Summary
A reverse proxy is a server placed in front of one or more backend services. It accepts client requests on their behalf, applies cross-cutting concerns like TLS termination, routing, and rate limiting, and forwards the requests to the correct backend.
What is a Reverse Proxy?
In the traditional forward-proxy model, clients send all outbound traffic through a proxy. A reverse proxy does the opposite: it stands in front of the servers and is the entry point for inbound traffic. Clients only see the reverse proxy; the actual application servers stay hidden behind it.
A reverse proxy is the right place to handle responsibilities that should not be duplicated in every backend: HTTPS/TLS termination with certificates, hostname- or path-based routing to different services, load balancing across replicas, request and response header manipulation, gzip/brotli compression, caching, basic authentication, rate limiting, and WAF-style request filtering.
Popular reverse proxies include NGINX, HAProxy, Caddy, and Traefik. In Kubernetes environments, ingress controllers play the same role. Reverse proxies are also commonly placed in front of self-hosted platforms — for example NetBird's management dashboard — so that TLS, authentication, and routing live in one well-understood layer.
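The responsibilities listed above (TLS termination, hostname- and path-based routing, load balancing, header manipulation, rate limiting) map onto an NGINX configuration as follows. This is an added example, not part of the original entry; the hostname, IP addresses, ports and certificate paths are placeholders chosen for illustration.

```nginx
# Constructed example: hostname, addresses and file paths are placeholders.
# These blocks belong inside the http { } context of nginx.conf.

# Rate limiting: 10 requests/second per client IP, tracked in a 10 MB shared zone.
limit_req_zone $binary_remote_addr zone=per_ip:10m rate=10r/s;

# Load balancing: two replicas of the same backend, round-robin by default.
upstream app_backend {
    server 10.0.0.11:8080;
    server 10.0.0.12:8080;
}

# Plain HTTP only redirects to HTTPS.
server {
    listen 80;
    server_name app.example.com;
    return 301 https://$host$request_uri;
}

# Single entry point: TLS ends here; backends are reached over the private network.
server {
    listen 443 ssl;
    server_name app.example.com;          # hostname-based routing

    ssl_certificate     /etc/nginx/tls/app.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/app.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Header manipulation: overwrite (do not append to) client-supplied values,
    # so backends only see what the proxy itself observed about the client.
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $remote_addr;
    proxy_set_header X-Forwarded-Proto $scheme;

    # Path-based routing: /api/ goes to the replicated application, rate limited.
    location /api/ {
        limit_req zone=per_ip burst=20 nodelay;
        proxy_pass http://app_backend;
    }

    # Everything else goes to a separate (hypothetical) static-content service.
    location / {
        proxy_pass http://10.0.0.21:8081;
    }
}
```

Because the backends trust the forwarded headers, they should accept connections only from the proxy's address; otherwise a client that reaches them directly can supply those headers itself.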
Why is a Reverse Proxy relevant?
- Single entry point: Hides backend topology behind one address that clients reach
- TLS termination: Centralises certificate management and HTTPS configuration
- Routing flexibility: Sends requests to the right service based on hostname, path, or headers
- Operational hygiene: Concentrates rate limiting, logging, and basic security checks in one place
Related Terms
- HTTP / HTTPS: Protocols the reverse proxy typically operates on
- Firewall: Complementary control that filters network traffic
- Load Balancing: Often combined with or built into a reverse proxy
- VPN: Reverse proxies frequently front self-hosted VPN management planes