1.4.f — What Are Proxy and Reverse Proxy?

In one sentence: A forward proxy sits near the client and relays outbound requests; a reverse proxy sits in front of the server and accepts inbound client connections on behalf of origin apps.



1. Why Proxies Exist

Proxies are intermediaries. They terminate a connection from one side and open another toward the next hop — optionally adding:

  • Caching (speed + offload)
  • TLS termination (HTTPS to clients, HTTP inside a private network — “TLS offload”)
  • Load balancing (spread traffic across many backends)
  • Access control (allow/deny lists, auth integration)
  • Anonymization (hide client IP from the destination — common for forward proxies)
  • Inspection (corporate security appliances — controversial privacy-wise)

2. Forward Proxy (a.k.a. “Proxy”)

Who it serves: mostly the client (or the client’s organization).

[ Browser ] ──► [ Forward proxy ] ──► [ Internet / Origin server ]
                 (company proxy)

Typical uses:

  • Corporate networks forcing all web traffic through a controlled exit
  • Content filtering / logging (policy enforcement)
  • Geo or compliance routing

From the origin server’s perspective: it often sees the proxy’s IP, not the end user’s.


3. Reverse Proxy

Who it serves: the server operator (protects and scales origin infrastructure).

[ Many browsers ] ──► [ Reverse proxy ] ──► [ App server(s) / static storage ]
                      (Nginx / CDN edge)

Typical uses:

  • TLS termination at the edge
  • HTTP/2 / HTTP/3 termination and fan-out to HTTP/1.1 upstreams
  • Load balancing across multiple app instances
  • Caching static assets
  • WAF / DDoS protection (often bundled with CDNs)

From the client’s perspective: the reverse proxy often looks like the real server (same public hostname).


4. Side-by-Side Comparison

Question                     | Forward proxy                          | Reverse proxy
-----------------------------|----------------------------------------|------------------------------------------
Sits close to                | Client / corporate network             | Server / edge datacenter
Configured by                | Client org (often forced)              | Site owner / platform
Hides client IP from origin? | Often yes                              | Origin sees proxy IP (by design)
Typical products             | Corporate proxies, Zscaler-like stacks | Nginx, Caddy, HAProxy, Cloudflare, AWS ALB
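
Because the origin sees the proxy's IP, an app behind a reverse proxy has to recover the real client address from a forwarding header, and it must only believe that header when the connection came from its own proxy. The sketch below is an added example, not part of the original lesson; it assumes the proxy appends addresses to the de facto X-Forwarded-For header, and the trusted networks and sample addresses are constructed.

```python
import ipaddress

# Assumption (constructed): our reverse proxies connect from these networks.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.10/32")]


def is_trusted(addr):
    """True if addr parses as an IP inside one of our proxy networks."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Return the address the origin should attribute a request to.

    peer_addr  -- source IP of the TCP connection the app accepted
    xff_header -- raw X-Forwarded-For value, or None if absent
    """
    # A peer that is not one of our proxies reached the app directly, so any
    # header it sent is client-controlled: ignore it.
    if not is_trusted(peer_addr):
        return peer_addr

    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]

    # Each proxy appends the address it saw, so only the rightmost entries
    # were written by our own infrastructure. Walk right to left and stop at
    # the first hop we do not operate; everything left of it is unverified.
    for hop in reversed(hops):
        if is_trusted(hop):
            continue
        try:
            ipaddress.ip_address(hop)
        except ValueError:
            return peer_addr  # malformed entry: fall back to the proxy address
        return hop

    # Header missing, or every hop is internal (e.g. a health check).
    return hops[0] if hops else peer_addr
```

Use the returned address for rate limiting, allow/deny lists and logging; taking the leftmost header entry instead lets any client choose the IP the origin records.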

5. Reverse Proxy vs API Gateway vs Load Balancer (Practical Blurring)

Real systems blur lines:

  • A load balancer might be only L4 (TCP/UDP) or also L7 (HTTP routing).
  • An API gateway often adds auth, rate limits, routing, and transformations at the edge.
  • A CDN edge behaves like a massive, globally distributed reverse proxy + cache.

Interview tip: describe traffic direction and who benefits (client vs operator) before naming products.


6. Key Takeaways

  1. Forward proxy = client-side intermediary for outbound access.
  2. Reverse proxy = server-side front door for inbound traffic.
  3. Both can terminate TLS, cache, and enforce policy — but the trust model differs.

Explain-It Challenge

  1. Is a CDN edge closer to a forward proxy or reverse proxy? Why?
  2. Why would a company terminate TLS at a reverse proxy instead of at every app instance?
  3. Name two risks of corporate TLS inspection (HTTPS interception).
