Forward proxies, reverse proxies, and load balancers are often confused because they all sit between clients and servers in a network path. Understanding their distinct roles, use cases, and implementation differences is fundamental to system design. These components appear in nearly every large-scale architecture: Nginx, HAProxy, Envoy, and Squid each serve specific roles in this space.
Forward Proxy: Client-Side Intermediary
A forward proxy sits between clients and the internet, acting on behalf of clients. The client explicitly configures the proxy (browser proxy settings, system proxy environment variables). The destination server sees the proxy IP, not the client IP. Use cases:
- Corporate internet filtering: block access to non-work sites, log employee browsing.
- Anonymization: hide the client IP from destination servers (VPNs are a form of forward proxy).
- Caching: Squid caches web responses, reducing bandwidth for repeated requests from many clients.
- Access control: allow outbound internet access only through the proxy, enabling audit logging of all external requests.
Reverse Proxy: Server-Side Intermediary
A reverse proxy sits in front of servers, acting on behalf of servers. Clients send requests to the reverse proxy without knowing which backend server will handle them. At the TCP level the backend servers see the proxy IP; the original client IP reaches them only if the proxy forwards it in a header such as X-Forwarded-For, and a backend should trust that header only on connections that actually come from its own proxy, since any client can send the header itself. Reverse proxies provide:
- SSL termination: decrypt HTTPS at the proxy, pass plain HTTP to backends.
- Compression: gzip responses at the proxy, reducing bandwidth.
- Caching: cache backend responses (Varnish, Nginx proxy_cache).
- Request routing: route /api/* to API servers and /* to static file servers.
- DDoS protection: absorb attack traffic before it reaches backends (Cloudflare, AWS WAF).
# Nginx as reverse proxy with SSL termination and caching
# (everything below lives in the http {} context)
proxy_cache_path /var/cache/nginx levels=1:2 keys_zone=api_cache:10m;  # http context only: not valid inside server {}

upstream api_backend {
    server api-1.internal:8080 weight=3;
    server api-2.internal:8080 weight=3;
    server api-3.internal:8080 weight=1;  # canary
    keepalive 32;  # persistent connections to backends
}

server {
    listen 443 ssl http2;
    ssl_certificate /etc/ssl/cert.pem;
    ssl_certificate_key /etc/ssl/key.pem;

    location /api/ {
        proxy_pass http://api_backend;
        proxy_http_version 1.1;           # keepalive to backends needs HTTP/1.1 ...
        proxy_set_header Connection "";   # ... and the client's Connection header cleared
        proxy_set_header X-Forwarded-For $remote_addr;  # overwrite, not append: this proxy is the trusted edge, so client-supplied values are discarded
        proxy_cache api_cache;
        proxy_cache_valid 200 30s;  # cache 200 responses for 30s
    }
}
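The X-Forwarded-For handling behind a reverse proxy, as an added example that is not part of the original page and not nginx code. It shows the backend-side decision: only when the TCP peer is one of our own proxies is the header believed at all, and then the chain is walked from the right (the hop our proxy appended) towards the left, skipping our proxies and stopping at the first address we did not write ourselves. The trusted proxy ranges are constructed for the demo.

```python
"""Decide which address a backend should treat as the client when it sits
behind a reverse proxy. Added example, not nginx code. The trusted proxy
ranges below are constructed for the demo."""
import ipaddress
from typing import List, Optional

# Constructed for this example: only these addresses are our proxy tier.
# Every other hop in X-Forwarded-For was written by someone we do not control.
TRUSTED_PROXIES = [
    ipaddress.ip_network("10.0.0.0/8"),       # internal proxy / load balancer tier
    ipaddress.ip_network("198.51.100.7/32"),  # the edge nginx (RFC 5737 test address)
]


def is_trusted(addr: str) -> bool:
    """True if addr parses as an IP inside one of the trusted proxy networks."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, xff: Optional[str]) -> str:
    """remote_addr is the TCP peer the backend socket sees; xff is the raw
    X-Forwarded-For header value, or None if absent.

    The header is a comma-separated chain: leftmost is the original client as
    claimed by whoever sent it, rightmost is the address appended by the last
    proxy. We walk it from the right, skipping our own proxies, and stop at the
    first address that is not ours, i.e. the nearest hop we did not write
    ourselves. Anything further left may have been forged by the client."""
    if not is_trusted(remote_addr):
        # Direct connection (or an unknown proxy): the header is untrusted.
        return remote_addr
    if not xff:
        return remote_addr
    hops: List[str] = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if is_trusted(hop):
            continue
        try:
            return str(ipaddress.ip_address(hop))
        except ValueError:
            # Garbage in the chain (e.g. an injected string): fall back to the
            # peer rather than log or rate limit on an attacker-chosen value.
            return remote_addr
    # Every hop is one of ours, e.g. an internal health check through the proxy.
    return remote_addr


if __name__ == "__main__":
    # With the nginx config above (X-Forwarded-For set to $remote_addr) the
    # backend receives a single, proxy-written entry.
    print(client_ip("198.51.100.7", "203.0.113.5"))
    # A client that reaches the backend directly cannot spoof via the header.
    print(client_ip("203.0.113.9", "10.0.0.1, 127.0.0.1"))
```

With the page's `proxy_set_header X-Forwarded-For $remote_addr` the edge overwrites whatever the client sent, so the chain has one entry; if the edge used `$proxy_add_x_forwarded_for` instead, the client's own value would be preserved on the left and the right-to-left walk above is what keeps it from being trusted.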
Load Balancer: Traffic Distribution
A load balancer distributes requests across multiple backend instances to maximize availability and throughput.
- L4 load balancer (TCP/UDP): routes based on IP and port, without inspecting application-layer content. Fast (nanoseconds per packet), used for raw throughput.
- L7 load balancer (HTTP/gRPC): routes based on URL path, headers, cookies, or content. Enables path-based routing (/api vs /static), sticky sessions (route the same user to the same backend), and health-check-aware routing. Modern load balancers (Envoy, HAProxy) operate at L7.
Load balancing algorithms: round-robin, least connections, IP hash (consistent), weighted round-robin, least response time.
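The algorithms listed above, implemented over one health-check-aware backend pool, as an added example (not nginx, HAProxy or Envoy code). It goes slightly beyond the text by showing the smooth weighted round-robin scheme nginx uses and by building the IP hash as a consistent-hash ring, so that removing an unhealthy backend moves only the clients that were mapped to it. Backend names and weights are constructed and mirror the upstream block earlier on the page.

```python
"""Load-balancing algorithms over one backend pool with health-aware
selection. Added example, not nginx/HAProxy/Envoy code. Backend names and
weights are constructed for the demo."""
import bisect
import hashlib
import itertools
from typing import Dict, List, Optional, Tuple


class Backend:
    def __init__(self, name: str, weight: int = 1):
        self.name = name
        self.weight = weight
        self.healthy = True   # flipped by active or passive health checks
        self.active = 0       # in-flight connections, for least-connections


class Pool:
    def __init__(self, backends: List[Backend], replicas: int = 50):
        self.backends = backends
        self._rr = itertools.cycle(backends)
        self._current: Dict[str, int] = {b.name: 0 for b in backends}
        # Consistent-hash ring: each backend owns weight*replicas points, so a
        # backend leaving only moves the keys that hashed to its points.
        self._ring: List[Tuple[int, Backend]] = []
        for b in backends:
            for i in range(replicas * b.weight):
                self._ring.append((self._hash(f"{b.name}#{i}"), b))
        self._ring.sort(key=lambda t: t[0])
        self._keys = [h for h, _ in self._ring]

    @staticmethod
    def _hash(key: str) -> int:
        return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")

    def _healthy(self) -> List[Backend]:
        return [b for b in self.backends if b.healthy]

    def round_robin(self) -> Optional[Backend]:
        """Plain rotation; unhealthy backends are skipped, not removed."""
        for _ in range(len(self.backends)):
            b = next(self._rr)
            if b.healthy:
                return b
        return None

    def weighted_round_robin(self) -> Optional[Backend]:
        """Smooth weighted round-robin (the scheme nginx uses): every pick adds
        each backend's weight to its score, the highest score wins, and the
        total weight is subtracted from the winner. Weights 2:1 yield A B A."""
        healthy = self._healthy()
        if not healthy:
            return None
        total = sum(b.weight for b in healthy)
        for b in healthy:
            self._current[b.name] += b.weight
        best = max(healthy, key=lambda b: self._current[b.name])
        self._current[best.name] -= total
        return best

    def least_connections(self) -> Optional[Backend]:
        """Fewest in-flight connections per unit of weight; ties go to the
        earlier backend so the choice is deterministic."""
        healthy = self._healthy()
        if not healthy:
            return None
        return min(healthy, key=lambda b: (b.active / b.weight, self.backends.index(b)))

    def ip_hash(self, client_ip: str) -> Optional[Backend]:
        """Consistent hashing on the client IP: walk the ring clockwise from
        the key's hash to the first point owned by a healthy backend."""
        if not self._ring:
            return None
        start = bisect.bisect_left(self._keys, self._hash(client_ip))
        for i in range(len(self._ring)):
            b = self._ring[(start + i) % len(self._ring)][1]
            if b.healthy:
                return b
        return None


def pick_sequence(pool: Pool, method: str, n: int) -> List[str]:
    """Names of the next n picks made by one algorithm (for demos and tests)."""
    return [getattr(pool, method)().name for _ in range(n)]


if __name__ == "__main__":
    pool = Pool([Backend("api-1", 3), Backend("api-2", 3), Backend("api-3", 1)])
    print(pick_sequence(pool, "weighted_round_robin", 7))  # 3:3:1 spread over one cycle
```

Note that a sticky (IP hash) scheme is also what an attacker behind a single source address gets stuck with, which is why health checking and per-backend connection limits still matter even when traffic is hashed rather than spread.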
Comparison Summary
- Forward proxy: client configures it; hides client from server; corporate internet control.
- Reverse proxy: server configures it; hides server from client; SSL termination, caching, routing.
- Load balancer: distributes traffic across multiple servers; health checking; high availability.
In practice, these roles overlap: Nginx can serve as all three simultaneously. Cloudflare is a reverse proxy + load balancer + DDoS protection + CDN. A service mesh sidecar (Envoy) is a reverse proxy for every service in a microservices architecture. The terms describe function more than distinct products.
Key Interview Discussion Points
- Health checks: load balancers periodically send probe requests and remove unhealthy backends from rotation — active (send probes) vs. passive (watch for errors in real traffic)
- Connection draining: when removing a backend, stop sending new connections but allow in-flight requests to complete (typically 30-60 second drain period)
- Global Server Load Balancing (GSLB): route users to the geographically nearest healthy data center, combining DNS and health checking
- Proxy protocol: preserves original client IP when passing connections through multiple L4 proxies — important for rate limiting and access logging
- Transparent proxy: intercepts traffic without client configuration (used by ISPs for transparent caching, also by some WAF implementations)
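The proxy protocol item above is worth seeing concretely, since the same spoofing concern as X-Forwarded-For applies: a PROXY line is plain bytes that any client can send first. The following is an added example, not HAProxy or nginx code, that parses the v1 (text) header from the HAProxy specification, enforces its limits (CRLF within 107 bytes, valid family, addresses matching the family, ports within 0..65535), and only honours the line when the TCP peer is a known upstream proxy. The trusted peer address is constructed.

```python
"""Parse the PROXY protocol v1 header (the text form HAProxy defined) and
only honour it from a known upstream proxy. Added example, not HAProxy or
nginx code; the trusted peer address used in the demo is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

MAX_V1_LINE = 107  # spec: the v1 line never exceeds 107 bytes, CRLF included


class ProxyHeaderError(ValueError):
    """Raised for any malformed header; the receiver should close the connection."""


@dataclass
class ProxyInfo:
    family: str                 # "TCP4", "TCP6" or "UNKNOWN"
    src_addr: Optional[str]     # original client address, None for UNKNOWN
    dst_addr: Optional[str]
    src_port: Optional[int]
    dst_port: Optional[int]


def parse_proxy_v1(data: bytes) -> Tuple[ProxyInfo, bytes]:
    """Return (info, bytes after the header). `data` is the first read from
    the socket; the header must be the very first thing on the wire."""
    end = data.find(b"\r\n", 0, MAX_V1_LINE)
    if end == -1:
        raise ProxyHeaderError("no CRLF within the first 107 bytes")
    line, rest = data[:end], data[end + 2:]
    if not line.startswith(b"PROXY "):
        raise ProxyHeaderError("missing PROXY signature")
    try:
        fields = line.decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise ProxyHeaderError("non-ASCII byte in header")
    family = fields[1]
    if family == "UNKNOWN":
        # Spec: for UNKNOWN the receiver ignores everything up to the CRLF.
        return ProxyInfo("UNKNOWN", None, None, None, None), rest
    if family not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ProxyHeaderError("bad family or wrong number of fields")
    _, _, src, dst, sport, dport = fields
    want_version = 4 if family == "TCP4" else 6
    for addr in (src, dst):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            raise ProxyHeaderError(f"bad address {addr!r}")
        if ip.version != want_version:
            raise ProxyHeaderError(f"{addr!r} does not match {family}")
    ports = []
    for p in (sport, dport):
        if not (p.isdigit() and len(p) <= 5 and int(p) <= 65535):
            raise ProxyHeaderError(f"bad port {p!r}")
        ports.append(int(p))
    return ProxyInfo(family, src, dst, ports[0], ports[1]), rest


def header_is_valid(data: bytes) -> bool:
    """Convenience check: does `data` begin with a well-formed v1 header?"""
    try:
        parse_proxy_v1(data)
        return True
    except ProxyHeaderError:
        return False


def accept_connection(peer_addr: str, data: bytes,
                      trusted_peers: Iterable[str]) -> Tuple[Optional[ProxyInfo], bytes]:
    """The check that makes the protocol safe: a PROXY line is only believed
    when the TCP peer is one of our own upstream proxies. From anyone else the
    bytes are ordinary application data, so a direct client cannot prepend a
    line and present a chosen source address to rate limiting or access logs.
    A trusted peer is required to send the line (HAProxy accept-proxy semantics)."""
    if peer_addr not in set(trusted_peers):
        return None, data
    return parse_proxy_v1(data)


if __name__ == "__main__":
    raw = b"PROXY TCP4 203.0.113.5 10.0.0.2 56324 443\r\nGET / HTTP/1.1\r\n"  # constructed
    print(accept_connection("10.0.0.1", raw, ["10.0.0.1"]))
    print(accept_connection("203.0.113.9", raw, ["10.0.0.1"]))
```

In a real listener the trusted-peer set is the address list of the L4 tier in front of the service (what HAProxy expresses with `accept-proxy` on a bind line plus firewall rules, and nginx with `proxy_protocol` on `listen` together with `set_real_ip_from`); the parser is the easy part, the trust boundary is what keeps the preserved client IP meaningful.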