Wiki: NGINX Reverse Proxy Pattern
TL;DR
- traffic flows from gateway to environment proxy to sidecar to app
- the environment proxy only publishes to host loopback
- the sidecar is the only direct ingress to the app
- rootless networking changes how loopback is reached from the proxy layer
Working model
The pattern is intentionally layered:
- gateway handles public TLS and accepted hostnames
- environment proxy handles environment routing
- sidecar bridges into the app namespace
- app stays bound to local loopback only
Why I kept it
This is not the smallest possible setup, but it is easier to reason about than one giant proxy configuration.
Each layer has:
- its own logs
- its own health check
- its own failure mode
That makes the system slower to misunderstand when something breaks.
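The four layers written out as nginx server blocks, as an added example rather than the wiki's own configuration. The hostname, ports, certificate paths and the app's port are assumptions; each layer gets its own access_log and /healthz so the per-layer logs and health check described above are visible in the config.

```nginx
# Added example, not the wiki's own config. Hostname, ports and paths are assumed.

# Layer 1: gateway. Public TLS, accepted hostnames only.
# Unknown Host -> connection closed without a response (444).
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/tls/fullchain.pem;   # assumed path
    ssl_certificate_key /etc/nginx/tls/privkey.pem;     # assumed path
    return 444;
}
server {
    listen 443 ssl;
    server_name app.example.com;                        # assumed hostname
    ssl_certificate     /etc/nginx/tls/fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/privkey.pem;
    access_log /var/log/nginx/gateway.access.log;       # gateway's own log
    location /healthz { return 200 "gateway ok\n"; }    # gateway's own health check
    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8080;               # environment proxy, host loopback only
    }
}

# Layer 2: environment proxy. Routes per environment and is published on
# host loopback only, so nothing off-host can reach it directly.
server {
    listen 127.0.0.1:8080;
    access_log /var/log/nginx/envproxy.access.log;
    location /healthz { return 200 "envproxy ok\n"; }
    location / {
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:8081;               # this environment's sidecar, published by the runtime
    }
}

# Layer 3: sidecar, running inside the app's network namespace. With rootless
# networking the published port is forwarded into the namespace by the runtime's
# user-space network stack, so the sidecar listens on the namespace's interfaces
# rather than 127.0.0.1 (assumption; depends on the runtime in use).
server {
    listen 8081;
    access_log /var/log/nginx/sidecar.access.log;
    location /healthz { return 200 "sidecar ok\n"; }
    location / {
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:3000;               # Layer 4: the app, loopback only inside its namespace
    }
}
```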