
Reverse Proxy

A reverse proxy stands in front of your app, accepts inbound traffic, and forwards it to upstream services. That lets you centralize TLS termination, compression, caching, header normalization, and request filtering. It is simple in concept but dangerous when forwarded headers, body buffering, and timeout boundaries are left implicit.

Minimal Example

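# ssl_certificate / ssl_certificate_key and an upstream named
# app_upstream must also be defined for this to load.
server {
  listen 443 ssl http2;
  server_name api.example.com;

  location / {
    # Pass the requested host name upstream.
    proxy_set_header Host $host;
    # Appends $remote_addr to any X-Forwarded-For the client sent.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    # Tell the app whether the client connected over http or https.
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_pass http://app_upstream;
  }
}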

What It Solves

  • Presents one stable public surface while internal services move independently.
  • Keeps TLS, compression, and connection reuse close to the edge instead of inside every app process.
  • Provides a clean place for coarse request filtering, caching, and request-size limits.

Failure Modes

  1. Trusting spoofed forwarded headers from the public internet.
  2. Buffering large uploads or streaming responses without understanding memory impact.
  3. Leaving proxy and upstream timeouts mismatched so clients see random disconnect behavior.

Production Checklist

  • Strip and re-create trusted proxy headers at the first controlled hop.
  • Set explicit limits for body size, buffering, and idle connection lifetime.
  • Document which responses may be cached and which must pass through untouched.
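
The first two checklist items and the timeout failure mode, written out as an nginx configuration. This is an added example, not the original post's configuration. It assumes nginx is the first controlled hop (directly internet-facing); the upstream address, certificate paths, the /upload and /events routes, and every size and timeout value are constructed placeholders.

```nginx
# Added example; addresses, paths, sizes and timeouts are constructed placeholders.
upstream app_upstream {
  server 127.0.0.1:8080;          # placeholder app address
  keepalive 16;                   # idle upstream connections cached per worker
  keepalive_timeout 30s;          # the app's idle keep-alive should outlast this
}

server {
  listen 443 ssl http2;
  server_name api.example.com;
  ssl_certificate     /etc/nginx/tls/PLACEHOLDER.crt;
  ssl_certificate_key /etc/nginx/tls/PLACEHOLDER.key;

  # Client-side limits
  client_max_body_size 1m;        # larger request bodies get 413
  client_body_timeout 15s;        # max gap between two body reads
  keepalive_timeout 60s;          # idle client connection lifetime

  # First controlled hop: overwrite forwarded headers, never append.
  proxy_set_header Host $host;
  proxy_set_header X-Forwarded-For $remote_addr;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_set_header Forwarded "";  # empty value: client-sent header is not passed on
  proxy_http_version 1.1;
  proxy_set_header Connection ""; # required for upstream keepalive

  # Upstream timeouts, stated explicitly instead of relying on defaults
  proxy_connect_timeout 5s;
  proxy_send_timeout 30s;
  proxy_read_timeout 30s;         # the app's own request timeout should be shorter

  proxy_max_temp_file_size 0;     # buffered responses never spill to disk

  location / {
    proxy_pass http://app_upstream;
  }

  location /upload {              # hypothetical large-upload route
    client_max_body_size 200m;
    proxy_request_buffering off;  # stream the body upstream instead of buffering it
    proxy_pass http://app_upstream;
  }

  location /events {              # hypothetical streaming-response route
    proxy_buffering off;          # pass bytes through as the app emits them
    proxy_read_timeout 1h;
    proxy_pass http://app_upstream;
  }
}
```

The proxy_set_header lines sit at server level so all three locations inherit them; a location that declares its own proxy_set_header stops inheriting and must repeat the full set.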

Closing

A reverse proxy should make your edge predictable. If it becomes opaque, every downstream incident turns into guesswork.

