Reverse Proxy
Forward traffic, hide origins, terminate TLS, and spread load before requests hit the app servers.
Same entrance, different jobs
These are roles, not always separate products. One vendor can collapse two or three of these into one box, which is why the diagrams can look similar.
WAF / Firewall
Is this malicious enough to block?
Security filtering, bot rules, attack scoring, challenge or block.
Reverse Proxy
Where should I forward this?
Forwarding, TLS termination, load balancing, buffering, hiding origins.
API Gateway
Is this API request allowed?
Auth, quotas, validation, transforms, versioning, aggregation.
Backend
What does the business logic do?
Domain rules, database writes, long jobs, transactions.
Direct Client to Server
Smart Load Balancing
What the Proxy Actually Owns
This is the forwarding path. WAF decisions can happen before it, and API gateway policy can happen around or behind it.
What the Reverse Proxy Handles
These are traffic-handling jobs. Security filtering belongs more to WAF, and API consumer policy belongs more to an API gateway.
Load Balancing
Hover to activate
SSL Termination
Hover to activate
Hides Backend
Hover to activate
Caching
Hover to activate
What this looks like in real config
server {
listen 443 ssl http2;
server_name app.example.com;
location / {
proxy_pass http://app_cluster;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}
}