What are HTTP Proxies, Geteways and Tunnels?

Let's learn about HTTP intermediaries - proxy, gateway and tunnel - to understand how the work.
Published 2024-03-19 4 min read
What are HTTP Proxies, Geteways and Tunnels?

HTTP is a client-server protocol, but there are additional roles worth understanding. Throughout your career, you might encounter terms like Proxy, Gateway (or Reverse Proxy), and Tunnel. These terms often come up in the context of HTTP communication, and it’s beneficial to know what they mean. Fortunately, they are well-defined within HTTP Semantics (RFC 9110), allowing us to accurately explain these concepts.


  • All of these serve as intermediaries in HTTP communication.
  • A Proxy (also called Forward Proxy) is an intermediary chosen by the client to forward a request.
  • A Gateway (also called Reverse Proxy) forwards incoming traffic to another server or servers, acting on behalf of those servers.
  • A Tunnel is a blind relay between two connections that does not modify the message.
  • Proxy, Reverse Proxy, and Tunnel can switch behavior depending on the context (although it’s not always necessary).

Now, let’s delve deeper and explain each one to better understand their roles.


HTTP Proxy

A HTTP Proxy acts as an intermediary between a client and the internet. When a client sends a request to a server, it first goes to the proxy. The proxy then forwards the request to the appropriate origin server. Once the server responds, the proxy relays that data back to the client.

Proxies are often used to manage traffic for security reasons, caching, or the need to modify outgoing requests.

Sometimes a proxy is referred to as a forward proxy to emphasize that it forwards the requests in the direction originally intended by the client.

A proxy acts on behalf of the client. Here, the client doesn’t only mean a browser but any program that sends HTTP requests. This is why in some projects, you might encounter custom proxies that handle outgoing HTTP communication on behalf of services and apps that make up the system.

Gateway (aka Reverse Proxy)

HTTP Gateway

A gateway, positioned in front of one or more web servers, intercepts requests from clients. Unlike a forward proxy, which acts on behalf of clients, a reverse proxy acts on behalf of the server.

Its main roles include distributing client requests to different backend servers, providing load balancing, SSL termination, caching, and ensuring security and anonymity for backend servers. This setup can significantly enhance the performance, scalability, and reliability of web applications.

It’s called a gateway because it’s a passage through which you must go to communicate with the servers behind it. It’s also called a reverse proxy to highlight its similarity to a forward proxy, but operating in the reverse direction.

From the outside, a reverse proxy appears and behaves like an origin server, making it effective at concealing the inner workings of your system. It’s common in modern web development and essential in cloud environments. Examples of reverse proxy software include nginx and haproxy, as well as services like AWS API Gateway.


A Tunnel acts as a blind relay between connections without changing any messages.

The key feature of a tunnel is its ability to transmit data between networks using protocols that might be blocked or unsupported by intermediate networks or firewalls. It achieves this by encapsulating the original protocol or data within a standard HTTP request and response structure, effectively “tunneling” through networks that only permit HTTP traffic.

Typically, a client initiates a connection to a tunneling proxy server, specifying the ultimate destination. The proxy then establishes a persistent connection to the destination, relaying data between the client and destination transparently. To intermediate networks or firewalls, the traffic appears as regular HTTP or HTTPS, even though it may encapsulate other protocol data.

One More Thing

As mentioned in the TL;DR section, intermediaries can change behavior on a request-to-request basis.

A great example is nginx, which acts as a reverse proxy for dynamic content but serves as an origin server for static content, taking care of serving it directly.

If you try to access resources from a forbidden domain, then your proxy may choose not to forward your request, instead serving you a page with a warning.

Hopefully, you’ve learned something about HTTP intermediaries today!