Chapter 68: Reverse Proxies
Overview
A reverse proxy sits between clients and backend servers, forwarding client requests to appropriate backend services. It provides load balancing, SSL termination, caching, security, and simplified architecture. This chapter covers reverse proxy concepts, detailed configuration for Nginx and Apache, advanced features, and production best practices.
68.1 Reverse Proxy Basics
What is a Reverse Proxy
```
               REVERSE PROXY ARCHITECTURE

                         CLIENTS
  ┌─────────┐   ┌─────────┐   ┌─────────┐   ┌─────────┐
  │ Browser │   │   App   │   │ Mobile  │   │   CLI   │
  └────┬────┘   └────┬────┘   └────┬────┘   └────┬────┘
       └─────────────┴──────┬──────┴─────────────┘
                            │
                            ▼
  ┌───────────────────────────────────────────────────┐
  │                   REVERSE PROXY                   │
  │  • SSL Termination                                │
  │  • Load Balancing                                 │
  │  • Caching                                        │
  │  • Compression                                    │
  │  • Security (DDoS, WAF)                           │
  │  • Static File Serving                            │
  └─────────────────────────┬─────────────────────────┘
                            │
                            ▼
                     BACKEND SERVERS
  ┌─────────┐   ┌─────────┐   ┌─────────┐   ┌─────────┐
  │  App 1  │   │  App 2  │   │  App 3  │   │  API 1  │
  │  :3000  │   │  :3001  │   │  :3002  │   │  :8000  │
  └─────────┘   └─────────┘   └─────────┘   └─────────┘
```

Benefits:
- Single entry point for multiple services
- Load distribution across multiple backends
- SSL/TLS offloading
- Caching reduces backend load
- Protection from direct exposure
- Simplified client configuration
- A/B testing and canary deployments

68.2 Nginx Reverse Proxy
Basic Configuration
```nginx
# ============================================================
# NGINX REVERSE PROXY CONFIGURATION
# ============================================================

# Basic reverse proxy
server {
    listen 80;
    server_name example.com;

    # Access and error logs
    access_log /var/log/nginx/example.com_access.log;
    error_log /var/log/nginx/example.com_error.log;

    location / {
        # Backend server
        proxy_pass http://127.0.0.1:3000;

        # Headers
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Appends $remote_addr to any X-Forwarded-For value the client sent
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;

        # Timeouts
        proxy_connect_timeout 60s;
        proxy_send_timeout 60s;
        proxy_read_timeout 60s;

        # Buffering
        proxy_buffering on;
        proxy_buffer_size 4k;
        proxy_buffers 8 16k;
        proxy_busy_buffers_size 24k;

        # Other
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }

    # Health check endpoint
    location /health {
        proxy_pass http://127.0.0.1:3000/health;
        access_log off;
    }
}
```
Advanced Configuration
```nginx
# ============================================================
# NGINX ADVANCED CONFIGURATION
# ============================================================

# Load balancing with multiple backends
upstream backend {
    least_conn;  # or ip_hash, hash $request_uri

    server 127.0.0.1:3000 weight=3;
    server 127.0.0.1:3001 weight=2;
    server 127.0.0.1:3002 weight=1;

    # Backup server: receives traffic only when the servers above are unavailable
    server 127.0.0.1:3003 backup;

    # Keep-alive
    keepalive 32;
}

# Cache zone for the proxy_cache_valid rules below (http context).
# The path and zone name are example values.
proxy_cache_path /var/cache/nginx/api keys_zone=api_cache:10m;

server {
    listen 80;
    server_name example.com;

    # Enable gzip
    gzip on;
    gzip_types text/plain application/json application/javascript text/css;
    gzip_min_length 1000;

    # Static files (serve directly)
    location /static/ {
        alias /var/www/static/;
        expires 30d;
        add_header Cache-Control "public, immutable";
    }

    # API proxy
    location /api/ {
        proxy_pass http://backend;

        # Needed for the upstream keepalive pool to be used
        proxy_http_version 1.1;
        proxy_set_header Connection "";

        # Buffer and cache JSON responses. Without proxy_cache the
        # proxy_cache_valid lines have no effect. The default cache key does
        # not include credentials, so cache only responses that are identical
        # for every user.
        proxy_buffering on;
        proxy_cache api_cache;
        proxy_cache_valid 200 60m;
        proxy_cache_valid 404 1m;

        # Add cache headers
        add_header X-Cache-Status $upstream_cache_status;
    }

    # WebSocket support
    location /ws/ {
        proxy_pass http://backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 86400;
    }

    # Error pages
    error_page 502 503 504 /50x.html;
    location = /50x.html {
        root /usr/share/nginx/html;
    }
}
```
SSL Termination
```nginx
# ============================================================
# NGINX SSL TERMINATION
# ============================================================

server {
    listen 443 ssl http2;
    server_name example.com;

    # SSL certificate
    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    # SSL configuration (modern)
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # HSTS
    add_header Strict-Transport-Security "max-age=63072000" always;

    # Proxy the decrypted requests to the backend over plain HTTP
    location / {
        proxy_pass http://backend;
        # ... headers
    }
}

# HTTP to HTTPS redirect
server {
    listen 80;
    server_name example.com;
    return 301 https://$host$request_uri;
}
```
68.3 Apache Reverse Proxy
Basic Configuration
```apache
# ============================================================
# APACHE REVERSE PROXY CONFIGURATION
# ============================================================

# Enable required modules
# a2enmod proxy proxy_http ssl headers proxy_wstunnel

<VirtualHost *:80>
    ServerName example.com

    # Logging
    ErrorLog ${APACHE_LOG_DIR}/example.com_error.log
    CustomLog ${APACHE_LOG_DIR}/example.com_access.log combined

    # Proxy settings (ProxyRequests Off keeps this from acting as a forward proxy)
    ProxyRequests Off
    ProxyPreserveHost On

    # Timeout
    ProxyTimeout 60

    <Proxy *>
        Require all granted
    </Proxy>

    # Basic proxy
    ProxyPass / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/

    # Headers
    # mod_proxy adds X-Forwarded-For, X-Forwarded-Host and X-Forwarded-Server
    # itself (ProxyAddHeaders On is the default), so X-Forwarded-For is not
    # set by hand here.
    RequestHeader set X-Real-IP "%{REMOTE_ADDR}s"
    RequestHeader set X-Forwarded-Proto "%{REQUEST_SCHEME}s"
</VirtualHost>
```
Advanced Configuration
```apache
# ============================================================
# APACHE ADVANCED CONFIGURATION
# ============================================================

# Additional modules used below
# a2enmod proxy_balancer lbmethod_byrequests rewrite deflate

<VirtualHost *:80>
    ServerName example.com

    # Enable mod_proxy
    ProxyRequests Off
    ProxyPreserveHost On

    # Load balancing
    <Proxy balancer://mycluster>
        BalancerMember http://127.0.0.1:3000 route=app1
        BalancerMember http://127.0.0.1:3001 route=app2
        ProxySet lbmethod=byrequests
    </Proxy>

    # Proxy paths
    ProxyPass /api balancer://mycluster/api
    ProxyPassReverse /api balancer://mycluster/api

    # WebSocket support
    RewriteEngine On
    RewriteCond %{HTTP:Upgrade} =websocket [NC]
    RewriteRule /(.*) ws://127.0.0.1:3001/$1 [P,L]
    # Everything else goes to the app server. [P] rules are evaluated before
    # ProxyPass, so /api is excluded here to keep it on the balancer.
    RewriteCond %{HTTP:Upgrade} !=websocket [NC]
    RewriteCond %{REQUEST_URI} !^/api
    RewriteRule /(.*) http://127.0.0.1:3000/$1 [P,L]

    # Compression
    <IfModule mod_deflate.c>
        AddOutputFilterByType DEFLATE application/json text/html text/plain text/css application/javascript
    </IfModule>
</VirtualHost>

# SSL Termination
<VirtualHost *:443>
    ServerName example.com

    SSLEngine on
    SSLCertificateFile /etc/ssl/certs/example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/example.com.key

    # ... same proxy configuration
</VirtualHost>
```
68.4 Interview Questions
Q1: What is the difference between forward and reverse proxy?

A1:
- Forward proxy: Client-side, hides clients from internet
- Reverse proxy: Server-side, hides servers from clients
- Forward: Users → Proxy → Internet
- Reverse: Internet → Proxy → Backend Servers

Q2: Why use a reverse proxy?

A2:
- SSL termination (offload TLS)
- Load balancing
- Caching static content
- Security (hide backend servers)
- Simple URL structure
- A/B testing, canary deployments
- DDoS protection

Q3: How do you configure Nginx as a reverse proxy?

A3:
```nginx
server {
    location / {
        proxy_pass http://backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Q4: What headers should a reverse proxy set?

A4:
- Host: Original host header
- X-Real-IP: Client's actual IP
- X-Forwarded-For: All proxy IPs
- X-Forwarded-Proto: Original protocol (http/https)
- X-Forwarded-Host: Original host

Q5: How do you handle WebSocket through a reverse proxy?

A5:
Nginx:
```nginx
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
```

Apache:
```apache
RewriteEngine On
RewriteCond %{HTTP:Upgrade} =websocket [NC]
RewriteRule /(.*) ws://backend/$1 [P,L]
```

Q6: What is SSL termination?

A6:
- Reverse proxy handles SSL/TLS
- Backend servers receive plain HTTP
- Reduces CPU load on backends
- Simplifies certificate management
- Proxy decrypts requests, encrypts responses

Q7: How do you configure load balancing in Nginx?

A7:
```nginx
upstream backend {
    server 10.0.0.1:3000;
    server 10.0.0.2:3000;
    server 10.0.0.3:3000 backup;
}
```

Then in location:
```nginx
proxy_pass http://backend;
```

Q8: What is the difference between proxy_pass and alias in Nginx?

A8:
- proxy_pass: Reverse proxy, forwards requests
- alias: File system mapping, serves local files
- proxy_pass: http://backend handles /path
- alias: Maps URL to file path

Summary
- Reverse Proxy: Sits between clients and backend servers
- Benefits: Load balancing, SSL termination, caching, security
- Nginx: proxy_pass directive with headers
- Apache: ProxyPass with ProxyPassReverse
- Headers: X-Real-IP, X-Forwarded-For, Host
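
The forwarding headers above are only useful to a backend that knows which hop wrote them: `$proxy_add_x_forwarded_for` keeps whatever `X-Forwarded-For` value the client supplied and appends to it. The following is an added example, not code from this chapter, of how a backend behind the proxy can derive the client address and scheme; `TRUSTED_PROXIES`, `is_trusted` and `resolve_client` are names assumed for illustration, and the sample header values are constructed.

```python
import ipaddress

# Assumption: the proxy addresses this deployment operates. 127.0.0.1 matches
# the chapter's proxy_pass target; 10.0.0.0/8 stands in for an outer proxy tier.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.1/32", "10.0.0.0/8")]


def is_trusted(addr):
    """True if addr parses as an IP inside a trusted proxy network."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def resolve_client(peer_addr, headers):
    """Return (client_ip, scheme) as the backend should see them.

    peer_addr: address of the TCP peer; headers: dict with lower-case names.
    """
    # A request that did not arrive from our proxy gets no header trust at all.
    if not is_trusted(peer_addr):
        return peer_addr, "http"

    # $proxy_add_x_forwarded_for appends $remote_addr to whatever the client
    # sent, so only the right-hand end of the list was written by a proxy.
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",")]
    client = peer_addr
    for hop in reversed(hops):
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            break  # unparseable entry: keep the last valid address
        client = hop
        if not is_trusted(hop):
            break  # nearest address outside our proxy networks is the client

    # X-Forwarded-Proto is overwritten by the proxy (proxy_set_header), so it
    # is usable here, but only the two expected values are accepted.
    proto = headers.get("x-forwarded-proto", "http").strip().lower()
    return client, proto if proto in ("http", "https") else "http"


# Constructed sample: the client sent "X-Forwarded-For: 1.2.3.4" itself.
SPOOFED = {"x-forwarded-for": "1.2.3.4, 198.51.100.7", "x-forwarded-proto": "https"}

if __name__ == "__main__":
    print(resolve_client("127.0.0.1", SPOOFED))    # request came via the proxy
    print(resolve_client("203.0.113.9", SPOOFED))  # backend reached directly
```

The same reasoning is why the backend ports should accept connections only from the proxy: a request that reaches `:3000` directly can carry any header values it likes.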
Last Updated: February 2026