What is a Reverse Proxy? (Explained Simply for DevOps)
Reverse proxy explained simply — what it does, how it's different from a forward proxy, and why Nginx, Traefik, and AWS ALB are everywhere in DevOps.
If you've worked with Nginx, Traefik, HAProxy, or AWS ALB, you've used a reverse proxy. But what actually is it — and why is it everywhere in DevOps?
The Simple Explanation
A reverse proxy sits in front of your servers and handles requests on their behalf.
User → Internet → Reverse Proxy → Your Server(s)
The user thinks they're talking to one server. The reverse proxy decides which actual server handles the request, then returns the response to the user.
Forward Proxy vs Reverse Proxy
These two sound similar but work in opposite directions.
Forward proxy: sits in front of clients (users).
User → Forward Proxy → Internet → Server
Used for: corporate internet filtering and bypassing geo-restrictions (VPNs, Tor). The server doesn't know who the real user is.
Reverse proxy: sits in front of servers.
User → Internet → Reverse Proxy → Server
Used for: load balancing, SSL termination, caching, security. The user doesn't know which server handled their request.
What a Reverse Proxy Actually Does
1. Load Balancing
You have 3 app servers. The reverse proxy distributes requests across all three so no single server gets overwhelmed.
          ┌→ Server 1 (handles request 1, 4, 7...)
User → LB ┼→ Server 2 (handles request 2, 5, 8...)
          └→ Server 3 (handles request 3, 6, 9...)
If Server 2 crashes, the proxy stops sending requests to it automatically.
2. SSL Termination
Instead of every backend server handling HTTPS encryption, the reverse proxy does it. Backend servers speak plain HTTP internally.
User --HTTPS--> Reverse Proxy --HTTP--> Backend Server
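Certificates are managed in one place, and the backends carry less CPU overhead. The proxy-to-backend hop is plain HTTP, so keep it on a private network.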
3. Single Entry Point
Your app has a frontend, an API, and a WebSocket server, all on different ports or servers. A reverse proxy makes it all look like one URL:
devopsboys.com/ → frontend server (port 3000)
devopsboys.com/api/ → backend API (port 8080)
devopsboys.com/ws/ → WebSocket server (port 9000)
4. Caching
The proxy caches static files (images, CSS, JS) so repeated requests don't hit your server at all.
5. DDoS Protection / Rate Limiting
The proxy can reject malicious traffic before it reaches your application. Block IPs, rate limit requests, filter bad headers.
6. Authentication Gateway
Add auth at the proxy layer — every request gets validated before reaching your app.
Reverse Proxies You'll Use in DevOps
Nginx
The classic. Nginx is both a web server and a reverse proxy. Used everywhere.
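server {
    listen 80;
    server_name myapp.com;

    location / {
        # Forward every request to the backend app.
        proxy_pass http://backend:3000;
        # Preserve the Host header the client sent.
        proxy_set_header Host $host;
        # Tell the backend the address of the peer that connected to Nginx.
        proxy_set_header X-Real-IP $remote_addr;
    }
}
Traefik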
The Kubernetes-native reverse proxy. Reads Kubernetes Ingress/IngressRoute resources and automatically configures itself. Handles SSL via Let's Encrypt automatically.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-app
  annotations:
    # Attach this route to the Traefik entry point named "websecure".
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
  rules:
    - host: myapp.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: my-service
                port:
                  number: 80
AWS Application Load Balancer (ALB)
AWS's managed reverse proxy. You don't manage any servers — just configure rules.
ALB Listener (443) → Target Group A (EKS pods on /api)
                   → Target Group B (EKS pods on /)
Handles SSL, health checks, path-based routing, blue/green deployments. Most Kubernetes on AWS setups use the ALB Ingress Controller.
HAProxy
High-performance, battle-tested. Used at GitHub, Reddit, Stack Overflow. Excellent for TCP-level load balancing (databases, game servers).
Nginx Ingress Controller (Kubernetes)
Nginx packaged as a Kubernetes Ingress Controller — reads Ingress resources and configures Nginx automatically.
Reverse Proxy in Kubernetes
In Kubernetes, the Ingress resource is essentially "configure the reverse proxy." You write what you want, the Ingress Controller (Nginx, Traefik, HAProxy, etc.) makes it happen.
Internet → Load Balancer → Ingress Controller (reverse proxy) → Services → Pods
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: my-ingress
spec:
  rules:
    - host: api.devopsboys.com
      http:
        paths:
          - path: /v1
            pathType: Prefix
            backend:
              service:
                name: api-v1
                port:
                  number: 80
          - path: /v2
            pathType: Prefix
            backend:
              service:
                name: api-v2
                port:
                  number: 80
Common Interview Questions
Q: What's the difference between a load balancer and a reverse proxy?
A: A load balancer is a type of reverse proxy. All load balancers are reverse proxies, but not all reverse proxies are load balancers. A reverse proxy can do SSL termination, caching, auth, and routing even with a single backend server.
Q: How does HTTPS work with a reverse proxy?
A: The certificate is installed on the proxy. The proxy terminates SSL (decrypts the HTTPS request) and forwards plain HTTP to the backend. Internal traffic is unencrypted (acceptable inside a private VPC or Kubernetes cluster).
Q: What is X-Forwarded-For?
A: When a reverse proxy forwards a request, the backend sees the proxy's IP, not the user's real IP. The proxy adds an X-Forwarded-For: <real-user-ip> header so your app knows who the real client is.
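How a backend can read X-Forwarded-For without being fooled by a value the client typed in itself, shown as an added example that is not code from the original article. The trusted proxy ranges, function names and sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: networks where your own reverse proxies run (constructed values).
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]


def is_trusted(ip):
    """True if ip belongs to one of our own proxy networks."""
    return any(ip in net for net in TRUSTED_PROXIES)


def naive_client_ip(peer_addr, xff_header):
    """Weak form: believes the leftmost entry, which the client can set itself."""
    if xff_header:
        return xff_header.split(",")[0].strip()
    return peer_addr


def client_ip(peer_addr, xff_header):
    """Hardened form: believe only entries appended by trusted proxies."""
    peer = ipaddress.ip_address(peer_addr)
    # A direct connection from an untrusted peer: its header proves nothing.
    if not xff_header or not is_trusted(peer):
        return str(peer)
    candidate = peer
    # Each proxy appends the address it received the request from, so walk
    # right to left and stop at the first address that is not one of ours.
    for hop in reversed(xff_header.split(",")):
        try:
            ip = ipaddress.ip_address(hop.strip())
        except ValueError:
            break  # malformed entry: keep the last address we could vouch for
        candidate = ip
        if not is_trusted(ip):
            break
    return str(candidate)


# Constructed request: the client sent "X-Forwarded-For: 203.0.113.7" itself,
# then two of our proxies each appended the peer they saw.
SAMPLE_PEER = "10.0.2.9"
SAMPLE_XFF = "203.0.113.7, 198.51.100.23, 10.0.1.5"

if __name__ == "__main__":
    print("naive:   ", naive_client_ip(SAMPLE_PEER, SAMPLE_XFF))
    print("hardened:", client_ip(SAMPLE_PEER, SAMPLE_XFF))
```

Use the hardened result for rate limiting, IP allowlists and audit logs; the naive result is whatever the caller chose to send.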
Summary
| Feature | What it means |
|---|---|
| Load balancing | Distribute requests across multiple servers |
| SSL termination | Handle HTTPS at the proxy, HTTP internally |
| Path routing | /api → backend, / → frontend |
| Caching | Serve cached responses, bypass backend |
| Rate limiting | Block requests above a threshold |
Learn More
- Nginx vs Traefik Ingress Comparison — which one to use on Kubernetes
- Kubernetes Ingress Explained — Ingress in depth
- AWS ALB 504 Fix — troubleshoot ALB issues
- Nginx Documentation — the official reference
- The Complete Nginx Course on Udemy — hands-on Nginx from basics to advanced
Once you understand reverse proxies, concepts like Ingress, API Gateways, CDNs, and service meshes all become much clearer — they're all building on the same idea.