Proxy vs Reverse Proxy

Updated June 6, 2026

Magic Magnets Team

8 min read

What's a Proxy?

A proxy is an intermediary: something that sits between two parties and passes messages between them. In networking, a proxy server sits between a client and the internet, forwarding requests and responses.

The word "proxy" alone is actually ambiguous. There are two fundamentally different types: forward proxies (usually just called "proxies") and reverse proxies. They serve opposite purposes and sit on opposite sides of the communication.

Here's the key distinction: a forward proxy acts on behalf of the client. A reverse proxy acts on behalf of the server. That one sentence is worth memorizing.

Quiz Time

Clients are typically aware they are communicating through a reverse proxy.

Forward Proxy: Hiding the Client

A forward proxy sits between your client and the internet. When you send a request, it goes to the proxy first, which then forwards it to the destination server. The server sees the proxy's IP, not yours.

algobase.dev

Forward proxy — sits in front of the client. The client routes all requests through it; the destination server sees the proxy's IP, not the client's. Used in corporate networks to enforce content policies (block certain sites), log all outbound traffic, or cache frequently accessed content. VPNs use a similar concept for anonymization.

1 / 1

Forward proxy acting on behalf of the client

Client → Forward Proxy → Internet → Server

The server has no idea who the real client is. The proxy could be hiding one client or thousands of them behind a single IP.

Why Use a Forward Proxy?

Anonymity and privacy: the server only sees the proxy's IP address. This is the basis of VPNs and tools like Tor. When you connect through a VPN, your traffic exits through the VPN server's IP.

Content filtering: companies and schools use forward proxies to control what employees and students can access. All traffic routes through the proxy, which can block certain domains or categories of content.

Bypassing geo-restrictions: streaming services restrict content by region. A forward proxy in another country lets you appear to be browsing from there.

Caching: corporate proxies often cache frequently accessed content. If 500 employees all visit the same news site, the proxy fetches it once and serves the cached version to everyone.

Audit and compliance: every request through the proxy is logged. Useful for security audits.

Real-World Examples of Forward Proxies

Corporate web proxies — Squid, Zscaler
VPNs — ExpressVPN, NordVPN, Tailscale
Tor — a multi-hop proxy network for strong anonymity
Browser extensions like uBlock Origin use proxy-like mechanisms for ad filtering

Quiz Time

A VPN is a real-world example of which type of proxy?

Quiz Time

Which of the following is primarily a responsibility of a forward proxy rather than a reverse proxy?

Reverse Proxy: Hiding the Servers

A reverse proxy sits in front of your servers and intercepts incoming client requests. Clients talk to the reverse proxy, which then forwards requests to the appropriate backend server.

algobase.dev

Reverse proxy — sits in front of the servers. Clients only ever talk to the proxy; the backend servers are never directly exposed. The proxy terminates TLS (one certificate managed centrally instead of on every server), distributes load across backends, and hides your internal server topology. Nginx, HAProxy, and Cloudflare all operate as reverse proxies.

1 / 1

Reverse proxy acting on behalf of the servers

Client → Internet → Reverse Proxy → Backend Servers

The client has no idea how many servers are behind the proxy, or what technology they run. They just see one address.

Why Use a Reverse Proxy?

The reverse proxy architecture yields a range of operational benefits:

algobase.dev

Reverse proxy as an API gateway — a single entry point that does path-based routing, TLS termination, caching, and auth enforcement. Requests to /api/* go to the API service; /static/* serves from an in-proxy cache; /admin/* enforces authentication before routing. All clients see one hostname — backend complexity is invisible. This is the architecture of virtually every production web service.

1 / 1

Reverse proxy as an API Gateway with routing, caching, and auth

Load balancing: the reverse proxy distributes incoming requests across multiple backend servers. If one server is busy, the next request goes to a less-loaded one. This is how you scale a web application horizontally. No client-side changes needed.

SSL/TLS termination: instead of each backend server handling TLS, the reverse proxy handles the HTTPS connection and forwards plain HTTP to your backends. This centralizes certificate management and offloads encryption overhead from your application servers. One cert to renew, one place to configure.

Caching: the reverse proxy can cache responses and serve them directly without hitting the backend. Static assets, API responses, rendered pages; all cacheable. This dramatically reduces load on your servers.

Security and DDoS protection: the reverse proxy shields your backend servers from direct internet exposure. Clients never know the real IPs of your backend servers, making them harder to attack directly. Cloudflare's entire value proposition is built on this: it's a reverse proxy at global scale.

Request routing: a reverse proxy can route different URL paths to different backend services. /api/* goes to your Node.js service, /images/* goes to your static file server, /shop/* goes to a separate e-commerce service. This is the basis of API gateways.

Compression: the proxy can gzip responses before sending them to clients, reducing bandwidth.

Rate limiting: centralized rate limiting without changing your application code.

Real-World Examples of Reverse Proxies

Nginx: the most widely deployed web server/reverse proxy. Powers a huge percentage of the internet. Excellent at serving static files, SSL termination, and proxying to upstream application servers.

Caddy: a newer alternative with automatic HTTPS via Let's Encrypt built in. Zero configuration for certificates. Growing in popularity.

HAProxy: battle-tested, high-performance TCP and HTTP load balancer. Heavily used for production traffic at companies like GitHub and Stack Overflow.

Cloudflare: a global reverse proxy network with 250+ data centers. Provides DDoS protection, CDN, SSL, caching, and routing. When you point your domain to Cloudflare, all your traffic goes through their reverse proxy before reaching your servers.

AWS ALB/NLB: Amazon's managed load balancers are reverse proxies. ALB (Application Load Balancer) is Layer 7, NLB (Network Load Balancer) is Layer 4.

Traefik: a cloud-native reverse proxy that integrates with Docker and Kubernetes, automatically discovering services and configuring routing.

Side-by-Side Comparison

Feature	Forward Proxy	Reverse Proxy
Acts on behalf of	Client	Server
Hides	Client from internet	Servers from clients
Configured by	Client or network admin	Server/infrastructure owner
Client knows about it?	Usually yes	No
Server knows about it?	No	No (sees proxy IP)
Primary uses	Privacy, filtering, VPN	Load balancing, SSL, caching
Examples	Squid, VPNs, Tor	Nginx, Cloudflare, HAProxy

A Practical Example: Nginx as a Reverse Proxy

Here's a simple Nginx config that:

Accepts HTTPS traffic
Terminates SSL
Routes requests to a Node.js app running on port 3000

server {
    listen 443 ssl;
    server_name api.example.com;

    ssl_certificate /etc/letsencrypt/live/api.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/api.example.com/privkey.pem;

    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}

The Node.js app doesn't handle TLS at all; Nginx does that. The X-Forwarded-For header passes the real client IP through to the app.

Reverse Proxies in System Design

The reverse proxy pattern is one of the most fundamental building blocks of scalable systems. You'll see it everywhere:

Every microservices architecture has an API gateway, which is a reverse proxy
Every CDN is a globally distributed reverse proxy
Every Kubernetes deployment has an ingress controller, which is a reverse proxy
Every load balancer is a reverse proxy

Understanding what a reverse proxy is, and what it can do for you (SSL termination, routing, caching, load balancing), lets you make smarter infrastructure decisions and have meaningful conversations about where these concerns live in your architecture.

Summary

A forward proxy acts on behalf of clients: it intercepts outbound traffic, hides client identities, and is the technology behind VPNs, corporate content filters, and anonymization tools. A reverse proxy acts on behalf of servers: it intercepts inbound traffic, hides backend infrastructure, and enables load balancing, SSL termination, caching, and security. Real-world reverse proxies include Nginx, Caddy, HAProxy, and Cloudflare, which is essentially a planet-scale reverse proxy. In system design, the reverse proxy is a foundational pattern: it's the API gateway, the load balancer, the CDN edge node. Know it well.

What are Load Balancers?

How helpful was this content?

Comments

0/2000

Saved on this device only