Hosting & VPS Guides

Using a Reverse Proxy to Improve Performance and Security

Practical guide to reverse proxies: how they work, when to use them, performance benefits, security benefits, SSL handling, caching and common configuration mistakes.

By CheckDomainHealth Editorial Team Reviewed by Dionis Ceban Updated Jun 28, 2026 10 min read Intermediate

Introduction

A reverse proxy sits in front of a website, application or origin server. Instead of visitors connecting directly to the backend application, they connect to the reverse proxy first. The reverse proxy then forwards requests to the correct internal service.

Reverse proxies are commonly used with Nginx, Apache, HAProxy, Cloudflare, CDN services, load balancers and application gateways. They can improve performance, protect backend services, terminate SSL, cache content, route traffic and reduce direct exposure of the origin server.

Quick answer

Quick answer

A reverse proxy improves performance and security by receiving public requests before they reach the backend server. It can handle SSL, caching, compression, rate limiting, redirects, routing and security filtering. Use it carefully: wrong proxy headers, SSL mode, DNS or redirects can cause loops, 502 errors, wrong visitor IPs or broken applications.

What is a reverse proxy?

A reverse proxy is a server or service that accepts requests from visitors and forwards them to one or more backend servers.

Simple reverse proxy flow
Visitor:
https://example.com

Reverse proxy:
Nginx, Cloudflare, HAProxy, load balancer or CDN

Backend:
Application server, WordPress server, API, container or VPS service

The visitor usually does not connect directly to the backend application. This allows the proxy to control traffic, apply security rules, cache responses and hide internal services.

Reverse proxy vs forward proxy

A forward proxy represents the client. A reverse proxy represents the server.

Forward proxy

  • Used by users or organizations to access the internet through another server
  • Example: VPN or corporate proxy

Reverse proxy

  • Used by websites and applications to receive traffic before it reaches backend servers
  • Example: Nginx in front of a Node.js app

For website hosting, performance and security, reverse proxies are the relevant concept.

Common reverse proxy types

Reverse proxies can be implemented in different ways.

Common examples:

  • Nginx reverse proxy on a VPS
  • Apache reverse proxy
  • HAProxy load balancer
  • Cloudflare proxy/CDN
  • CDN edge proxy
  • managed load balancer
  • Kubernetes ingress controller
  • application gateway
  • Docker reverse proxy

The concept is the same: public traffic reaches the proxy first, and the proxy forwards traffic to the backend.

Performance benefits

A reverse proxy can improve performance when configured correctly.

Performance features:

  • static file caching
  • CDN edge caching
  • compression
  • HTTP/2 or HTTP/3 support
  • connection reuse
  • TLS termination
  • load balancing
  • request buffering
  • image optimization through CDN
  • routing to faster backend services
  • reducing repeated origin requests

A reverse proxy does not automatically make a slow application fast. It helps most when caching, routing and backend configuration are planned properly.

Security benefits

A reverse proxy can reduce direct exposure of the origin server.

Security benefits:

  • hide backend application ports
  • terminate SSL at a controlled layer
  • block unwanted traffic
  • rate limit abusive requests
  • filter common attacks
  • protect origin IP where possible
  • enforce HTTPS
  • add security headers
  • restrict admin paths
  • separate public traffic from internal services
  • centralize logging

A reverse proxy is not a full security solution by itself. The backend server still needs updates, firewall rules, secure application code and proper access control.

SSL termination

SSL termination means the reverse proxy handles HTTPS certificates and decrypts traffic before forwarding it to the backend.

Common setups:

  • HTTPS visitor → reverse proxy → HTTP backend
  • HTTPS visitor → reverse proxy → HTTPS backend
  • CDN SSL at edge → HTTPS to origin
  • Nginx SSL → local app on 127.0.0.1

If the backend receives HTTP but the visitor used HTTPS, the proxy must pass headers such as X-Forwarded-Proto so the application knows the original request was secure.

Caching and CDN

Reverse proxies can cache static or full-page content to reduce origin load.

Can cache:

  • images
  • CSS
  • JavaScript
  • fonts
  • public HTML pages
  • API responses where safe
  • downloads

Be careful with:

  • logged-in pages
  • carts and checkout
  • admin pages
  • personalized content
  • user dashboards
  • forms
  • search results
  • API responses with private data

Wrong caching rules can show stale content or private user data. Cache only what is safe to cache.

Real client IP and proxy headers

When traffic passes through a reverse proxy, the backend may see the proxy IP instead of the real visitor IP.

Important headers:

  • X-Forwarded-For
  • X-Real-IP
  • X-Forwarded-Proto
  • X-Forwarded-Host
  • CF-Connecting-IP for Cloudflare setups

The backend application or web server must trust the proxy correctly. Otherwise logs, rate limits, analytics and security rules may use the wrong IP address.

Load balancing

A reverse proxy can distribute traffic across multiple backend servers.

Common methods:

  • round robin
  • least connections
  • IP hash
  • weighted upstreams
  • health-check-based routing

Useful for:

  • high traffic websites
  • APIs
  • multiple app servers
  • failover setups
  • horizontal scaling
  • separating frontend and backend services

Load balancing only works well when sessions, uploads, cache and database architecture are planned correctly.

Why this matters

Why this matters

Reverse proxies matter because they are often the public front door of modern websites and applications. They can improve speed, protect backend services, simplify SSL, control redirects and reduce load on origin servers.

A misconfigured reverse proxy can also break a site. Common issues include 502 Bad Gateway, redirect loops, wrong visitor IPs, SSL mismatch, stale cache, blocked validation paths and exposed backend ports.

How to check reverse proxy setup

Use Domain Health Checker, Website Status Checker, HTTP Header Checker and SSL Checker to verify public behavior.

  1. DNS — Confirm the domain points to the proxy or correct origin.
  2. Website status — Confirm the final URL returns the expected status code.
  3. SSL — Confirm certificate is valid for the public hostname.
  4. Redirects — Check HTTP to HTTPS and www/non-www behavior.
  5. Headers — Check security headers and proxy-related headers.
  6. Backend availability — Confirm the origin application is running.
  7. Client IP handling — Confirm logs show real visitor IP where needed.
  8. Cache behavior — Confirm dynamic pages are not cached incorrectly.

Check reverse proxy and domain setup

Use Domain Health Checker to review DNS, SSL, website status and related signals for your reverse proxy setup.

Run Domain Health Check →

Common problems

502 Bad Gateway

High

The proxy cannot reach the backend application or origin server.

Next step: Check upstream host, port, service status and firewall rules.

Redirect loop

High

Proxy, CDN, application or backend redirects conflict.

Next step: Review HTTPS settings, X-Forwarded-Proto and canonical redirect rules.

Wrong visitor IP in logs

Medium

The backend logs proxy IP instead of real client IP.

Next step: Configure real IP/trusted proxy headers.

Backend port exposed publicly

Medium

The application is reachable directly instead of only through the proxy.

Next step: Bind backend to localhost or restrict access with firewall.

SSL mismatch

High

Certificate does not match the public hostname or proxy/origin SSL mode.

Next step: Check SSL certificate, CDN mode and origin certificate.

Cache serves stale content

Medium

Proxy or CDN cache keeps old content after updates.

Next step: Purge cache and adjust cache rules.

Private pages cached

High

Personalized or logged-in content may be cached publicly.

Next step: Exclude admin, account, cart, checkout and authenticated pages.

Certbot validation blocked

Medium

Proxy or CDN blocks ACME challenge paths.

Next step: Allow /.well-known/acme-challenge/ or use DNS validation.

Large uploads fail

Medium

Proxy upload limits are too low.

Next step: Adjust client_max_body_size or equivalent setting.

WebSockets broken

Medium

Upgrade headers are missing or proxy does not support WebSockets.

Next step: Enable WebSocket proxy headers and test real-time features.

How to use a reverse proxy safely

  1. Step 1: Define the traffic flow

    Decide what the public proxy receives and where it forwards traffic.

  2. Step 2: Confirm DNS

    Point the domain to the proxy or correct public endpoint.

  3. Step 3: Protect backend

    Keep backend services private or restrict them by firewall.

  4. Step 4: Configure SSL

    Use a valid public certificate and decide whether backend also uses HTTPS.

  5. Step 5: Set proxy headers

    Pass host, protocol and real client IP correctly.

  6. Step 6: Configure redirects

    Choose one canonical HTTPS hostname and avoid duplicate redirect layers.

  7. Step 7: Set cache rules carefully

    Cache static/public content, not private user pages.

  8. Step 8: Test status and headers

    Verify HTTP status, redirects, SSL and security headers.

  9. Step 9: Check logs

    Review proxy logs and backend logs during testing.

  10. Step 10: Monitor continuously

    Watch origin health, proxy errors, cache behavior and SSL expiry.

Nginx reverse proxy example

Nginx reverse proxy example
server {
    listen 80;
    server_name example.com www.example.com;

    return 301 https://example.com$request_uri;
}

server {
    listen 443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location / {
        proxy_pass http://127.0.0.1:3000;

        proxy_http_version 1.1;

        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}

This is a simplified example. Real setups may need WebSocket support, upload limits, app-specific routes, caching rules or CDN integration.

CDN reverse proxy example

CDN reverse proxy example
Visitor:
https://example.com

CDN/proxy:
Cloudflare or another CDN

Origin:
VPS server IP

DNS:
example.com  proxied CDN record

Origin server:
Nginx/Apache listens on 80/443

Important:
- SSL mode must match origin setup
- origin must accept CDN traffic
- cache rules must exclude private pages
- real visitor IP headers must be configured

CDN proxy setups are powerful, but SSL mode and redirect rules must be aligned to avoid loops.

Useful reverse proxy checks

Useful reverse proxy checks
Check public status:
curl -I https://example.com

Follow redirects:
curl -IL http://example.com

Check response headers:
curl -I https://example.com

Check local backend:
curl -I http://127.0.0.1:3000

Check listening ports:
sudo ss -tulpn

Check Nginx config:
sudo nginx -t

Check Nginx errors:
sudo tail -100 /var/log/nginx/error.log

Check SSL certificate:
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates

Commands are examples. Replace example.com and backend port with your real values.

Reverse proxy security checklist

Reverse proxy security checklist

Use this checklist after configuring a reverse proxy for performance and security.

Backend ports are not publicly exposed

Keep internal apps behind the proxy or firewall.

SSL certificate is valid

Confirm the public hostname is covered.

HTTP redirects to HTTPS

Use one canonical HTTPS URL.

Proxy headers are correct

Pass host, protocol and client IP as needed.

Real visitor IP is logged correctly

Configure trusted proxy settings in the app.

Cache excludes private pages

Do not cache admin, account or checkout pages.

Admin paths are protected

Restrict sensitive routes where possible.

Upload limits are appropriate

Set proxy upload limits for forms and APIs.

WebSocket support is configured if needed

Enable upgrade headers for real-time apps.

CDN/proxy SSL mode is correct

Align CDN SSL mode with origin setup.

Origin firewall rules are reviewed

Allow only required public ports.

Backend services are updated

Keep origin software patched.

Logs are monitored

Review proxy and backend logs after changes.

Certbot renewal is tested if used

Run certbot renew --dry-run after SSL setup.

Frequently asked questions

What is a reverse proxy?

A reverse proxy receives public requests and forwards them to backend servers or applications.

Does a reverse proxy improve performance?

It can, especially with caching, compression, CDN edge delivery, connection reuse and load balancing.

Does a reverse proxy improve security?

It can reduce backend exposure and apply filtering or rate limits, but the backend still needs proper security.

Why do I get 502 Bad Gateway?

The proxy cannot reach the backend app, or the backend is returning an invalid response.

Why do I get redirect loops?

Usually because proxy, CDN, backend or application HTTPS settings conflict.

Can a reverse proxy hide my origin IP?

Sometimes, especially with a CDN, but only if origin firewall and DNS history are managed carefully.

Should I cache everything?

No. Cache static and public content carefully. Do not cache private, logged-in or checkout pages publicly.

Use these free tools to verify your configuration after applying changes.

Browse all Hosting & VPS guides →

Need help applying this fix?

Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.

Get Help Run Domain Health Check

Was this guide helpful?

Your feedback helps us improve our guides for everyone.