Using a Reverse Proxy to Improve Performance and Security
Practical guide to reverse proxies: how they work, when to use them, performance benefits, security benefits, SSL handling, caching and common configuration mistakes.
Introduction
A reverse proxy sits in front of a website, application or origin server. Instead of visitors connecting directly to the backend application, they connect to the reverse proxy first. The reverse proxy then forwards requests to the correct internal service.
Reverse proxies are commonly used with Nginx, Apache, HAProxy, Cloudflare, CDN services, load balancers and application gateways. They can improve performance, protect backend services, terminate SSL, cache content, route traffic and reduce direct exposure of the origin server.
Quick answer
A reverse proxy improves performance and security by receiving public requests before they reach the backend server. It can handle SSL, caching, compression, rate limiting, redirects, routing and security filtering. Use it carefully: wrong proxy headers, SSL mode, DNS or redirects can cause loops, 502 errors, wrong visitor IPs or broken applications.
What is a reverse proxy?
A reverse proxy is a server or service that accepts requests from visitors and forwards them to one or more backend servers.
Visitor:
https://example.com
Reverse proxy:
Nginx, Cloudflare, HAProxy, load balancer or CDN
Backend:
Application server, WordPress server, API, container or VPS service
The visitor usually does not connect directly to the backend application. This allows the proxy to control traffic, apply security rules, cache responses and hide internal services.
Reverse proxy vs forward proxy
A forward proxy represents the client. A reverse proxy represents the server.
Forward proxy
- Used by users or organizations to access the internet through another server
- Example: VPN or corporate proxy
Reverse proxy
- Used by websites and applications to receive traffic before it reaches backend servers
- Example: Nginx in front of a Node.js app
For website hosting, performance and security, reverse proxies are the relevant concept.
Common reverse proxy types
Reverse proxies can be implemented in different ways.
Common examples:
- Nginx reverse proxy on a VPS
- Apache reverse proxy
- HAProxy load balancer
- Cloudflare proxy/CDN
- CDN edge proxy
- managed load balancer
- Kubernetes ingress controller
- application gateway
- Docker reverse proxy
The concept is the same: public traffic reaches the proxy first, and the proxy forwards traffic to the backend.
Performance benefits
A reverse proxy can improve performance when configured correctly.
Performance features:
- static file caching
- CDN edge caching
- compression
- HTTP/2 or HTTP/3 support
- connection reuse
- TLS termination
- load balancing
- request buffering
- image optimization through CDN
- routing to faster backend services
- reducing repeated origin requests
A reverse proxy does not automatically make a slow application fast. It helps most when caching, routing and backend configuration are planned properly.
Security benefits
A reverse proxy can reduce direct exposure of the origin server.
Security benefits:
- hide backend application ports
- terminate SSL at a controlled layer
- block unwanted traffic
- rate limit abusive requests
- filter common attacks
- protect origin IP where possible
- enforce HTTPS
- add security headers
- restrict admin paths
- separate public traffic from internal services
- centralize logging
A reverse proxy is not a full security solution by itself. The backend server still needs updates, firewall rules, secure application code and proper access control.
SSL termination
SSL termination means the reverse proxy handles HTTPS certificates and decrypts traffic before forwarding it to the backend.
Common setups:
- HTTPS visitor → reverse proxy → HTTP backend
- HTTPS visitor → reverse proxy → HTTPS backend
- CDN SSL at edge → HTTPS to origin
- Nginx SSL → local app on 127.0.0.1
If the backend receives HTTP but the visitor used HTTPS, the proxy must pass headers such as X-Forwarded-Proto so the application knows the original request was secure.
Caching and CDN
Reverse proxies can cache static or full-page content to reduce origin load.
Can cache:
- images
- CSS
- JavaScript
- fonts
- public HTML pages
- API responses where safe
- downloads
Be careful with:
- logged-in pages
- carts and checkout
- admin pages
- personalized content
- user dashboards
- forms
- search results
- API responses with private data
Wrong caching rules can show stale content or private user data. Cache only what is safe to cache.
Real client IP and proxy headers
When traffic passes through a reverse proxy, the backend may see the proxy IP instead of the real visitor IP.
Important headers:
- X-Forwarded-For
- X-Real-IP
- X-Forwarded-Proto
- X-Forwarded-Host
- CF-Connecting-IP for Cloudflare setups
The backend application or web server must trust the proxy correctly. Otherwise logs, rate limits, analytics and security rules may use the wrong IP address.
Load balancing
A reverse proxy can distribute traffic across multiple backend servers.
Common methods:
- round robin
- least connections
- IP hash
- weighted upstreams
- health-check-based routing
Useful for:
- high traffic websites
- APIs
- multiple app servers
- failover setups
- horizontal scaling
- separating frontend and backend services
Load balancing only works well when sessions, uploads, cache and database architecture are planned correctly.
Why this matters
Reverse proxies matter because they are often the public front door of modern websites and applications. They can improve speed, protect backend services, simplify SSL, control redirects and reduce load on origin servers.
A misconfigured reverse proxy can also break a site. Common issues include 502 Bad Gateway, redirect loops, wrong visitor IPs, SSL mismatch, stale cache, blocked validation paths and exposed backend ports.
How to check reverse proxy setup
Use Domain Health Checker, Website Status Checker, HTTP Header Checker and SSL Checker to verify public behavior.
- DNS — Confirm the domain points to the proxy or correct origin.
- Website status — Confirm the final URL returns the expected status code.
- SSL — Confirm certificate is valid for the public hostname.
- Redirects — Check HTTP to HTTPS and www/non-www behavior.
- Headers — Check security headers and proxy-related headers.
- Backend availability — Confirm the origin application is running.
- Client IP handling — Confirm logs show real visitor IP where needed.
- Cache behavior — Confirm dynamic pages are not cached incorrectly.
Check reverse proxy and domain setup
Use Domain Health Checker to review DNS, SSL, website status and related signals for your reverse proxy setup.
Common problems
502 Bad Gateway
HighThe proxy cannot reach the backend application or origin server.
Next step: Check upstream host, port, service status and firewall rules.
Redirect loop
HighProxy, CDN, application or backend redirects conflict.
Next step: Review HTTPS settings, X-Forwarded-Proto and canonical redirect rules.
Wrong visitor IP in logs
MediumThe backend logs proxy IP instead of real client IP.
Next step: Configure real IP/trusted proxy headers.
Backend port exposed publicly
MediumThe application is reachable directly instead of only through the proxy.
Next step: Bind backend to localhost or restrict access with firewall.
SSL mismatch
HighCertificate does not match the public hostname or proxy/origin SSL mode.
Next step: Check SSL certificate, CDN mode and origin certificate.
Cache serves stale content
MediumProxy or CDN cache keeps old content after updates.
Next step: Purge cache and adjust cache rules.
Private pages cached
HighPersonalized or logged-in content may be cached publicly.
Next step: Exclude admin, account, cart, checkout and authenticated pages.
Certbot validation blocked
MediumProxy or CDN blocks ACME challenge paths.
Next step: Allow /.well-known/acme-challenge/ or use DNS validation.
Large uploads fail
MediumProxy upload limits are too low.
Next step: Adjust client_max_body_size or equivalent setting.
WebSockets broken
MediumUpgrade headers are missing or proxy does not support WebSockets.
Next step: Enable WebSocket proxy headers and test real-time features.
How to use a reverse proxy safely
-
Step 1: Define the traffic flow
Decide what the public proxy receives and where it forwards traffic.
-
Step 2: Confirm DNS
Point the domain to the proxy or correct public endpoint.
-
Step 3: Protect backend
Keep backend services private or restrict them by firewall.
-
Step 4: Configure SSL
Use a valid public certificate and decide whether backend also uses HTTPS.
-
Step 5: Set proxy headers
Pass host, protocol and real client IP correctly.
-
Step 6: Configure redirects
Choose one canonical HTTPS hostname and avoid duplicate redirect layers.
-
Step 7: Set cache rules carefully
Cache static/public content, not private user pages.
-
Step 8: Test status and headers
Verify HTTP status, redirects, SSL and security headers.
-
Step 9: Check logs
Review proxy logs and backend logs during testing.
-
Step 10: Monitor continuously
Watch origin health, proxy errors, cache behavior and SSL expiry.
Nginx reverse proxy example
server {
listen 80;
server_name example.com www.example.com;
return 301 https://example.com$request_uri;
}
server {
listen 443 ssl http2;
server_name example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
location / {
proxy_pass http://127.0.0.1:3000;
proxy_http_version 1.1;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
}
}
This is a simplified example. Real setups may need WebSocket support, upload limits, app-specific routes, caching rules or CDN integration.
CDN reverse proxy example
Visitor:
https://example.com
CDN/proxy:
Cloudflare or another CDN
Origin:
VPS server IP
DNS:
example.com → proxied CDN record
Origin server:
Nginx/Apache listens on 80/443
Important:
- SSL mode must match origin setup
- origin must accept CDN traffic
- cache rules must exclude private pages
- real visitor IP headers must be configured
CDN proxy setups are powerful, but SSL mode and redirect rules must be aligned to avoid loops.
Useful reverse proxy checks
Check public status:
curl -I https://example.com
Follow redirects:
curl -IL http://example.com
Check response headers:
curl -I https://example.com
Check local backend:
curl -I http://127.0.0.1:3000
Check listening ports:
sudo ss -tulpn
Check Nginx config:
sudo nginx -t
Check Nginx errors:
sudo tail -100 /var/log/nginx/error.log
Check SSL certificate:
openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null | openssl x509 -noout -subject -issuer -dates
Commands are examples. Replace example.com and backend port with your real values.
Reverse proxy security checklist
Reverse proxy security checklist
Use this checklist after configuring a reverse proxy for performance and security.
Backend ports are not publicly exposed
Keep internal apps behind the proxy or firewall.
SSL certificate is valid
Confirm the public hostname is covered.
HTTP redirects to HTTPS
Use one canonical HTTPS URL.
Proxy headers are correct
Pass host, protocol and client IP as needed.
Real visitor IP is logged correctly
Configure trusted proxy settings in the app.
Cache excludes private pages
Do not cache admin, account or checkout pages.
Admin paths are protected
Restrict sensitive routes where possible.
Upload limits are appropriate
Set proxy upload limits for forms and APIs.
WebSocket support is configured if needed
Enable upgrade headers for real-time apps.
CDN/proxy SSL mode is correct
Align CDN SSL mode with origin setup.
Origin firewall rules are reviewed
Allow only required public ports.
Backend services are updated
Keep origin software patched.
Logs are monitored
Review proxy and backend logs after changes.
Certbot renewal is tested if used
Run certbot renew --dry-run after SSL setup.
Frequently asked questions
What is a reverse proxy?
A reverse proxy receives public requests and forwards them to backend servers or applications.
Does a reverse proxy improve performance?
It can, especially with caching, compression, CDN edge delivery, connection reuse and load balancing.
Does a reverse proxy improve security?
It can reduce backend exposure and apply filtering or rate limits, but the backend still needs proper security.
Why do I get 502 Bad Gateway?
The proxy cannot reach the backend app, or the backend is returning an invalid response.
Why do I get redirect loops?
Usually because proxy, CDN, backend or application HTTPS settings conflict.
Can a reverse proxy hide my origin IP?
Sometimes, especially with a CDN, but only if origin firewall and DNS history are managed carefully.
Should I cache everything?
No. Cache static and public content carefully. Do not cache private, logged-in or checkout pages publicly.
Related tools
Use these free tools to verify your configuration after applying changes.
Related guides
Browse all Hosting & VPS guides →Need help applying this fix?
Send us your domain, report link or issue details. CheckDomainHealth will review the request and route it to the right technical team if hands-on support is needed.
Was this guide helpful?
Your feedback helps us improve our guides for everyone.
Thanks for your feedback!