Reverse Proxy Configuration

Reverse Proxy Configuration

A reverse proxy sits in front of one or more application servers and forwards client requests to them. The client only sees the proxy's IP address — not the backend server. Reverse proxies are used to terminate SSL (handle HTTPS so app servers only deal with plain HTTP), add caching, rate limiting, and authentication at the proxy layer, and expose multiple applications on standard ports 80/443 without running each on a different port.

What is a reverse proxy?

Without reverse proxy:
  Client → :3000 (Node.js app) — exposed directly, no SSL, port in URL
  Client → :8080 (Python app) — same problem

With reverse proxy (Nginx on port 80/443):
  Client ──HTTPS──→ Nginx :443
                        ↓ proxies to
                    Node.js :3000 (internal, not exposed)
                    Python  :8080 (internal, not exposed)
  Benefits: SSL in one place, single port, firewall blocks :3000 and :8080

Nginx reverse proxy

# Nginx reverse proxy to a Node.js app on port 3000:
sudo nano /etc/nginx/sites-available/myapp.conf

/etc/nginx/sites-available/myapp.conf

upstream nodejs_backend {
    server 127.0.0.1:3000;
    keepalive 32;     # Keep 32 connections open to backend
}

server {
    listen 80;
    server_name myapp.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name myapp.example.com;
    ssl_certificate /etc/letsencrypt/live/myapp.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/myapp.example.com/privkey.pem;

    location / {
        proxy_pass http://nodejs_backend;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection 'upgrade';   # Required for WebSocket
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_cache_bypass $http_upgrade;
    }
}

Apache reverse proxy

# Enable required modules:
sudo a2enmod proxy proxy_http proxy_balancer lbmethod_byrequests

# Apache reverse proxy to a Python app on port 8000:
sudo nano /etc/apache2/sites-available/pyapp.conf

Apache proxy virtual host

<VirtualHost *:80>
    ServerName pyapp.example.com
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8000/
    ProxyPassReverse / http://127.0.0.1:8000/
</VirtualHost>

Preserving real client IP

# When proxied, the backend sees the proxy's IP (127.0.0.1) not the client's
# Fix this by reading X-Forwarded-For header in the application

# Verify the header is being sent:
curl -H "Host: myapp.example.com" http://localhost/ -v 2>&1 | grep X-

# In the Nginx config (already shown above):
# proxy_set_header X-Real-IP $remote_addr;
# proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

# Application-side: configure your framework to trust the proxy
# Node.js Express:  app.set('trust proxy', 1)
# Django:           ALLOWED_HOSTS and USE_X_FORWARDED_HOST = True

Conclusion

For most setups, Nginx as a reverse proxy is the better choice over Apache: simpler config, lower memory overhead for the proxy layer, and excellent WebSocket support. The essential proxy headers to always include: Host (so the backend knows which site was requested), X-Real-IP and X-Forwarded-For (so the backend logs real client IPs), and X-Forwarded-Proto (so the backend knows if the original request was HTTPS). Missing these headers causes problems with redirects, session cookies, and IP-based access control in the application.