CodeClarityLab / Glossary
Ctrl K
← Home ← Codex ← DEBT
Browse by Category
+ added · updated 7d
Pages
Terms of Use About Contribute 🧠Logic graph Contact
← Back to glossary

Reverse Proxy vs Load Balancer

Networking Intermediate
debt(d7/e7/b7/t5)
d7 Detectability Operational debt — how invisible misuse is to your safety net

Closest to 'only careful code review or runtime testing' (d7). No automated linter flags missing reverse proxy or load balancing; infrastructure tools like nginx/haproxy configs require human review. Production issues (slow client attacks, no health checks) surface under load testing.

e7 Effort Remediation debt — work required to fix once spotted

Closest to 'cross-cutting refactor across the codebase' (e7). Introducing a reverse proxy or load balancer requires infrastructure changes, SSL cert handling, session storage migration to Redis, health check configuration — touches deployment topology, not just code.

b7 Burden Structural debt — long-term weight of choosing wrong

Closest to 'strong gravitational pull' (b7). The proxy/LB layer shapes session handling, SSL termination, static asset routing, header forwarding (X-Forwarded-For), and deployment patterns across all web/api contexts.

t5 Trap Cognitive debt — how counter-intuitive correct behaviour is

Closest to 'notable trap most devs eventually learn' (t5). The misconception cited — that a load balancer is required for production, conflating it with reverse proxy duties — is a common confusion; round-robin without sticky sessions and unbuffered slow-client attacks are documented gotchas.

About DEBT scoring → scored by claude-opus-4-7 · 2026-05-11 · reviewed by human

Also Known As

nginx reverse proxy HAProxy load balancer SSL termination

TL;DR

A reverse proxy forwards client requests to backend servers, adding SSL termination, caching, and compression. A load balancer distributes traffic across multiple backends for scalability.

Explanation

A reverse proxy (nginx, Caddy, Traefik) sits in front of one or more application servers: it terminates SSL, compresses responses, caches static content, handles slow clients, and hides backend topology. A load balancer (HAProxy, AWS ALB, nginx upstream) specifically distributes requests across multiple backend instances. In practice these overlap — nginx does both. PHP-FPM sits behind nginx as a reverse proxy that forwards PHP requests via FastCGI, serving static files directly.

Diagram 

flowchart TD
    subgraph Reverse Proxy
        C1[Client] --> RP[nginx]
        RP -->|SSL termination| APP1[PHP-FPM]
        RP -->|Serves static| STATIC[/assets/]
        RP -->|Buffers slow clients| APP1
    end
    subgraph Load Balancer
        C2[Client] & C3[Client] & C4[Client] --> LB[HAProxy / ALB]
        LB --> S1[Server 1]
        LB --> S2[Server 2]
        LB --> S3[Server 3]
    end
style RP fill:#1f6feb,color:#fff
style LB fill:#238636,color:#fff

Common Misconception

A load balancer is always required for production — a single-server setup with nginx as a reverse proxy handles PHP-FPM, SSL, and static files correctly without load balancing.

Why It Matters

Nginx as a reverse proxy protects PHP-FPM from slow clients — without it, PHP workers are held open waiting for slow network uploads while nginx buffers the full request first.

Common Mistakes

  • Exposing PHP-FPM port (9000) directly — always put nginx in front; FPM has no authentication or rate limiting.
  • Not buffering slow client responses in nginx — PHP workers are held until the client downloads the full response.
  • Load balancing without health checks — unhealthy backends receive traffic without them.
  • Round-robin balancing for stateful sessions without Redis — sticky sessions or centralised session storage is needed.

Code Examples

✗ Vulnerable 
# PHP-FPM exposed directly to internet:
# docker-compose.yml:
services:
  php:
    image: php:8.3-fpm
    ports:
      - '9000:9000'  # NEVER expose FPM directly — no auth, protocol not HTTP
✓ Fixed 
# nginx reverse proxy in front of PHP-FPM:
# nginx.conf:
server {
    listen 443 ssl http2;
    ssl_certificate /etc/ssl/cert.pem;
    location / {
        fastcgi_pass php:9000;  # Internal only
        fastcgi_buffers 16 16k;
        fastcgi_buffer_size 32k;
        include fastcgi_params;
    }
    location ~* \.(css|js|png|jpg)$ {
        expires 1y;
        add_header Cache-Control 'public, immutable';
    }
}
Added 15 Mar 2026
Edited 22 Mar 2026
Views 62

Curated in Warsaw under one editorial standard. 1,506 terms, single voice.  About this reference →

Rate this term
No ratings yet
🤖 AI Guestbook educational data only
| |
Last 30 days
0 pings T 0 pings W 1 ping T 0 pings F 0 pings S 0 pings S 1 ping M 0 pings T 0 pings W 1 ping T 2 pings F 0 pings S 1 ping S 0 pings M 2 pings T 1 ping W 0 pings T 0 pings F 0 pings S 1 ping S 0 pings M 0 pings T 0 pings W 0 pings T 0 pings F 1 ping S 0 pings S 1 ping M 0 pings T 0 pings W
Agents 0
No pings yet today
No pings yesterday
Amazonbot 15 Perplexity 7 Google 5 Ahrefs 5 SEMrush 5 Scrapy 5 Meta AI 2 Unknown AI 2 Claude 2 Bing 2 ChatGPT 2 PetalBot 1
Also referenced
PHP-FPM 91 Gzip / Brotli Compression 62 TLS Handshake 52 Load Balancing 46
How they use it
crawler 48 crawler_json 4 pre-tracking 1
Related categories
php 13k performance 3.3k devops 2.2k networking 1k
DEV INTEL Tools & Severity
🟡 Medium ⚙ Fix effort: Medium
⚡ Quick Fix
A reverse proxy (Nginx) terminates SSL and routes to one PHP backend; a load balancer distributes across multiple backends — Nginx can do both for small PHP deployments
📦 Applies To
any web api
🔗 Prerequisites
🔍 Detection Hints
PHP directly exposed to internet without reverse proxy; single point of failure no load balancing; no SSL termination layer
Auto-detectable: ✗ No nginx haproxy aws-alb cloudflare
⚠ Related Problems
🤖 AI Agent
Confidence: Low False Positives: High ✗ Manual fix Fix: Medium Context: File
✓ schema.org compliant