
Proxies (Forward & Reverse)

Servers that sit between two parties and intercept their traffic for some purpose.


Both are middlemen; the difference is which side they protect. A forward proxy fronts the clients (privacy, filtering). A reverse proxy fronts your servers and is where TLS termination, caching, and load balancing usually live, which is why it shows up in almost every architecture.


Plain English: a middleman server. A forward proxy speaks on behalf of the client (your VPN, your work proxy). A reverse proxy speaks on behalf of the server (Nginx in front of your app). Same idea, opposite sides.

What it is

A proxy mediates between a client and a server. A forward proxy acts on behalf of the client (think: corporate web proxy, VPN). A reverse proxy acts on behalf of the server (think: Nginx in front of your app servers; load balancers, API gateways, and CDN edges are all reverse proxies).

The problem it solves

Different problems for each direction. Forward proxies provide content filtering, caching, anonymization, or access control for clients in a network. Reverse proxies provide load balancing, TLS termination, caching, auth, and abstraction in front of backend services.

How it works

Forward proxy: client is configured to send requests through the proxy, which forwards them to the destination. Reverse proxy: clients hit a single address; the reverse proxy routes the request to one of many backend servers based on URL, headers, or load.
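One way the reverse-proxy routing step above can look in code, as an added example that is not from the original page or from any proxy's own code base: it picks a backend by longest path prefix and lowest load, then builds the upstream headers without trusting a client-supplied X-Forwarded-For. The route table, addresses, trusted-proxy range and function names are constructed for illustration.

```python
import ipaddress

# Constructed sample data (assumptions for this example, not from the page).
ROUTES = {"/api/": ["10.0.1.10:8080", "10.0.1.11:8080"], "/": ["10.0.2.10:8080"]}
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]  # e.g. our own edge tier
# Classic hop-by-hop headers: meaningful for one connection only, never forwarded.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailer", "transfer-encoding", "upgrade"}

def pick_backend(path, active):
    """Longest matching path prefix wins, then the backend with fewest in-flight requests."""
    prefix = max((p for p in ROUTES if path.startswith(p)), key=len)
    return min(ROUTES[prefix], key=lambda b: active.get(b, 0))

def is_trusted(peer_ip):
    """True when the TCP peer is one of the proxies we operate."""
    addr = ipaddress.ip_address(peer_ip)
    return any(addr in net for net in TRUSTED_PROXIES)

def upstream_headers(peer_ip, headers):
    """Build the headers sent to the backend for a request received from peer_ip."""
    lower = {k.lower(): v for k, v in headers.items()}
    # Headers named in Connection are hop-by-hop too and must be dropped.
    named = {t.strip().lower() for t in lower.get("connection", "").split(",") if t.strip()}
    out = {k: v for k, v in lower.items() if k not in HOP_BY_HOP | named}
    # Keep an existing X-Forwarded-For chain only if the sender is a trusted proxy;
    # otherwise the value is client-controlled and could forge the client address.
    prior = out.get("x-forwarded-for") if is_trusted(peer_ip) else None
    out["x-forwarded-for"] = f"{prior}, {peer_ip}" if prior else peer_ip
    return out

def forward(peer_ip, path, headers, active):
    """Return (backend, headers) for the upstream request."""
    return pick_backend(path, active), upstream_headers(peer_ip, headers)

if __name__ == "__main__":
    load = {"10.0.1.10:8080": 3, "10.0.1.11:8080": 1}  # in-flight requests per backend
    spoofed = {"Host": "example.test", "X-Forwarded-For": "127.0.0.1",
               "Connection": "keep-alive, X-Debug", "X-Debug": "1"}
    print(forward("203.0.113.7", "/api/users", spoofed, load))
```

A backend that rate-limits or logs by client address should read only the X-Forwarded-For value written by a proxy it trusts, which is what the trusted-range check enforces here.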

Why use it

  • Reverse proxy: hides backend topology, terminates TLS once, centralizes routing
  • Forward proxy: enforces policy uniformly for a population of clients
  • Both can cache, both can rewrite, both can authenticate

What it costs you

  • Extra hop adds latency
  • Reverse proxy is a single point of failure (SPOF) unless run in a fleet
  • Misconfigured proxies leak client IPs, break TLS, or open security holes

Where it shows up in our architectures

  • URL Shortener

    API Gateway is a reverse proxy with auth + rate-limiting

  • API Rate Limiter

    Edge proxy IS a reverse proxy that runs rate-limit checks

  • Netflix

    Zuul is a reverse proxy for control-plane traffic; CDN edges are reverse proxies for video bytes

Gotchas

  • Reverse proxies are everywhere: load balancers, API gateways, CDN edges, sidecars (Envoy). Same pattern, different roles.
  • TLS termination at the proxy means traffic between the proxy and the backends is plaintext (inside the trusted network). Use mTLS if you need encryption all the way through.
  • Forward proxies hide less than you think; many sites detect proxy headers and treat proxied traffic differently.

Interview angle

Proxies come up as infrastructure in almost every system design, but they're rarely the main topic. The signal is to use the right vocabulary: when you say 'Nginx sits in front of my app servers,' that's a reverse proxy, so say that word. Know that in a service mesh, a sidecar like Envoy is a reverse proxy that handles mTLS, retries, and circuit breaking between services. Candidates who just say 'load balancer' and skip the proxy layer miss the chance to show architectural depth.
