Both forward and reverse proxies sit between two parties and forward traffic. The difference is who they’re working for — and who they’re hiding.
In simple language: a forward proxy works for the client (hides clients from servers). A reverse proxy works for the server (hides servers from clients).
Forward Proxy
The client deliberately routes its traffic through the proxy. The destination server has no idea who the original client is — it just sees the proxy’s IP.
Who configures it? The client.
Who knows about it? The client. The destination server might not even realize a proxy exists.
Examples:
- A corporate proxy that all employees go through (so IT can filter sites and log activity).
- A VPN exit node — Netflix sees a US IP instead of our actual location.
- Tor — many proxies in series for anonymity.
- Squid, a classic forward proxy server.
# Use a forward proxy with curl
curl -x http://proxy.company.com:8080 https://example.com
Reverse Proxy
The client thinks it’s talking to the server directly. The proxy is invisible. Behind the scenes, it forwards to one of many real backend servers.
Who configures it? The server / sysadmin.
Who knows about it? Only the server side. The client just sees the proxy’s IP and thinks it’s the real server.
Examples:
- NGINX in front of a Node.js app.
- Cloudflare in front of our entire site.
- AWS ALB / ELB.
- Caddy, Traefik.
- API gateways (Kong, Tyk).
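# Reverse proxy in nginx
server {
    listen 443 ssl;
    server_name example.com;
    # TLS is terminated at the proxy; the certificate paths are placeholders
    ssl_certificate     /path/to/fullchain.pem;
    ssl_certificate_key /path/to/privkey.pem;
    location / {
        # Forward requests to the backend on the internal network
        proxy_pass http://backend:3000;
        # Pass the original Host header and the client's address to the backend
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
    }
}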
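The config above hands the client address to the backend in X-Real-IP. The backend should believe that header only when the TCP peer is the proxy itself, because anyone who can reach the backend directly can send the same header. The following is an added example for the Node.js backend case, not code from the original page; the proxy address 10.0.0.5 and the function names are assumptions.

```javascript
// Added example: resolve the real client address in a Node.js backend
// that sits behind the nginx reverse proxy configured above.
// All addresses are constructed; 10.0.0.5 is an assumed proxy address.
const TRUSTED_PROXIES = new Set(['10.0.0.5']);

// Node reports IPv4 peers on dual-stack sockets as ::ffff:a.b.c.d.
function normalize(addr) {
  return addr.startsWith('::ffff:') ? addr.slice(7) : addr;
}

// Accept exactly one IP literal, nothing else (no lists, no hostnames).
function isIpLiteral(s) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(s)) {
    return s.split('.').every((octet) => Number(octet) <= 255);
  }
  if (!/^[0-9a-f:.]+$/i.test(s) || !s.includes(':')) return false;
  try {
    new URL(`http://[${s}]/`); // the URL parser rejects malformed IPv6
    return true;
  } catch {
    return false;
  }
}

// peerAddr: req.socket.remoteAddress; headers: req.headers (lower-cased keys).
function clientIp(peerAddr, headers, trusted = TRUSTED_PROXIES) {
  const peer = normalize(peerAddr);
  // Not from the proxy: the header is client-controlled, so ignore it.
  if (!trusted.has(peer)) return peer;
  const claimed = headers['x-real-ip'];
  // Missing, duplicated ("a, b") or malformed values fall back to the peer.
  if (typeof claimed !== 'string' || !isIpLiteral(claimed.trim())) return peer;
  return normalize(claimed.trim());
}

// Constructed requests: via the proxy, then directly with a forged header.
console.log(clientIp('::ffff:10.0.0.5', { 'x-real-ip': '203.0.113.7' }));
console.log(clientIp('198.51.100.9', { 'x-real-ip': '127.0.0.1' }));
```

This check complements, rather than replaces, keeping the backend reachable only from the proxy's network.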
Direction Diagram — Who Hides Who
Why Use a Forward Proxy?
- Bypass censorship / geo-restrictions — a VPN is a forward proxy underneath.
- Privacy / anonymity — Tor.
- Corporate filtering / logging — block social media, log every request.
- Caching — older corporate proxies cached web content to save bandwidth.
- Authentication enforcement — single sign-on at the network layer.
Why Use a Reverse Proxy?
- Load balancing — split traffic across many backend servers.
- TLS termination — cert management in one place.
- Caching — return cached responses without hitting the backend.
- Security — backend never directly exposed to the internet.
- Rate limiting / WAF — block abuse at the edge.
- Compression / response rewriting — gzip once at the proxy.
- Hide internal architecture — many microservices behind one URL.
A CDN Is a Reverse Proxy
Cloudflare, CloudFront, Fastly are all distributed reverse proxies. Users hit the CDN. The CDN forwards (on miss) to our origin. The user never directly contacts our origin.
Common Confusion
People often say “proxy” and mean a forward proxy, even when the setup they describe is a reverse proxy. The trick is to ask whom the proxy is working for:
- “I’m using a proxy to access blocked sites” → forward proxy.
- “Nginx in front of my app” → reverse proxy.
- “Cloudflare protects my site” → reverse proxy.
- “Company VPN” → forward proxy.
Interview Tip
The cleanest definition: forward proxy serves the client, reverse proxy serves the server. From there, every example follows. Bonus: mention that a CDN is just a globally-distributed reverse proxy with caching — it ties this concept to a topic interviewers love.