout=30s;
    server 10.0.1.11:8080 max_fails=3 fail_timeout=30s;
    keepalive 64;    # idle upstream connections kept open per worker
}

server {
    listen 443 ssl http2;
    server_name shop.example.com;

    ssl_certificate     /etc/ssl/shop.crt;
    ssl_certificate_key /etc/ssl/shop.key;

    location /api/ {
        proxy_pass http://api_backend;
        # keepalive to the upstream only takes effect over HTTP/1.1 with
        # the client's Connection header cleared; without these two lines
        # "keepalive 64" above does nothing.
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Request-Id $request_id;
        proxy_connect_timeout 5s;
        proxy_read_timeout 30s;
    }

    location /static/ {
        alias /var/www/static/;
        expires 7d;    # sets Expires and Cache-Control: max-age=604800
        add_header Cache-Control "public, immutable";
    }
}
```
Interview: reverse proxy at edge terminates TLS, routes paths, forwards headers. Differs from forward proxy (VPN/corporate outbound).
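The step-by-step list above says to cache static assets but bypass the cache for authenticated API calls, and the common-mistakes list names caching authenticated responses as a cross-user data leak. The following is an added example of that split for Nginx; it is not the page's shop.conf and not taken from any project. It assumes the api_backend upstream from the config above, and the cache path /var/cache/nginx/api, the zone name api_cache, the cookie name session and the /api/catalog/ path are assumptions for the example.

```nginx
# Added example: response cache for anonymous API GETs with a hard
# bypass for anything that carries credentials.
# The cache path, zone name, cookie name "session" and the /api/catalog/
# prefix are assumptions; api_backend is the upstream from shop.conf.
proxy_cache_path /var/cache/nginx/api levels=1:2 keys_zone=api_cache:10m
                 max_size=1g inactive=10m use_temp_path=off;

# "1" when the request carries credentials (bearer token or session
# cookie), "0" otherwise. proxy_cache_bypass / proxy_no_cache treat any
# value other than empty or "0" as "skip".
map "$http_authorization$cookie_session" $has_credentials {
    default 1;
    ""      0;
}

server {
    listen 443 ssl http2;
    server_name shop.example.com;
    ssl_certificate     /etc/ssl/shop.crt;
    ssl_certificate_key /etc/ssl/shop.key;

    # Public, read-mostly endpoints: cacheable.
    location /api/catalog/ {
        proxy_pass http://api_backend;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        proxy_cache api_cache;
        # The key must include everything that changes the response body;
        # a key without $request_uri would serve one user's page to all.
        proxy_cache_key "$scheme$request_method$host$request_uri";
        proxy_cache_methods GET HEAD;
        proxy_cache_valid 200 301 60s;
        proxy_cache_valid 404 10s;

        # Authenticated request: do not serve from cache (bypass) and do
        # not store the response (no_cache).
        proxy_cache_bypass $has_credentials;
        proxy_no_cache     $has_credentials;

        # Nginx already refuses to store responses that carry Set-Cookie
        # or Cache-Control: private / no-store. Keep that default; adding
        # "proxy_ignore_headers Set-Cookie Cache-Control" re-opens the leak.

        # Collapse concurrent misses into one upstream fetch and serve
        # stale entries while the upstream is down or refreshing.
        proxy_cache_lock on;
        proxy_cache_use_stale error timeout updating http_502 http_503 http_504;

        # HIT / MISS / BYPASS / EXPIRED, useful when verifying the rules.
        add_header X-Cache-Status $upstream_cache_status always;
    }

    # Everything else under /api/ is per-user: no proxy_cache at all.
    location /api/ {
        proxy_pass http://api_backend;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

To verify the rules, request the same /api/catalog/ URL twice without credentials and expect X-Cache-Status to go MISS then HIT; repeat with an Authorization header and expect BYPASS on every request, with no entry written under the cache path.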
Real-world use
Real-world use cases
- E-commerce: Nginx serves product images from disk/CDN origin path.
- Banking: reverse proxy unifies legacy JVM and .NET apps under one domain.
- Dev environments: single ingress hostname routes to many microservice paths.
- Zero-trust: Envoy sidecar encrypts east-west traffic in Kubernetes.
Best practices
- Set appropriate timeouts (connect, read, send) to prevent hung connections.
- Use keepalive pools to upstreams — reduces TCP handshake overhead.
- Log request_id end-to-end from proxy through app.
- Limit request body size at proxy to protect backends.
- Separate config for TLS certs and routing for easier rotation.
- Test failover when upstream marked down (max_fails).
Common mistakes
- Losing the client IP by not forwarding X-Forwarded-For, or the reverse: trusting a client-supplied X-Forwarded-For as the real address, which lets anyone spoof their IP past rate limits and allowlists.
- Caching authenticated responses — data leak across users.
- Proxy buffers too small: a response whose headers exceed proxy_buffer_size fails with 502 ("upstream sent too big header"), while uploads above client_max_body_size are rejected with 413 before they reach the app.
- Confusing reverse proxy with API gateway responsibilities.
- Single Nginx without HA pair — edge SPOF.
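The best-practice and common-mistake lists above are all settings on the edge proxy. The following is an added example that puts them in one Nginx server block; it is not the page's shop.conf and not from any project. It assumes a load balancer or CDN in 10.0.0.0/8 in front of Nginx (so X-Forwarded-For must be evaluated from the right), the api_backend upstream from the config above, and the limits, zone name and /upload/ path are assumptions for the example.

```nginx
# Added example: edge hardening for the practices and mistakes listed
# above. 10.0.0.0/8 as the trusted LB/CDN range, the limits, the zone
# name per_ip and the /upload/ path are assumptions; api_backend is the
# upstream from shop.conf.

# 1. Client IP. Only peers in set_real_ip_from may rewrite $remote_addr.
#    With real_ip_recursive on, Nginx walks X-Forwarded-For from the
#    right and stops at the first address that is not trusted, so a
#    client-supplied "X-Forwarded-For: 1.2.3.4, ..." prefix is ignored.
set_real_ip_from  10.0.0.0/8;
real_ip_header    X-Forwarded-For;
real_ip_recursive on;

# 2. Rate limit keyed on the now-trustworthy client address.
limit_req_zone $binary_remote_addr zone=per_ip:10m rate=10r/s;
limit_req_status 429;

server {
    listen 443 ssl http2;
    server_name shop.example.com;
    ssl_certificate     /etc/ssl/shop.crt;
    ssl_certificate_key /etc/ssl/shop.key;

    # 3. Body limit: larger requests get 413 at the edge, not at the app.
    client_max_body_size 10m;

    location /api/ {
        proxy_pass http://api_backend;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        # $remote_addr is already the real client after step 1; the app
        # reads X-Real-IP and keeps X-Forwarded-For only as the hop trail.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Same id logged at the proxy and the app for end-to-end tracing.
        proxy_set_header X-Request-Id $request_id;

        limit_req zone=per_ip burst=20 nodelay;

        # 4. Timeouts: fail fast on connect, bound both read and send.
        proxy_connect_timeout 5s;
        proxy_send_timeout    15s;
        proxy_read_timeout    30s;

        # 5. Buffers: proxy_buffer_size must hold the whole upstream
        #    response header block (large cookies, long redirects);
        #    too small gives 502 "upstream sent too big header".
        proxy_buffer_size       16k;
        proxy_buffers           4 32k;
        proxy_busy_buffers_size 64k;

        # 6. Failover: these conditions count toward max_fails and move
        #    the request to the next server; a host that hits max_fails
        #    within fail_timeout is skipped for fail_timeout.
        proxy_next_upstream error timeout http_502 http_503 http_504;
        proxy_next_upstream_tries 2;
    }

    location /upload/ {
        proxy_pass http://api_backend;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Larger limit only where uploads are expected; stream the body
        # to the upstream instead of spooling it to a temp file first.
        client_max_body_size   200m;
        proxy_request_buffering off;
    }
}
```

To test the failover setting from the best-practice list, stop one upstream and confirm with a few requests that the proxy retries on the other server and, after max_fails failures, stops trying the dead host for fail_timeout. To test the real-IP rule, send a request through the LB with a forged "X-Forwarded-For: 1.2.3.4" and confirm the access log shows your actual address.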
Advanced interview questions
- Q1 (Beginner): What is a reverse proxy?
- Q2 (Beginner): Reverse vs forward proxy?
- Q3 (Intermediate): Why terminate TLS at the reverse proxy?
- Q4 (Intermediate): Reverse proxy vs load balancer?
- Q5 (Advanced): Design the edge tier for microservices?
Summary
Reverse proxies protect and front backend servers at the edge. TLS termination, routing, compression, and caching happen here. Nginx/Envoy are standard interview examples. Forward proxy serves clients; reverse proxy serves servers. API Gateway adds auth aggregation beyond basic reverse proxy. Next: API Gateway as unified client entry point.