Reverse Proxy

A reverse proxy is a server that sits in front of one or more backend applications and forwards client requests to them, returning the responses as if it were the origin itself. Where a traditional forward proxy acts on behalf of clients reaching out, a reverse proxy acts on behalf of servers receiving connections. For someone self-hosting several services on one machine, it is the tidy front door that lets them all share a single public address and certificate.

What it does

A reverse proxy commonly terminates TLS, so encryption is handled in one place rather than configured separately in every backend. It routes incoming requests by hostname or URL path, sending node.example.com to a block explorer and pay.example.com to a payment server, each running on its own internal port. It can also add access controls, rate limiting, and logging in front of applications that lack those features.

Why self-hosters use it

Running a reverse proxy such as a lightweight web server in front of a personal node stack means only ports 80 and 443 need to be exposed, while a dozen services hide on internal ports unreachable from outside. Some reverse proxies automate certificate issuance and renewal, removing a recurring chore. The proxy becomes the single point where you enforce HTTPS, authentication, and consistent security headers.

A consideration

Because everything flows through it, a misconfigured reverse proxy can expose a backend that was meant to stay private. The internal services should still bind to localhost so the proxy remains their only public path.

A reverse proxy typically handles the encryption described under Self-Signed Certificate / TLS, and the public ports it listens on are usually made reachable via Port Forwarding.