필사 모드: Reverse Proxy & Edge Servers 2026 Complete Guide — nginx · Caddy · Traefik · HAProxy · Envoy · OpenResty · Pingora · FrankenPHP Deep Dive
EnglishPrologue — Why Reverse Proxies Are the Heart of Infrastructure
The first question a junior backend engineer asks in 2026: "Can't I just run Node.js on port 3000? Why do I need nginx in front?"
Three months later, reality hits: the TLS certificate expired and you need a redeploy to renew it, traffic 3x-ed and a single Node can't keep up, some IP is hammering 10k requests per second and you have no way to block it, Node is at 80% CPU just serving static files, and every new microservice needs a fresh DNS record.
The answer to all of this is a **reverse proxy** — a middle layer between clients and your application servers that handles TLS termination, load balancing, caching, auth, rate limiting, and observability. It's the **heart of modern infrastructure**.
This article dissects the reverse proxy and edge server full stack as of May 2026. **nginx 1.27** (F5) and the **freenginx** fork drama, **Caddy 2.8** automatic HTTPS, **Traefik 3** dynamic routing, **HAProxy 3.x** L4/L7 load balancer, **Envoy 1.32** service mesh data plane, **OpenResty** Lua, **Cloudflare Pingora** Rust rewrite, **FrankenPHP**, **K8s Ingress** and **Gateway API**, **Cloudflare Workers** · **Fastly Compute@Edge** · **Vercel Edge** · **Netlify Edge** · **Lambda@Edge** · **CloudFront Functions** edge runtimes — all of it.
1 · What Is a Reverse Proxy — Five Core Roles
**A reverse proxy is a middle layer that prevents clients from reaching the backend directly.** It is "reverse" because it sits on the opposite side from a forward proxy (which sits with the client).
The five core roles:
- **Load balancing.** Distribute traffic across N instances of the same app. Round-robin, least-conn, IP hash, consistent hash algorithms.
- **TLS termination.** Decrypt HTTPS at the proxy and talk plain HTTP to the backend. Certificate management lives in one place.
- **Caching.** Store static files and HTTP responses in memory or on disk. Can cut backend load by 90%.
- **Auth / authorization.** OAuth, JWT verification, mTLS, IP allowlist. The app doesn't have to re-check on every request.
- **Rate limiting · WAF.** "Reject more than 100 req/s", "detect SQL injection patterns". The first line of defense.
Add **observability** — log every request, expose Prometheus metrics — and you have the 2026 picture. The reverse proxy is no longer just a router; it is an **L7 security gateway plus observability hub**.
2 · The Market Map — Eight Camps
The 2026 reverse proxy and edge market sorts into eight camps.
**1. nginx camp.** nginx 1.27 (F5 Networks), nginx Plus, freenginx (Maxim Dounin fork), OpenResty (nginx + Lua). Market leader, the oldest veteran.
**2. Caddy camp.** Caddy 2.8+ (Matt Holt). Automatic HTTPS, written in Go. FrankenPHP (Kévin Dunglas) embeds PHP into Caddy.
**3. Traefik camp.** Traefik 3.x (TraefikLabs). Docker · K8s native, dynamic config, plugins.
**4. HAProxy camp.** HAProxy 3.x (Willy Tarreau). L4/L7 load balancer, fastest TCP processing.
**5. Envoy camp.** Envoy Proxy 1.32 (CNCF, originally from Lyft). Data plane for Istio · Linkerd2 · Consul Connect. Envoy Gateway · Contour are K8s gateways.
**6. Rust newcomers.** Cloudflare Pingora (open-sourced 2024), Sozu, Hyper (a library). Memory safety and performance.
**7. Edge serverless.** Cloudflare Workers · Fastly Compute@Edge · Vercel Edge · Netlify Edge Functions · Lambda@Edge · CloudFront Functions · Akamai EdgeWorkers.
**8. K8s Ingress.** NGINX Ingress, Traefik Ingress, Contour, Istio Gateway, Kong Ingress, HAProxy Ingress, Cilium Gateway API, the Gateway API standard.
On top of these, **CDN-integrated LBs** (Cloudflare Load Balancer, AWS CloudFront, Akamai, Fastly, Azure Front Door, Google Cloud CDN) form a separate layer.
Memorizing the camps speeds up decision-making. **Traditional static site → nginx, small team wanting auto-TLS → Caddy, K8s native → Traefik · Envoy, ultra-fast L4 → HAProxy, global edge → Cloudflare Workers** is the default mapping.
3 · nginx 1.27 — The Veteran, Post-F5 Acquisition
nginx is the first-generation reverse proxy, created by Igor Sysoev in 2004.
**History.**
- **2004**: Igor Sysoev releases nginx 0.1 for Rambler.
- **2011**: Nginx, Inc. founded. Plus (paid) released.
- **2019**: F5 Networks acquires for 670M USD.
- **2024**: Maxim Dounin (longtime core developer) forks the project as **freenginx**, protesting F5's CVE-handling policy. Community splits.
- **2025–2026**: nginx 1.27 mainline and freenginx 1.27 develop in parallel.
**Strengths.**
- **Overwhelming market share** — roughly 30% of all websites use nginx in 2026 (it passed Apache years ago).
- **Modular architecture** — async event loop, N worker processes.
- **Rich module ecosystem** — HTTP, mail, stream (TCP/UDP), gRPC, HTTP/3 QUIC (1.25+).
- **Massive docs and tutorial corpus** — almost nothing you can't find a guide for.
**Configuration example.**
upstream backend {
least_conn;
server app1.internal:3000 weight=3;
server app2.internal:3000 weight=2;
server app3.internal:3000 backup;
}
server {
listen 443 ssl http2;
listen 443 quic reuseport;
server_name example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
location / {
proxy_pass http://backend;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_http_version 1.1;
}
location /static/ {
alias /var/www/static/;
expires 1y;
}
}
**Weaknesses.** Dynamic configuration is weak — you edit the config file and run `nginx -s reload`. Only Plus (paid) has a truly dynamic API. Modules are decided at build time — dynamic modules (.so) exist but are limited.
4 · freenginx — Maxim Dounin's Community Fork
In February 2024, longtime nginx core developer **Maxim Dounin** protested F5's security-patch policy and started a fork named **freenginx**.
**The core argument.** "F5 has moved to silently patching without issuing CVEs, which violates the security-transparency expectations of open source. The project should return to genuine open governance."
**Status (May 2026).**
- freenginx 1.27 mainline is active.
- Dozens of community patches merged.
- Some users (especially security-sensitive shops) have migrated.
- Market share is still dominated by nginx mainline — freenginx is around 1–2%.
**Choosing.**
- Existing nginx users → little difference, stay on nginx mainline.
- Care about security transparency or dislike F5 governance → freenginx.
- Need enterprise support → nginx Plus (F5).
The fork is a case study in how open-source governance can fracture. Same pattern as Redis-Valkey, Terraform-OpenTofu, Elasticsearch-OpenSearch.
5 · Caddy 2.8 — The Automatic HTTPS Revolution
**Caddy** is a Go-based web server started by Matt Holt in 2015. As of May 2026, it's at 2.8.x.
**1.x era (2015–2018).** The selling point: "one config line and you get automatic HTTPS". Single-binary deployment.
**2.x (2019–2026).** Complete rewrite. Modular architecture, JSON-based config, plugin system, REST API.
**Strengths.**
- **Automatic HTTPS** — Let's Encrypt and ZeroSSL integrated. Type your domain, the certificate just appears and renews.
- **Single binary** — Go-built, static binary with no dependencies.
- **Modular** — DNS providers, storage backends, middleware all as plugins.
- **REST API** — configuration can be changed at runtime.
- **HTTP/3 by default** — QUIC turns on with no extra config.
**Caddyfile example.**
example.com {
reverse_proxy app1.internal:3000 app2.internal:3000 {
lb_policy least_conn
health_uri /health
health_interval 10s
}
handle_path /static/* {
root * /var/www/static
file_server
}
encode gzip zstd
log {
output file /var/log/caddy/access.log
}
}
That single block gives you Let's Encrypt certs, HTTP/3, load balancing, health checks, compression, and logging. In nginx it would take 50+ lines.
**Weaknesses.** Performance is slightly below nginx and HAProxy (10–20%). Go GC overhead exists, and the operational maturity in edge cases isn't quite at nginx's level. Still, the **development velocity and operational ergonomics dominate**, which is why small teams pick Caddy.
6 · Traefik 3 — Docker · K8s Native
**Traefik** is a Go-based proxy launched by Containous (now TraefikLabs) in 2015. As of May 2026, it's at v3.x.
**Core idea: automatic configuration.** Attach labels to a Docker container or define a K8s Ingress / CRD, and Traefik figures out the routing on its own. You almost never write a static config.
**What's new in v3 (2024).**
- Plugin system stabilized (Yaegi Go interpreter).
- HTTP/3 GA.
- Gateway API support (the K8s Ingress successor).
- Better gRPC, TCP/UDP routing.
- OpenTelemetry traces integrated.
**Docker label example.**
services:
app:
image: myapp:latest
labels:
- "traefik.enable=true"
- "traefik.http.routers.app.rule=Host(`example.com`)"
- "traefik.http.routers.app.tls=true"
- "traefik.http.routers.app.tls.certresolver=letsencrypt"
- "traefik.http.services.app.loadbalancer.server.port=3000"
Just these labels and Traefik routes traffic and issues a certificate. **On K8s the IngressRoute CRD** plays the same role.
**Strengths.** Unmatched ergonomics for Docker · K8s, a real-time dashboard, automatic ACME with DNS challenge support.
**Weaknesses.** Raw performance is below nginx · HAProxy. Memory usage is higher. The appeal shrinks in traditional, non-container environments.
7 · HAProxy 3.x — The Fastest L4/L7 Load Balancer
**HAProxy** is a C-based load balancer started by Willy Tarreau in 2001. As of May 2026, it's at 3.x.
**Philosophy: do one thing really well — load balancing.** It's a pure proxy, not an HTTP server. It will not serve static files, will not run PHP. It terminates TLS and routes.
**Strengths.**
- **L4 (TCP) is dominantly fast** — a single node handles a million connections per second.
- **L7 (HTTP) matches nginx** — header-based routing, ACLs, sticky sessions.
- **Observability is first-class** — built-in stats page, Prometheus exporter.
- **HTTP/2, HTTP/3, gRPC supported** (2.6+, 3.x).
- **Rich LB algorithms** — roundrobin, leastconn, source, uri, url_param, hdr, random, first.
**Configuration example.**
frontend https
bind *:443 ssl crt /etc/haproxy/certs/example.pem alpn h2,http/1.1
bind quic4@:443 ssl crt /etc/haproxy/certs/example.pem alpn h3
default_backend app_pool
backend app_pool
balance leastconn
option httpchk GET /health
server app1 10.0.1.10:3000 check inter 2s
server app2 10.0.1.11:3000 check inter 2s
server app3 10.0.1.12:3000 check inter 2s backup
**Weaknesses.** No static file serving, no direct PHP/FastCGI, no full-stack web server features — the common pattern when you need them is to pair HAProxy in front with nginx behind.
**Who uses it.** GitHub, Stack Overflow, Reddit, Twitter (X), Tumblr — many high-traffic sites.
8 · Envoy Proxy 1.32 — The Service Mesh Data Plane
**Envoy** is a C++ proxy created at Lyft in 2016, donated to CNCF in 2017. As of May 2026, it's at 1.32.
**Philosophy: be the data plane of the service mesh.** Not just a load balancer — it's designed to handle **every aspect of inter-service microservice communication**.
**Core features.**
- **xDS API** — dynamic configuration (LDS · CDS · RDS · EDS). The control plane pushes updates and Envoy applies them immediately.
- **gRPC first-class** — gRPC load balancing, transcoding (REST↔gRPC).
- **Observability** — detailed metrics, distributed tracing (Jaeger, Zipkin, OpenTelemetry).
- **Circuit breakers, retries, outlier detection** — microservice resiliency patterns built in.
- **HTTP/3, mTLS, gRPC-Web, WebSocket** all supported.
**Who uses Envoy.**
- **Istio** — K8s service mesh. Envoy sidecar on every Pod.
- **Linkerd 2** — uses its own Rust proxy (linkerd2-proxy) for the dataplane but Envoy in some components.
- **Consul Connect** — HashiCorp service mesh.
- **Envoy Gateway** — K8s Gateway API implementation.
- **Contour** — VMware Tanzu (now Broadcom) K8s ingress.
- **AWS App Mesh** — Envoy-based.
**Weakness.** Configuration is complex. Hand-written YAML or JSON often runs into hundreds of lines. So in practice you drive it through a **control plane** like Istio or Envoy Gateway.
9 · OpenResty — Lua Full Stack on nginx
**OpenResty** is an nginx distribution that Yichun Zhang has been building since 2011.
**Core idea.** Embed LuaJIT into nginx so you can **run Lua code on every request**. nginx's async event loop pairs naturally with Lua coroutines for non-blocking logic.
**Example.**
location /api/auth {
access_by_lua_block {
local jwt = require "resty.jwt"
local token = ngx.var.http_authorization
local jwt_obj = jwt:verify("secret-key", token)
if not jwt_obj.verified then
ngx.status = 401
ngx.say("Unauthorized")
return ngx.exit(401)
end
ngx.req.set_header("X-User-Id", jwt_obj.payload.user_id)
}
proxy_pass http://backend;
}
**Famous projects built on OpenResty.**
- **Kong API Gateway** — OpenResty-based (some components moving to Go).
- **APISIX** (Apache) — OpenResty-based API gateway.
- **3scale** (Red Hat).
- **Some Cloudflare edge logic** — until they migrated to Pingora in 2024.
**Strengths.** nginx's performance plus Lua's dynamic logic. You can build auth, transformation, routing, and A/B test middleware quickly.
**Weaknesses.** Lua learning curve, harder debugging, and the monolithic nginx build makes adding modules awkward.
10 · Cloudflare Pingora — The Rust Rewrite Ambition
**Pingora** is the Rust-based proxy framework Cloudflare built for its own edge. **Open-sourced in February 2024**, it drew massive attention.
**Why they built it.** Cloudflare originally ran nginx at the edge. But:
- The multi-process model meant connections couldn't be shared across workers.
- C-based codebases keep generating memory-safety CVEs.
- Adding custom logic required Lua and C modules to work around limits.
Cloudflare decided **a Rust rewrite from scratch was better**, and Pingora is the result.
**Specs (May 2026).**
- **Language**: Rust (safety + performance).
- **Model**: multi-threaded work-stealing (Tokio).
- **Traffic**: Cloudflare serves **over a trillion requests per day** through Pingora.
- **CPU/memory**: about 70% CPU and 67% memory of an equivalent nginx setup.
- **HTTP/3, gRPC, WebSocket** supported.
**Open source = a framework.** Pingora ships as crates. Unlike nginx ("write config and run"), you have to **build your own proxy in Rust** on top of it.
**Who uses it (2026).**
- Cloudflare itself.
- OSS projects built on Pingora: River (in development), pingora-load-balancing examples.
- Several large companies experimenting on their own edges.
**Weakness.** It's not a drop-in solution — you need Rust engineers. The learning curve is steep, so it's a poor fit for small teams.
11 · FrankenPHP — PHP Runtime Inside Caddy
**FrankenPHP** is a project started in 2022 by Kévin Dunglas (Symfony core, API Platform founder). As of May 2026, it's a stable 1.x.
**Core idea.** Get rid of PHP-FPM. **Embed the PHP interpreter directly into Caddy (Go)**. PHP runs inside a long-running process.
**Problems with classic PHP-FPM.**
- Every request spawns a fresh PHP process (Opcache helps, but only so much).
- Many hops: nginx → FastCGI → PHP-FPM → back to nginx.
- Tuning the worker pool is painful.
**FrankenPHP's answer.**
- PHP runs inside the long-running Caddy process.
- HTTP/2, HTTP/3, WebSocket out of the box.
- **Worker mode** — keep Laravel · Symfony · Drupal long-running like Octane.
- **Early hints** (HTTP 103) supported.
- Static binary — a single file with PHP and the web server.
**Benchmarks.** On a Symfony demo app, **3.5x RPS** versus PHP-FPM and a 75% latency reduction.
**Adoption.**
- API Platform official integration.
- A worker option in Laravel Octane.
- One of the officially recommended options in the Symfony docs.
FrankenPHP is one of the reasons PHP saw renewed attention in 2025–2026. It changed the perception that PHP is a "slow language".
12 · Sozu and Other Rust Proxies
As Rust became the next default for systems programming, several reverse proxies appeared.
**Sozu** — an HTTP reverse proxy built by CleverCloud. Its core feature is **hot reload** — zero downtime for config changes. AGPL license is somewhat controversial.
**Hyper** — Rust's most famous HTTP library. Not a proxy itself, but the foundation many Rust proxies build on.
**Linkerd2-proxy** — the Rust proxy Linkerd 2 uses as its sidecar. Small and fast.
**River** — an OSS proxy being built on top of Pingora (in development).
**Others.** Tonic (gRPC), Tower (middleware abstractions), Hudsucker (MITM proxy).
**Bun's built-in server** — Node-camp, but worth mentioning. Bun.serve() exposes a fetch-API-based HTTP server that is 5–10x faster than Express / Node http. Fast enough that small microservices can be exposed directly without nginx in front.
13 · K8s Ingress Controllers — Seven Options
To take external traffic into Kubernetes you need an **Ingress controller**. There are many options in 2026.
**1. NGINX Ingress Controller** — one of the official K8s controllers. nginx-based. Most widely deployed. Configured via ConfigMap plus annotations.
**2. NGINX Ingress (F5 commercial)** — a different controller. nginx Plus-based, dynamic config. F5 maintained.
**3. Traefik Ingress** — Traefik as the controller. The IngressRoute CRD is the draw.
**4. Contour** — Envoy-based, by VMware (Broadcom). HTTPProxy CRD.
**5. Istio Gateway** — Envoy-based, with the Istio control plane. The natural pick when you already run a service mesh.
**6. Kong Ingress** — the Kong API gateway as a controller. OpenResty-based.
**7. HAProxy Ingress** — HAProxy as a controller. Strong at L4.
**8. Cilium Gateway API** — eBPF-based data plane. Attractive when Cilium is your CNI.
How to choose:
- Simple start → NGINX Ingress (CNCF graduated, the most material online).
- Service mesh integration → Istio Gateway.
- Dynamic config and plugins → Traefik.
- API gateway features → Kong.
14 · Gateway API — The Successor to Ingress
**Ingress**, introduced in K8s 1.1 in 2015, was the first L7 routing API. After ten years its limits became obvious.
**Problems with Ingress.**
- Too simple — hosts and paths only, no header or method routing.
- Annotations differ across controllers — nginx, traefik, contour, kong all have their own dialect.
- No TCP/UDP routing.
- No separation of concerns — infra and app teams can't split ownership.
**Gateway API** (SIG Network) addresses all of this. It went GA in 2023; v1.2 as of May 2026.
**Core resources.**
- **GatewayClass** — which implementation to use (owned by infra).
- **Gateway** — the actual LB / entry point (created by infra).
- **HTTPRoute, TCPRoute, UDPRoute, TLSRoute, GRPCRoute** — routing rules (created by app teams).
- **ReferenceGrant** — cross-namespace reference permissions.
**HTTPRoute example.**
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: app-route
spec:
parentRefs:
- name: my-gateway
hostnames:
- "example.com"
rules:
- matches:
- path:
type: PathPrefix
value: /api/v1
headers:
- name: X-API-Version
value: "1"
backendRefs:
- name: app-v1
port: 80
weight: 80
- name: app-v1-canary
port: 80
weight: 20
**Implementations (2026).** Istio, Envoy Gateway, Contour, Kong, Traefik, NGINX Gateway Fabric, Cilium Gateway API. **Ingress isn't deprecated, but new projects should go with Gateway API.**
15 · TLS · mTLS · ACME — The Certificate Ecosystem
Once **HTTPS became the default** (post the 2018 Chrome "Not Secure" campaign), the biggest single responsibility of a reverse proxy became TLS certificate management.
**The ACME protocol.** A standard for automated certificate issuance created by Let's Encrypt. HTTP-01, DNS-01, TLS-ALPN-01 challenges.
**Free CAs (2026).**
- **Let's Encrypt** — the most widely used free CA. 60-day certs.
- **ZeroSSL** — 90-day or 1-year (account signup required). Caddy tries Let's Encrypt and ZeroSSL by default.
- **Google Trust Services** — free ACME issuance since 2024.
**Cert automation tools.**
- **Certbot** — Let's Encrypt's official client. Renews via systemd timer.
- **acme.sh** — bash-based ACME client. The lightest option.
- **cert-manager** — automation on K8s via Issuer · Certificate CRDs. The de facto standard.
- **lego** — Go-based, embedded in Traefik.
**ACME integration by proxy.**
- Caddy — built in, no extra tool needed.
- Traefik — built in.
- nginx — external Certbot · acme.sh.
- HAProxy — external Certbot · acme.sh.
- Envoy — cert-manager or external.
**mTLS (mutual TLS).** Clients also authenticate with certificates. The heart of zero-trust security models in service meshes (Istio, Linkerd).
**Private CAs.**
- **step-ca** (smallstep) — internal CA. Runs as an ACME server.
- **mkcert** (Filippo Valsorda) — self-signed CA for local development.
- **HashiCorp Vault PKI** — enterprise CA.
16 · HTTP/3 · QUIC — The New Standard over UDP
**HTTP/3** was standardized as RFC 9114 in 2022, and roughly 30% of global traffic is HTTP/3 by May 2026.
**Key differences.**
- **Transport = QUIC (over UDP)** — not TCP.
- **TLS 1.3 baked in** — 1-RTT handshake (vs. 3-RTT for TCP+TLS).
- **Head-of-line blocking solved** — overcomes the HTTP/2 limitation.
- **Connection migration** — a mobile device switching Wi-Fi to LTE keeps the connection.
**Proxy support (May 2026).**
- nginx 1.25+ — QUIC GA.
- Caddy 2.6+ — built in, zero config.
- HAProxy 2.6+ — quic binds.
- Envoy 1.27+ — HTTP/3 listener.
- Traefik 3.x — `experimental: http3: true`.
**Client support.** Chrome 87+, Firefox 88+, Safari 14+, curl 7.66+ (with a flag). Effectively every major browser uses HTTP/3.
**When to enable it.** For a global-facing site in 2026, just turn it on. Where UDP is blocked (some enterprise firewalls), the client falls back to HTTP/2 automatically, so there's almost no downside.
17 · Rate Limiting — Token Bucket · Sliding Window · Leaky Bucket
**Rate limiting** is a core security feature of any reverse proxy. Policies like "reject more than 100 req/s from one IP" block DoS, scraping, and brute-force attacks.
**Three algorithms.**
- **Token bucket.** Tokens refill at a fixed rate; each request consumes one. Allows bursts. nginx `limit_req`, HAProxy stick-table.
- **Sliding window.** Count requests in the last N seconds. Accurate but memory-heavy. Combine with Redis.
- **Leaky bucket.** Process at a fixed rate; queue or drop overflow. The default behavior of nginx `limit_req`.
**nginx example.**
http {
limit_req_zone $binary_remote_addr zone=api:10m rate=100r/s;
server {
location /api/ {
limit_req zone=api burst=200 nodelay;
proxy_pass http://backend;
}
}
}
**Distributed rate limiting.** To share counts across multiple proxy nodes you need external storage. Redis is the standard. The same is true on edges like Cloudflare Workers · Vercel · Lambda.
**At the API gateway layer.** Kong · Traefik · APISIX provide richer plugins for differentiated rate limits per IP, user, or API key.
18 · WAF — ModSecurity · Coraza · Cloud WAF
A **WAF (Web Application Firewall)** uses pattern matching to block L7 attacks like SQL injection, XSS, path traversal, and RCE.
**ModSecurity** — open-source WAF that started in 2002. Originally an Apache module, later expanded to nginx and IIS. The **OWASP Core Rule Set (CRS)** is the canonical ruleset. In 2024 Trustwave handed ModSecurity governance to OWASP, and the future is a little uncertain.
**Coraza** — a Go-written replacement for ModSecurity. Officially supported by OWASP and integrated with Caddy · Traefik · Envoy. **For new projects in 2026, Coraza is the recommendation.**
**Cloud WAFs (SaaS).**
- **Cloudflare WAF** — the largest global footprint, OWASP CRS plus ML rules.
- **AWS WAF** — integrated with CloudFront · ALB · API Gateway.
- **Azure WAF** — integrated with Front Door · App Gateway.
- **Google Cloud Armor** — integrated with Cloud Load Balancer.
- **Akamai Kona** — enterprise-only.
- **Imperva** — classic enterprise WAF.
**Korean WAFs.** AhnLab TrusGuard · WAPPLES · Penta Security Cloudbric. Financial-sector compliance drives strong domestic adoption.
19 · Cloudflare Workers — The Edge Serverless Champion
**Cloudflare Workers** is an edge serverless runtime launched in 2017.
**Specs.**
- **Runtime**: V8 isolates (each request runs in its own isolate, near-zero cold start).
- **Languages**: JavaScript, TypeScript, WebAssembly, (experimental) Python.
- **Global**: 330+ PoP cities.
- **Latency**: under 50ms to most users.
**Cloudflare's full stack (2026).**
- **Workers** — compute.
- **R2** — object storage (S3-compatible, free egress).
- **D1** — distributed SQLite-based database.
- **KV** — global key-value store.
- **Durable Objects** — single-instance stateful objects.
- **Queues** — message queue.
- **Hyperdrive** — cache layer for external Postgres.
- **Cloudflare Tunnel (cloudflared)** — expose internal servers via the edge without revealing your IP.
**Workers example.**
export default {
async fetch(request: Request, env: Env) {
const url = new URL(request.url)
if (url.pathname === '/api/hello') {
return Response.json({ greeting: 'hello world', region: request.cf.colo })
}
return fetch(request)
},
}
**Why it dominates.** Workers has become the standard for edge compute. Vercel · Netlify have similar models, but Cloudflare's scale and pricing leadership are overwhelming.
20 · Vercel · Netlify · Fastly · AWS · Azure Edge Comparison
**Vercel Edge Functions / Middleware.** Built on top of Cloudflare Workers (Vercel's actual infrastructure). Deep integration with Next.js · SvelteKit · Astro. The Edge Runtime is V8 isolates.
**Netlify Edge Functions.** Deno-runtime-based, running on **Deno Deploy** infrastructure. Supports both JSR and npm.
**Fastly Compute@Edge.** **WebAssembly-based** — write code in Rust, AssemblyScript, or Go (JS). Cold starts under 0.1ms. Strong security isolation.
**AWS Lambda@Edge.** Lambda integrated with CloudFront. Node.js, Python. Cold starts 100–500ms (slow relative to other edges).
**CloudFront Functions.** A lighter version of Lambda@Edge. Sub-millisecond execution, JS only. URL rewrites, header manipulation, and other simple work.
**Akamai EdgeWorkers.** JavaScript runtime, 300+ PoPs. Enterprise pricing.
**Azure Front Door** + **Azure CDN** + **Azure Static Web Apps**.
**Google Cloud CDN** + **Cloud Load Balancer** + **Cloud Run** (not strictly edge).
Comparison matrix:
| Platform | Runtime | Cold Start | Price per 1M req |
| --- | --- | --- | --- |
| Cloudflare Workers | V8 isolate | ~0ms | 0.30 USD |
| Vercel Edge | V8 isolate | ~0ms | 0.65 USD |
| Netlify Edge | Deno | ~5ms | 2.00 USD |
| Fastly Compute | WASM | ~0.1ms | 1.00 USD |
| Lambda@Edge | Node/Python | 100~500ms | 0.60 USD |
| CloudFront Func | JS | ~1ms | 0.10 USD |
**Choosing.** Next.js → Vercel. Full-stack edge data → Cloudflare. AWS lock-in → CloudFront Functions. Strong WASM isolation → Fastly.
21 · Dev Tunnels — Cloudflare Tunnel · ngrok · Tailscale Funnel · Pinggy
Exposing a server on your laptop to the internet requires a **tunneling tool**.
**Cloudflare Tunnel (cloudflared).** A free tunnel operated by Cloudflare. Run the cloudflared daemon locally and map a domain. Your IP stays hidden. Stable enough for production.
**ngrok.** The oldest tunnel SaaS. Free plan gives random subdomains; paid plans give fixed ones. 1GB/month free. The standard for demos and webhook testing.
**Tailscale Funnel.** A newer Tailscale feature. Expose a node inside your tailnet to the internet. Free if you already use Tailscale.
**Pinggy** — an India-based startup, an ngrok alternative. SSH-one-liner tunneling.
**localtunnel · serveo** — free open-source alternatives, less reliable.
**Use cases.**
- Demoing a local dev server → ngrok · cloudflared.
- Webhook testing (Stripe, GitHub, Slack) → ngrok is the standard.
- Exposing internal systems → Cloudflare Tunnel (production-grade).
- Quick SSH access → Tailscale Funnel.
22 · API Gateways — The Adjacent Category
**API gateways** are the layer above reverse proxies — L7 routing plus auth, rate limiting, transformation, and analytics. Major options in 2026:
**Kong Gateway.** OpenResty-based (some pieces migrating to Go). The biggest plugin ecosystem. OSS free, Enterprise paid.
**Tyk.** Go-based, open source. A Kong competitor.
**KrakenD.** Go-based, declarative config, extremely fast. Strong at response aggregation.
**APISIX (Apache).** OpenResty-based, an OSS alternative to Kong. etcd-backed.
**Express Gateway.** Node.js-based, for small teams.
**Gravitee · WSO2.** Enterprise, API management plus gateway.
**Cloud-native.** AWS API Gateway, Azure API Management, Google Cloud API Gateway, GCP Apigee.
**Reverse proxy vs API gateway.** The line is blurry. Traefik · Envoy can do both. Kong · Tyk lean into API gateway territory. The real difference is whether you get **developer portals, billing, and analytics** on top of plain routing.
23 · Observability — Prometheus · OpenTelemetry · Access Logs
The reverse proxy is **where all traffic passes**, making it the prime observability spot.
**Metrics (Prometheus).**
- **nginx** — external nginx-prometheus-exporter; Plus has it built in.
- **Caddy** — built-in `/metrics` endpoint.
- **Traefik** — built in.
- **HAProxy** — built in, or haproxy_exporter.
- **Envoy** — built in, statsd and Prometheus.
**Key metrics.**
- requests per second
- latency p50, p95, p99
- error rate (5xx, 4xx)
- upstream health (active connections, queued, failed)
- TLS handshake duration
**Traces (OpenTelemetry).** Envoy · Traefik have OTel built in. nginx has the nginx-otel module (1.24+). Distributed tracing is the standard for debugging microservices.
**Access logs.** Log every request as JSON. Analyze in ELK · Loki · Grafana. Access logs are also essential for post-incident forensics.
24 · Korea–Japan Adoption — Cloud LBs and WAFs
**Korea.**
- **NAVER Cloud Load Balancer** — ALB · NLB · CLB lineup. Envoy- and nginx-based.
- **Kakao Cloud Load Balancer** — similar lineup.
- **NHN Cloud Load Balancer** — used by Toss Payments and other fintechs.
- **AhnLab TrusGuard WAF · WAPPLES · Penta Security Cloudbric** — the de facto standard for financial-sector WAF.
- **NAVER · Kakao · Coupang in-house edge** — nginx, OpenResty, and Envoy combinations internally.
**Japan.**
- **NTT Communications Smart Data Platform** — LB and CDN.
- **SAKURA Internet** — VPS and cloud LB.
- **IIJ GIO** — enterprise cloud LB.
- **ConoHa** — individuals and SMBs.
- **AWS Tokyo · Osaka regions** — about 80% of Japanese enterprises use AWS, with CloudFront + ALB as the default.
- **Mercari · LINE · Rakuten in-house edge** — Envoy- and Istio-based service mesh.
**Regulation.** Korea has K-ISMS, Japan has ISMS-AC and PCI-DSS. Both demand WAF, TLS 1.2+, and access-log retention of at least a year.
25 · Decision Matrix — Which Proxy to Pick
**Recommendations by situation.**
- **Single machine, small team, PHP or static site** → nginx or Caddy. Caddy is easier.
- **Docker · K8s, automation-first** → Traefik or NGINX Ingress.
- **Microservices plus service mesh** → Envoy (via Istio or Envoy Gateway).
- **Ultra-fast L4 (DB proxy, TCP routing)** → HAProxy or Envoy.
- **PHP full stack (Laravel, Symfony)** → FrankenPHP.
- **Global edge compute** → Cloudflare Workers + R2.
- **AWS lock-in edge** → CloudFront + Lambda@Edge.
- **Next.js · SvelteKit full stack** → Vercel Edge.
- **Exposing internal systems externally** → Cloudflare Tunnel.
- **API gateway (developer portal, billing)** → Kong or Apigee.
- **Legacy nginx stability** → freenginx or nginx mainline.
- **Rust engineers in-house, custom ultra-performance** → Pingora.
**Anti-patterns.**
- "Caddy has auto-HTTPS so it's strictly better than nginx" — nginx still leads on raw performance and the module ecosystem.
- "Envoy is the most powerful, so use Envoy everywhere" — configuration complexity overwhelms small teams.
- "Just use Cloudflare Workers and infra is done" — lock-in, debugging difficulty, and pricing surprises at scale.
26 · References — Official Docs and Quality Writeups
- [nginx official docs](https://nginx.org/en/docs/)
- [freenginx](https://freenginx.org/)
- [Caddy official docs](https://caddyserver.com/docs/)
- [Traefik official docs](https://doc.traefik.io/traefik/)
- [HAProxy official docs](https://www.haproxy.com/documentation/)
- [Envoy Proxy official docs](https://www.envoyproxy.io/docs)
- [OpenResty official](https://openresty.org/en/)
- [Cloudflare Pingora announcement (2024)](https://blog.cloudflare.com/pingora-open-source/)
- [FrankenPHP official](https://frankenphp.dev/)
- [Sozu official](https://www.sozu.io/)
- [Kubernetes Gateway API](https://gateway-api.sigs.k8s.io/)
- [NGINX Ingress Controller](https://kubernetes.github.io/ingress-nginx/)
- [Istio official](https://istio.io/)
- [Linkerd official](https://linkerd.io/)
- [Let's Encrypt](https://letsencrypt.org/)
- [cert-manager](https://cert-manager.io/)
- [step-ca (smallstep)](https://smallstep.com/docs/step-ca/)
- [OWASP ModSecurity Core Rule Set](https://coreruleset.org/)
- [Coraza WAF](https://coraza.io/)
- [HTTP/3 RFC 9114](https://www.rfc-editor.org/rfc/rfc9114.html)
- [Cloudflare Workers official](https://workers.cloudflare.com/)
- [Fastly Compute@Edge](https://www.fastly.com/products/edge-compute)
- [Vercel Edge Functions](https://vercel.com/docs/functions/runtimes/edge)
- [Netlify Edge Functions](https://docs.netlify.com/edge-functions/overview/)
- [AWS Lambda@Edge official](https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/lambda-at-the-edge.html)
- [Kong Gateway official](https://docs.konghq.com/)
- [Apache APISIX](https://apisix.apache.org/)
- [Tailscale Funnel](https://tailscale.com/kb/1223/funnel)
- [ngrok](https://ngrok.com/docs)
현재 단락 (1/479)
The first question a junior backend engineer asks in 2026: "Can't I just run Node.js on port 3000? W...