What is a proxy?
A proxy is an intermediary server that receives a request, forwards it elsewhere, receives the response, and sends it back.
Forward Proxy (Represents the Client)
Sits in front of the client and hides the client from servers. The server cannot see the real client.
Client ---> Forward Proxy ---> Server
Imagine your company blocks access to YouTube.
Instead of
Laptop ---> youtube.com
You do
Laptop ---> Corporate Proxy ---> youtube.com
The proxy makes the request on your behalf. The server sees the request coming from the proxy's IP, not from your laptop.
Real examples: school/college proxies, corporate internet proxies, VPNs.
When you connect to a VPN:
Your PC ---> VPN Server ---> Google
Google sees the VPN's IP instead of your original IP.
Why use a forward proxy?
- Privacy: Hides the client IP, so websites can't directly identify the client.
- Content Filtering: Companies block some websites on the office network.
- Caching: If 100 employees request the same file, without a proxy 100 requests go to the internet. With a proxy, the first request goes to the internet and the next 99 are served from the proxy cache.
Reverse Proxy (Represents the Server)
Sits in front of the server and hides the server from the client. The client cannot see the real server.
Client ---> Reverse Proxy ---> Server
Suppose you have multiple servers (Server 1, Server 2, Server 3, etc.) and you don't want clients to know about them. In this case you set up a reverse proxy, and the proxy decides which server gets each request.
Client
|
v
Reverse Proxy
|
+----> Server1
|
+----> Server2
|
+----> Server3
Example: When you open amazon.com, your request doesn't directly hit an application server. It usually goes through:
Browser
|
Load Balancer / Reverse Proxy
|
Backend Servers
Real Example: Nginx in front of Node.js servers
Why use a reverse proxy?
- Load Balancing
- SSL/TLS Termination: Without a reverse proxy, every backend server decrypts HTTPS itself. With a reverse proxy set up, the proxy handles the encryption while the backends focus on business logic. Don't worry if SSL/TLS is not clear to you; a detailed explanation follows at the end of this article.
- Hides Internal Servers: The client never learns about the backend servers, which improves security.
- Caching: For expensive endpoints, the reverse proxy stores responses for future requests.
Now let's boost your understanding of SSL (Secure Sockets Layer) and TLS (Transport Layer Security):
SSL and TLS are used to mean the same thing: SSL was the name used in earlier days, and TLS is the new name used now.
Detailed flow of TLS
Step 1: The browser sends a request.
https://api.company.com/users
Step 2: The reverse proxy (Nginx here) receives the HTTPS request.
Browser
|
HTTPS
|
Nginx
Step 3: Nginx decrypts the request.
Encrypted Request
↓
Decrypt
↓
Plain HTTP Request
Step 4: Nginx forwards the request to the backend.
GET /users
Browser
|
HTTPS
|
Nginx
|
HTTP
|
Node Server
Step 5: The backend processes the business logic.
app.get('/users', (req, res) => {
  res.json(users); // send the user list back as JSON
});
Step 6: The response returns. Nginx encrypts it before sending it to the browser.
Node
|
HTTP
|
Nginx
|
HTTPS
|
Browser
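The flow in Steps 1 to 6, written as an Nginx configuration. This is an added example, not configuration from the original article; the backend addresses, upstream name and certificate paths are assumptions, and the two server blocks belong inside Nginx's http block.

```nginx
# Added example (constructed). Backend addresses and certificate paths are
# assumptions; api.company.com is the hostname used in Step 1.

# Pool of Node.js backends; Nginx picks one per request (round-robin by default).
upstream node_backends {
    server 10.0.0.11:3000;   # Server1 (assumed private address)
    server 10.0.0.12:3000;   # Server2
    server 10.0.0.13:3000;   # Server3
}

# Plain-HTTP listener only redirects, so clients always end up on HTTPS.
server {
    listen 80;
    server_name api.company.com;
    return 301 https://$host$request_uri;
}

# TLS terminates here: this is the only place the certificate and key live.
server {
    listen 443 ssl;
    server_name api.company.com;

    ssl_certificate     /etc/nginx/tls/api.company.com.crt;   # assumed path
    ssl_certificate_key /etc/nginx/tls/api.company.com.key;   # assumed path
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Steps 3-4: the request is already decrypted; forward it as plain HTTP.
        proxy_pass http://node_backends;

        # The backend only sees Nginx's connection, so pass along the original
        # host, client address and scheme.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Because the hop from Nginx to the Node servers is unencrypted, the backends should listen only on the private network and accept connections only from the proxy. Running `nginx -t` checks the configuration syntax before a reload.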
Why Do This?
1. Less CPU Usage: Encryption/decryption is expensive.
Without termination:
100 servers
100 TLS handshakes
100 certificate configs
With termination: Reverse proxy handles TLS. Backend servers focus on business logic.
2. Easier Certificate Management
Without a reverse proxy: certificates are a nightmare to maintain.
Certificate on Server 1
Certificate on Server 2
Certificate on Server 3
With a reverse proxy: the certificate is maintained only on Nginx. Renew once.
3. Simpler Backend Code: The backend doesn't care about HTTPS. It just processes requests.
app.get('/users', ...)
Real MAANG Architecture
User
|
HTTPS
|
Load Balancer
|
HTTPS
|
Reverse Proxy
|
HTTP/gRPC
|
Microservices
or
User
|
HTTPS
|
Load Balancer (TLS Termination)
|
HTTP
|
Services
Often the cloud load balancer itself performs TLS termination.
Important note on SSL/TLS termination: SSL/TLS termination means a reverse proxy or load balancer handles HTTPS encryption/decryption on behalf of backend servers. The client communicates securely with the proxy using HTTPS; the proxy decrypts the request and forwards it to backend services, typically over HTTP or an internal secure network. This reduces CPU overhead on application servers and centralizes certificate management.
The benefit of TLS termination is that:
1,000 Clients
|
v
Reverse Proxy
|
v
100 Backend Servers
The 100 backend servers do not perform those 1,000 TLS handshakes.
The reverse proxy performs them and forwards the already-decrypted requests internally. That's where the CPU savings come from. Because the TLS connection terminates at the reverse proxy instead of the application server, this is called TLS termination.