9. Proxies
A proxy is an intermediary server that sits between a client and a backend server, forwarding requests and responses. Proxies are used for security, performance, load balancing, and content control.
Forward Proxy
A forward proxy sits between clients and the internet, acting on behalf of the client.
[Client A] ──→ ──→ [Server X]
[Client B] ──→ [Forward Proxy] ──→ ──→ [Server Y]
[Client C] ──→ ──→ [Server Z]
The server sees requests coming from the proxy's IP, not the client's.
Use Cases
| Use Case | Description |
|---|---|
| Anonymity | Hide client IP from servers (like a VPN) |
| Content filtering | Block access to certain websites (corporate/school networks) |
| Caching | Cache responses to reduce bandwidth and latency |
| Access control | Restrict which sites users can visit |
| Bypass geo-restrictions | Access region-locked content via a proxy in another region |
| Logging/Monitoring | Track all outgoing requests |
Examples
- Squid Proxy: Open-source caching/filtering proxy.
- Corporate proxies: Filter employee internet access.
- VPNs: Route traffic through a different location.
Reverse Proxy
A reverse proxy sits between the internet and backend servers, acting on behalf of the server.
┌──→ [Backend Server 1]
[Client] ──→ [Reverse Proxy] ──→ ├──→ [Backend Server 2]
└──→ [Backend Server 3]
The client doesn't know which backend server it's talking to — it only sees the proxy.
Use Cases
| Use Case | Description |
|---|---|
| Load balancing | Distribute requests across backend servers |
| SSL termination | Handle HTTPS encryption/decryption at the proxy |
| Caching | Cache responses from backend servers |
| Compression | Compress responses before sending to clients |
| Security | Hide backend server topology; WAF (Web Application Firewall) |
| DDoS protection | Absorb malicious traffic before it reaches backends |
| Static content | Serve static files directly without hitting backend |
| URL rewriting | Modify request URLs before forwarding |
| A/B testing | Route traffic to different backend versions |
Examples
- Nginx: Widely used reverse proxy and web server.
- HAProxy: High-performance TCP/HTTP load balancer.
- Envoy: Modern proxy for service mesh architectures.
- Cloudflare: CDN + reverse proxy + DDoS protection.
- AWS ALB/NLB: Cloud-native reverse proxy/load balancer.
Forward vs Reverse Proxy
| Aspect | Forward Proxy | Reverse Proxy |
|---|---|---|
| Acts on behalf of | Client | Server |
| Client awareness | Client configures it | Client unaware of it |
| Server awareness | Server unaware | Server configured behind it |
| Hides | Client identity | Server identity |
| Position | Near clients | Near servers |
| Primary use | Access control, anonymity | Load balancing, security |
Forward Proxy:
[Clients] ──→ [Proxy] ──→ [Internet] ──→ [Servers]
^^^^
Client's proxy
Reverse Proxy:
[Clients] ──→ [Internet] ──→ [Proxy] ──→ [Servers]
^^^^
Server's proxy
SSL/TLS Termination
The reverse proxy handles the encryption/decryption of HTTPS traffic:
Client ──[HTTPS]──→ Reverse Proxy ──[HTTP]──→ Backend Servers
↑
SSL certificate lives here
Decrypts HTTPS → forwards HTTP
Benefits:
- Backend servers don't need to handle SSL overhead.
- Centralized certificate management.
- Can inspect encrypted traffic for security.
Options:
| Pattern | Description |
|---------|-------------|
| SSL Termination | Proxy decrypts; forwards unencrypted HTTP to backend |
| SSL Passthrough | Proxy forwards encrypted traffic as-is (no inspection) |
| SSL Bridging | Proxy decrypts, inspects, re-encrypts, forwards HTTPS to backend |
Service Mesh Proxy (Sidecar Pattern)
In microservice architectures, each service gets its own proxy (sidecar) that handles networking concerns.
┌──────────────────────┐ ┌──────────────────────┐
│ Pod A │ │ Pod B │
│ ┌────────┐ ┌───────┐│ │┌───────┐ ┌────────┐ │
│ │Service │↔│Envoy ││←───→││Envoy │↔│Service │ │
│ │ A │ │Sidecar││ ││Sidecar│ │ B │ │
│ └────────┘ └───────┘│ │└───────┘ └────────┘ │
└──────────────────────┘ └──────────────────────┘
The sidecar proxy handles:
- Service discovery
- Load balancing
- Circuit breaking
- Retries and timeouts
- mTLS (mutual TLS) encryption
- Metrics and tracing
- Rate limiting
Technologies: Istio (Envoy), Linkerd, Consul Connect.
API Gateway as a Proxy
An API Gateway is a specialized reverse proxy for APIs:
Mobile App ──→ ──→ User Service
Web App ──→ [API Gateway] ──→ ──→ Order Service
Partner API ──→ ──→ Payment Service
Additional capabilities beyond a reverse proxy:
- Authentication/authorization
- Request/response transformation
- API versioning
- Rate limiting per client/API key
- Request aggregation (Backend for Frontend pattern)
Common Proxy Headers
# Forwarded headers (set by proxies)
X-Forwarded-For: 203.0.113.1, 70.41.3.18 # Client IP chain
X-Forwarded-Host: example.com # Original Host header
X-Forwarded-Proto: https # Original protocol
X-Real-IP: 203.0.113.1 # True client IP
# Standard (RFC 7239)
Forwarded: for=203.0.113.1; proto=https; host=example.com
# Proxy caching
Via: 1.1 proxy.example.com
Age: 3600 # Time since cached
Proxy Caching
Client → Proxy → Cache HIT? → Yes → Return cached response
→ No → Forward to backend → Cache response → Return
Cache key: Typically the URL + relevant headers (Accept, Authorization, etc.).
Cache invalidation: Via Cache-Control, ETag, Vary, or manual purge APIs.
Summary
| Concept | Key Point |
|---|---|
| Forward proxy | Client-side; hides clients, filters content |
| Reverse proxy | Server-side; load balancing, SSL, security |
| SSL termination | Proxy handles encryption; backends get plain HTTP |
| Sidecar proxy | Per-service proxy in service mesh architectures |
| API Gateway | Specialized reverse proxy for API management |
Rule of thumb: Almost every production system uses a reverse proxy (Nginx, Cloudflare, AWS ALB). Use forward proxies for client-side access control. Use sidecar proxies in microservice architectures.