Reverse Proxy
A mediator server that accepts client requests and forwards them to internal backend servers, centralizing routing, security and performance functions.
Classification
- ComplexityMedium
- Impact areaTechnical
- Decision typeArchitectural
- Organizational maturityIntermediate
Technical context
Principles & goals
Use cases & scenarios
Compromises
- Misconfiguration can block traffic or introduce security vulnerabilities.
- Insufficient scaling leads to bottlenecks under load.
- Incorrect TLS handling compromises confidentiality.
- Run proxy instances highly available across multiple availability zones.
- Centralize TLS management and automate certificate renewal.
- Instrument metrics and ship logs for fast troubleshooting.
I/O & resources
- List of backend services/upstreams
- Routing rules and header policies
- TLS certificates and secrets
- Centralized routing and load balancing
- Aggregated metrics and logs
- Improved fault tolerance and performance
Description
A reverse proxy is a server positioned between clients and backend services that accepts requests and forwards them to internal servers. It provides load balancing, TLS termination, caching and security features as a central routing layer. Reverse proxies support health checks, canary rollouts and expose metrics and logs for observability without changing backends.
✔Benefits
- Centralized control over routing and security policies.
- Offloading backends via caching and TLS termination.
- Enables canary deployments and fine-grained traffic control.
✖Limitations
- Additional latency and potential single point of failure without HA.
- Configuration complexity and secret management (TLS).
- Cache invalidation and consistency can be challenging.
Trade-offs
Metrics
- Latency (p95/p99)
Measure of response times through the proxy; important for performance SLAs.
- Cache hit ratio
Share of requests served from cache; impacts backend load.
- Upstream error rate
Proportion of erroneous responses from backends as observed via the proxy.
Examples & implementations
NGINX as reverse proxy in front of a web application
NGINX terminates TLS, distributes load and caches static content for a scaling web application.
HAProxy for high throughput and TCP routing
HAProxy is used for SSL passthrough, TCP load balancing and detailed health checking.
Kubernetes Ingress Controller as reverse proxy
Ingress controllers (e.g., NGINX Ingress) manage routing, TLS and rate limiting for container workloads.
Implementation steps
Analyze architecture and requirements
Choose suitable proxy software (NGINX/HAProxy/Ingress)
Configure upstreams, routing rules and TLS
Enable health checks, rate limiting and caching
Introduce monitoring, alerts and canary tests
⚠️ Technical debt & bottlenecks
Technical debt
- Hardcoded upstream lists instead of service discovery.
- Unversioned proxy configuration hinders rollbacks.
- Missing automation for cert rotation and key management.
Known bottlenecks
Misuse examples
- Storing TLS certificates on a single proxy instance without rotation.
- Performing all authentication checks only in the proxy and not in backends.
- Aggressively caching dynamic API responses causing inconsistent data.
Typical traps
- Omitted header forwarding (X-Forwarded-For, trace headers) breaks authentication.
- Insufficient timeouts lead to hung connections under load.
- Missing upstream health checks leave defective backends in rotation.
Required skills
Architectural drivers
Constraints
- • Required high availability for production use
- • Regulatory requirements for TLS/logging
- • Limited proxy resources (CPU/RAM) affect scaling