API Gateways & Reverse Proxies

Routing, TLS, rate limiting, auth, and traffic shaping in front of your services.

A gateway or reverse proxy sits in front of one or more backend services and handles the cross-cutting concerns: TLS, routing, rate limiting, authn/z, transformations, observability.

Reverse proxies (lightest weight)

  • Caddy — single-binary; automatic HTTPS via Let's Encrypt out of the box; great DX. The default for new self-hosted setups.
  • Nginx — the incumbent; ubiquitous; lots of recipes for any scenario. OpenResty is Nginx + Lua scripting.
  • Traefik — Docker- / Kubernetes-native; auto-discovers services from labels; great for container-heavy stacks.
  • HAProxy — TCP- and L7-savvy; battle-tested for high-traffic load balancing.
  • Envoy — Lyft-built proxy underlying many service meshes; powerful, complex.

API gateways (more than just routing)

  • Kong — feature-rich, OSS + Enterprise; plugin ecosystem (auth, rate-limit, transforms, OIDC, caching). The default heavyweight pick.
  • Apache APISIX — modern alternative to Kong; etcd-backed config; lots of built-in plugins.
  • Tyk — OSS + paid; clean dashboard.
  • KrakenD — config-driven gateway; great when you're aggregating multiple backend APIs into a single client-facing surface.
  • Zuplo — TypeScript-first hosted gateway; programmable in JS, free tier.
  • Hookdeck — primarily for webhooks, but works as an event gateway too.

Cloud-provider native

  • Cloudflare — Workers + Cache API + Rate Limiting + WAF + Access (zero-trust auth) gives you a full gateway without a separate product. The default for new edge-first projects.
  • AWS API Gateway — REST, HTTP, and WebSocket APIs; AWS-native.
  • AWS App Runner / ALB — for fronting HTTP services that run in containers.
  • GCP API Gateway / Apigee — Apigee is the heavy enterprise choice.
  • Azure API Management — same niche on Azure.

"Frontend ingress" for Next.js / Remix / etc.

  • Vercel Edge Network — if you deploy on Vercel, this is your gateway.
  • Cloudflare Pages / Workers — same idea on Cloudflare.
  • Fly.io's Anycast network — global routing with regional VMs.

TLS / cert tooling

  • Let's Encrypt — free certs.
  • Caddy does ACME automatically.
  • certbot — Nginx / Apache classic.
  • acme.sh — POSIX-shell ACME client; tiny.
  • Cloudflare Origin Certs — free 15-year certs that only Cloudflare trusts, so they are valid only for the connection between Cloudflare and your origin.

When you need a gateway, when you don't

  • Don't need it (yet): one app, one language, hosted on Vercel / Cloudflare Pages / Fly. The platform's built-in routing is your gateway.
  • Do need it: multiple backend services, each with its own auth scheme; selling APIs as a product (key management, throttling per customer); enforcing request shape transformations across many backends; an internal team that operates the gateway separately.

Pick this if…

  • Self-host, one process, automatic HTTPS: Caddy.
  • Existing Nginx setup: stay; or move to Caddy when refactoring.
  • Container-heavy, auto-discovery: Traefik.
  • Selling APIs to customers: Kong or APISIX (OSS) or Zuplo (TS-friendly hosted).
  • All-Cloudflare: Workers + Cache API + Rate Limiting + Access.
  • Aggregating multiple backends: KrakenD or a custom Hono / Workers proxy.
