Skip to content

What is the difference between a forward proxy and a reverse proxy?

Short answer

A forward proxy sits in front of clients and makes outbound requests on their behalf — used for egress control, filtering, caching, and anonymity. A reverse proxy sits in front of servers and receives inbound requests on their behalf — used for load balancing, TLS termination, caching, and as a security front for a WAF. The direction it faces, client-side or server-side, is the key distinction.

Both are intermediaries that relay traffic, but they sit on opposite ends of the conversation and serve different owners. Getting the direction right — and the security use cases — is what the interviewer is checking.

Forward proxy: in front of clients

A forward proxy acts on behalf of the clients behind it. When a user's browser is configured to use one, its requests go to the proxy, which forwards them to the internet and returns the response. The proxy knows the clients; the destination server typically sees only the proxy's IP.

Typical uses are client-side: enforcing acceptable-use and egress filtering, content filtering, caching to save bandwidth, logging/DLP for outbound traffic, and providing anonymity by masking the real client.

Reverse proxy: in front of servers

A reverse proxy acts on behalf of the servers behind it. Clients on the internet connect to the reverse proxy thinking it is the server; it forwards to one of several backends and returns the answer. The client doesn't know how many servers exist or their real addresses.

Typical uses are server-side: load balancing across backends, TLS termination (decrypting once at the edge), caching and compression, and acting as the chokepoint where a WAF, rate limiting, and DDoS protection are applied. Examples include Nginx, HAProxy, and CDN edges.

The mental model

Same machinery, opposite intent: a forward proxy hides and controls the clients; a reverse proxy hides and protects the servers. A load balancer is essentially a specialized reverse proxy focused on distributing inbound load.

Interviewers want the client-side vs server-side framing and at least one correct security use case for each direction.

Likely follow-ups

  • How does a reverse proxy help with TLS termination and a WAF?
  • How do enterprises use forward proxies for data loss prevention and egress filtering?
  • Where does a load balancer fit relative to a reverse proxy?

Sources

Certifications

Get 100 cybersecurity interview questions + answers

Drop your email and we'll send you the free PDF pack and the flashcard deck.

No spam. Unsubscribe anytime.