Reverse Proxy & Edge Servers 2026 Complete Guide — nginx · Caddy · Traefik · HAProxy · Envoy · OpenResty · Pingora · FrankenPHP Deep Dive

Prologue — Why Reverse Proxies Are the Heart of Infrastructure

The first question a junior backend engineer asks in 2026: "Can't I just run Node.js on port 3000? Why do I need nginx in front?"

Three months later, reality hits: the TLS certificate expired and you need a redeploy to renew it, traffic 3x-ed and a single Node can't keep up, some IP is hammering 10k requests per second and you have no way to block it, Node is at 80% CPU just serving static files, and every new microservice needs a fresh DNS record.

The answer to all of this is a reverse proxy — a middle layer between clients and your application servers that handles TLS termination, load balancing, caching, auth, rate limiting, and observability. It's the heart of modern infrastructure.

This article dissects the reverse proxy and edge server full stack as of May 2026. nginx 1.27 (F5) and the freenginx fork drama, Caddy 2.8 automatic HTTPS, Traefik 3 dynamic routing, HAProxy 3.x L4/L7 load balancer, Envoy 1.32 service mesh data plane, OpenResty Lua, Cloudflare Pingora Rust rewrite, FrankenPHP, K8s Ingress and Gateway API, Cloudflare Workers · Fastly Compute@Edge · Vercel Edge · Netlify Edge · Lambda@Edge · CloudFront Functions edge runtimes — all of it.

1 · What Is a Reverse Proxy — Five Core Roles

A reverse proxy is a middle layer that prevents clients from reaching the backend directly. It is "reverse" because it sits on the opposite side from a forward proxy (which sits with the client).

The five core roles:

• Load balancing. Distribute traffic across N instances of the same app. Round-robin, least-conn, IP hash, consistent hash algorithms.
• TLS termination. Decrypt HTTPS at the proxy and talk plain HTTP to the backend. Certificate management lives in one place.
• Caching. Store static files and HTTP responses in memory or on disk. Can cut backend load by 90%.
• Auth / authorization. OAuth, JWT verification, mTLS, IP allowlist. The app doesn't have to re-check on every request.
• Rate limiting · WAF. "Reject more than 100 req/s", "detect SQL injection patterns". The first line of defense.

Add observability — log every request, expose Prometheus metrics — and you have the 2026 picture. The reverse proxy is no longer just a router; it is an L7 security gateway plus observability hub.

2 · The Market Map — Eight Camps

The 2026 reverse proxy and edge market sorts into eight camps.

1. nginx camp. nginx 1.27 (F5 Networks), nginx Plus, freenginx (Maxim Dounin fork), OpenResty (nginx + Lua). Market leader, the oldest veteran.

2. Caddy camp. Caddy 2.8+ (Matt Holt). Automatic HTTPS, written in Go. FrankenPHP (Kévin Dunglas) embeds PHP into Caddy.

3. Traefik camp. Traefik 3.x (TraefikLabs). Docker · K8s native, dynamic config, plugins.

4. HAProxy camp. HAProxy 3.x (Willy Tarreau). L4/L7 load balancer, fastest TCP processing.

5. Envoy camp. Envoy Proxy 1.32 (CNCF, originally from Lyft). Data plane for Istio · Linkerd2 · Consul Connect. Envoy Gateway · Contour are K8s gateways.

6. Rust newcomers. Cloudflare Pingora (open-sourced 2024), Sozu, Hyper (a library). Memory safety and performance.

7. Edge serverless. Cloudflare Workers · Fastly Compute@Edge · Vercel Edge · Netlify Edge Functions · Lambda@Edge · CloudFront Functions · Akamai EdgeWorkers.

8. K8s Ingress. NGINX Ingress, Traefik Ingress, Contour, Istio Gateway, Kong Ingress, HAProxy Ingress, Cilium Gateway API, the Gateway API standard.

On top of these, CDN-integrated LBs (Cloudflare Load Balancer, AWS CloudFront, Akamai, Fastly, Azure Front Door, Google Cloud CDN) form a separate layer.

Memorizing the camps speeds up decision-making. Traditional static site → nginx, small team wanting auto-TLS → Caddy, K8s native → Traefik · Envoy, ultra-fast L4 → HAProxy, global edge → Cloudflare Workers is the default mapping.

3 · nginx 1.27 — The Veteran, Post-F5 Acquisition

nginx is the first-generation reverse proxy, created by Igor Sysoev in 2004.

History.

• 2004: Igor Sysoev releases nginx 0.1 for Rambler.
• 2011: Nginx, Inc. founded. Plus (paid) released.
• 2019: F5 Networks acquires for 670M USD.
• 2024: Maxim Dounin (longtime core developer) forks the project as freenginx, protesting F5's CVE-handling policy. Community splits.
• 2025–2026: nginx 1.27 mainline and freenginx 1.27 develop in parallel.

Strengths.

• Overwhelming market share — roughly 30% of all websites use nginx in 2026 (it passed Apache years ago).
• Modular architecture — async event loop, N worker processes.
• Rich module ecosystem — HTTP, mail, stream (TCP/UDP), gRPC, HTTP/3 QUIC (1.25+).
• Massive docs and tutorial corpus — almost nothing you can't find a guide for.

Configuration example.

upstream backend {
    least_conn;
    server app1.internal:3000 weight=3;
    server app2.internal:3000 weight=2;
    server app3.internal:3000 backup;
}

server {
    listen 443 ssl http2;
    listen 443 quic reuseport;
    server_name example.com;

    ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;

    location / {
        proxy_pass http://backend;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_http_version 1.1;
    }

    location /static/ {
        alias /var/www/static/;
        expires 1y;
    }
}

Weaknesses. Dynamic configuration is weak — you edit the config file and run nginx -s reload. Only Plus (paid) has a truly dynamic API. Modules are decided at build time — dynamic modules (.so) exist but are limited.

4 · freenginx — Maxim Dounin's Community Fork

In February 2024, longtime nginx core developer Maxim Dounin protested F5's security-patch policy and started a fork named freenginx.

The core argument. "F5 has moved to silently patching without issuing CVEs, which violates the security-transparency expectations of open source. The project should return to genuine open governance."

Status (May 2026).

• freenginx 1.27 mainline is active.
• Dozens of community patches merged.
• Some users (especially security-sensitive shops) have migrated.
• Market share is still dominated by nginx mainline — freenginx is around 1–2%.

Choosing.

• Existing nginx users → little difference, stay on nginx mainline.
• Care about security transparency or dislike F5 governance → freenginx.
• Need enterprise support → nginx Plus (F5).

The fork is a case study in how open-source governance can fracture. Same pattern as Redis-Valkey, Terraform-OpenTofu, Elasticsearch-OpenSearch.

5 · Caddy 2.8 — The Automatic HTTPS Revolution

Caddy is a Go-based web server started by Matt Holt in 2015. As of May 2026, it's at 2.8.x.

1.x era (2015–2018). The selling point: "one config line and you get automatic HTTPS". Single-binary deployment.

2.x (2019–2026). Complete rewrite. Modular architecture, JSON-based config, plugin system, REST API.

Strengths.

• Automatic HTTPS — Let's Encrypt and ZeroSSL integrated. Type your domain, the certificate just appears and renews.
• Single binary — Go-built, static binary with no dependencies.
• Modular — DNS providers, storage backends, middleware all as plugins.
• REST API — configuration can be changed at runtime.
• HTTP/3 by default — QUIC turns on with no extra config.

Caddyfile example.

example.com {
    reverse_proxy app1.internal:3000 app2.internal:3000 {
        lb_policy least_conn
        health_uri /health
        health_interval 10s
    }

    handle_path /static/* {
        root * /var/www/static
        file_server
    }

    encode gzip zstd
    log {
        output file /var/log/caddy/access.log
    }
}

That single block gives you Let's Encrypt certs, HTTP/3, load balancing, health checks, compression, and logging. In nginx it would take 50+ lines.

Weaknesses. Performance is slightly below nginx and HAProxy (10–20%). Go GC overhead exists, and the operational maturity in edge cases isn't quite at nginx's level. Still, the development velocity and operational ergonomics dominate, which is why small teams pick Caddy.

6 · Traefik 3 — Docker · K8s Native

Traefik is a Go-based proxy launched by Containous (now TraefikLabs) in 2015. As of May 2026, it's at v3.x.

Core idea: automatic configuration. Attach labels to a Docker container or define a K8s Ingress / CRD, and Traefik figures out the routing on its own. You almost never write a static config.

What's new in v3 (2024).

• Plugin system stabilized (Yaegi Go interpreter).
• HTTP/3 GA.
• Gateway API support (the K8s Ingress successor).
• Better gRPC, TCP/UDP routing.
• OpenTelemetry traces integrated.

Docker label example.

services:
  app:
    image: myapp:latest
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.app.rule=Host(`example.com`)"
      - "traefik.http.routers.app.tls=true"
      - "traefik.http.routers.app.tls.certresolver=letsencrypt"
      - "traefik.http.services.app.loadbalancer.server.port=3000"

Just these labels and Traefik routes traffic and issues a certificate. On K8s the IngressRoute CRD plays the same role.

Strengths. Unmatched ergonomics for Docker · K8s, a real-time dashboard, automatic ACME with DNS challenge support.

Weaknesses. Raw performance is below nginx · HAProxy. Memory usage is higher. The appeal shrinks in traditional, non-container environments.

7 · HAProxy 3.x — The Fastest L4/L7 Load Balancer

HAProxy is a C-based load balancer started by Willy Tarreau in 2001. As of May 2026, it's at 3.x.

Philosophy: do one thing really well — load balancing. It's a pure proxy, not an HTTP server. It will not serve static files, will not run PHP. It terminates TLS and routes.

Strengths.

• L4 (TCP) is dominantly fast — a single node handles a million connections per second.
• L7 (HTTP) matches nginx — header-based routing, ACLs, sticky sessions.
• Observability is first-class — built-in stats page, Prometheus exporter.
• HTTP/2, HTTP/3, gRPC supported (2.6+, 3.x).
• Rich LB algorithms — roundrobin, leastconn, source, uri, url_param, hdr, random, first.

Configuration example.

frontend https
    bind *:443 ssl crt /etc/haproxy/certs/example.pem alpn h2,http/1.1
    bind quic4@:443 ssl crt /etc/haproxy/certs/example.pem alpn h3
    default_backend app_pool

backend app_pool
    balance leastconn
    option httpchk GET /health
    server app1 10.0.1.10:3000 check inter 2s
    server app2 10.0.1.11:3000 check inter 2s
    server app3 10.0.1.12:3000 check inter 2s backup

Weaknesses. No static file serving, no direct PHP/FastCGI, no full-stack web server features — the common pattern when you need them is to pair HAProxy in front with nginx behind.

Who uses it. GitHub, Stack Overflow, Reddit, Twitter (X), Tumblr — many high-traffic sites.

8 · Envoy Proxy 1.32 — The Service Mesh Data Plane

Envoy is a C++ proxy created at Lyft in 2016, donated to CNCF in 2017. As of May 2026, it's at 1.32.

Philosophy: be the data plane of the service mesh. Not just a load balancer — it's designed to handle every aspect of inter-service microservice communication.

Core features.

• xDS API — dynamic configuration (LDS · CDS · RDS · EDS). The control plane pushes updates and Envoy applies them immediately.
• gRPC first-class — gRPC load balancing, transcoding (REST↔gRPC).
• Observability — detailed metrics, distributed tracing (Jaeger, Zipkin, OpenTelemetry).
• Circuit breakers, retries, outlier detection — microservice resiliency patterns built in.
• HTTP/3, mTLS, gRPC-Web, WebSocket all supported.

Who uses Envoy.

• Istio — K8s service mesh. Envoy sidecar on every Pod.
• Linkerd 2 — uses its own Rust proxy (linkerd2-proxy) for the dataplane but Envoy in some components.
• Consul Connect — HashiCorp service mesh.
• Envoy Gateway — K8s Gateway API implementation.
• Contour — VMware Tanzu (now Broadcom) K8s ingress.
• AWS App Mesh — Envoy-based.

Weakness. Configuration is complex. Hand-written YAML or JSON often runs into hundreds of lines. So in practice you drive it through a control plane like Istio or Envoy Gateway.

9 · OpenResty — Lua Full Stack on nginx

OpenResty is an nginx distribution that Yichun Zhang has been building since 2011.

Core idea. Embed LuaJIT into nginx so you can run Lua code on every request. nginx's async event loop pairs naturally with Lua coroutines for non-blocking logic.

Example.

location /api/auth {
    access_by_lua_block {
        local jwt = require "resty.jwt"
        local token = ngx.var.http_authorization
        local jwt_obj = jwt:verify("secret-key", token)
        if not jwt_obj.verified then
            ngx.status = 401
            ngx.say("Unauthorized")
            return ngx.exit(401)
        end
        ngx.req.set_header("X-User-Id", jwt_obj.payload.user_id)
    }
    proxy_pass http://backend;
}

Famous projects built on OpenResty.

• Kong API Gateway — OpenResty-based (some components moving to Go).
• APISIX (Apache) — OpenResty-based API gateway.
• 3scale (Red Hat).
• Some Cloudflare edge logic — until they migrated to Pingora in 2024.

Strengths. nginx's performance plus Lua's dynamic logic. You can build auth, transformation, routing, and A/B test middleware quickly.

Weaknesses. Lua learning curve, harder debugging, and the monolithic nginx build makes adding modules awkward.

10 · Cloudflare Pingora — The Rust Rewrite Ambition

Pingora is the Rust-based proxy framework Cloudflare built for its own edge. Open-sourced in February 2024, it drew massive attention.

Why they built it. Cloudflare originally ran nginx at the edge. But:

• The multi-process model meant connections couldn't be shared across workers.
• C-based codebases keep generating memory-safety CVEs.
• Adding custom logic required Lua and C modules to work around limits.

Cloudflare decided a Rust rewrite from scratch was better, and Pingora is the result.

Specs (May 2026).

• Language: Rust (safety + performance).
• Model: multi-threaded work-stealing (Tokio).
• Traffic: Cloudflare serves over a trillion requests per day through Pingora.
• CPU/memory: about 70% CPU and 67% memory of an equivalent nginx setup.
• HTTP/3, gRPC, WebSocket supported.

Open source = a framework. Pingora ships as crates. Unlike nginx ("write config and run"), you have to build your own proxy in Rust on top of it.

Who uses it (2026).

• Cloudflare itself.
• OSS projects built on Pingora: River (in development), pingora-load-balancing examples.
• Several large companies experimenting on their own edges.

Weakness. It's not a drop-in solution — you need Rust engineers. The learning curve is steep, so it's a poor fit for small teams.

11 · FrankenPHP — PHP Runtime Inside Caddy

FrankenPHP is a project started in 2022 by Kévin Dunglas (Symfony core, API Platform founder). As of May 2026, it's a stable 1.x.

Core idea. Get rid of PHP-FPM. Embed the PHP interpreter directly into Caddy (Go). PHP runs inside a long-running process.

Problems with classic PHP-FPM.

• Every request spawns a fresh PHP process (Opcache helps, but only so much).
• Many hops: nginx → FastCGI → PHP-FPM → back to nginx.
• Tuning the worker pool is painful.

FrankenPHP's answer.

• PHP runs inside the long-running Caddy process.
• HTTP/2, HTTP/3, WebSocket out of the box.
• Worker mode — keep Laravel · Symfony · Drupal long-running like Octane.
• Early hints (HTTP 103) supported.
• Static binary — a single file with PHP and the web server.

Benchmarks. On a Symfony demo app, 3.5x RPS versus PHP-FPM and a 75% latency reduction.

Adoption.

• API Platform official integration.
• A worker option in Laravel Octane.
• One of the officially recommended options in the Symfony docs.

FrankenPHP is one of the reasons PHP saw renewed attention in 2025–2026. It changed the perception that PHP is a "slow language".

12 · Sozu and Other Rust Proxies

As Rust became the next default for systems programming, several reverse proxies appeared.

Sozu — an HTTP reverse proxy built by CleverCloud. Its core feature is hot reload — zero downtime for config changes. AGPL license is somewhat controversial.

Hyper — Rust's most famous HTTP library. Not a proxy itself, but the foundation many Rust proxies build on.

Linkerd2-proxy — the Rust proxy Linkerd 2 uses as its sidecar. Small and fast.

River — an OSS proxy being built on top of Pingora (in development).

Others. Tonic (gRPC), Tower (middleware abstractions), Hudsucker (MITM proxy).

Bun's built-in server — Node-camp, but worth mentioning. Bun.serve() exposes a fetch-API-based HTTP server that is 5–10x faster than Express / Node http. Fast enough that small microservices can be exposed directly without nginx in front.

13 · K8s Ingress Controllers — Seven Options

To take external traffic into Kubernetes you need an Ingress controller. There are many options in 2026.

1. NGINX Ingress Controller — one of the official K8s controllers. nginx-based. Most widely deployed. Configured via ConfigMap plus annotations.

2. NGINX Ingress (F5 commercial) — a different controller. nginx Plus-based, dynamic config. F5 maintained.

3. Traefik Ingress — Traefik as the controller. The IngressRoute CRD is the draw.

4. Contour — Envoy-based, by VMware (Broadcom). HTTPProxy CRD.

5. Istio Gateway — Envoy-based, with the Istio control plane. The natural pick when you already run a service mesh.

6. Kong Ingress — the Kong API gateway as a controller. OpenResty-based.

7. HAProxy Ingress — HAProxy as a controller. Strong at L4.

8. Cilium Gateway API — eBPF-based data plane. Attractive when Cilium is your CNI.

How to choose:

• Simple start → NGINX Ingress (CNCF graduated, the most material online).
• Service mesh integration → Istio Gateway.
• Dynamic config and plugins → Traefik.
• API gateway features → Kong.

14 · Gateway API — The Successor to Ingress

Ingress, introduced in K8s 1.1 in 2015, was the first L7 routing API. After ten years its limits became obvious.

Problems with Ingress.

• Too simple — hosts and paths only, no header or method routing.
• Annotations differ across controllers — nginx, traefik, contour, kong all have their own dialect.
• No TCP/UDP routing.
• No separation of concerns — infra and app teams can't split ownership.

Gateway API (SIG Network) addresses all of this. It went GA in 2023; v1.2 as of May 2026.

Core resources.

• GatewayClass — which implementation to use (owned by infra).
• Gateway — the actual LB / entry point (created by infra).
• HTTPRoute, TCPRoute, UDPRoute, TLSRoute, GRPCRoute — routing rules (created by app teams).
• ReferenceGrant — cross-namespace reference permissions.

HTTPRoute example.

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: app-route
spec:
  parentRefs:
    - name: my-gateway
  hostnames:
    - "example.com"
  rules:
    - matches:
        - path:
            type: PathPrefix
            value: /api/v1
          headers:
            - name: X-API-Version
              value: "1"
      backendRefs:
        - name: app-v1
          port: 80
          weight: 80
        - name: app-v1-canary
          port: 80
          weight: 20

Implementations (2026). Istio, Envoy Gateway, Contour, Kong, Traefik, NGINX Gateway Fabric, Cilium Gateway API. Ingress isn't deprecated, but new projects should go with Gateway API.

15 · TLS · mTLS · ACME — The Certificate Ecosystem

Once HTTPS became the default (post the 2018 Chrome "Not Secure" campaign), the biggest single responsibility of a reverse proxy became TLS certificate management.

The ACME protocol. A standard for automated certificate issuance created by Let's Encrypt. HTTP-01, DNS-01, TLS-ALPN-01 challenges.

Free CAs (2026).

• Let's Encrypt — the most widely used free CA. 60-day certs.
• ZeroSSL — 90-day or 1-year (account signup required). Caddy tries Let's Encrypt and ZeroSSL by default.
• Google Trust Services — free ACME issuance since 2024.

Cert automation tools.

• Certbot — Let's Encrypt's official client. Renews via systemd timer.
• acme.sh — bash-based ACME client. The lightest option.
• cert-manager — automation on K8s via Issuer · Certificate CRDs. The de facto standard.
• lego — Go-based, embedded in Traefik.

ACME integration by proxy.

• Caddy — built in, no extra tool needed.
• Traefik — built in.
• nginx — external Certbot · acme.sh.
• HAProxy — external Certbot · acme.sh.
• Envoy — cert-manager or external.

mTLS (mutual TLS). Clients also authenticate with certificates. The heart of zero-trust security models in service meshes (Istio, Linkerd).

Private CAs.

• step-ca (smallstep) — internal CA. Runs as an ACME server.
• mkcert (Filippo Valsorda) — self-signed CA for local development.
• HashiCorp Vault PKI — enterprise CA.

16 · HTTP/3 · QUIC — The New Standard over UDP

HTTP/3 was standardized as RFC 9114 in 2022, and roughly 30% of global traffic is HTTP/3 by May 2026.

Key differences.

• Transport = QUIC (over UDP) — not TCP.
• TLS 1.3 baked in — 1-RTT handshake (vs. 3-RTT for TCP+TLS).
• Head-of-line blocking solved — overcomes the HTTP/2 limitation.
• Connection migration — a mobile device switching Wi-Fi to LTE keeps the connection.

Proxy support (May 2026).

• nginx 1.25+ — QUIC GA.
• Caddy 2.6+ — built in, zero config.
• HAProxy 2.6+ — quic binds.
• Envoy 1.27+ — HTTP/3 listener.
• Traefik 3.x — experimental: http3: true.

Client support. Chrome 87+, Firefox 88+, Safari 14+, curl 7.66+ (with a flag). Effectively every major browser uses HTTP/3.

When to enable it. For a global-facing site in 2026, just turn it on. Where UDP is blocked (some enterprise firewalls), the client falls back to HTTP/2 automatically, so there's almost no downside.

17 · Rate Limiting — Token Bucket · Sliding Window · Leaky Bucket

Rate limiting is a core security feature of any reverse proxy. Policies like "reject more than 100 req/s from one IP" block DoS, scraping, and brute-force attacks.

Three algorithms.

• Token bucket. Tokens refill at a fixed rate; each request consumes one. Allows bursts. nginx limit_req, HAProxy stick-table.
• Sliding window. Count requests in the last N seconds. Accurate but memory-heavy. Combine with Redis.
• Leaky bucket. Process at a fixed rate; queue or drop overflow. The default behavior of nginx limit_req.

nginx example.

http {
    limit_req_zone $binary_remote_addr zone=api:10m rate=100r/s;

    server {
        location /api/ {
            limit_req zone=api burst=200 nodelay;
            proxy_pass http://backend;
        }
    }
}

Distributed rate limiting. To share counts across multiple proxy nodes you need external storage. Redis is the standard. The same is true on edges like Cloudflare Workers · Vercel · Lambda.

At the API gateway layer. Kong · Traefik · APISIX provide richer plugins for differentiated rate limits per IP, user, or API key.

18 · WAF — ModSecurity · Coraza · Cloud WAF

A WAF (Web Application Firewall) uses pattern matching to block L7 attacks like SQL injection, XSS, path traversal, and RCE.

ModSecurity — open-source WAF that started in 2002. Originally an Apache module, later expanded to nginx and IIS. The OWASP Core Rule Set (CRS) is the canonical ruleset. In 2024 Trustwave handed ModSecurity governance to OWASP, and the future is a little uncertain.

Coraza — a Go-written replacement for ModSecurity. Officially supported by OWASP and integrated with Caddy · Traefik · Envoy. For new projects in 2026, Coraza is the recommendation.

Cloud WAFs (SaaS).

• Cloudflare WAF — the largest global footprint, OWASP CRS plus ML rules.
• AWS WAF — integrated with CloudFront · ALB · API Gateway.
• Azure WAF — integrated with Front Door · App Gateway.
• Google Cloud Armor — integrated with Cloud Load Balancer.
• Akamai Kona — enterprise-only.
• Imperva — classic enterprise WAF.

Korean WAFs. AhnLab TrusGuard · WAPPLES · Penta Security Cloudbric. Financial-sector compliance drives strong domestic adoption.

19 · Cloudflare Workers — The Edge Serverless Champion

Cloudflare Workers is an edge serverless runtime launched in 2017.

Specs.

• Runtime: V8 isolates (each request runs in its own isolate, near-zero cold start).
• Languages: JavaScript, TypeScript, WebAssembly, (experimental) Python.
• Global: 330+ PoP cities.
• Latency: under 50ms to most users.

Cloudflare's full stack (2026).

• Workers — compute.
• R2 — object storage (S3-compatible, free egress).
• D1 — distributed SQLite-based database.
• KV — global key-value store.
• Durable Objects — single-instance stateful objects.
• Queues — message queue.
• Hyperdrive — cache layer for external Postgres.
• Cloudflare Tunnel (cloudflared) — expose internal servers via the edge without revealing your IP.

Workers example.

export default {
  async fetch(request: Request, env: Env) {
    const url = new URL(request.url)
    if (url.pathname === '/api/hello') {
      return Response.json({ greeting: 'hello world', region: request.cf.colo })
    }
    return fetch(request)
  },
}

Why it dominates. Workers has become the standard for edge compute. Vercel · Netlify have similar models, but Cloudflare's scale and pricing leadership are overwhelming.

20 · Vercel · Netlify · Fastly · AWS · Azure Edge Comparison

Vercel Edge Functions / Middleware. Built on top of Cloudflare Workers (Vercel's actual infrastructure). Deep integration with Next.js · SvelteKit · Astro. The Edge Runtime is V8 isolates.

Netlify Edge Functions. Deno-runtime-based, running on Deno Deploy infrastructure. Supports both JSR and npm.

Fastly Compute@Edge. WebAssembly-based — write code in Rust, AssemblyScript, or Go (JS). Cold starts under 0.1ms. Strong security isolation.

AWS Lambda@Edge. Lambda integrated with CloudFront. Node.js, Python. Cold starts 100–500ms (slow relative to other edges).

CloudFront Functions. A lighter version of Lambda@Edge. Sub-millisecond execution, JS only. URL rewrites, header manipulation, and other simple work.

Akamai EdgeWorkers. JavaScript runtime, 300+ PoPs. Enterprise pricing.

Azure Front Door + Azure CDN + Azure Static Web Apps.

Google Cloud CDN + Cloud Load Balancer + Cloud Run (not strictly edge).

Comparison matrix:

Choosing. Next.js → Vercel. Full-stack edge data → Cloudflare. AWS lock-in → CloudFront Functions. Strong WASM isolation → Fastly.

21 · Dev Tunnels — Cloudflare Tunnel · ngrok · Tailscale Funnel · Pinggy

Exposing a server on your laptop to the internet requires a tunneling tool.

Cloudflare Tunnel (cloudflared). A free tunnel operated by Cloudflare. Run the cloudflared daemon locally and map a domain. Your IP stays hidden. Stable enough for production.

ngrok. The oldest tunnel SaaS. Free plan gives random subdomains; paid plans give fixed ones. 1GB/month free. The standard for demos and webhook testing.

Tailscale Funnel. A newer Tailscale feature. Expose a node inside your tailnet to the internet. Free if you already use Tailscale.

Pinggy — an India-based startup, an ngrok alternative. SSH-one-liner tunneling.

localtunnel · serveo — free open-source alternatives, less reliable.

Use cases.

• Demoing a local dev server → ngrok · cloudflared.
• Webhook testing (Stripe, GitHub, Slack) → ngrok is the standard.
• Exposing internal systems → Cloudflare Tunnel (production-grade).
• Quick SSH access → Tailscale Funnel.

22 · API Gateways — The Adjacent Category

API gateways are the layer above reverse proxies — L7 routing plus auth, rate limiting, transformation, and analytics. Major options in 2026:

Kong Gateway. OpenResty-based (some pieces migrating to Go). The biggest plugin ecosystem. OSS free, Enterprise paid.

Tyk. Go-based, open source. A Kong competitor.

KrakenD. Go-based, declarative config, extremely fast. Strong at response aggregation.

APISIX (Apache). OpenResty-based, an OSS alternative to Kong. etcd-backed.

Express Gateway. Node.js-based, for small teams.

Gravitee · WSO2. Enterprise, API management plus gateway.

Cloud-native. AWS API Gateway, Azure API Management, Google Cloud API Gateway, GCP Apigee.

Reverse proxy vs API gateway. The line is blurry. Traefik · Envoy can do both. Kong · Tyk lean into API gateway territory. The real difference is whether you get developer portals, billing, and analytics on top of plain routing.

23 · Observability — Prometheus · OpenTelemetry · Access Logs

The reverse proxy is where all traffic passes, making it the prime observability spot.

Metrics (Prometheus).

• nginx — external nginx-prometheus-exporter; Plus has it built in.
• Caddy — built-in /metrics endpoint.
• Traefik — built in.
• HAProxy — built in, or haproxy_exporter.
• Envoy — built in, statsd and Prometheus.

Key metrics.

• requests per second
• latency p50, p95, p99
• error rate (5xx, 4xx)
• upstream health (active connections, queued, failed)
• TLS handshake duration

Traces (OpenTelemetry). Envoy · Traefik have OTel built in. nginx has the nginx-otel module (1.24+). Distributed tracing is the standard for debugging microservices.

Access logs. Log every request as JSON. Analyze in ELK · Loki · Grafana. Access logs are also essential for post-incident forensics.

24 · Korea–Japan Adoption — Cloud LBs and WAFs

Korea.

• NAVER Cloud Load Balancer — ALB · NLB · CLB lineup. Envoy- and nginx-based.
• Kakao Cloud Load Balancer — similar lineup.
• NHN Cloud Load Balancer — used by Toss Payments and other fintechs.
• AhnLab TrusGuard WAF · WAPPLES · Penta Security Cloudbric — the de facto standard for financial-sector WAF.
• NAVER · Kakao · Coupang in-house edge — nginx, OpenResty, and Envoy combinations internally.

Japan.

• NTT Communications Smart Data Platform — LB and CDN.
• SAKURA Internet — VPS and cloud LB.
• IIJ GIO — enterprise cloud LB.
• ConoHa — individuals and SMBs.
• AWS Tokyo · Osaka regions — about 80% of Japanese enterprises use AWS, with CloudFront + ALB as the default.
• Mercari · LINE · Rakuten in-house edge — Envoy- and Istio-based service mesh.

Regulation. Korea has K-ISMS, Japan has ISMS-AC and PCI-DSS. Both demand WAF, TLS 1.2+, and access-log retention of at least a year.

25 · Decision Matrix — Which Proxy to Pick

Recommendations by situation.

• Single machine, small team, PHP or static site → nginx or Caddy. Caddy is easier.
• Docker · K8s, automation-first → Traefik or NGINX Ingress.
• Microservices plus service mesh → Envoy (via Istio or Envoy Gateway).
• Ultra-fast L4 (DB proxy, TCP routing) → HAProxy or Envoy.
• PHP full stack (Laravel, Symfony) → FrankenPHP.
• Global edge compute → Cloudflare Workers + R2.
• AWS lock-in edge → CloudFront + Lambda@Edge.
• Next.js · SvelteKit full stack → Vercel Edge.
• Exposing internal systems externally → Cloudflare Tunnel.
• API gateway (developer portal, billing) → Kong or Apigee.
• Legacy nginx stability → freenginx or nginx mainline.
• Rust engineers in-house, custom ultra-performance → Pingora.

Anti-patterns.

• "Caddy has auto-HTTPS so it's strictly better than nginx" — nginx still leads on raw performance and the module ecosystem.
• "Envoy is the most powerful, so use Envoy everywhere" — configuration complexity overwhelms small teams.
• "Just use Cloudflare Workers and infra is done" — lock-in, debugging difficulty, and pricing surprises at scale.

26 · References — Official Docs and Quality Writeups

• nginx official docs
• freenginx
• Caddy official docs
• Traefik official docs
• HAProxy official docs
• Envoy Proxy official docs
• OpenResty official
• Cloudflare Pingora announcement (2024)
• FrankenPHP official
• Sozu official
• Kubernetes Gateway API
• NGINX Ingress Controller
• Istio official
• Linkerd official
• Let's Encrypt
• cert-manager
• step-ca (smallstep)
• OWASP ModSecurity Core Rule Set
• Coraza WAF
• HTTP/3 RFC 9114
• Cloudflare Workers official
• Fastly Compute@Edge
• Vercel Edge Functions
• Netlify Edge Functions
• AWS Lambda@Edge official
• Kong Gateway official
• Apache APISIX
• Tailscale Funnel
• ngrok