6

A typical configuration for deploying a WSGI application includes a WSGI server (such as uWSGI or Gunicorn) behind a general-purpose web server (like nginx) that acts as a reverse proxy. One major reason I know for having a reverse proxy is to serve static files efficiently. Are there any other reasons?

Suppose my application involves only Python code and doesn’t care about static content. Why would I want the reverse proxy in this case? uWSGI and Gunicorn each already provide an asynchronous HTTP server capable of interfacing with the clients.

Are there any practical cases where I would be better off exposing the WSGI HTTP server directly to the outside world?

Vasiliy Faronov
  • 215
  • 2
  • 5

2 Answers2

8

  • you have more config-options with a full-blown reverse - proxy like

    • rewrite
    • locations
    • server
    • https
    • header-cleanup
    • expires
    • gzip
    • ....

  • you can do loadbalancing

  • you can use proxy_cache
  • you can implement custom error-pages, even when your app-servers are down
  • you can have a WAF implemented
  • you can (sometimes) hotpatch against vulnerabilities

BONUSPOINT

  • you can impress clients with 100.000 requests/second (on average hardware) with the following setup (nginx):

.

location /perftest/ {
    return 200;
}
that guy from over there
  • 1,355
  • 10
  • 11
3

Additional Advantages to using a reverse proxy.

Other benefits can be gained that MAY be of benefit to you.

  • You can hide information from the internet (web server version, app server, database server, api)
  • You can implement multiple web server technologies behind one domain (Linux tomcat + Windows IIS etc)
  • You can terminate https/SSL connections and map them to internal http services.
  • You can centralise all logging.
  • You can centralise all DDOS prevention
  • You can Implement identity management from the web server tier.

Security Advantages

  • Internal server hiding as above.
  • You can router/firewall your internal app server servers, and database servers from the internet without resorting to software firewalls on the host (called a DMZ).
  • You can protect a server that is not immediatly fixable from known problems (web application firewall) or known attack patterns.
Andrew Russell
  • 133
  • 5