
Is it ok if I don’t like the term “reverse proxy”?

I find it entirely confusing and non-intuitive. I put it up there with idiotic terms like “OTT” which AFAIK just means “connected to the internet”.



Has always bothered me also, but that's the industry term so we are kind of stuck with it.


Proxy components are officially called Intermediaries in the HTTP semantic specification; see https://httpwg.org/http-core/draft-ietf-httpbis-semantics-la....

Intermediaries can have different purposes. The official alternative to reverse proxy is "gateway", which is unfortunately overloaded with other kinds of gateways in networking.

Naming things is hard. Reverse proxy isn't great but, all things considered, is unique enough to allow folks to discriminate the sort of HTTP proxying that is happening.


An HTTP reverse proxy forwards HTTP requests and adds e.g. X-Forwarded-For and X-Forwarded-Host headers.

https://www.nginx.com/resources/wiki/start/topics/examples/f... :

  X-Forwarded-For: 12.34.56.78, 23.45.67.89
  X-Real-IP: 12.34.56.78
  X-Forwarded-Host: example.com
  X-Forwarded-Proto: https

TIL from the nginx docs that there's a standardized way to forward HTTP without the X- prefix on the unregistered headers:

  Forwarded: for=12.34.56.78;host=example.com;proto=https, for=23.45.67.89

What is the difference between a reverse proxy and a load balancer?

k8s calls this "Ingress" and there are multiple "Ingress API" implementers, which essentially must reload the upstream server list on SIGHUP. https://kubernetes.io/docs/concepts/services-networking/ingr...

List of k8s Ingress Controllers: https://kubernetes.io/docs/concepts/services-networking/ingr...


> What is the difference between a reverse proxy and a load balancer?

A reverse proxy may or may not load-balance requests. For example, in a sidecar configuration it can just terminate TLS, provide telemetry, etc. and forward everything to a local port.


A [load-balancing] reverse proxy can also keep WAF rules in RAM for processing requests and responses. WAF: Web Application Firewall (OWASP CRS ruleset, CF ruleset,)

Methods for delegating HTTP requests to another application, with per-message overhead and inevitably-necessarily-tunable buffering: Layer 2 (MAC on a local segment), Layer 3 (IP), Layer 4 (TCP, UDP ports), Layer 7: HTTP parse and forward over network sockets or file sockets, defy separation of concerns and least privileges and run the (e.g. non-blocking Lua,) app within the webserver, Layer 7+: container service mesh Ingress API,

e.g. FastCGI uses file sockets, which avoids additional TCP overhead but doesn't really scale because sockets and network filesystems.

(ASGI is the Asynchronous WSGI, which specifies $ENVIRONMENT_VARIABLE names as an interface contract in order to decouple web [[reverse] proxy] servers from web applications.)

Fundamentally, which variables passed in the e.g. os.environ dict like $REMOTE_USER and IDK is it like $SSL_CLIENT_CERT_SHA384, SSL_CLIENT_CERT_*; should downstream web applications simply trust as valid strings over what network path?

TLS re-termination.

Non-root [web] servers must run on ports less than 1024, which e.g. iptables or nftables (or eBPF) can easily port-forward to only if rewriting URLs within potentially-signed assets within HTTP messages and HTTP/3 UDP streams isn't necessary.
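Added example, not part of the thread or any commenter's code: one way a backend application can decide how much of the `Forwarded` / `X-Forwarded-For` chain quoted above to believe, by accepting hops only when they were appended by proxies it trusts. The function names, the peer address `10.0.0.5` and the trusted networks are assumptions made for illustration.

```python
import ipaddress

# Header values as quoted in the thread; the peer address and trusted networks
# used with them are constructed assumptions.
SAMPLE = {"Forwarded": "for=12.34.56.78;host=example.com;proto=https, for=23.45.67.89"}

def _is_trusted(addr, trusted):
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:  # "unknown", obfuscated tokens, garbage
        return False
    return any(ip in ipaddress.ip_network(net) for net in trusted)

def _node(value):
    """Strip quotes, IPv6 brackets and an optional port from one hop value."""
    v = value.strip().strip('"')
    if v.startswith("[") and "]" in v:  # "[2001:db8::1]:4711"
        return v[1:v.index("]")]
    if v.count(":") == 1:  # "192.0.2.43:47011"
        v = v.split(":")[0]
    return v

def forwarded_chain(headers):
    """Hop list, client-most first, from Forwarded, else X-Forwarded-For.
    Simplified: does not handle commas or semicolons inside quoted strings."""
    fwd = headers.get("Forwarded")
    if fwd:
        hops = []
        for element in fwd.split(","):
            for pair in element.split(";"):
                name, _, value = pair.strip().partition("=")
                if name.lower() == "for":
                    hops.append(_node(value))
        return hops
    return [_node(h) for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]

def client_ip(peer_addr, headers, trusted):
    """Walk hops right to left; return the first one not in a trusted network."""
    if not _is_trusted(peer_addr, trusted):
        return peer_addr  # direct connection: the headers are client-supplied
    for hop in reversed(forwarded_chain(headers)):
        if not _is_trusted(hop, trusted):
            return hop  # may be a non-IP token such as "unknown"
    return peer_addr  # every listed hop was one of our own proxies

if __name__ == "__main__":
    print(client_ip("10.0.0.5", SAMPLE, ["10.0.0.0/8"]))
    print(client_ip("10.0.0.5", SAMPLE, ["10.0.0.0/8", "23.45.67.89/32"]))
```

The leftmost entry is only believed once every hop to its right is a known proxy; anything a client sends in these headers ahead of the first trusted proxy is ignored.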


What would be a more intuitive term for it?


Server-side proxy, or inbound proxy, perhaps.



