What Is a Reverse Proxy and Why Do You Need One?

Learn what a reverse proxy does, how it differs from a forward proxy, and when a Localtonet tunnel replaces or complements one for home servers and local development.

You have probably seen the term reverse proxy mentioned in Nginx configs, Docker Compose examples, and self-hosting guides. This article explains what a reverse proxy actually does, how it differs from a forward proxy, and where Localtonet fits into the picture when you need to make a local service reachable from the internet without setting one up yourself.

🔀 Traffic routing explained 🔒 TLS termination ⚡ Load balancing 🏠 Home server use cases

What Is a Reverse Proxy?

A reverse proxy is a server that sits in front of one or more backend services and forwards incoming client requests to the appropriate one. The client (a browser, a mobile app, an API consumer) sends its request to the reverse proxy. The proxy decides where to send it, forwards it, gets the response back, and returns it to the client.

From the client's perspective, it is always talking to the reverse proxy. It has no idea how many backend servers are behind it, what they are running, or even what ports they are listening on. That invisibility is exactly the point.

The basic flow

Client sends request to https://yourdomain.com/api

Reverse proxy receives the request on port 443

Proxy forwards it to http://localhost:3000 on the backend server

Backend responds, proxy returns the response to the client

Forward Proxy vs Reverse Proxy

The naming is confusing at first. Both are intermediary servers, but they sit on opposite sides of the connection.

A forward proxy sits between clients and the internet on behalf of the clients. When you use a VPN or a corporate proxy, your traffic goes through a forward proxy before reaching the destination. The destination server sees the proxy's IP, not yours. The proxy represents the client.

A reverse proxy sits in front of your servers on behalf of those servers. When a user visits your website, they hit the reverse proxy before their request reaches your app. The client sees only the proxy's address. The proxy represents the server.

                 | Forward Proxy                          | Reverse Proxy
Sits in front of | Clients                                | Servers
Represents       | The client to the internet             | The server to clients
Hides            | The client's identity                  | The server's identity and structure
Common uses      | VPN, corporate filtering, anonymity    | Load balancing, TLS, routing, caching
Examples         | Squid, corporate proxies, VPNs         | Nginx, Traefik, Caddy, HAProxy

What a Reverse Proxy Actually Does

In practice, a reverse proxy takes on several jobs at once. Most setups use it for a combination of these.

🔒 TLS termination

Your backend app runs on plain HTTP: no certificates, no encryption configuration. The reverse proxy handles HTTPS at its end, decrypts incoming traffic, and forwards the plain request to the app on the internal network. The app never deals with TLS at all. Tools like Caddy and Traefik can even request and renew Let's Encrypt certificates automatically.
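
The basic flow from earlier (HTTPS in on port 443, plain HTTP out to localhost:3000) written as an Nginx configuration. This is an added example, not part of the original article; the certificate paths are placeholders and yourdomain.com stands in for your own domain.

```nginx
# Added example: TLS termination in front of a plain-HTTP app.
# Assumptions: certificate paths are placeholders; the app listens on 127.0.0.1:3000.
events {}

http {
    # Plain HTTP requests are redirected to the fixed HTTPS name,
    # not to whatever Host header the client sent.
    server {
        listen 80;
        server_name yourdomain.com;
        return 301 https://yourdomain.com$request_uri;
    }

    server {
        listen 443 ssl;
        server_name yourdomain.com;

        # Placeholder paths: point these at your real certificate and key.
        ssl_certificate     /etc/ssl/example/fullchain.pem;
        ssl_certificate_key /etc/ssl/example/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;

        location / {
            # Decrypted traffic goes to the app over loopback only, so the
            # unencrypted hop never leaves this machine.
            proxy_pass http://127.0.0.1:3000;

            # The app sees every connection as coming from the proxy.
            # Overwrite (do not append to) the forwarding headers so a
            # client cannot supply its own values.
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $remote_addr;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }
}
```

Bind the app itself to 127.0.0.1 rather than all interfaces, so port 3000 is reachable only through the proxy.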

🗂️ Path-based routing

One domain, multiple services. Requests to /api go to your Node.js backend on port 3000. Requests to /docs go to a documentation site on port 4000. Requests to / go to your React frontend on port 5173. The client uses a single domain and never knows about the different services behind it.

🏷️ Virtual host routing

Multiple domains, one server. Requests to api.yourdomain.com go to one service. Requests to app.yourdomain.com go to another. Requests to admin.yourdomain.com go to a third. All of them hit the same IP address and the same reverse proxy, which routes based on the Host header.
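
Path-based and virtual host routing side by side in one Nginx configuration, with a catch-all for requests whose Host header matches nothing. This is an added example, not part of the original article; ports 3000, 4000 and 5173 come from the text above, while the backend chosen for each subdomain (including port 8081) is an assumption.

```nginx
# Added example: path-based and virtual host routing in one proxy.
# Ports 3000, 4000 and 5173 come from the article; which backend each
# subdomain maps to, and port 8081, are assumptions.
events {}

http {
    # Catch-all: a request whose Host header matches no configured name is
    # dropped instead of falling through to the first server block.
    server {
        listen 80 default_server;
        server_name _;
        return 444;   # Nginx-specific: close the connection without a response
    }

    # Path-based routing: one domain, three services.
    server {
        listen 80;
        server_name yourdomain.com;

        # The trailing slash keeps /apiary or /docs-old from matching;
        # those fall through to the frontend location below.
        location /api/  { proxy_pass http://127.0.0.1:3000; }
        location /docs/ { proxy_pass http://127.0.0.1:4000; }
        location /      { proxy_pass http://127.0.0.1:5173; }
    }

    # Virtual host routing: the Host header selects the backend.
    server {
        listen 80;
        server_name api.yourdomain.com;
        location / { proxy_pass http://127.0.0.1:3000; }
    }
    server {
        listen 80;
        server_name app.yourdomain.com;
        location / { proxy_pass http://127.0.0.1:5173; }
    }
    server {
        listen 80;
        server_name admin.yourdomain.com;
        location / { proxy_pass http://127.0.0.1:8081; }
    }
}
```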

⚖️ Load balancing

When traffic is more than one backend server can handle, a reverse proxy distributes requests across multiple instances of the same service. If one instance goes down, the proxy stops sending traffic to it and routes everything to the healthy ones.

⚡ Caching and compression

A reverse proxy can cache responses for static assets so the backend does not have to serve the same file thousands of times. It can also compress responses before sending them to clients, reducing bandwidth usage without any changes to the app itself.

🛡️ Security layer

Rate limiting, IP allowlisting, DDoS mitigation, and basic authentication can all be enforced at the reverse proxy level before a request ever reaches your application code. This is also where a Web Application Firewall (WAF) typically sits.
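
Rate limiting, IP allowlisting and basic authentication enforced in Nginx before a request reaches the app. This is an added example, not part of the original article; the zone name, rates, address range, /admin/ path and password file location are assumptions to adapt.

```nginx
# Added example: rate limiting, IP allowlisting and basic authentication
# at the proxy. Zone name, rates, address range, the /admin/ path and the
# password file path are assumptions.
events {}

http {
    # Track clients by address; allow 10 requests per second on average.
    limit_req_zone $binary_remote_addr zone=per_ip:10m rate=10r/s;
    limit_req_status 429;

    server {
        listen 80;
        server_name yourdomain.com;

        location / {
            # Short bursts pass; sustained excess gets 429 before the app sees it.
            limit_req zone=per_ip burst=20 nodelay;
            proxy_pass http://127.0.0.1:3000;
        }

        location /admin/ {
            # Both checks must pass: source address AND valid credentials.
            satisfy all;
            allow 192.168.1.0/24;   # constructed example range (home LAN)
            deny  all;

            # Basic auth credentials are only base64-encoded, so this
            # location should be reached over HTTPS.
            auth_basic           "Restricted";
            # Created with the htpasswd tool; keep it outside any web root.
            auth_basic_user_file /etc/nginx/.htpasswd;

            limit_req zone=per_ip burst=5;
            proxy_pass http://127.0.0.1:3000;
        }
    }
}
```

If this proxy sits behind a tunnel or another proxy, $remote_addr is that upstream hop's address rather than the visitor's, so per-address limits and allowlists apply to the hop.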

Who Uses Reverse Proxies and Why

🏗️ Web developers: Serve multiple apps under one domain in development or production. Avoid CORS issues by routing everything through the same origin.
🏠 Home server enthusiasts: Run Jellyfin, Grafana, Gitea, and a dozen other services on one machine and expose them under separate subdomains.
🏢 Companies: Route traffic across microservices, enforce authentication at the edge, and absorb traffic spikes through load balancing.
🔐 Security-conscious teams: Keep backend services off the public internet entirely. Only the reverse proxy is exposed. All other ports stay closed.

Tool    | Best for                             | Notable feature
Nginx   | Production servers, high traffic     | Extremely fast, widely documented, also serves static files
Caddy   | Developers who want zero TLS config  | Automatic HTTPS with no configuration, simple Caddyfile syntax
Traefik | Docker and container environments    | Auto-discovers services via Docker labels, built-in Let's Encrypt
HAProxy | High availability and load balancing | Very high performance, fine-grained health checks and failover
Apache  | Legacy setups, shared hosting        | Mature, extensive module ecosystem, familiar to many admins

The Problem a Reverse Proxy Cannot Solve on Its Own

Setting up Nginx or Caddy on your home server handles routing and TLS perfectly well inside your network. The problem starts the moment you want to reach that server from the internet.

Your home router sits between your server and the public internet. Incoming traffic from outside has no way to reach your server unless you configure port forwarding on the router. And even if you do configure port forwarding, many home internet connections today are behind CGNAT (Carrier-Grade NAT), where the ISP puts hundreds of customers behind a single public IP. In that case, port forwarding on your router does nothing because there is no direct public IP to forward from in the first place.

So you have a reverse proxy routing everything correctly inside your network, but the internet still cannot reach it. That is the gap a tunnel fills.

Want to understand CGNAT in depth?

The What Is NAT and CGNAT? article covers how these technologies work and why they block incoming connections to home servers.

Where Localtonet Fits Into This Picture

Localtonet is not a reverse proxy. It is a tunneling service. The two serve different purposes and are often used together, but understanding the difference matters.

A reverse proxy routes traffic between services on the same network. A tunnel creates a path for traffic to travel between networks when no direct path exists. Localtonet solves the CGNAT and firewall problem by having your local machine make an outbound connection to a relay server. That relay becomes the public-facing address. Traffic arrives at the relay and gets forwarded back through the tunnel to your machine.

Reverse proxy handles
  • Routing requests to the right service on your server
  • TLS termination and certificate management
  • Virtual host and path-based routing
  • Load balancing across backend instances
  • Caching, compression, security headers
Localtonet tunnel handles
  • Making your server reachable from the internet
  • Bypassing CGNAT, double NAT, and firewall restrictions
  • No router or ISP configuration required
  • Encrypted transport between the relay and your machine
  • Public HTTPS URL without a public IP

For many self-hosted setups, Localtonet's HTTP tunnel replaces the need for a local reverse proxy entirely. You point the tunnel at your app's port, and Localtonet's relay handles TLS and gives you a public HTTPS URL. Your app receives plain HTTP internally with no certificate setup.

For more complex setups (multiple apps on the same server, custom domains, path routing) you can run Nginx or Caddy locally and point a single Localtonet HTTP tunnel at that proxy. The proxy handles internal routing and the tunnel handles external reachability.

Simple setup: one app, Localtonet HTTP tunnel

Your app runs on port 3000. Create an HTTP tunnel in Localtonet pointing at 127.0.0.1:3000. Localtonet provides a public HTTPS URL. No reverse proxy needed, no certificate configuration.

Advanced setup: multiple apps, reverse proxy plus tunnel

You run Nginx or Caddy on port 80 as a local reverse proxy routing to several services. Create one HTTP tunnel pointing at your reverse proxy on port 80. All routing decisions happen inside your network. The single tunnel carries everything out to the internet.

TCP services: databases, SSH, game servers

HTTP tunnels only carry web traffic. For anything running over raw TCP (a database, an SSH server, a game server) use a TCP tunnel. It forwards any TCP traffic transparently without inspecting or modifying it.

Frequently Asked Questions

Do I need a reverse proxy to use Localtonet?

No. For most single-app setups, a Localtonet HTTP tunnel is all you need. It handles TLS and gives you a public URL without any local reverse proxy configuration. A reverse proxy becomes useful when you want to serve multiple apps through one tunnel using path or host-based routing.

Can I use Cloudflare as a reverse proxy in front of Localtonet?

Yes. If you attach a custom domain to your Localtonet HTTP tunnel and point that domain's DNS at Localtonet's servers, you can optionally proxy through Cloudflare by enabling the orange cloud on the DNS record. Cloudflare then sits in front and adds its CDN and DDoS protection, while Localtonet handles the tunnel to your local server.

Is Nginx hard to set up for a home server?

Nginx has a learning curve, mainly around its configuration file syntax. For simple use cases, such as routing two or three services, the configuration is short and there are many working examples available. Caddy is generally considered easier for home use because its configuration is simpler and it handles certificates automatically.

What is TLS termination and why does it matter?

TLS is the encryption protocol behind HTTPS. TLS termination means the reverse proxy handles the encrypted connection with the client and decrypts it before passing the request to the backend. The backend only receives plain HTTP, which is simpler to configure. Without TLS termination, every backend service would need its own certificate and TLS configuration.

What is the difference between a reverse proxy and a load balancer?

A load balancer is a specific function that a reverse proxy can perform. Most reverse proxies support load balancing as a feature, but a reverse proxy does not have to be a load balancer. You can use Nginx purely as a routing and TLS termination layer with no load balancing at all. In practice, the terms are often used interchangeably at the infrastructure level, but technically a load balancer is just one of the things a reverse proxy can do.

Does Localtonet replace a reverse proxy?

For simple setups, yes: one HTTP tunnel covers what a basic reverse proxy would do for a single app. For complex setups with many services and custom routing rules, no. Localtonet handles the network path between the internet and your server. A reverse proxy handles the routing once traffic arrives at your server. Both tools solve different problems and work well together.

Get a Public URL for Your Local Server Without the Complexity

Create a free Localtonet account, open an HTTP or TCP tunnel, and your local service is reachable from the internet in under a minute, with no reverse proxy configuration required.
