Reverse Proxy & API Gateway
nginx, Envoy, Kong, AWS API Gateway; routing, auth, rate limiting
A reverse proxy sits between clients and backend servers, handling concerns like TLS termination, request routing, rate limiting, authentication offload, compression, and caching. nginx handles 10,000+ concurrent connections per worker process using an event-driven architecture; Envoy (CNCF) is the standard data-plane proxy in service meshes and API gateways; Kong adds a plugin ecosystem (OAuth2, rate limiting, JWT validation) on top of nginx/OpenResty. AWS API Gateway and Azure API Management are managed L7 proxy-as-a-service.
Key Points
- nginx worker model: one worker per CPU core, each handling thousands of connections via non-blocking epoll/kqueue — `worker_processes auto; worker_connections 10240` is a common production config.
- nginx upstream keepalive: `keepalive 64` maintains a pool of 64 persistent connections per upstream block, eliminating TCP setup overhead for high-QPS backends.
- Envoy's xDS (Discovery Service) API (LDS, RDS, CDS, EDS) allows dynamic reconfiguration without restart — used by Istio control plane to push routing, cluster, and endpoint changes to sidecars.
- Kong plugins are ordered (authentication → rate limiting → logging) and executed per-request — available in Lua (native), Go (Go Plugin Server), or JavaScript (js-plugins) sandboxes.
- Rate limiting at the reverse proxy layer (nginx limit_req, Kong rate-limiting plugin) protects backends from overload without requiring application code changes — implement sliding-window rate limits backed by Redis for distributed counting.
- API Gateway request transformation: modify request headers (add `X-Request-ID`, strip `Authorization` before forwarding), transform query params, or aggregate multiple backend calls into one response.
- AWS API Gateway throttling: account-level default 10,000 RPS with burst of 5,000; stage and method level limits override defaults — return 429 with `Retry-After` header on throttle.
- Reverse proxy caching: nginx `proxy_cache_path` with `Cache-Control: public, max-age=300` caches backend responses in RAM/disk — reduces backend QPS by 60–80% for read-heavy APIs with stable data.
Real-World Example
Cloudflare processes 55+ million HTTP requests per second through its global network of nginx/NGINX-derived proxies, using edge-based WAF, DDoS mitigation, and rate limiting before traffic ever reaches origin servers.