Forward and Reverse Proxies Explained
“Proxy” is one of the most confusing words in networking because it refers to TWO completely different things depending on context. A forward proxy protects clients. A reverse proxy protects servers. Knowing the difference matters.
Forward proxy
Sits between clients and the internet. Clients explicitly send requests to the proxy, which forwards them to the destination on the client’s behalf.
```
Client A ──┐
Client B ──┤── Forward proxy ── Internet ── google.com
Client C ──┘
```
Use cases
- Corporate networks — all employee traffic goes through a proxy that logs, caches, and filters (block YouTube, scan for malware)
- School / library — content filtering
- Anonymity — services like Tor are essentially layered forward proxies
- Geo-bypass — make requests appear to come from a different country
- Ad blocking at network level — Pi-hole, NextDNS
Examples
- Squid (open source, classic)
- HAProxy in forward mode
- Tor
- Privoxy
Browser config
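```bash
# Linux: set the HTTP_PROXY / HTTPS_PROXY env vars
export HTTP_PROXY=http://proxy.company.com:3128
export HTTPS_PROXY=http://proxy.company.com:3128
# Note: curl reads only the lowercase http_proxy for plain-HTTP requests
# Or system-wide via PAC file (auto-config)
```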
Reverse proxy
Sits in front of one or more web servers. Clients think they’re talking to ONE server (the proxy), but the proxy may route requests to many backend servers.
```
                            ┌── Backend A
Internet ── Reverse proxy ──┤── Backend B
                            └── Backend C
```
Use cases
- Load balancing — distribute requests across many backends
- TLS termination — handle HTTPS at the proxy, talk plain HTTP to backends
- Caching — serve repeated requests from memory without bothering backends
- URL routing — /api/* to one pool, /static/* to another
- Compression — gzip/brotli responses on the way out
- Security — backends never directly exposed to internet
- WAF integration — filter malicious requests before backends see them
Examples
- nginx (most popular)
- HAProxy
- Caddy
- Traefik (great for containers)
- Envoy (service mesh data plane)
- Cloudflare, AWS CloudFront, Fastly (CDN-based reverse proxies at the edge)
Sample nginx reverse proxy config
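```nginx
# Pool of backend servers; nginx distributes requests across them
upstream backend {
    server 10.0.0.10:8080;
    server 10.0.0.11:8080;
    server 10.0.0.12:8080;
}

server {
    # TLS terminates here; traffic to the backends is plain HTTP
    listen 443 ssl http2;
    server_name api.example.com;

    ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location / {
        proxy_pass http://backend;

        # Pass the original request details on to the backend
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        # Appends $remote_addr to any X-Forwarded-For value the client sent
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```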
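The config above hands the client address to the backends in X-Real-IP and X-Forwarded-For, and `$proxy_add_x_forwarded_for` appends `$remote_addr` to whatever X-Forwarded-For value the client sent, so a backend has to decide which entries to believe. The following is an added example, not part of the original page, of that backend-side check in Python; the proxy address 10.0.0.5 and the function names are assumptions.

```python
import ipaddress

# Assumption: the nginx reverse proxy reaches the backends from 10.0.0.5.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.5/32")]


def is_trusted(addr):
    """True if addr belongs to a proxy we operate."""
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_ip, x_forwarded_for):
    """Pick the address to log or rate-limit on for one request.

    peer_ip         -- source address of the TCP connection to the backend
    x_forwarded_for -- raw X-Forwarded-For header value, or None
    """
    peer = ipaddress.ip_address(peer_ip)
    # Not from our proxy: the header is entirely client-controlled, ignore it.
    if not is_trusted(peer) or not x_forwarded_for:
        return str(peer)
    # Each trusted proxy appended the address it saw, so walk right to left
    # and stop at the first hop that is not one of ours. Anything further
    # left was supplied by the client and may be forged.
    candidate = peer
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        candidate = addr
        if not is_trusted(addr):
            break
    return str(candidate)


if __name__ == "__main__":
    # Constructed sample requests: (TCP peer, X-Forwarded-For header)
    samples = [
        ("10.0.0.5", "203.0.113.7"),             # normal request via the proxy
        ("10.0.0.5", "127.0.0.1, 203.0.113.7"),  # client forged a leading entry
        ("203.0.113.50", "127.0.0.1"),           # connection bypassed the proxy
        ("10.0.0.5", "not-an-ip"),               # malformed header
    ]
    for peer, xff in samples:
        print(f"peer={peer:<13} xff={xff!r:<26} -> {client_ip(peer, xff)}")
```

The same reasoning applies to X-Real-IP: it is only meaningful when the connection itself comes from the proxy, which is one reason to keep the backends unreachable from the internet.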
Comparison
| | Forward proxy | Reverse proxy |
|---|---|---|
| Who knows about it | Client (configured to use) | Server side (transparent to client) |
| Protects | Clients | Servers |
| Direction | Outbound from client | Inbound to server |
| Typical placement | Inside corp network | Edge of data center |
Transparent proxy
A forward proxy that clients DON’T know about. Network gear silently intercepts traffic and routes it through the proxy. Used by ISPs (caching), captive portals (hotel Wi-Fi), schools (filtering).