Reverse proxy.
A receptionist who takes every visitor at the front desk and quietly routes them to the right office in back.
Imagine an office building with one front desk. Every visitor checks in there, and the receptionist decides which office handles them, takes their coat, checks their ID, and sends them on. The visitor never needs to know the building's layout.
A reverse proxy is that front desk for your servers. It sits in front of them as the single public entry point: clients only ever talk to it, and it forwards each request to whichever back-end server should handle it. The servers behind stay hidden.
- Which office do I want?1
A building full of back offices is no good if visitors have to find the right one alone.
- 2
So you put one front desk out front — the single public door.
- 3
Every visitor checks in there; nobody talks to the offices directly.
- 4
The desk unseals the envelope (terminates TLS) and checks the request.
- 5
Then it routes each ask to the right office and spreads load across healthy ones.
- Same desk as always.6
You can swap, restart, or add offices in back, and the visitor never notices.
Forward vs reverse
A forward proxy sits in front of clients and represents them to the wider internet (a company gateway, for example). A reverse proxy is the mirror image: it sits in front of servers and represents them to the world. Clients think they are talking to one machine; in reality the proxy is fronting a whole fleet.
Why one front desk earns its keep
Putting one controlled chokepoint in front lets you do a lot in one place: spread traffic across servers (load balancing), handle encryption once (TLS termination), cache common responses, compress data, block abusive callers, and route /api to one service and /images to another. You can also add, remove, or restart back-end servers without clients ever noticing, since they only ever see the proxy. Tools like Nginx and Envoy do exactly this.