What is a reverse proxy? A plain-English guide for developers

  • VersionDude

A reverse proxy sits in front of your servers and handles every incoming request first — routing, HTTPS, caching and protection in one place. What it does, how it differs from a forward proxy, and the tools that run one.

A reverse proxy is a server that sits in front of one or more backend servers and handles every incoming request before they do. The client — a browser or an app — only ever talks to the proxy; the proxy decides which backend should answer, forwards the request, and sends the response back. To the outside world it looks like a single server, even when several are doing the work behind it.

Reverse proxy vs forward proxy

Blue Ethernet cables plugged into a network switch — the routing layer a reverse proxy sits in front of.

The name makes more sense next to its opposite. A forward proxy sits in front of clients and speaks to the wider internet on their behalf, hiding who is making the request — the model behind corporate web filters and many VPNs. A reverse proxy does the mirror image: it sits in front of servers and faces the clients, hiding the backend. Same go-between idea, opposite side of the conversation.

What a reverse proxy actually does

Its first job is routing. One public domain and IP address can front many different applications: requests for /api go to one service, /blog to another, everything else to a third, all without the visitor ever seeing the ports or machines underneath. That single entry point is what lets you run a dozen small services and still present one clean address to the world.

  • One domain in front of several apps or microservices
  • Automatic HTTPS / TLS termination (Caddy, Nginx)
  • Load balancing across identical backends
  • Caching and compression to spare the backend
  • Rate limiting, WAF and hiding backend servers

On top of routing, a reverse proxy is where the cross-cutting work gets done once instead of in every app. It terminates TLS, so HTTPS certificates live in one place rather than inside each service. It can load-balance requests across several identical backends, cache common responses so the backend is not hit twice for the same thing, and compress replies to save bandwidth — all transparently to the apps behind it.

A natural security boundary

It is also a natural security boundary. Because backends never face the internet directly, their real addresses and software stay hidden, shrinking what an attacker can see. The proxy becomes the single place to enforce rate limits, block abusive traffic, attach a web application firewall, or cut off a misbehaving client — controls you would otherwise have to bolt onto every service separately.
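
The routing, TLS termination, load balancing and security controls described above, put together in one Nginx configuration. This is an added example, not part of the original article; the domain `example.com`, the loopback ports, the certificate paths and the rate-limit numbers are all assumed placeholders.

```nginx
# Added example: hostnames, ports, paths and limits are assumed placeholders.
# These blocks belong inside the http {} context of nginx.conf.

# Rate-limit state keyed by client address: 10 requests/second per IP.
limit_req_zone $binary_remote_addr zone=per_ip:10m rate=10r/s;

# Backends listen on loopback only, so they are unreachable from outside.
upstream api_backend {
    server 127.0.0.1:3000;
    server 127.0.0.1:3001;   # second identical copy; requests are balanced across both
}
upstream blog_backend { server 127.0.0.1:4000; }
upstream site_backend { server 127.0.0.1:5000; }

server {
    listen 443 ssl;
    server_name example.com;

    # TLS terminates here; the backends speak plain HTTP on loopback.
    ssl_certificate     /etc/nginx/tls/example.com.crt;
    ssl_certificate_key /etc/nginx/tls/example.com.key;

    server_tokens off;                # do not advertise the nginx version
    proxy_hide_header X-Powered-By;   # drop the backend framework banner

    # Overwrite, rather than append to, any client-supplied forwarding
    # headers so backends only ever see values set by this proxy.
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Trailing slashes keep a path such as /apiary out of the /api/ route.
    location /api/ {
        limit_req zone=per_ip burst=20 nodelay;
        limit_req_status 429;
        proxy_pass http://api_backend;
    }
    location /blog/ { proxy_pass http://blog_backend; }
    location /      { proxy_pass http://site_backend; }
}

# Plain HTTP exists only to redirect to HTTPS.
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
```

The backend hiding only holds if the services really are bound to loopback or a private network; a backend that also listens on a public interface can be reached without passing through any of these controls.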

The tools that run reverse proxies

A handful of tools dominate this space. Nginx and HAProxy are the long-standing, battle-tested choices; Caddy is popular for getting automatic HTTPS working with almost no configuration; and Traefik is built for container and Kubernetes setups where backends come and go. Apache can do the job too with mod_proxy, and managed options — cloud load balancers, or a service like Cloudflare — are essentially reverse proxies someone else runs for you.

Common reverse-proxy setups

In practice you meet a reverse proxy whenever one server has to do more than one thing. Common setups include serving several websites from a single machine, putting HTTPS in front of an app that only speaks plain HTTP, exposing internal microservices under one tidy domain, or spreading traffic across a few copies of an app for resilience. Self-hosters lean on it constantly to run many tools behind one address.

Reverse proxy vs load balancer vs API gateway

It helps to place a reverse proxy against its neighbours. A load balancer is really just one feature a reverse proxy can provide: spreading requests across backends. An API gateway is a specialised reverse proxy for APIs, adding authentication, rate limiting and request shaping on top. The terms overlap because they are all variations on the same idea — a smart front door in front of your services.


Should you run one yourself?

So would you run one yourself? If you self-host more than a single service, want HTTPS handled cleanly, or need one address in front of several apps, a reverse proxy like Nginx or Caddy is the standard answer — and it needs a server you control to run on. It is a small, stable piece of infrastructure that quietly does a lot, which is exactly why almost every production stack has one.

FAQ

What is the difference between a reverse proxy and a forward proxy?

A forward proxy sits in front of clients and makes requests to the internet on their behalf, hiding who is asking. A reverse proxy is the mirror image: it sits in front of servers, facing the clients, and hides the backend. Same go-between role, opposite side of the conversation.

Is a reverse proxy the same as a load balancer?

Not exactly. Load balancing — spreading requests across several backends — is just one of the jobs a reverse proxy can do. A reverse proxy also handles routing, TLS termination, caching and security, so a load balancer is really one feature of the broader reverse-proxy role.

Which software is used to run a reverse proxy?

Common choices are Nginx and HAProxy (long-standing and battle-tested), Caddy (popular for automatic HTTPS), and Traefik (built for containers and Kubernetes). Apache can also do it with mod_proxy, and managed options like cloud load balancers or Cloudflare are reverse proxies someone else runs for you.

Do I need a reverse proxy?

If you self-host more than one service, want HTTPS handled cleanly in one place, or need a single address in front of several apps, a reverse proxy like Nginx or Caddy is the standard answer. For a single simple app it is optional, but almost every production stack uses one.
