Setting Up a Reverse Proxy for Enhanced Network Security
If you manage web servers, you know direct exposure can be risky. Setting up a reverse proxy is one of the smartest moves to strengthen your network security while improving performance. Let’s walk through the basics and best practices.
What Is a Reverse Proxy?
A reverse proxy sits between clients (like browsers) and your backend servers. Instead of users hitting your application server directly, they connect to the proxy, which then forwards requests. This setup acts as a gatekeeper, hiding your server’s IP address and adding vital security layers.
Key Security Benefits
- IP masking: Attackers cannot target your backend IP directly.
- SSL termination: Offload HTTPS decryption to the proxy, reducing server load.
- DDoS mitigation: Rate-limit and filter malicious traffic before it reaches your app.
- Web application firewall (WAF): Block SQL injection, XSS, and other exploits at the proxy level.
- Access control: Restrict requests by IP, geographic location, or HTTP headers.
Popular Reverse Proxy Software
Three common choices are Nginx, Apache (with mod_proxy), and HAProxy. Nginx is especially popular for high-traffic sites due to low resource usage. HAProxy excels at load balancing and health checks.
Basic Setup with Nginx
You’ll need a server (e.g., Ubuntu 22.04) and your backend app running on a private port (like 3000). Install Nginx:
sudo apt update && sudo apt install nginx -y
Create a configuration file at /etc/nginx/sites-available/reverse-proxy.conf:
server {
    listen 80;
    server_name yourdomain.com;
    location / {
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
Then enable the site and reload Nginx:
sudo ln -s /etc/nginx/sites-available/reverse-proxy.conf /etc/nginx/sites-enabled/
sudo systemctl reload nginx
Hardening the Proxy
- Disable directory listing: Add autoindex off; in the server block.
- Restrict methods: Only allow GET, POST, and HEAD if possible:
if ($request_method !~ ^(GET|POST|HEAD)$) { return 405; }
- Set timeouts: Use proxy_read_timeout 30s; to limit slow-request attacks.
- Enable HTTPS: Use Certbot (Let’s Encrypt) for free SSL certificates.
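As an added example (not code from the original article), the following Python script audits an Nginx server block for the four hardening items above. It uses a small brace-aware tokenizer rather than a real Nginx parser, the sample configuration is constructed inline (HTTPS deliberately left out so the audit has something to flag), and the function names are the example's own assumptions, not an Nginx API.

```python
"""Audit an Nginx server block for the hardening items listed above."""
import re

# Constructed sample: the article's base config plus three of the four
# hardening items; the HTTPS listener is intentionally missing.
SAMPLE_CONF = """
server {
    listen 80;
    server_name yourdomain.com;
    autoindex off;
    proxy_read_timeout 30s;
    location / {
        if ($request_method !~ ^(GET|POST|HEAD)$) { return 405; }
        proxy_pass http://localhost:3000;
        proxy_set_header Host $host;
    }
}
"""


def parse_directives(text):
    """Flatten an Nginx config into (name, args) pairs.

    Comments are stripped, then the text is split on ';', '{' and '}'. Block
    openers such as 'location /' and 'if (...)' are kept as directives too, so
    a method-restricting 'if' can be inspected like any other line. This is a
    deliberately minimal tokenizer, not a full Nginx grammar: it does not
    handle quoted strings containing ';' or regexes containing braces.
    """
    text = re.sub(r"#.*", "", text)
    pairs = []
    for token in re.split(r"[;{}]", text):
        token = token.strip()
        if not token:
            continue
        name, _, args = token.partition(" ")
        pairs.append((name, args.strip()))
    return pairs


def timeout_seconds(value):
    """Convert an Nginx time value ('30s', '2m', '45' = seconds) to a number."""
    m = re.fullmatch(r"(\d+)(ms|s|m|h)?", value.strip())
    if not m:
        return None
    n, unit = int(m.group(1)), m.group(2) or "s"
    return {"ms": n / 1000, "s": n, "m": n * 60, "h": n * 3600}[unit]


def audit_hardening(conf_text, max_read_timeout=60):
    """Return {item: present?} for the four hardening items from the list."""
    directives = parse_directives(conf_text)

    def present(name, check):
        return any(n == name and check(a) for n, a in directives)

    return {
        "autoindex_off": present("autoindex", lambda a: a == "off"),
        "methods_restricted": present("if", lambda a: "$request_method" in a),
        # Nginx's default proxy_read_timeout is 60s; require an explicit value
        # no longer than that so slow-read connections are dropped promptly.
        "read_timeout_set": present(
            "proxy_read_timeout",
            lambda a: timeout_seconds(a) is not None
            and timeout_seconds(a) <= max_read_timeout,
        ),
        # A TLS listener looks like 'listen 443 ssl;' (or '[::]:443 ssl').
        "https_enabled": present(
            "listen", lambda a: "443" in a and "ssl" in a.split()
        ),
    }


def missing_items(conf_text):
    """Names of hardening items the config does not yet satisfy."""
    return [item for item, ok in audit_hardening(conf_text).items() if not ok]


if __name__ == "__main__":
    for item, ok in audit_hardening(SAMPLE_CONF).items():
        print(f"{'OK     ' if ok else 'MISSING'} {item}")
```

Run it against your own file with `audit_hardening(open("/etc/nginx/sites-available/reverse-proxy.conf").read())`; it is a checklist helper, so a passing result means the directives are present, not that Nginx accepted them (use `sudo nginx -t` for that).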
Monitoring and Logging
Keep an eye on Nginx logs at /var/log/nginx/access.log and error.log. Use tools like fail2ban to block repeated malicious IPs. Integrate with Prometheus or Grafana for real-time traffic visibility.
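To make the logging advice concrete, here is an added Python example (not from the original article) that does the core of what a fail2ban Nginx filter does: it parses access.log lines in Nginx's default combined format and reports any client that produces a burst of 4xx responses within a sliding time window. The log lines are constructed from documentation IP ranges, and the thresholds and function names are the example's own choices.

```python
"""Flag clients producing bursts of 4xx responses in Nginx's access.log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Matches Nginx's default "combined" log_format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)

# Constructed sample lines (documentation address ranges, not real traffic),
# already in chronological order as they would be in access.log.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-login.php HTTP/1.1" 404 162 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /.env HTTP/1.1" 404 162 "-" "curl/8.0"',
    '198.51.100.2 - - [10/Oct/2023:13:55:40 +0000] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "GET /admin HTTP/1.1" 404 162 "-" "curl/8.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:44 +0000] "GET /phpmyadmin HTTP/1.1" 404 162 "-" "curl/8.0"',
    '198.51.100.2 - - [10/Oct/2023:13:55:45 +0000] "GET /favicon.ico HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2023:13:55:47 +0000] "GET /backup.zip HTTP/1.1" 404 162 "-" "curl/8.0"',
    '192.0.2.9 - - [10/Oct/2023:13:55:50 +0000] "POST /api/login HTTP/1.1" 401 27 "-" "python-requests/2.31"',
    '203.0.113.7 - - [10/Oct/2023:13:55:50 +0000] "GET /config.php HTTP/1.1" 404 162 "-" "curl/8.0"',
    '192.0.2.9 - - [10/Oct/2023:13:57:10 +0000] "POST /api/login HTTP/1.1" 401 27 "-" "python-requests/2.31"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None  # custom log_format or truncated line: skip rather than crash
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def find_offenders(lines, max_failures=5, window_seconds=60):
    """Return {ip: time at which the threshold was first crossed}.

    Keeps a per-IP list of recent 4xx timestamps, expires entries older than
    the window, and reports an IP once when max_failures are seen inside it.
    Lines must be in chronological order, as they are in access.log.
    """
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(list)
    offenders = {}
    for rec in filter(None, map(parse_line, lines)):
        if not 400 <= rec["status"] < 500:
            continue
        times = recent[rec["ip"]]
        times.append(rec["time"])
        while rec["time"] - times[0] > window:  # expire failures outside the window
            times.pop(0)
        if len(times) >= max_failures and rec["ip"] not in offenders:
            offenders[rec["ip"]] = rec["time"]
    return offenders


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG).items():
        print(f"{ip} crossed the threshold at {when.isoformat()}")
```

In the sample, only 203.0.113.7 trips the default threshold (five 4xx responses inside 60 seconds); the browser that missed a favicon and the client with two slow login failures do not. The output is what you would feed to a ban action or alert rather than blocking inline, so that a threshold tuned too low is noticed before it locks out legitimate users.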
Common Pitfalls
Don’t forget to update your firewall (e.g., ufw) to allow only proxy ports (80/443) and deny direct access to backend ports. Also, ensure your backend server trusts X-Forwarded-For headers for correct client IP logging.
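The X-Forwarded-For point deserves a worked example, because the header is client-controlled: a backend that trusts it unconditionally logs whatever the sender put there. The Python below (an added example, not from the original article) shows the backend side: honour X-Forwarded-For only when the TCP peer is one of your own proxies, walk the header from the right past any trusted hops, and fall back to the peer address on anything malformed. The proxy address ranges, the WSGI environ and the function names are the example's own assumptions.

```python
"""Resolve the real client IP behind a reverse proxy without trusting spoofed headers."""
import ipaddress

# Assumed deployment (constructed): Nginx runs on the same host as the backend
# (127.0.0.1) or on an internal 10.0.0.0/8 network. Adjust to your proxies.
TRUSTED_PROXIES = [
    ipaddress.ip_network("127.0.0.1/32"),
    ipaddress.ip_network("10.0.0.0/8"),
]


def classify(addr, trusted):
    """Return 'trusted', 'untrusted' or 'invalid' for one address string."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    return "trusted" if any(ip in net for net in trusted) else "untrusted"


def client_ip(peer_addr, xff_header, trusted=TRUSTED_PROXIES):
    """Derive the client IP from the TCP peer and the X-Forwarded-For header.

    Rules:
      1. If the peer is not a trusted proxy, the header is ignored entirely:
         the connection came straight from the client (or from something that
         bypassed the proxy), so the peer address is the truth.
      2. Otherwise read the header right-to-left. Each proxy appends the
         address it saw, so the rightmost entry was written by our own proxy;
         skip trusted hops and return the first untrusted one.
      3. An empty header, a header made only of trusted hops, or a malformed
         entry all fall back to the peer address rather than to attacker data.
    """
    if classify(peer_addr, trusted) != "trusted":
        return peer_addr
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        kind = classify(hop, trusted)
        if kind == "untrusted":
            return hop
        if kind == "invalid":
            return peer_addr
    return peer_addr


def client_ip_from_wsgi(environ, trusted=TRUSTED_PROXIES):
    """Same logic applied to a WSGI environ (REMOTE_ADDR / HTTP_X_FORWARDED_FOR)."""
    return client_ip(
        environ.get("REMOTE_ADDR", ""),
        environ.get("HTTP_X_FORWARDED_FOR"),
        trusted,
    )


if __name__ == "__main__":
    # Constructed request as the backend would see it behind the local Nginx.
    environ = {"REMOTE_ADDR": "127.0.0.1", "HTTP_X_FORWARDED_FOR": "203.0.113.7"}
    print("client:", client_ip_from_wsgi(environ))
    # Same header sent directly to the backend port: ignored, peer wins.
    print("direct:", client_ip("203.0.113.9", "198.51.100.1"))
```

This is also why the firewall rule in the previous paragraph matters: if the backend port stays reachable from outside, rule 1 is the only thing standing between a forged header and your logs, and the trusted-proxy list must never include ranges a client can connect from.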
Setting up a reverse proxy is not just about performance — it’s a foundational security control. Start with these steps, test thoroughly, and your network will be significantly harder to breach.