Forward Proxy vs Reverse Proxy
Understand the roles of forward and reverse proxies, examining connection splicing, header injection, security shielding, and traffic routing.
The Concept
In network routing, traffic rarely flows directly from a user's machine to a raw database or application server process. Instead, intermediate systems manage, inspect, and route packets along the path. These intermediaries are known as proxies.
While both forward and reverse proxies sit between clients and servers, they serve opposite masters and reside on different sides of the network boundary:
- A Forward Proxy represents the client. It intercepts outgoing requests from private client machines to the public internet, masking client identity and filtering outbound content.
- A Reverse Proxy represents the server. It intercepts incoming public traffic, shielding internal server topologies, distributing loads, and handling transport encryption.
Practical Analogy
The difference between proxies can be mapped to corporate communication and incoming mail handling:
- A Forward Proxy is like a corporate legal representative. When employees want to communicate with external organizations, they do not write to them directly. They send their requests to the legal rep. The representative strips out the employee's personal contact details, puts the message on company letterhead, sends it on their behalf, receives the response, and hands it back. The outside world only knows they spoke to the company legal representative, not the specific employee.
- A Reverse Proxy is like a company mailroom desk at the front office. When customers write to the company, they address their envelopes to the main corporate headquarters address. They do not know which internal clerk, office cubicle, or department will process the letter. The mailroom desk receives the packet, unboxes it, routes it to the specific accounting or shipping clerk internally, receives their reply, and sends it back to the customer under the corporate return address.
Forward Proxies Explained
A Forward Proxy (often called just a "proxy") sits in front of one or more client machines on a private local network. When a client makes a request to a public destination server (e.g. google.com), the request is routed through the proxy.
Primary Functions
- Obscuring Client Identity: The target web server sees the request originating from the forward proxy's IP address rather than the client's private IP, masking client details.
- Content Filtering: Organizations use forward proxies to restrict employees from accessing unauthorized websites.
- Caching: The proxy can cache frequently downloaded files locally, allowing subsequent users to fetch them without utilizing external WAN bandwidth.
Reverse Proxies Explained
A Reverse Proxy sits in front of one or more backend servers (e.g. databases, microservices, file systems). It acts as the gateway for all external internet requests directed at the application.
When a client queries the application, they target the reverse proxy's public IP address. The proxy evaluates the path, terminates TLS encryption, and routes the request to the appropriate internal server.
Primary Functions
- Load Balancing: The proxy distributes incoming request loads across a pool of duplicate backend servers (such as Nginx balancing traffic across multiple Go app instances).
- TLS/SSL Termination: The proxy performs the computationally expensive TLS handshake and decryption, allowing backend services to communicate in plain HTTP or RPC inside the secure subnet.
- Security Shielding: The reverse proxy hides the physical IP addresses, operating systems, and network details of the actual app servers, preventing attackers from targeting them directly.
TCP/IP Connection Splicing
A proxy is not a router that merely forwards network packets at the IP layer. Instead, it operates by connection splicing:
- Termination: When a client initiates a request, the proxy accepts and terminates the incoming TCP handshake. It establishes a complete TCP connection socket with the client.
- Evaluation: The proxy reads the payload (e.g., parsing HTTP headers or application data).
- Upstream Creation: The proxy initiates a secondary, completely independent TCP connection to the destination upstream server.
- Data Piping: The proxy reads bytes from the client socket buffer and writes them to the target upstream socket buffer, copying returns bi-directionally.
This connection isolation provides robust stability. If a client has a slow, flaky mobile connection, the proxy absorbs that slow transmission in its own socket buffers while maintaining fast, persistent TCP connections to the internal backend servers.
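The four splicing steps above, written out as a minimal threaded TCP proxy. This is an added example, not code from the page or from any proxy project it names: the upstreams are constructed in-process echo servers on localhost, the proxy picks an upstream round-robin (the load-balancing point from the reverse proxy section), and the names SpliceProxy, pipe, start_echo_server and send_through are this example's own.

```python
import socket
import threading


# Constructed upstream for the example: a tiny TCP server that echoes what it
# receives, prefixed with a label so we can see which backend answered.
def start_echo_server(label):
    """Start an in-process upstream on an ephemeral localhost port; returns (host, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve_one(conn):
        with conn:
            while chunk := conn.recv(4096):      # until the proxy half-closes
                conn.sendall(label + chunk)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=serve_one, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()


def pipe(src, dst):
    """Step 4, one direction: copy bytes until src hits EOF, then half-close dst
    so the far side sees EOF too. Each direction runs on its own thread."""
    try:
        while chunk := src.recv(4096):
            dst.sendall(chunk)
    except OSError:
        pass                      # peer reset or timed out; just tear down
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


class SpliceProxy:
    """Terminates each client TCP connection, opens an independent upstream
    connection chosen round-robin, and pipes bytes in both directions."""

    def __init__(self, upstreams):
        self.upstreams = list(upstreams)
        self._rr = 0
        self._lock = threading.Lock()
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.listener.bind(("127.0.0.1", 0))
        self.listener.listen(16)
        threading.Thread(target=self._accept_loop, daemon=True).start()

    @property
    def address(self):
        return self.listener.getsockname()

    def _next_upstream(self):
        with self._lock:                         # round-robin load balancing
            target = self.upstreams[self._rr % len(self.upstreams)]
            self._rr += 1
        return target

    def _accept_loop(self):
        while True:
            client, _peer = self.listener.accept()   # step 1: the proxy completes the client's handshake
            threading.Thread(target=self._splice, args=(client,), daemon=True).start()

    def _splice(self, client):
        # Step 2: evaluate. Peek at the first bytes without consuming them; a real
        # proxy would parse the HTTP request line and headers here to pick a route.
        client.recv(64, socket.MSG_PEEK)
        # Step 3: a second, completely separate TCP connection to the chosen backend.
        upstream = socket.create_connection(self._next_upstream())
        # Step 4: pipe client->upstream on this thread, upstream->client on another.
        back = threading.Thread(target=pipe, args=(upstream, client), daemon=True)
        back.start()
        pipe(client, upstream)
        back.join()
        upstream.close()
        client.close()


def send_through(proxy_addr, payload):
    """Client helper: one TCP connection to the proxy, send payload, half-close, read the reply."""
    with socket.create_connection(proxy_addr, timeout=5) as c:
        c.sendall(payload)
        c.shutdown(socket.SHUT_WR)
        reply = b""
        while chunk := c.recv(4096):
            reply += chunk
    return reply


if __name__ == "__main__":
    pool = [start_echo_server(b"[app-a] "), start_echo_server(b"[app-b] ")]
    proxy = SpliceProxy(pool)
    for msg in (b"GET / HTTP/1.1\r\n", b"GET / HTTP/1.1\r\n"):
        print(send_through(proxy.address, msg))
```

Note that the backend never sees the client's socket: it sees a fresh connection from the proxy's address, which is exactly why the metadata headers in the next section are needed.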
Header Transformations and Metadata Injection
Because a reverse proxy terminates the client's connection and initiates a new one, the backend application server sees the request as coming from the proxy's internal IP address, not the client's public IP. To prevent losing client context, proxies inject metadata headers into the upstream request:
- X-Forwarded-For: A comma-separated chain tracking the path of IP addresses the request passed through (e.g. client-ip, proxy1-ip, proxy2-ip).
- X-Real-IP: Represents the immediate physical IP of the client that established the socket connection with the ingress proxy.
- X-Forwarded-Proto: Indicates the protocol the client used to connect (e.g. https), allowing backends to redirect unsafe http calls.
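Both sides of that header exchange, as an added example that is not code from the page or from Nginx or Envoy: the proxy side appends the socket peer to X-Forwarded-For and sets X-Real-IP and X-Forwarded-Proto, and the backend side recovers the client address. The backend walks the chain from the right and skips only hops inside TRUSTED_PROXY_NETS (an assumed list standing in for your own proxy tier), because the leftmost entries are whatever the client chose to send; naive_client_ip shows the common mistake for contrast. All addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed for this example: the address ranges our own proxy tier lives in.
# Only hops inside these networks are believed when walking X-Forwarded-For.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                      ipaddress.ip_network("127.0.0.0/8")]


def build_upstream_headers(incoming, peer_ip, scheme):
    """Reverse-proxy side: copy the client's headers, append the TCP peer to
    X-Forwarded-For, and set X-Real-IP / X-Forwarded-Proto from what the proxy
    itself observed. Any X-Forwarded-For the client sent is kept, not trusted."""
    headers = {k.lower(): v for k, v in incoming.items()}
    chain = headers.get("x-forwarded-for", "").strip()
    headers["x-forwarded-for"] = f"{chain}, {peer_ip}" if chain else peer_ip
    headers["x-real-ip"] = peer_ip
    headers["x-forwarded-proto"] = scheme
    return headers


def naive_client_ip(headers, peer_ip):
    """The common mistake: take the leftmost X-Forwarded-For entry. A client can
    put anything there, so rate limits or allow-lists keyed on it are bypassable."""
    chain = headers.get("x-forwarded-for", "")
    return chain.split(",")[0].strip() or peer_ip


def client_ip_from_headers(headers, peer_ip, trusted=TRUSTED_PROXY_NETS):
    """Backend side: walk the chain from the right (most recently appended hop),
    skipping hops that belong to our own proxies; the first address that is not
    one of ours is the real client. Returns None on malformed input."""
    hops = [h.strip() for h in headers.get("x-forwarded-for", "").split(",") if h.strip()]
    hops.append(peer_ip)              # the TCP peer is always the last, authoritative hop
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None               # refuse to guess from garbage
        if not any(addr in net for net in trusted):
            return str(addr)
    return hops[0]                    # every hop was one of our own proxies


def needs_https_redirect(headers):
    """Backend side: the proxy terminated TLS, so consult X-Forwarded-Proto rather
    than the (always plaintext) upstream socket when deciding to redirect to https."""
    return headers.get("x-forwarded-proto", "http").lower() != "https"


if __name__ == "__main__":
    # A client at 203.0.113.7 (constructed) sends a forged X-Forwarded-For through a
    # proxy at 10.0.0.5 (constructed); the backend sees the proxy as its TCP peer.
    upstream = build_upstream_headers({"X-Forwarded-For": "192.0.2.1"}, "203.0.113.7", "https")
    print(upstream["x-forwarded-for"])                    # 192.0.2.1, 203.0.113.7
    print(naive_client_ip(upstream, "10.0.0.5"))          # 192.0.2.1 (forged)
    print(client_ip_from_headers(upstream, "10.0.0.5"))   # 203.0.113.7
```

The same rule applies when several of your own proxies are chained: each appends its peer, so the backend keeps skipping trusted hops from the right until it reaches the first address that did not come from inside the proxy tier.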
Security Isolation and Network Ingress
In modern cloud infrastructures, backend servers are placed in a Private Subnet (a network segment with no route to or from the public internet). These database and application servers are not reachable from the public internet at all.
The reverse proxy is placed on the network edge inside a Public Subnet (acting as the Bastion or Ingress point) and is assigned a public IP. By restricting ingress access to the reverse proxy, developers ensure that all incoming requests are authenticated, rate-limited, and logged before they can touch internal business systems.
Further Reading
- RFC 2616: Hypertext Transfer Protocol -- HTTP/1.1 — The seminal IETF specification defining proxies, gateways, and connection behaviors.
- Nginx Reverse Proxy Documentation — Detailed setup guide on building, forwarding, and optimizing Nginx reverse proxy routing.
- Envoy Proxy Architecture Guide — Foundations of high-performance modern L4 and L7 network proxies used in microservice platforms.
Core Literature References
Hypertext Transfer Protocol -- HTTP/1.1
by Roy Thomas Fielding, et al. — Section 1.3: Terminology (Proxies, Gateways, and Tunnels)