Proxy layers and reverse routing

Brief Summary

The proxy layer is the "front bus" of the platform: it completes TLS, certifies clients, distributes traffic, smoothes peaks and makes the release safe (canaries, blue-green). Minimum maturity set: clear stratification of proxy roles, deterministic routing rules, timeout/retray control, cache + rate-limit, end-to-end observability and automation.

Proxy taxonomy

Forward proxy - outbound traffic of clients/services outside (egress), filters/mirroring, DLP.
Reverse proxy - accepts external requests and routes to backends (our main focus).

Layers in the production path:

1. Edge/CDN/WAF (Anycast, bot filters, cache)

2. L7 Ingress/API-gateway (routing, authentication, policies)

3. Service Layer/Mesh (sidecar) for east-west, mTLS and Retras

4. Egress-gateway for outbound integrations (PSP, partners)

Routing (L4/L7) and Algorithms

L4 (TCP/UDP, passthrough TLS): minimum delay, without understanding HTTP.
L7 (HTTP/1. 1, HTTP/2, HTTP/3/gRPC): host/path/header/cookie rules, transformation, WAF, cache.

Algorithms:

Round-robin/Least-connections/EWMA - common cases.
Consistent-hash (by cookie/identifier) - sticky sessions and cache locality.
Header-/Geo-/Latency-based - targeting by region/provider, fast PoPs.
Canary/Weighted - phased rollout (5→25→50→100%).
Shadow/Mirroring - a copy of traffic to a new service without affecting responses.

Query/Response Transformation

URL rewrite/redirect: unify paths, versioning ('/v1/ →/svc/v1/').
Headers: normalize 'X-Forwarded-For/Proto/Host', add 'traceparent '/' x-request-id', filter unnecessary.
CORS/CSRF: centralize in the gateway, do not produce settings in every service.
Compression/Decompression: Brotli/gzip, control by type.
Body-limits and protection against slowloris/oversized headers.

Authentication and Security

TLS 1. 3 + OCSP stapling + HSTS on external fronts.
mTLS: admins, operational APIs, partner channels.
OAuth2/OIDC: authorization via gateway (token introspection/JWT-verify) → forwarding to claims in upstream.
API Keys/Signatures (HMAC) for cross-service and partner integrations.
WAF/bot filters: signatures + behavioral rules, greypass/captcha.
CSP/X-Frame-Options/Referrer-Policy - security headers at the edge.

Reliability: Retras/Timeouts/TT

Timeouts: connect/read/write on the L4/L7, single policy (for example, 'connect 500ms', 'read 3-5s' for API).
Retrays: only idempotent ('GET/HEAD'), time/quantity limit, 'retry-budget'.
Circuit-breaker: restrictions on simultaneous requests/errors, fast failure and degradation.
Outlier detection - excludes bad instances from the pool.

Backoff + jitter: so as not to create a "herd effect."

Cache and Traffic Management

Cache L7: static/semi-dynamic (catalogs, configs), 's-maxage' + 'stale-while-revalidate'.
Rate-limit/Quota: by IP/ASN/device/cookie, distributed counter (Redis/Rate-service).

Sticky sessions: cookie/consistent-hash; consider failover and "re-pasting."

Request collapsing (dedupe): protecting origin from a "storm" of identical GETs.

Protocols and features

HTTP/2: multiplexing, priorities; hold 'ALPN: h2'.
HTTP/3/QUIC: loss/jitter resistance; open the UDP/443, monitor the MTU/PMTUD.
gRPC: health-checks, streaming, deadlines; proxies must support'grpc-status'.
WebSocket/SSE: long-lived connections, competent idle timeouts and limits.

Observability and SLO

Metrics:

L4/L7: `p50/p95/p99`, ошибки (`4xx/5xx/Grpc-codes`), `open_conns`, `CPS/RPS`, `retry_rate`.
TLS: version/ciphers, p95 handshake, resumption.
Routing: shares by route/cluster, outlier-ejections.
Rate-limit/WAF: triggers/FP-rate.
Logs: access (without PII), routing reasons, trace headers.
Traces: 'traceparent '/B3, sampling.

SLO (examples):

p95 TTFB API ≤ 250-300 ms; error L7 ≤ 0. 5%.
The success of canaries (without degradation of metrics) ≥ 99% of launches.
FP-rate WAF ≤ 0. 1%.

Typical configs

Nginx (reverse proxy, HTTP/2, canary, compression)

nginx map $http_x_canary $upstream_pool {
default "stable";
~^1$ "canary";
}

upstream api_stable { zone zst 64k; server 10. 0. 1. 10:8443; server 10. 0. 1. 11:8443; keepalive 256; }
upstream api_canary { zone zcn 64k; server 10. 0. 2. 10:8443; keepalive 64; }

server {
listen 443 ssl http2 reuseport;
server_name api. example. com;

ssl_protocols TLSv1. 2 TLSv1. 3;
ssl_stapling on; ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=31536000" always;

basic limits/protection client_max_body_size 10m;
sendfile on; brotli on; gzip on;

location / {
proxy_http_version 1. 1;
proxy_set_header Host $host;
proxy_set_header X-Request-Id $request_id;
proxy_set_header X-Forwarded-Proto https;
proxy_connect_timeout 500ms;
proxy_read_timeout 5s;
proxy_next_upstream error timeout http_502 http_503 http_504;
proxy_next_upstream_tries 1; # Retrays are limited to proxy_pass https://api_$upstream_pool;
}
}

HAProxy (JWT-verify + mTLS to backend + rate-limit)

haproxy frontend fe_https bind:443 ssl crt /etc/haproxy/certs/ alpn h2,http/1. 1 http-request set-header X-Request-Id %[unique-id]
http-request lua. jwt_verify # external verification script JWT stick-table type ip size 1m expire 10m store http_req_rate (10s)
http-request deny if { src_http_req_rate(10s) gt 100 }

default_backend be_api

backend be_api balance roundrobin option httpchk GET /healthz server s1 10. 0. 1. 10:8443 check ssl verify required ca-file /etc/haproxy/ca. pem server s2 10. 0. 1. 11:8443 check ssl verify required ca-file /etc/haproxy/ca. pem

Envoy (JWT + weighted routes + outlier detection)

yaml static_resources:
listeners:
- name: https address: { socket_address: { address: 0. 0. 0. 0, port_value: 443 } }
filter_chains:
- filters:
- name: envoy. filters. network. http_connection_manager typed_config:
"@type": type. googleapis. com/envoy. extensions. filters. network. http_connection_manager. v3. HttpConnectionManager stat_prefix: ingress route_config:
virtual_hosts:
- name: api domains: ["api. example. com"]
routes:
- match: { prefix: "/" }
route:
weighted_clusters:
clusters:
- { name: api-stable, weight: 95 }
- { name: api-canary, weight: 5 }
http_filters:
- name: envoy. filters. http. jwt_authn typed_config: { "@type": type. googleapis. com/envoy. extensions. filters. http. jwt_authn. v3. JwtAuthentication }
- name: envoy. filters. http. router clusters:
- name: api-stable connect_timeout: 0. 5s type: STRICT_DNS lb_policy: ROUND_ROBIN outlier_detection: { consecutive_5xx: 3, interval: 2s, base_ejection_time: 30s }
transport_socket:
name: envoy. transport_sockets. tls
- name: api-canary connect_timeout: 0. 5s type: STRICT_DNS lb_policy: ROUND_ROBIN transport_socket:
name: envoy. transport_sockets. tls

Traefik (rule-based routes, concept)

yaml http:
routers:
api:
rule: "Host(`api. example. com`) && PathPrefix(`/v1/`)"
service: api-svc tls: { certResolver: letsencrypt }
services:
api-svc:
loadBalancer:
servers:
- url: "https://10. 0. 1. 10:8443"
- url: "https://10. 0. 1. 11:8443"

Proxy performance

Connection pooling and keepalive to backends, connection limit per instance.
Reuseport, pin CPU/IRQ, sufficient socket buffers.
TLS: ECDSA + short chains, resumption ≥ 70%, HTTP/2/3 enabled.
Cache in proxy for "hot" responses (including 304-validation).
Warm-up: warming up DNS/TLS/connections before peaks.

DR and fault tolerance

Auto-removal of degraded nodes ('outlier-ejection').
Health-checks L4/L7 (HTTP body-version token).
Fail-open/Fail-closed - choose consciously for payment/critical paths.
Shadow mode before switching traffic to a new service.

Runbooks: "cluster collapse," "redirect loop," "connection leaks," "retray storm."

Implementation checklist

Stratification: Edge → Ingress/API-GW → Mesh/Egress, roles and responsibilities.
Routing policies: host/path/header/weight, canary/blue-green, shadow.
Security: TLS 1. 3, mTLS for sensitive pathways, JWT/OAuth2, WAF.
Timeouts/Retrays/CB: uniform values, idempotency, retry-budget.
Cache/Rate-limit/Request-collapsing where appropriate.
Observability: metrics/logs/trails, correlation identifiers.
SLO: p95/errors/resources; alerts to perimeter failures.
IaC/GitOps: repository proxy configs, canary releases, fast rollback.
Tests: e2e routes, chaos scripts, load before events.

Common errors

A "magic" proxy harvester without role separation → complex RCA and high blast radius.
Retrays for non-idempotent queries → duplicate transactions.
No header/URL normalization → cache-poisoning and bad keys.
Sticky sessions without failover plans → sticking on a degraded instance.
Missing 'traceparent '/' x-request-id' → cannot correlate problems.
Hard 301/302 at the proxy level → loops and loss of API version control.

iGaming/fintech specific

Payments/PSP: dedicated egress-gateway with mTLS, strict timeouts, idempotent keys, IP/ASN whitelists.

Peaks (matches/tournaments): canary/weighted, gray routes for bots, aggressive GET cache, origin defense against the "storm."

Regulation/logging: fix policy versions and route reasons in audit logs; minimize PII.
Content providers: consistent-hash by provider key for cache locality and even distribution.

Mini playbooks

1) Canary API release

1. Include 5% weight on 'api-canary'; 2) p95/error monitoring; 3) expand the share; 4) auto-rollback during degradation.

2) Emergency removal of the degraded node

1. Outlier-ejection or manual 'drain'; 2) checking the pool and hit of the cache; 3) post-incident RCA.

3) Function mirroring

1. Enable shadow without affecting responses; 2) compare metrics/response diff; 3) decide on switching.

4) Retray storm

1. Reduce retry-budget/time limits; 2) enable request-collapsing; 3) local stubs/cache; 4) stabilize origin.

Result

A well-designed proxy layer is role separation, deterministic routing, trusted policies (timeouts/retrays/CB), security (mTLS/JWT/WAF), and observability. Pin configurations to IaC, use canaries and shadow, measure SLO - and your platform will be scalable, predictable and secure even during the hottest peak hours.