Why reverse proxy after all

This always felt obvious but I got asked this question in a couple of interviews so I sat down to condense some of my thoughts.

What?

I host this site and a few of my pet projects on a VPS. And of course I use Nginx to serve whatever it can serve by itself and to proxy the requests to some application.

I also strongly believe that you should have such a reverse proxy set up even when hosting your app on a server completely dedicated to running this app and this app only.

Why? Feelings mostly.

Why wouldn’t I?

Those are, well, reasons, but are those good enough?

Single Responsibility Principle

The S in SOLID. We refer to SRP when developing software, but it’s also a good idea to keep your concerns separated when building your infrastructure. Apache or Nginx are incredibly good at what they’re built for — serving HTTP requests and dealing with the minutia of it.

Yeah, I just really wanted to use the word minutia: serving static content, caching policies, zipping and basic load balancing — these are solved problems. No need to put them on your application server’s shoulders. Nginx will handle them better simply because this is what its development team focuses on.

Application servers, on the other hand, are good at exactly what they were built for. The Unicorn dev team built a reliable application server with great process management. Focus on its strengths and keep your infrastructure simple. Even if this simplicity means using more than one tool.
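Here is what that split of responsibilities looks like in practice: an Nginx server block in front of a Unicorn app, added here as an illustration rather than taken from this site’s actual config. The domain, the `/srv/myapp` paths and the socket name are placeholders; the app is assumed to listen only on a local Unix socket, so Nginx is the only thing that can reach it.

```nginx
# Constructed example: nginx in front of a Unicorn app.
# example.com, /srv/myapp and the socket path are placeholders.

upstream myapp_unicorn {
    # Unicorn listens only on a local Unix socket, so nothing but
    # nginx on this host can talk to the app server directly.
    server unix:/srv/myapp/tmp/sockets/unicorn.sock fail_timeout=0;
}

server {
    listen 80;
    server_name example.com;

    root /srv/myapp/public;

    # Compression is handled here, not in the application.
    gzip on;
    gzip_types text/plain text/css application/json application/javascript image/svg+xml;

    # Static assets: served straight from disk with long-lived cache headers.
    location ~ ^/assets/ {
        expires 1y;
        add_header Cache-Control "public, immutable";
        try_files $uri =404;
    }

    # Everything else: serve a static file if one exists, otherwise hand off to Unicorn.
    location / {
        try_files $uri @unicorn;
    }

    location @unicorn {
        proxy_set_header Host $http_host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
        proxy_pass http://myapp_unicorn;
    }

    # Cap request bodies at the edge so oversized uploads never reach the app.
    client_max_body_size 10m;

    # Serve the app's own error page when Unicorn is down or mid-restart.
    error_page 502 503 504 /500.html;
    location = /500.html { root /srv/myapp/public; }
}
```

Static files, compression, cache headers and body-size limits never touch Ruby; Unicorn only ever sees the requests that actually need application code.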

Security

This dovetails with the previous point. Apache and Nginx are simply bigger projects, massively focused on security. Have you seen how fast a zero-day gets fixed there? Have you wondered why?

Because everyone is using it. Thus the devs have the resources, and the massive audience means the vulnerabilities are discovered earlier. An application server made specifically for Ruby/Python/whatever just can’t compete here.

Now don’t get me wrong. For most of us the biggest attack vector is our shitty application code anyway. Nonetheless, having a thoroughly tested (and timely upgraded) HTTP server manning your frontline just adds to the peace of mind. I warned you — my opinion rests on feelings.