dissected.io
Lesson 9 of 29
Beginner · fundamentals, proxy, networking, security, nginx · 10 min read

Proxies — Forward vs Reverse Proxy

A proxy is anything that sits between two parties and acts on their behalf. That one sentence covers an enormous amount of internet infrastructure — from corporate firewalls to Cloudflare to Nginx. The key distinction is which direction the proxy faces: toward the client, or toward the server.

[Diagram: Forward Proxy vs Reverse Proxy. Forward proxy: Client → Proxy → Server; the client knows the proxy, the proxy hides the client, and the server sees only the proxy's IP. Reverse proxy: Client → Proxy → Server 1 / Server 2 / Server 3; the client knows only the proxy, the proxy hides the servers, and the servers are hidden from the client.]

Forward Proxy

A forward proxy sits in front of clients. When a client makes a request, it goes to the proxy first. The proxy then forwards it to the destination server — using the proxy's IP address, not the client's.

The server sees the proxy, not the real client. The client's identity is hidden.

Common uses:

  • Anonymity — the destination server never learns the client's real IP
  • Content filtering — corporate networks use forward proxies to block certain websites and log what employees access
  • Bypassing geo-restrictions — route traffic through a proxy in another region to appear local to that region
  • Caching — forward proxies can cache responses so repeat requests from multiple clients are served locally

VPNs are essentially forward proxies. When you connect to a VPN, your traffic is routed through the VPN server before reaching its destination. The destination sees the VPN server's IP, not yours.

Reverse Proxy

A reverse proxy sits in front of servers. When a client makes a request, the reverse proxy receives it and routes it to one of the backend servers. The response comes back through the proxy.

The client sees only the proxy. It has no idea how many servers exist behind it, which one handled the request, or what technology they run.

Common uses:

  • Load balancing — distribute requests across multiple backend servers
  • SSL termination — the proxy handles TLS encryption/decryption so backend servers only deal with plain HTTP
  • Caching — serve cached responses without hitting the backend at all
  • DDoS protection — absorb and filter malicious traffic before it reaches your servers
  • Compression — compress responses at the proxy layer, reducing bandwidth

Side-by-Side Comparison

                  | Forward Proxy                        | Reverse Proxy
------------------+--------------------------------------+-------------------------------------
Sits in front of  | Clients                              | Servers
Protects          | Client identity                      | Server identity
Server sees       | Proxy IP                             | Proxy IP
Client knows      | It's using a proxy                   | Nothing (transparent)
Configured by     | Client (or network admin)            | Server operator
Common tools      | Squid, corporate firewalls, VPNs     | Nginx, HAProxy, Cloudflare, AWS ALB

SSL Termination

This is one of the most common reverse proxy jobs. Handling TLS for every backend server is operationally painful — certificates, private keys, renewal, cipher configuration. SSL termination moves all of that to the proxy:

  1. Client connects to proxy over HTTPS (encrypted)
  2. Proxy decrypts the request
  3. Proxy forwards plain HTTP to backend servers on the internal network
  4. Response travels back encrypted to the client

The internal network is trusted, so plain HTTP between proxy and backends is acceptable (and fast). This lets you update certificates in one place and keep backends simple.
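The four steps above as a concrete Nginx configuration. This is an added example, not configuration from the lesson; the upstream name app_backends, the hostname example.com, the backend addresses and the certificate paths are all assumed.

```nginx
# Added example: Nginx as a TLS-terminating reverse proxy.
# Assumed names: upstream "app_backends", host example.com, certs under /etc/nginx/tls/.
upstream app_backends {
    server 10.0.0.11:8080;   # internal-network backends, plain HTTP only
    server 10.0.0.12:8080;
    keepalive 32;            # pool connections to the backends
}

# Step 1: the client connects over HTTPS; only the proxy holds the certificate and key.
server {
    listen 443 ssl;
    server_name example.com;

    ssl_certificate     /etc/nginx/tls/example.com.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Steps 2 and 3: decrypt here, forward plain HTTP to one of the backends.
        proxy_pass http://app_backends;
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # The backend's peer address is the proxy, so pass the original client
        # address and scheme explicitly (this is the Visibility tradeoff later on).
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Timeouts are part of the proxy's job too; unbounded waits tie up workers.
        proxy_connect_timeout 5s;
        proxy_read_timeout    30s;
    }
}

# Step 4 is implicit: the response returns over the same TLS session.
# Redirect plain-HTTP clients to HTTPS so step 1 always happens.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
```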

Real-World Tools

Tool       | Type                | Notes
-----------+---------------------+----------------------------------------------------------------------
Nginx      | Reverse proxy       | Most widely used. Also serves static files, does SSL termination, rate limiting.
HAProxy    | Reverse proxy       | High-performance TCP/HTTP load balancer. Used at massive scale (GitHub, Reddit).
Cloudflare | Reverse proxy (CDN) | Sits in front of your origin globally. DDoS protection, WAF, caching built in.
AWS ALB    | Reverse proxy       | Application Load Balancer. Managed, integrates with EC2, ECS, Lambda.
Squid      | Forward proxy       | Open-source caching forward proxy. Common in enterprise networks.

CDNs and Load Balancers Are Reverse Proxies

This is worth making explicit. When you put Cloudflare in front of your site, it's acting as a reverse proxy — your origin server's IP is hidden, all traffic flows through Cloudflare's edge. When AWS ALB routes requests to your EC2 instances, it's a reverse proxy. The term "reverse proxy" is the general category; CDNs and load balancers are specialised versions of it.

Tradeoffs

Single point of failure. If your reverse proxy goes down and you haven't set up redundancy, everything goes down with it. Run multiple proxy instances with failover.

Added latency. Every request makes an extra hop. In practice, proxies are fast enough that this is negligible — and benefits like caching and SSL termination more than compensate. But it's not zero.

Complexity. Configuration errors at the proxy layer can silently break things. Header forwarding (especially X-Forwarded-For for real client IPs), timeout settings, and connection pooling all require care.

Visibility. Backend servers lose the client's real IP unless the proxy explicitly forwards it via headers like X-Forwarded-For or X-Real-IP. Logging and rate limiting need to account for this.
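The receiving side of the Visibility and Complexity tradeoffs, as an added example that is not from the lesson: a backend Nginx instance restoring the client address from X-Forwarded-For with the realip module, placed in the http context. The weak setting is shown alongside the corrected one; the proxy address 10.0.0.5, the zone name and the log path are assumed.

```nginx
# Added example: restoring the real client IP on a backend behind a reverse proxy
# (ngx_http_realip_module). Assumed: the proxy at 10.0.0.5 sets X-Forwarded-For.

# Weak setting: trust the header from any peer. A client that reaches this
# server directly can send "X-Forwarded-For: 203.0.113.9" (constructed value)
# and appear as that address in logs and rate-limit keys.
#   set_real_ip_from 0.0.0.0/0;
#   real_ip_header   X-Forwarded-For;

# Corrected: only rewrite $remote_addr when the request really came from the
# proxy, and walk the header right-to-left so only trusted hops are skipped.
set_real_ip_from  10.0.0.5;
real_ip_header    X-Forwarded-For;
real_ip_recursive on;

# Once realip has run, $remote_addr is the client, so rate limiting keys on the
# client instead of on the single proxy IP (which would throttle everyone at once).
limit_req_zone $binary_remote_addr zone=per_client:10m rate=10r/s;

# Log the restored address, the peer that actually connected, and the raw header.
log_format proxied '$remote_addr via $realip_remote_addr '
                   'xff="$http_x_forwarded_for" "$request" $status';

server {
    listen 8080;
    access_log /var/log/nginx/app.log proxied;

    location / {
        limit_req zone=per_client burst=20 nodelay;
        root /var/www/app;
    }
}
```

If the backend is reachable on a path that bypasses the proxy, requests on that path keep their true peer address because set_real_ip_from does not match, which is the behaviour you want.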

Key Takeaways

  • A forward proxy sits in front of clients — the server sees the proxy's IP, not the client's
  • A reverse proxy sits in front of servers — the client sees only the proxy, never the backend
  • SSL termination, load balancing, caching, and DDoS protection are all standard reverse proxy jobs
  • CDNs and load balancers are specialised reverse proxies
  • Nginx and HAProxy are the dominant open-source reverse proxies; Cloudflare and AWS ALB are the managed equivalents
  • Always run proxies redundantly — a single proxy is a single point of failure

Next: Consistency and Availability Tradeoffs — the CAP theorem, what you actually have to give up, and how real databases make this choice.
