What is a Reverse Proxy and Why Do So Many Sites Use One
If you run a web application of any real complexity, there is a good chance a reverse proxy already sits in front of it. Nginx, Caddy, HAProxy, and Cloudflare all function as reverse proxies. But what does a reverse proxy actually do, and why is it so common?
The Basic Concept
A reverse proxy is a server that sits between client requests and your backend servers. Clients connect to the proxy, which forwards each request to the appropriate backend and returns the response to the client. From the client's perspective, it looks like they are talking directly to the server. The backend servers are hidden behind the proxy and never exposed directly to the internet.
This is different from a forward proxy (such as one a company uses to control employees' outbound internet access), which sits between clients and the wider internet on the client side. A reverse proxy sits on the server side.
SSL Termination
One of the most common uses of a reverse proxy is SSL termination. The proxy handles the TLS handshake and decrypts incoming HTTPS traffic, then forwards plain HTTP to the backend servers. This means your application servers do not need to deal with TLS at all — the proxy handles certificate management, renewal, and the computational overhead of encryption. Backend communication typically happens over a private network where unencrypted traffic is acceptable, or you re-encrypt for the backend hop if your architecture requires it.
Load Balancing
A reverse proxy can distribute incoming requests across multiple backend servers, preventing any single server from becoming a bottleneck. Round-robin (each server gets the next request in turn), least connections (send to whichever server has fewest active connections), and IP hash (same client always goes to the same server, useful for session persistence) are all common strategies. If one backend server goes down, the proxy can detect this via health checks and stop sending traffic to it automatically.
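The three selection strategies above, plus a health check that takes a failed backend out of rotation, as an added example (not code from Nginx, HAProxy or any other proxy named here). The backend addresses and the probe are constructed so it runs offline:

```python
"""Backend selection as a reverse proxy load balancer does it: round-robin,
least-connections and IP-hash over a pool with health checks.  Added example;
not code from Nginx, HAProxy or any other proxy the article names.  The backend
addresses are constructed sample values."""
import hashlib
import itertools
from dataclasses import dataclass


@dataclass
class Backend:
    address: str          # e.g. "10.0.0.11:8080" (constructed)
    healthy: bool = True  # set by the health check
    active: int = 0       # in-flight connections, used by least-connections


class Pool:
    def __init__(self, addresses):
        self.backends = [Backend(a) for a in addresses]
        self._rr = itertools.cycle(range(len(self.backends)))

    def healthy(self):
        return [b for b in self.backends if b.healthy]

    def run_health_check(self, probe):
        """probe(address) -> bool.  A real proxy sends a periodic HTTP GET or
        TCP connect with a timeout; the probe is injected here so the example
        runs offline.  Unhealthy backends receive no traffic until they pass."""
        for b in self.backends:
            b.healthy = probe(b.address)

    def _require_live(self):
        live = self.healthy()
        if not live:
            raise RuntimeError("no healthy backends")
        return live

    def round_robin(self):
        """Each request goes to the next backend in turn, skipping unhealthy ones."""
        self._require_live()
        while True:  # terminates: at least one backend is healthy
            b = self.backends[next(self._rr)]
            if b.healthy:
                return b

    def least_connections(self):
        """Send to the backend with the fewest in-flight connections."""
        return min(self._require_live(), key=lambda b: b.active)

    def ip_hash(self, client_ip):
        """Same client -> same backend (session persistence) as long as the
        set of healthy backends is unchanged.  A backend leaving the pool
        remaps some clients, which is why sticky sessions alone are not a
        substitute for shared session storage."""
        live = self._require_live()
        digest = hashlib.sha256(client_ip.encode()).digest()
        return live[int.from_bytes(digest[:8], "big") % len(live)]


if __name__ == "__main__":
    pool = Pool(["10.0.0.11:8080", "10.0.0.12:8080", "10.0.0.13:8080"])
    print([pool.round_robin().address for _ in range(4)])
    pool.run_health_check(lambda addr: addr != "10.0.0.12:8080")  # simulate one failure
    print(pool.round_robin().address, pool.ip_hash("203.0.113.5").address)
```

The `active` counter would be incremented when a request is dispatched and decremented when the backend responds; a production proxy also retries a request on another backend when the chosen one fails mid-connection, which is omitted here.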
Caching
A reverse proxy can cache responses from the backend and serve them directly to subsequent requests without hitting the backend at all. For content that does not change often — static pages, API responses with a known freshness window, images — this dramatically reduces backend load. Nginx configured as a caching proxy can serve thousands of requests per second from cache for content that the backend itself might only be able to generate a few hundred times per second.
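A caching proxy is only safe if it refuses to store what it must not: responses marked private or no-store, responses that set a session cookie, and responses to authenticated requests without an explicit shared-cache directive. The following added example (not Nginx's cache implementation) shows a small shared cache that honours those rules and the max-age / s-maxage freshness window; the backend stub, request dicts and the clock are constructed so it runs offline:

```python
"""A small shared response cache that honours Cache-Control the way a caching
reverse proxy must.  Added example; not the caching logic of Nginx or any
other proxy the article names.  The backend is a constructed stub that counts
how often it is called, so the example runs offline."""
import time


def cache_directives(headers):
    """Parse 'Cache-Control: public, max-age=60' into {'public': '', 'max-age': '60'}."""
    directives = {}
    for part in headers.get("Cache-Control", "").split(","):
        part = part.strip().lower()
        if part:
            name, _, value = part.partition("=")
            directives[name] = value
    return directives


def freshness(request, response):
    """Seconds a shared cache may serve this response for, or 0 if it must not
    be stored at all."""
    if request["method"] != "GET" or response["status"] != 200:
        return 0
    d = cache_directives(response["headers"])
    # Responses to authenticated requests are per-user unless the backend says
    # otherwise (RFC 9111 lets a shared cache store them only with public/s-maxage).
    if "Authorization" in request["headers"] and not ("public" in d or "s-maxage" in d):
        return 0
    # private / no-store are hard stops; a Set-Cookie header means the body is
    # tied to a session and serving it to another client would leak that session.
    if "private" in d or "no-store" in d or "Set-Cookie" in response["headers"]:
        return 0
    ttl = d.get("s-maxage", d.get("max-age"))  # s-maxage overrides for shared caches
    if ttl is None:
        return 0  # no explicit freshness window: do not guess one
    try:
        return max(0, int(ttl))
    except ValueError:
        return 0


class CachingProxy:
    def __init__(self, backend, clock=time.monotonic):
        self.backend = backend    # callable(request) -> response
        self.clock = clock        # injectable so the demo can advance time
        self.store = {}           # (method, path) -> (expires_at, response)
        self.hits = 0

    def handle(self, request):
        key = (request["method"], request["path"])
        now = self.clock()
        entry = self.store.get(key)
        if entry and entry[0] > now:
            self.hits += 1
            return entry[1]
        response = self.backend(request)
        ttl = freshness(request, response)
        if ttl:
            self.store[key] = (now + ttl, response)
        return response


def sample_backend(counter):
    """Constructed stand-in for the application server; counter tallies calls per path."""
    def backend(request):
        path = request["path"]
        counter[path] = counter.get(path, 0) + 1
        if path == "/pricing":
            return {"status": 200, "headers": {"Cache-Control": "public, max-age=60"}, "body": b"plans"}
        if path == "/account":
            return {"status": 200, "headers": {"Cache-Control": "max-age=60", "Set-Cookie": "session=abc"}, "body": b"private"}
        return {"status": 200, "headers": {}, "body": b"uncached"}
    return backend


def demo():
    """Run a few requests through the cache; return backend calls per path and cache hits."""
    clock = [1000.0]
    counter = {}
    proxy = CachingProxy(sample_backend(counter), clock=lambda: clock[0])
    get = lambda path: {"method": "GET", "path": path, "headers": {}}
    for _ in range(3):
        proxy.handle(get("/pricing"))   # one backend call, two cache hits
    clock[0] += 61                      # past max-age: refetched from backend
    proxy.handle(get("/pricing"))
    for _ in range(2):
        proxy.handle(get("/account"))   # Set-Cookie: never cached
    proxy.handle(get("/"))              # no freshness window: never cached
    proxy.handle(get("/"))
    return counter, proxy.hits


if __name__ == "__main__":
    print(demo())  # ({'/pricing': 2, '/account': 2, '/': 2}, 2)
```

The cache key here is only method and path; a real proxy also folds the request headers named by the response's Vary header into the key, otherwise a gzip-encoded body or a language-negotiated page can be served to a client that asked for something else.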
Security and DDoS Protection
By hiding backend servers behind a proxy, you conceal your actual server IPs. Attackers trying to flood your server directly cannot reach it without going through the proxy. The proxy can rate-limit requests, block known bad IP ranges, enforce request size limits, and filter malicious patterns before anything reaches your application. This is a large part of why Cloudflare is so widely used — the proxy layer absorbs enormous volumes of attack traffic at the edge before it touches origin servers.
Header Manipulation and Routing
A reverse proxy can add, modify, or strip HTTP headers. Common uses include adding an X-Forwarded-For header so backend applications know the real client IP (since from their perspective all traffic comes from the proxy); removing headers that reveal server software versions; and adding security headers like Strict-Transport-Security or X-Frame-Options centrally so every response gets them regardless of what the backend sends.
Content-based routing is also possible — the proxy can send /api/* requests to one backend, /static/* requests to another (or directly to object storage), and everything else to the main application. This kind of routing is the foundation of microservice architectures.
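The header manipulation and prefix routing from the two paragraphs above, as one added example (not code from Nginx, Caddy, HAProxy or Cloudflare). It also shows the backend-side check that the X-Forwarded-For section implies but does not spell out: a client can put anything it likes in X-Forwarded-For before the request reaches the proxy, so the backend must walk the chain from the right and trust only the hops its own proxies appended. The route table, the trusted-proxy range and the sample addresses are constructed:

```python
"""Header handling and prefix routing as a reverse proxy does it.  Added
example, not code from Nginx, Caddy, HAProxy or Cloudflare.  Upstream names,
the trusted-proxy range and the sample requests are constructed."""
import ipaddress

# Longest matching prefix wins, so "/api/" is tried before the catch-all "/".
ROUTES = {
    "/api/": "app-api:9000",         # constructed upstream names
    "/static/": "object-store:443",
    "/": "app-web:3000",
}

# Addresses of our own proxy tier (constructed).  Anything X-Forwarded-For says
# to the left of these hops was written by an untrusted party and may be forged.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]

SECURITY_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
}
STRIP_FROM_RESPONSE = ("Server", "X-Powered-By")  # version banners


def route(path):
    """Pick the upstream for a request path by longest prefix match."""
    for prefix in sorted(ROUTES, key=len, reverse=True):
        if path.startswith(prefix):
            return ROUTES[prefix]
    raise LookupError(path)


def inbound_headers(headers, peer_ip, tls):
    """Headers the proxy forwards upstream for one client connection."""
    fwd = dict(headers)
    # Append, never replace: each hop adds the address it actually saw.
    prior = fwd.get("X-Forwarded-For")
    fwd["X-Forwarded-For"] = f"{prior}, {peer_ip}" if prior else peer_ip
    fwd["X-Forwarded-Proto"] = "https" if tls else "http"
    return fwd


def client_ip(headers, peer_ip, trusted=TRUSTED_PROXIES):
    """What the backend should log and rate-limit as the real client address.
    Walk the X-Forwarded-For chain from the right, skipping our own proxies;
    the first address that is not one of ours is the client.  Anything to its
    left was supplied by the client itself and is ignored.  Header names are
    assumed already canonicalised (case-insensitive matching is omitted)."""
    chain = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    chain.append(peer_ip)  # the direct peer is the most trustworthy hop of all
    for addr in reversed(chain):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            # Malformed entry: fall back to the direct peer rather than pass
            # attacker-controlled text into logs or rate-limit keys.
            return peer_ip
        if not any(ip in net for net in trusted):
            return addr
    return peer_ip


def outbound_headers(headers):
    """Response headers after the proxy strips banners and adds security headers."""
    out = {k: v for k, v in headers.items() if k not in STRIP_FROM_RESPONSE}
    out.update(SECURITY_HEADERS)
    return out


if __name__ == "__main__":
    print(route("/api/v1/users"), route("/static/logo.png"), route("/login"))
    # Client 203.0.113.7 forged "X-Forwarded-For: 1.2.3.4"; proxy 10.0.0.5 appended its peer.
    fwd = inbound_headers({"X-Forwarded-For": "1.2.3.4"}, "203.0.113.7", tls=True)
    print(fwd["X-Forwarded-For"], "->", client_ip(fwd, "10.0.0.5"))
    print(outbound_headers({"Server": "nginx/1.2", "Content-Type": "text/html"}))
```

The same walk-from-the-right rule is what makes the IP-hash strategy and any per-IP rate limiting meaningful: if the backend took the leftmost X-Forwarded-For entry, a client could pick its own bucket.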
When You Actually Need One
For a simple site with a single server, a reverse proxy is still worth using just for SSL termination and security headers. For anything with multiple services, significant traffic, or backend servers that should not be exposed publicly, a reverse proxy is essentially mandatory. Nginx running as a reverse proxy in front of a Node.js, Python, or PHP application is one of the most common production web server setups in existence.