Reverse Proxy
What a reverse proxy does, how it differs from a load balancer, and common use cases: SSL termination, compression, rate limiting.
Forward Proxy vs Reverse Proxy
The term 'proxy' is overloaded. A forward proxy sits between clients and the internet, acting on behalf of clients (e.g., a corporate proxy that filters outbound traffic, or a VPN). A reverse proxy sits in front of servers and acts on behalf of servers — clients talk to the proxy, which forwards requests to backend services and returns their responses.
Reverse Proxy vs Load Balancer
These terms are often confused because many tools (NGINX, HAProxy, AWS ALB) do both. The conceptual difference is:
| Capability | Reverse Proxy | Load Balancer |
|---|---|---|
| Primary role | Intermediary — handles requests on behalf of servers | Distributor — spreads requests across multiple servers |
| SSL/TLS termination | Yes — core feature | Sometimes (L7 LBs) |
| Request routing by content | Yes — path, host, header-based rules | Yes (L7 LBs only) |
| Traffic distribution | May support it | Core feature |
| Caching | Often yes (NGINX proxy cache) | Rarely |
| Rate limiting | Yes | Rarely |
| Request/response transformation | Yes (headers, compression, auth) | Rarely |
| Examples | NGINX, Envoy, Traefik, Caddy | AWS ALB/NLB, HAProxy, F5 |
In practice, they overlap
NGINX is technically a reverse proxy that also does load balancing. AWS ALB is technically a load balancer that also does reverse proxy tasks (SSL termination, path-based routing). The distinction matters conceptually, but in interviews focus on the capabilities you need rather than the label.
Core Reverse Proxy Use Cases
SSL/TLS Termination
Terminating TLS at the reverse proxy means backend servers receive plain HTTP, offloading the CPU cost of encryption/decryption and centralizing certificate management. The proxy handles the HTTPS handshake with clients, then forwards requests to backends over unencrypted HTTP (within a trusted private network) or re-encrypted HTTPS.
Compression
The reverse proxy can compress responses (gzip, Brotli) before sending them to clients, reducing bandwidth. This is especially effective for text-based APIs — compressing JSON can reduce payload size by 60–90%. The proxy checks the client's `Accept-Encoding` header and compresses accordingly.
Rate Limiting
Reverse proxies can enforce rate limits before requests reach backend services, protecting against abuse and ensuring fair resource usage.
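What `rate=10r/s` with `burst=20 nodelay`, the settings in this section's NGINX configuration, admits from a single client, as an added example that is not from the original page and is not NGINX's code: a simplified Python model of the leaky-bucket accounting `limit_req` uses, with state kept per client address the way `$binary_remote_addr` keys the zone. The class name, function names and client addresses are constructed for illustration.

```python
from dataclasses import dataclass, field

RATE_MILLI = 10 * 1000   # rate=10r/s, in thousandths of a request per second
BURST_MILLI = 20 * 1000  # burst=20, same unit

@dataclass
class LimitReqZone:
    """Simplified model of a limit_req zone with nodelay (hypothetical class)."""
    rate: int = RATE_MILLI
    burst: int = BURST_MILLI
    state: dict = field(default_factory=dict)  # key -> (excess, last_ms)

    def allow(self, key: str, now_ms: int) -> bool:
        if key not in self.state:
            # First request from this key starts with an empty bucket.
            self.state[key] = (0, now_ms)
            return True
        excess, last_ms = self.state[key]
        elapsed = max(0, now_ms - last_ms)
        # Drain at `rate`, then add this request's cost (1000 = one request).
        excess = max(0, excess - self.rate * elapsed // 1000 + 1000)
        if excess > self.burst:
            # Rejected: state is left untouched (NGINX answers 503 by default).
            return False
        self.state[key] = (excess, now_ms)
        return True

def count_allowed(zone: LimitReqZone, key: str, now_ms: int, n: int) -> int:
    """Send n requests from one key at the same instant; return how many pass."""
    return sum(zone.allow(key, now_ms) for _ in range(n))

def demo() -> dict:
    """Replay a flood from one client and light traffic from another."""
    zone = LimitReqZone()
    a, b = "198.51.100.7", "198.51.100.8"  # constructed addresses (documentation range)
    return {
        "a_t0": count_allowed(zone, a, 0, 50),        # flood at t=0: 1 + burst pass
        "a_t100": count_allowed(zone, a, 100, 5),     # 100 ms later: one slot has drained
        "a_t1100": count_allowed(zone, a, 1100, 50),  # 1 s later: rate * 1 s slots drained
        "b_t1100": count_allowed(zone, b, 1100, 5),   # a different client is unaffected
    }

if __name__ == "__main__":
    for step, passed in demo().items():
        print(step, passed)
```

The first flood shows that `burst` is headroom on top of the rate: a client can land 21 requests at once before the limit bites, so backends still need to tolerate that spike per client address.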
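```nginx
# NGINX rate limiting: 10 requests/second per IP
# limit_req_zone belongs in the http context; the 10m zone holds per-IP state.
limit_req_zone $binary_remote_addr zone=api:10m rate=10r/s;

server {
    location /api/ {
        # Allow bursts of up to 20 requests over the rate, served without delay;
        # requests beyond that are rejected.
        limit_req zone=api burst=20 nodelay;
        # "backend" is an upstream group (or resolvable host name) defined elsewhere.
        proxy_pass http://backend;
    }
}
```
Request Routing and Path Rewriting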
A reverse proxy can route requests to different backend services based on URL path, hostname, or headers. This enables a single public-facing entry point for multiple services:
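```nginx
server {
    server_name api.example.com;

    # Route /users to the user service
    location /users/ {
        # The trailing slash on proxy_pass replaces the matched /users/ prefix with /
        proxy_pass http://user-service:8080/;
    }

    # Route /orders to the order service
    location /orders/ {
        proxy_pass http://order-service:8081/;
    }

    # Add security headers to all responses
    # ("always" also covers error responses, which add_header skips by default)
    add_header X-Frame-Options DENY always;
    add_header X-Content-Type-Options nosniff always;
}
```
Caching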
NGINX and other reverse proxies can cache backend responses locally, acting as a mini-CDN within your datacenter. This is useful for idempotent API responses that change infrequently, reducing backend load without a full CDN setup.
- Authentication/Authorization gateway: Verify JWTs or API keys at the proxy layer before forwarding requests.
- Request buffering: Buffer slow client uploads before forwarding to backend, preventing backends from sitting idle waiting for slow client connections.
- Circuit breaking: Envoy and similar proxies implement circuit breaker patterns natively.
- Observability: Centralized access logging, metrics, and distributed tracing injection (adding trace headers).
Interview Tip
When discussing microservices architecture, mention that an API Gateway is essentially a sophisticated reverse proxy with added features: authentication, authorization, request transformation, API versioning, and developer portal integration. AWS API Gateway, Kong, and Apigee are common examples. In interviews, you can say 'I'd put an API gateway in front of my services to handle cross-cutting concerns like auth and rate limiting, keeping each service focused on business logic.'