Concept · Networking & Delivery

Proxy vs Reverse Proxy

01

Why this matters

Both types of proxy stand between a client and a server. Which one faces which way flips the use case entirely. Candidates mix them up all the time. Interviewers notice.

02

The mirror-image definition

Forward proxy

Represents the client

Clients configure their browser/system to route requests through the proxy. The proxy reaches out to the internet on the client's behalf. Server sees the proxy's IP, not the client's. Used for: egress filtering, caching, anonymity, content filtering in enterprises.

Reverse proxy

Represents the server

Clients think they're talking to your server directly; they actually hit the reverse proxy. The proxy forwards to upstream servers. Clients don't know or care about the topology behind the proxy. Used for: load balancing, TLS termination, caching, compression, WAF, hiding internal structure.

03

What a reverse proxy actually does

Almost every production web stack has one. The reverse proxy:

  • Terminates TLS. Handles the handshake once; backends speak plain HTTP internally. Cheaper than TLS at every app server.
  • Load balances. Picks which upstream instance gets the request (this overlaps with load balancer territory).
  • Caches. Stores responses for common URLs. Next request served from proxy memory, upstream not hit.
  • Compresses. Gzip/Brotli responses before sending to client.
  • Serves static files. Nginx serves /static/* from disk directly; dynamic requests to the app.
  • Adds/strips headers. Injects X-Forwarded-For (so backend knows client IP), strips internal headers.
  • Enforces security. Blocks bad user-agents, applies WAF rules, rate-limits IPs.
  • Hides topology. "example.com" is one IP; behind it are 47 containers, 3 services, 2 regions. Clients see none of it.

04

Forward proxy use cases

  • Corporate filtering. Enterprise makes every employee's browser route through a proxy that blocks Facebook, logs every URL, scans for malware.
  • Caching. ISP-level proxy caches popular content, saves bandwidth. Less common now thanks to CDNs, but still exists.
  • Egress control. Your servers in a private VPC need to reach external APIs. Route all egress through a proxy with allow-listed destinations — security + audit.
  • Circumvention. VPNs are a kind of forward proxy — make your traffic look like it came from elsewhere.
  • Anonymity. Tor is a multi-hop forward proxy.

05

Deep dive — X-Forwarded-For and client IP

Reverse proxies introduce a subtle trap: your app server sees the proxy's IP, not the client's. If you log "client IP" naïvely, every entry says "the proxy." If you rate-limit by IP, every client collapses into the proxy's address, so one bad user hides among everyone else and either escapes the limit or gets the whole user base throttled.

Solution: the proxy sets X-Forwarded-For: <client-ip> (and X-Real-IP, Forwarded per RFC 7239). Your app reads that header instead of the TCP peer address.

Trap: this header is client-controllable. A curl user can send X-Forwarded-For: 127.0.0.1. Your proxy must strip any inbound X-Forwarded-For and set a fresh one. Otherwise attackers spoof their apparent IP.

With multiple proxies (CDN → LB → app), the header contains a comma-separated chain, each proxy appending the address it received the request from. Parse it carefully: the leftmost entry is the original client only if every proxy in the chain is trusted and the outermost one stripped whatever the client sent. A more robust rule is to walk the chain from the right, skipping your own trusted proxy addresses; the first address you do not recognise is the client.

Security gotcha

Any code that reads X-Forwarded-For must be paired with "strip it from untrusted sources." Rate limiters, audit logs, and geo-IP checks all fail silently if this is wrong.

X-Forwarded-For chain: Client → CDN → ALB → App (diagram)

Nodes: Client 203.0.113.42 · CDN edge 198.51.100.5 · ALB 10.0.1.50 · App 10.0.2.18

  Hop                 On the wire                            At the receiving end
  Client → CDN edge   no header                              peer IP = client; strip any inbound XFF, set fresh
  CDN edge → ALB      XFF: 203.0.113.42                      append peer (198.51.100.5)
  ALB → App           XFF: 203.0.113.42, 198.51.100.5        leftmost = real client

Full chain as recorded by the app, with its own peer 10.0.1.50 appended: 203.0.113.42, 198.51.100.5, 10.0.1.50

Trust chain: each proxy must strip inbound XFF then re-add — never trust unfiltered values.
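The right-to-left walk in code, as an added example that is not part of the original page: the app resolves the client from the X-Forwarded-For chain by skipping its own trusted proxies, so a forged leading entry is ignored, and the naive "take the leftmost" reader is shown beside it for contrast. The trusted addresses and ranges are constructed to match the chain in the diagram.

```python
import ipaddress
from typing import Optional

# Constructed topology matching the chain above: Client -> CDN edge -> ALB -> App.
# Only proxies the app operator controls are trusted (assumed addresses/ranges).
TRUSTED_PROXIES = [
    ipaddress.ip_network("198.51.100.5/32"),  # CDN edge (constructed)
    ipaddress.ip_network("10.0.0.0/8"),       # internal ALB range (constructed)
]


def _parse(addr: str):
    """Return an ip_address object, or None if the string is not an IP."""
    try:
        return ipaddress.ip_address(addr)
    except ValueError:
        return None


def _is_trusted(addr: str) -> bool:
    ip = _parse(addr)
    return ip is not None and any(ip in net for net in TRUSTED_PROXIES)


def naive_client_ip(peer_addr: str, xff_header: Optional[str]) -> str:
    """The trap: take the leftmost entry, whatever the client put there."""
    if xff_header:
        return xff_header.split(",")[0].strip()
    return peer_addr


def client_ip(peer_addr: str, xff_header: Optional[str]) -> Optional[str]:
    """Resolve the real client by walking the chain right-to-left.

    Start at the TCP peer and move left through X-Forwarded-For, skipping
    trusted proxies. The first untrusted address is the client; anything
    left of it came from untrusted parties and is ignored.
    Returns None if a trusted proxy forwarded an unparseable hop, so callers
    can fail closed instead of logging or rate-limiting a bogus value.
    """
    if not _is_trusted(peer_addr):
        return peer_addr  # direct connection: the peer is the client, XFF is ignored
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for addr in reversed(hops):
        if _parse(addr) is None:
            return None
        if not _is_trusted(addr):
            return addr
    return peer_addr  # every hop was our own infrastructure (e.g. an ALB health check)
```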
06

Real-world reverse proxies

Nginx

The default

Runs more reverse proxies than anything else. Cheap, fast, config-driven. The "put Nginx in front" pattern is nearly universal.

HAProxy

Reverse proxy + L4/L7 LB

Specialized in load balancing with proxy duties. Excellent for high-throughput, low-latency environments.

Envoy / Istio

Service mesh sidecar

Every pod gets an Envoy sidecar acting as reverse proxy for incoming traffic and forward proxy for outgoing. Universal traffic management.

Cloudflare / CloudFront

Reverse proxy at global scale

Edge nodes in 300+ cities act as reverse proxy to your origin. Caching, DDoS protection, TLS all at the edge.

07

Used in problems

URL shortener puts Nginx in front for static redirect caching. News feed uses Envoy as reverse proxy with stream-level load balancing. E-commerce uses CDN as the outermost reverse proxy layer.
