What is a Proxy?
A proxy server is an intermediary that sits between clients and servers, handling requests on behalf of one side or the other. The key distinction is whose side it's on: the client's side (forward proxy) or the server's side (reverse proxy).
Think of it like a translator or representative: they speak for you, but which "you"βthe client or the server?
Forward Proxy (Client-Side Proxy)
A forward proxy sits between clients and the internet, acting on behalf of clients.
graph LR
Client[π€ Client] -->|request| FP[Forward Proxy]
FP -->|request| Internet[π Server]
Internet -->|response| FP
FP -->|response| Client
Note1[Server sees proxy IP,<br/>not client IP]
How It Works
- Client configures browser to use proxy
- Client sends request to proxy
- Proxy forwards request to destination server
- Server sees proxy's IP address, not client's
- Proxy returns response to client
Use Cases
1. Anonymity & Privacy
Client IP: 192.168.1.100 (hidden)
β
Forward Proxy IP: 203.0.113.50
β
Website sees: 203.0.113.50 (not your real IP)
Examples:
- VPNs (NordVPN, ExpressVPN)
- Tor network (onion routing through multiple proxies)
- Privacy-focused browsers
2. Access Control & Bypass Restrictions
# Corporate firewall blocks social media
if request.url.contains("facebook.com"):
return "403 Forbidden"
# But employees can use forward proxy outside network
employee β home proxy β facebook.com β
Examples:
- Bypass geographic restrictions (Netflix region locks)
- Access blocked websites in restrictive countries
- Circumvent corporate firewalls
3. Content Filtering (Corporate/School Networks)
# Squid proxy configuration acl blocked_sites dstdomain .facebook.com .youtube.com http_access deny blocked_sites
Examples:
- Schools blocking gaming sites
- Companies blocking streaming services
- Parental controls
4. Caching (Save Bandwidth)
100 employees request same software update Without proxy: 100 downloads Γ 500MB = 50GB bandwidth With proxy cache: 1 download Γ 500MB = 500MB bandwidth
Popular forward proxy software:
- Squid
- Apache HTTP Server (mod_proxy)
- SOCKS5 proxies
Reverse Proxy (Server-Side Proxy)
A reverse proxy sits in front of backend servers, acting on behalf of servers.
graph LR
Client[π€ Client] -->|request| RP[Reverse Proxy<br/>Nginx/Cloudflare]
RP -->|distribute| S1[Backend Server 1]
RP -->|distribute| S2[Backend Server 2]
RP -->|distribute| S3[Backend Server 3]
Note2[Clients don't know<br/>about backend servers]
How It Works
- Client sends request to public-facing reverse proxy
- Proxy decides which backend server should handle it
- Proxy forwards request to chosen backend
- Backend processes request
- Proxy returns response to client
- Client never knows which backend server was used
Use Cases
1. Load Balancing
Distribute traffic across multiple servers:
# Nginx reverse proxy config
upstream backend {
server backend1.example.com weight=3;
server backend2.example.com;
server backend3.example.com;
}
server {
location / {
proxy_pass http://backend;
}
}
Algorithms:
- Round Robin: Server1 β Server2 β Server3 β Server1...
- Least Connections: Send to server with fewest active connections
- IP Hash: Same client IP always goes to same server (session affinity)
2. SSL/TLS Termination
Client ----HTTPS----> Reverse Proxy ----HTTP----> Backend Servers
(encrypted) (plain)
Benefits:
- Backend servers don't need SSL certificates
- Centralized certificate management
- Reduced CPU load on backend (no encryption overhead)
- Easier to implement HTTP/2 or HTTP/3
Example (Nginx):
server {
listen 443 ssl;
ssl_certificate /path/to/cert.pem;
ssl_certificate_key /path/to/key.pem;
location / {
proxy_pass http://backend:8080; # Plain HTTP to backend
}
}
3. Security & Hiding Backend
Attacker scans: reverse-proxy.com Finds: Nginx server Cannot see: Database at 10.0.0.5, App servers at 10.0.0.10-20
Security benefits:
- Hide backend server IPs and topology
- DDoS protection (Cloudflare, AWS Shield)
- WAF (Web Application Firewall) integration
- Rate limiting at proxy level
4. Caching Static Content
# Cache images, CSS, JS for 1 day
location ~* \.(jpg|jpeg|png|gif|css|js)$ {
proxy_pass http://backend;
proxy_cache my_cache;
proxy_cache_valid 200 1d;
add_header X-Cache-Status $upstream_cache_status;
}
Result:
- First request: Proxy fetches from backend, caches result
- Next 1,000,000 requests: Served from proxy cache
- Backend load reduced 99.9%
5. Compression
gzip on; gzip_types text/plain text/css application/json; proxy_pass http://backend;
Proxy compresses responses before sending to clients, saving bandwidth.
6. Routing & API Gateway
# Route based on URL path
location /api/users {
proxy_pass http://user-service:3000;
}
location /api/orders {
proxy_pass http://order-service:4000;
}
location /api/payments {
proxy_pass http://payment-service:5000;
}
Forward vs Reverse Proxy Comparison
| Aspect | Forward Proxy | Reverse Proxy |
|---|---|---|
| Acts on behalf of | Client | Server |
| Clients know about it? | Yes (must configure) | No (transparent) |
| Main purpose | Client privacy, filtering | Load balancing, security |
| Deployment | Client network/VPN | Server infrastructure |
| Anonymizes | Client identity | Server identity |
| Examples | VPN, Squid, Tor | Nginx, HAProxy, Cloudflare |
Visual Comparison
Forward Proxy Flow:
[Client] ---config---> [Forward Proxy] ---------> [Internet/Server]
(hides client)
Reverse Proxy Flow:
[Client] ---------> [Reverse Proxy] ---hidden---> [Backend Servers]
(public) (public-facing) (hidden)
Real-World Examples
Netflix Geo-Restriction Bypass (Forward Proxy)
User in Country A (Netflix library = 1,000 titles)
β
Forward Proxy in USA
β
Netflix sees USA IP
β
User gets USA library (5,000 titles)
Cloudflare (Reverse Proxy)
yourwebsite.com points to Cloudflare IP (public) Cloudflare proxies requests to your origin server (hidden IP: 203.0.113.100) Benefits: - DDoS protection (Cloudflare absorbs attack) - Global CDN caching - SSL termination - Rate limiting - WAF rules
Nginx Reverse Proxy for Microservices
# docker-compose.yml
services:
nginx:
image: nginx
ports:
- "80:80"
volumes:
- ./nginx.conf:/etc/nginx/nginx.conf
user-service:
image: user-api
ports:
- "3000:3000"
order-service:
image: order-api
ports:
- "4000:4000"
# nginx.conf
server {
location /users/ {
proxy_pass http://user-service:3000/;
}
location /orders/ {
proxy_pass http://order-service:4000/;
}
}
Proxy Technologies
Popular Reverse Proxies
| Technology | Strengths | Use Case |
|---|---|---|
| Nginx | High performance, low memory | Web servers, API gateway |
| HAProxy | Advanced load balancing | High-traffic sites |
| Traefik | Docker/Kubernetes native | Microservices |
| Cloudflare | Global CDN, DDoS protection | Public-facing sites |
| Envoy | Modern observability | Service mesh (Istio) |
Popular Forward Proxies
| Technology | Strengths | Use Case |
|---|---|---|
| Squid | Mature, full-featured | Corporate networks |
| Privoxy | Privacy-focused | Personal use |
| SOCKS5 | Protocol-agnostic | General proxying |
| Tor | Maximum anonymity | Privacy-critical users |
Interview Tips π‘
When discussing proxies in system design interviews:
- Clarify which type: "Are we using a forward proxy for client privacy or reverse proxy for load balancing?"
- Explain the benefit: "A reverse proxy lets us hide backend servers and terminate SSL in one place..."
- Mention specific tools: "We'd use Nginx as a reverse proxy for load balancing and SSL termination..."
- Discuss caching: "The reverse proxy can cache static assets, reducing backend load by 90%..."
- Security considerations: "Reverse proxy acts as WAF, blocking malicious requests before they reach our application..."
- Scale implications: "With Cloudflare as reverse proxy, we can handle DDoS attacks and cache globally..."
Related Concepts
- Load Balancing β Reverse proxies distribute load
- CDN β CDNs are specialized reverse proxies
- API Gateway β API gateways are reverse proxies with routing
- Caching β Proxies implement caching strategies
- Microservices β Reverse proxies route to services
About ScaleWiki
ScaleWiki is an interactive educational platform dedicated to demystifying distributed systems, software architecture, and system design. Our mission is to provide high-quality, technically accurate resources for software engineers preparing for interviews or solving complex scaling challenges in production.
Read more about our Editorial Guidelines & Authorship.
Educational Disclaimer: The architectural patterns and system designs discussed in this article are based on common industry practices, technical whitepapers, and public engineering blogs. Actual implementations in enterprise environments may vary significantly based on specific product requirements, legacy constraints, and evolving technologies.
Related Articles
DNS Architecture
The phonebook of the internet. How Domain Name System works, the hierarchy of Route 53, and recursive vs iterative resolution strategies.
Service Discovery
Complete guide to microservice discovery in dynamic cloud environments, covering client-side vs server-side patterns, health checks, DNS-based discovery, and production implementations using Consul, etcd, Eureka, and Kubernetes services.
BitTorrent Protocol (P2P File Sharing)
Complete guide to peer-to-peer file sharing using BitTorrent protocol, covering torrent structure, piece exchange, tit-for-tat algorithm, DHT for decentralization, and real-world implementations powering massive file distribution networks.