Open this lesson in your favourite AI. It'll walk you through the why, explain the demo, and quiz you on the try-it list.
Even on Day 0 you need a reverse proxy between the public internet and your app. The proxy terminates TLS (so your app speaks plain HTTP on localhost and never touches a private key), buffers slow clients (so a phone on 2G doesn't tie up a Python worker for ten seconds while its request trickles in), sets timeouts (so a hung backend returns a 502 or 504 instead of holding sockets open forever), and gives you one place to add gzip, redirects, and security headers. Without a proxy, your app has to do all of this itself, and application servers are built to run your code, not to babysit thousands of half-open connections. With Caddy you get TLS in three lines of config; with nginx you get a tuned production-grade proxy in about 30.
Caddy obtains and auto-renews Let's Encrypt certificates, serves HTTPS by default, and reverse-proxies in three lines. For more knobs (built-in per-IP rate limiting, finer routing and upstream control), nginx is the standard. Either way, the rule is: your app listens on 127.0.0.1:8080 (never 0.0.0.0), and the proxy is the only process the firewall lets through on 443 (and on 80, which the proxy uses only to redirect to HTTPS and to answer ACME challenges). That single hop is also where you add per-IP rate limits and security headers later, at no cost to the app, before you need them.
Try it:
1. Move your app from listening on 0.0.0.0:443 to 127.0.0.1:8080, with Caddy or nginx in front handling TLS. Confirm with ss -tlnp that the app now shows only on 127.0.0.1:8080 and that the only sockets on 0.0.0.0:443 / [::]:443 (and :80) belong to the proxy.
2. Run slowhttptest -c 1000 -H -i 10 -r 200 -t POST -u https://yourdomain.com -x 24 -p 3 against it. Your app should not blow up, because the proxy absorbs the slow connections; without a proxy it would.
3. Run curl -I against your domain and verify that the Strict-Transport-Security (HSTS), X-Frame-Options, and X-Content-Type-Options headers are present.
4. Set nginx's proxy_read_timeout to 1s, hit a slow endpoint, and watch the proxy return a 504. Set it back. Now you know which knob controls that behavior.
Use these three prompts in order. Each builds on the one before.
In one paragraph, explain what a reverse proxy is and the five things it gives you in front of an application server.
Walk me through a TLS handshake at the proxy layer: client sends ClientHello, what happens server-side, what role does the cert play, and how does Caddy or certbot get one from Let's Encrypt automatically?
I'm getting reports that mobile users on slow networks see timeouts at our app even though the server is fine. Help me design a buffering/timeout strategy: what should the proxy timeout be vs the app's vs the load balancer's, and how should they compose?
# Caddyfile: the smallest production setup
{
    # global options: per-connection timeouts, so a slow or idle client
    # cannot hold a connection (and a backend worker) open indefinitely
    servers {
        timeouts {
            read_header 10s
            read_body 30s
            idle 2m
        }
    }
}

yourdomain.com {
    encode gzip
    reverse_proxy 127.0.0.1:8080
    # cap request bodies so an oversized upload is rejected at the proxy
    # instead of being streamed into the app
    request_body {
        max_size 10MB
    }
    # security headers, set once here on every response the proxy sends
    # (drop "preload" until every subdomain serves HTTPS; it is hard to undo)
    header {
        Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
        X-Frame-Options "SAMEORIGIN"
        X-Content-Type-Options "nosniff"
        Referrer-Policy "strict-origin-when-cross-origin"
    }
}
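The nginx counterpart to the Caddyfile, written for this lesson as an added example; it is not taken from the lesson or from the nginx project. It assumes the app listens on 127.0.0.1:8080, that certbot has already written certificates under /etc/letsencrypt/live/yourdomain.com/ (the hostname, paths and the /var/www/certbot webroot are placeholders to adjust), and that this file is included from the http context, as files in sites-enabled are, which the limit_req_zone line requires. It covers the same five jobs: TLS termination, client buffering, timeouts, compression and redirects, and security headers, plus the per-IP rate limit nginx gives you without a plugin.

```nginx
# /etc/nginx/sites-available/yourdomain.com  (added example; names and paths are placeholders)

# per-IP request-rate bucket; must sit in the http context
limit_req_zone $binary_remote_addr zone=perip:10m rate=10r/s;

upstream app {
    server 127.0.0.1:8080;      # the app listens on loopback only
    keepalive 32;               # reuse backend connections instead of one TCP handshake per request
}

server {
    listen 80;
    listen [::]:80;
    server_name yourdomain.com;

    # ACME HTTP-01 challenges for: certbot certonly --webroot -w /var/www/certbot -d yourdomain.com
    location /.well-known/acme-challenge/ { root /var/www/certbot; }

    # everything else goes to HTTPS
    location / { return 301 https://$host$request_uri; }
}

server {
    listen 443 ssl http2;           # nginx 1.25.1+ prefers "listen 443 ssl;" plus "http2 on;"
    listen [::]:443 ssl http2;
    server_name yourdomain.com;

    # TLS terminates here; the app never sees the key
    ssl_certificate     /etc/letsencrypt/live/yourdomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/yourdomain.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 1d;

    # slow-client defences: nginx will not contact the app until the request has fully arrived
    client_header_timeout 10s;
    client_body_timeout   10s;
    send_timeout          10s;
    keepalive_timeout     65s;
    client_max_body_size  10m;      # same cap as the Caddyfile's request_body max_size

    gzip on;
    gzip_types text/plain text/css application/json application/javascript image/svg+xml;
    # caveat: compressing a response that reflects attacker-controlled input next to a secret
    # enables BREACH; turn gzip off for such endpoints

    # security headers; "always" also attaches them to 4xx/5xx responses.
    # Keep them here: any add_header inside a location replaces ALL server-level add_header lines.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;

    location / {
        limit_req zone=perip burst=20 nodelay;   # short bursts pass, sustained floods get 429
        limit_req_status 429;

        proxy_pass http://app;
        proxy_http_version 1.1;
        proxy_set_header Connection "";          # needed for upstream keepalive
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;   # so the app builds https:// URLs and Secure cookies

        # buffer both directions so a slow phone never occupies a backend worker
        proxy_request_buffering on;
        proxy_buffering on;

        # backend timeouts: a hung app yields 502/504 instead of a socket held forever.
        # proxy_read_timeout is the knob the try-it list has you drop to 1s.
        proxy_connect_timeout 5s;
        proxy_read_timeout    30s;
        proxy_send_timeout    30s;
    }
}
```

Test with nginx -t before reloading, then repeat the try-it checks: ss -tlnp should show nginx on :80 and :443 and the app only on 127.0.0.1:8080, and curl -I should list the four headers above. Because the app only ever sees plain HTTP from 127.0.0.1, it must trust X-Forwarded-Proto and X-Forwarded-For from this proxy and from nothing else; never expose 8080 to another interface once the app starts honouring those headers.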