Proxy
Proxy Server
An intermediary server that receives requests from clients, forwards them to the destination on the client's behalf, and returns the response — substituting its own IP address and optionally caching, filtering, or inspecting traffic in the process.
A proxy server inserts itself between your device and the internet. When you send a request through a proxy, the proxy makes the request on your behalf — the destination server sees the proxy's IP address, not yours. Proxies can be configured at the application level (browser proxy settings) or at the OS level. They are used by enterprises to filter and log web traffic, by CDNs to cache content close to users, by individuals to bypass geo-restrictions, and by developers to inspect and debug HTTP traffic.
Forward proxy vs reverse proxy
The most important distinction in proxying is direction. A forward proxy acts on behalf of clients — it sits between users and the internet, forwarding outbound requests. The client is configured to send its requests to the proxy, which relays them to the destination. The destination sees the proxy's IP, not the client's. A reverse proxy acts on behalf of servers — it sits in front of backend servers and receives inbound requests from the internet. Clients connect to the reverse proxy thinking it is the server; the reverse proxy forwards requests to one or more backend servers and returns their responses. The client is typically unaware a reverse proxy is involved. Forward proxies protect and control clients; reverse proxies protect and scale servers.
Proxy types
| Type | Direction | Common use |
|---|---|---|
| Forward proxy | Client → internet | Anonymity, filtering, caching for users |
| Reverse proxy | Internet → servers | Load balancing, TLS termination, DDoS protection |
| Transparent proxy | Client → internet (intercepted) | ISP caching, enterprise filtering (invisible to user) |
| SOCKS5 proxy | Client → internet | Any TCP/UDP traffic, not just HTTP |
| HTTP CONNECT proxy | Client → internet | Tunnelling HTTPS through corporate proxy |
Forward proxy use cases
Corporate web filtering is the most common enterprise use: all employee web traffic is routed through a forward proxy that enforces acceptable use policies, logs URLs, and blocks categories like social media or malware sites. Privacy-focused users configure a proxy to mask their IP from websites, though the proxy operator itself can still see all traffic. Geo-bypass uses a proxy in another country to make a website believe the request originates there — streaming services, for example, present different content libraries by region. Developers use local forward proxies like Burp Suite or mitmproxy to intercept and inspect HTTP/HTTPS traffic from their own applications for debugging.
Reverse proxy use cases
Load balancing distributes incoming requests across multiple backend servers — the reverse proxy routes each request to a healthy backend based on round-robin, least-connections, or IP-hash algorithms. TLS termination offloads the TLS handshake and decryption from backend servers to the reverse proxy, which handles certificates centrally and communicates with backends over plain HTTP on the internal network. Caching stores responses from backend servers and serves them directly to subsequent clients without reaching the backend — dramatically reducing load for static or cacheable content. DDoS mitigation and WAF (Web Application Firewall) functionality are typically implemented at the reverse proxy layer, inspecting and filtering traffic before it reaches application servers.
Transparent proxy
A transparent proxy (also called an intercepting proxy) intercepts network traffic without requiring any client configuration — the client is unaware it exists. ISPs have historically used transparent proxies to cache popular content, reducing their bandwidth costs. Enterprise networks use them to enforce filtering policies on devices that cannot be individually configured. A transparent proxy works by having the network infrastructure (a router or firewall) redirect traffic destined for port 80 or 443 to the proxy instead. For HTTPS, a transparent proxy that attempts to decrypt traffic must present its own certificate, causing certificate warnings unless the proxy's CA certificate is installed on client devices — this is the basis of corporate TLS inspection (MITM).
SOCKS vs HTTP proxy
HTTP proxies understand HTTP — they inspect the request, can modify headers, and handle the CONNECT method for HTTPS tunnelling. They only work for HTTP/HTTPS traffic. SOCKS (Socket Secure) proxies operate at a lower level — they establish a TCP (SOCKS4/5) or UDP (SOCKS5) relay without inspecting the payload. Any protocol that runs over TCP or UDP can be tunnelled through a SOCKS5 proxy: SSH, FTP, SMTP, gaming protocols. SOCKS5 also supports authentication and, uniquely, UDP relaying for protocols like DNS. This makes SOCKS5 more versatile than HTTP proxies for non-web traffic, though HTTP proxies offer better caching and filtering for web use cases.
Proxy vs VPN
A proxy handles specific application traffic at the app layer — only the browser or app configured to use it is affected. A VPN captures all traffic at the OS level by creating a virtual network interface that all traffic is routed through. Proxies are typically faster (no encryption overhead) and easier to set up for a single app, but they don't encrypt your traffic and only mask your IP from the destination server — not from your ISP or the proxy operator. For privacy, VPNs provide significantly stronger protection. Proxy chaining — routing traffic through multiple proxies in sequence — increases anonymity at the cost of latency, similar in concept to Tor's multi-hop onion routing.
Common reverse proxy software
Nginx is the most widely deployed reverse proxy and web server, used by over 30% of the top million websites. HAProxy is purpose-built for high-performance load balancing with sophisticated health checking and routing rules. Caddy is a modern reverse proxy with automatic HTTPS (Let's Encrypt certificate provisioning built in). Cloudflare operates as a reverse proxy for millions of websites, providing DDoS protection, caching, and WAF at the network edge. Traefik is popular in container environments, automatically discovering services in Docker and Kubernetes and configuring routing rules dynamically.
Frequently Asked Questions
What is the difference between a proxy and a VPN?
A proxy forwards specific app traffic through an intermediary, substituting its IP for yours — no encryption by default. A VPN encrypts all device traffic at the OS level. VPNs offer full coverage and encryption; proxies are faster for specific app use cases but provide less security.
What is a reverse proxy?
A reverse proxy sits in front of servers (not users), forwarding incoming requests to backend servers. Used for load balancing, TLS termination, caching, and DDoS protection. Nginx, Caddy, HAProxy, and Cloudflare all act as reverse proxies.
Does a proxy hide my real IP address?
From the destination server, yes. But the proxy operator sees your real IP, and your ISP sees you connecting to the proxy. HTTP proxies also expose traffic in plaintext. For stronger anonymity, use a VPN (encrypts the proxy connection) or Tor (multiple hops).