Proxy
Proxies are intermediaries that forward, filter, or transform requests between clients and target systems. They are used for load balancing, security, caching and service integration.
Classification
- Complexity: Medium
- Impact area: Technical
- Decision type: Architectural
- Organizational maturity: Intermediate
Technical context
Principles & goals
Use cases & scenarios
Compromises
- Insecure defaults can lead to open forwarding or information leakage.
- Faulty TLS handling undermines trust and security assumptions.
- Proxy overload can trigger cascading failures across the system.
- Manage and version configuration as code.
- Use health checks and circuit breakers.
- Collect metrics, logs and traces centrally.
I/O & resources
- request and routing policy
- TLS / certificate material
- backend service endpoints and health checks
- encapsulated, standardized endpoint
- centralized logs, metrics and traces
- enforced security and access controls
Description
Proxies act as intermediaries between clients and target servers, forwarding, filtering, or transforming requests. They provide load balancing, caching, access control and observability within distributed architectures. Different proxy types (forward, reverse, transparent) address distinct security and integration requirements and are core components of API gateways and edge infrastructure.
✔Benefits
- Centralized routing and aggregation of interfaces.
- Improved security via access control and TLS termination.
- Performance gains through caching and load balancing.
✖Limitations
- Additional network latency due to extra hop(s).
- Operational overhead for availability, scaling and configuration.
- Misconfiguration can create a single point of failure.
Trade-offs
Metrics
- latency (P95): 95th percentile of response times measured through the proxy.
- error rate: Ratio of failed forwards or 5xx responses.
- throughput (requests/s): Number of requests processed by the proxy per second.
Examples & implementations
Nginx as reverse proxy for web apps
Nginx performs TLS termination and forwards requests to multiple backend services.
Squid as forward proxy in corporate networks
Squid filters and caches HTTP traffic for internal clients and enables access control.
Envoy as sidecar in a service mesh
Envoy provides L7 routing, tracing and mTLS features in Kubernetes environments.
Implementation steps
- Define requirements and proxy roles (forward, reverse, sidecar).
- Select an appropriate proxy and deploy a prototype in a test environment.
- Implement and test routing, security and observability rules.
- Plan and automate scaling and failover scenarios.
⚠️ Technical debt & bottlenecks
Technical debt
- Temporary routing workarounds that are undocumented.
- Outdated TLS configurations or weak cipher suites.
- Manual certificate management instead of automated rotation.
Known bottlenecks
Misuse examples
- Using a proxy as a WAF replacement without specialized security rules.
- Introducing static routing to critical services without health checks.
- Performing TLS termination in the wrong place and breaking end-to-end encryption.
Typical traps
- Insufficient monitoring leads to long debugging cycles.
- Incorrect header forwarding causes security vulnerabilities.
- Scaling issues caused by stateful caching in single instances.
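The header-forwarding trap above, shown as an added example (not code from this page or from any proxy product): a reverse proxy should drop hop-by-hop headers and should only keep client-identity headers such as `X-Forwarded-For` when the directly connected peer is a known proxy. The function name, the sample request and the trusted range `10.0.0.0/8` are assumptions made for illustration, and the example goes beyond the page by naming concrete headers.

```python
import ipaddress

# Hop-by-hop headers are valid for one connection only and are never forwarded.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "proxy-connection", "te", "trailer", "transfer-encoding", "upgrade"}
# Client-identity headers: believed only when the direct peer is a trusted proxy.
IDENTITY = {"x-forwarded-for", "x-forwarded-proto", "x-forwarded-host",
            "x-real-ip", "forwarded"}

def build_upstream_headers(inbound, peer_ip, trusted_proxies):
    """Return the (name, value) list to send to the backend.

    inbound: headers received from the peer, as (name, value) pairs.
    peer_ip: address of the TCP peer, the only address the proxy observed itself.
    trusted_proxies: CIDR ranges of proxies whose identity headers are accepted.
    """
    peer = ipaddress.ip_address(peer_ip)
    trusted = any(peer in ipaddress.ip_network(net) for net in trusted_proxies)

    # Headers nominated in Connection are hop-by-hop for this request as well.
    nominated = set()
    for name, value in inbound:
        if name.lower() == "connection":
            nominated.update(t.strip().lower() for t in value.split(",") if t.strip())

    out, chain = [], []
    for name, value in inbound:
        key = name.lower()
        if key in HOP_BY_HOP or key in nominated:
            continue
        if key in IDENTITY and not trusted:
            continue  # unverified claim about the client: discard it
        if key == "x-forwarded-for":
            chain.extend(v.strip() for v in value.split(",") if v.strip())
            continue  # re-emitted below with the observed peer appended
        out.append((name, value))

    out.append(("X-Forwarded-For", ", ".join(chain + [str(peer)])))
    return out

# Constructed sample request, not captured traffic.
SAMPLE_INBOUND = [
    ("Host", "app.example"),
    ("X-Forwarded-For", "198.51.100.9"),
    ("X-Real-IP", "198.51.100.9"),
    ("Connection", "keep-alive, X-Debug"),
    ("Keep-Alive", "timeout=5"),
    ("X-Debug", "1"),
]
```

Backends should then read the client address from the rightmost entries of `X-Forwarded-For` that their own proxies appended, not from the leftmost value.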
Required skills
Architectural drivers
Constraints
- existing network topology and firewall rules
- compatibility with protocol versions (HTTP/1.1, HTTP/2, gRPC)
- organizational policies for TLS handling and certificate management