Reverse Proxy
Last updated: February 16, 2026
A reverse proxy is a server that sits between clients and one or more backend services, forwarding client requests to the appropriate backend and returning the responses. Unlike a forward proxy (which acts on behalf of clients), a reverse proxy acts on behalf of the servers, and clients typically do not know they are communicating through one.
How It Works
When a client sends an HTTP request to your application's public URL, the reverse proxy intercepts it first. It can then perform several operations before forwarding the request to the actual backend service:
- Routing: Directing requests to different backends based on URL path, headers, or other criteria.
- Authentication injection: Adding authorization headers (such as bearer tokens) so that backend services receive authenticated requests without exposing credentials to clients.
- SSL/TLS termination: Handling HTTPS encryption at the proxy layer so backends can operate over plain HTTP internally.
- WebSocket upgrades: Managing the protocol switch from HTTP to WebSocket for real-time communication channels.
- Load balancing: Distributing traffic across multiple backend instances.
Why It Matters
Reverse proxies are fundamental to secure, scalable web architecture. They decouple the public-facing interface from internal service topology, allowing you to change, scale, or restart backend services without affecting the client experience.
In Practice
In AI assistant deployments, a reverse proxy typically sits between the public internet and an internal gateway process. The proxy handles authentication by injecting bearer tokens into every forwarded request, including WebSocket upgrades. This means the end user's browser connects to the proxy without needing to know the gateway's internal token. The proxy also enables features like a setup wizard at one path while forwarding all other traffic to the AI gateway -- routing multiple concerns through a single public endpoint.
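The pattern described above, as an added example in Go using the standard library's httputil.ReverseProxy (this is not code from the original page or from any particular gateway project). The /setup path, the environment variable names GATEWAY_URL and GATEWAY_TOKEN, the listen address and the placeholder wizard response are all assumptions made for illustration.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
	"os"
)

// NewEdgeHandler returns the public-facing handler. /setup is answered by the
// proxy itself; every other path is forwarded to the gateway with the bearer
// token injected. All names and paths here are assumptions for the example.
func NewEdgeHandler(gateway *url.URL, token string) http.Handler {
	proxy := &httputil.ReverseProxy{
		// Rewrite runs after hop-by-hop headers have been removed, so a
		// client-sent Connection header cannot strip the injected header.
		Rewrite: func(pr *httputil.ProxyRequest) {
			pr.SetURL(gateway) // send to the internal gateway
			pr.SetXForwarded() // keep the real client address for gateway logs
			// Set overwrites, so a client-supplied Authorization is discarded.
			pr.Out.Header.Set("Authorization", "Bearer "+token)
		},
	}
	mux := http.NewServeMux()
	mux.HandleFunc("/setup", func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "setup wizard placeholder")
	})
	mux.Handle("/", proxy) // includes WebSocket upgrade requests
	return mux
}

func main() {
	// Token and gateway address come from the environment, never from clients.
	token := os.Getenv("GATEWAY_TOKEN")
	gateway, err := url.Parse(os.Getenv("GATEWAY_URL")) // e.g. http://127.0.0.1:9000
	if err != nil || gateway.Host == "" || token == "" {
		log.Fatal("GATEWAY_URL and GATEWAY_TOKEN must both be set")
	}
	// TLS termination is assumed to happen in front of this listener.
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", NewEdgeHandler(gateway, token)))
}
```

Because the token is the gateway's only credential in this arrangement, the gateway itself should listen only on an internal address so that it cannot be reached without passing through the proxy.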