Skip to content

Core Architectural Decision: Reverse Proxy vs Application-Layer Gateway

Executive Summary

This document discusses two potential architectures that were considered during the design phase of this solution: a reverse proxy architecture and an alternative tools gateway architecture. We analyze both approaches from multiple perspectives: performance, security, long-term maintainability, scaling, and operational complexity, and explain why the reverse proxy approach was selected.

The reverse proxy approach provides better performance, protocol independence, and allows continued Python development while leveraging Nginx for message routing. The tools gateway approach offers better developer experience and enterprise integration but requires Go/Rust implementation for enterprise performance requirements.

These recommendations are not universal but represent the architectural choices we made while building this system.

Architecture Overview

Reverse Proxy Pattern (Current)

AI Agent/Coding Assistant
           |
           | Multiple Endpoints
           v
    ┌─────────────────┐
    │  Nginx Gateway  │
    │  /fininfo/      │ ──auth_request──> Auth Server
    │  /mcpgw/        │                        │
    │  /currenttime/  │ <──auth_headers───────┘
    └─────────────────┘
           │ │ │
           │ │ └─── localhost:8003 (currenttime)
           │ └───── localhost:8002 (mcpgw)
           └─────── localhost:8001 (fininfo)
                        v
                Individual MCP Servers

Key Characteristics:

  • Path-based routing (/fininfo/, /mcpgw/, etc.)
  • Nginx handles auth validation and proxying
  • Direct streaming connections to backend servers
  • Protocol-agnostic (HTTP, WebSocket, SSE, etc.)

Tools Gateway Pattern (Alternative)

AI Agent/Coding Assistant
           |
           | Single Endpoint
           v
    ┌─────────────────┐
    │  Tools Gateway  │ ──auth_request──> Auth Server
    │     /mcp        │                        │
    │  (aggregates    │ <──auth_headers───────┘
    │   all tools)    │
    └─────────────────┘
           | Tool routing logic
           v
    ┌─────────────────┐
    │ MCP Client Pool │
    │  fininfo_*      │ ──> localhost:8001 (fininfo)
    │  mcpgw_*        │ ──> localhost:8002 (mcpgw)
    │  currenttime_*  │ ──> localhost:8003 (currenttime)
    └─────────────────┘

Key Characteristics:

  • Single endpoint with tool aggregation
  • Gateway implements MCP protocol parsing
  • Connection termination and re-establishment
  • Tool name prefixing for disambiguation

Architectural Comparison

Performance

Aspect Reverse Proxy (Current) Tools Gateway Preferable Approach
Latency Direct proxy routing = minimal overhead (~1-2ms) Additional hop through gateway logic (~5-10ms minimum) Reverse Proxy
Throughput Each connection directly streams to target server Gateway becomes bottleneck for all tool calls Reverse Proxy
Network Efficiency Client maintains persistent connections to specific servers Gateway must proxy all request/response payloads Reverse Proxy
CPU Usage Nginx handles routing, minimal Python involvement Gateway must parse, route, and proxy every MCP message Reverse Proxy
Memory Low gateway memory usage, servers handle their own state Gateway must buffer requests/responses, maintain backend connections Reverse Proxy
Protocol Independence Nginx passes through any protocol - not MCP-specific Gateway must understand MCP protocol specifics Reverse Proxy
Implementation Language Python suitable due to Nginx handling message routing Requires Go/Rust for enterprise performance requirements Reverse Proxy
Implementation Complexity Nginx handles protocol details, minimal state management needed Requires elaborate state management, protocol awareness, connection lifecycle management Reverse Proxy

Security

Aspect Reverse Proxy (Current) Tools Gateway Preferable Approach
Authentication Nginx auth_request pattern = proven, battle-tested Gateway must implement auth validation Equivalent
Authorization Fine-grained scope validation per server/tool before routing Can implement same fine-grained scopes Equivalent
Audit Trail Complete Nginx access logs + auth server logs + IdP logs Gateway logs all tool calls Equivalent
Attack Surface Direct server access blocked, only authenticated routes exposed Single endpoint, easier to monitor but single point of failure Equivalent
Token Validation Centralized in auth server, cached for performance Must implement JWT/session validation Equivalent

Maintainability

Aspect Reverse Proxy (Current) Tools Gateway Preferable Approach
Service Registration & Configuration Dynamic Nginx config generation and reload for new servers Dynamic tool registration without infrastructure changes Tools Gateway
Debugging Multi-component debugging (Nginx + auth server + target server) Centralized logging and error handling Tools Gateway
Transport Support Must handle SSE/HTTP variations per server Must implement transport variations in gateway code Equivalent
Error Handling Error propagation through multiple layers Must implement error translation from backends Equivalent

Scaling

Aspect Reverse Proxy (Current) Tools Gateway Preferable Approach
Horizontal Scaling Can load balance multiple gateway instances easily Gateway must maintain backend connection pools Reverse Proxy
Backend Scaling Each MCP server scales independently Gateway must implement backend load balancing Reverse Proxy
Resource Isolation Both handle backend failures via health checks, but Nginx transparently proxies data plane traffic end-to-end Gateway must maintain both data plane MCP connections AND separate health checks to backends Reverse Proxy
Connection Pooling Direct client connections to needed servers only Gateway must manage M×N connection pools Reverse Proxy
Geographic Distribution Can proxy to servers in different regions Complex backend routing required Reverse Proxy
Protocol Extensibility Same architecture works for Agent-to-Agent (A2A) or other protocols MCP-specific implementation limits future protocol support Reverse Proxy

Operational Complexity

Aspect Reverse Proxy (Current) Tools Gateway Preferable Approach
Monitoring Must monitor Nginx + auth server + N backend servers Monitor gateway + auth server + N backend servers (simpler) Tools Gateway
Service Discovery Complex Nginx config regeneration Dynamic tool registration Tools Gateway
Health Checking Health status triggers Nginx config regeneration and reload Gateway makes runtime routing decisions based on health Equivalent
Certificate Management Single domain cert for gateway endpoint Only gateway needs external certs Equivalent
Log Aggregation Focused logs per component (Nginx, auth, individual MCP servers) All tool calls centralized in gateway logs Equivalent

Enterprise Integration & User Experience

Aspect Reverse Proxy (Current) Tools Gateway Preferable Approach
Client Configuration & Mental Model Must configure N server endpoints, understand Nginx routing + auth + backend servers Single endpoint configuration, simple "one gateway, many tools" concept Tools Gateway
Network Policies Must allowlist N different paths Single path to allowlist Tools Gateway
Change Management Adding new server requires client reconfiguration New tools appear automatically via discovery Tools Gateway
Vendor Integration Each vendor needs separate endpoint configuration Vendors configure single endpoint Tools Gateway
Tool Discovery Discovery via Registry UI or MCPGW MCP server Automatic through tools/list call Equivalent
Error Messages May be confusing due to multiple layers Clearer, centralized error formatting Tools Gateway
Testing Must test each server endpoint individually Single endpoint for all testing Tools Gateway

Implementation Considerations

Protocol Independence Benefits

The reverse proxy architecture provides protocol independence:

  • Future Protocols: Can support Agent-to-Agent (A2A), custom protocols without gateway changes
  • Protocol Evolution: MCP protocol changes don't require gateway modifications
  • Mixed Environments: Can proxy HTTP, WebSocket, gRPC, or custom protocols simultaneously

Tools Gateway Implementation Challenges

A tools gateway requires:

  • Language Choice: Python insufficient for performance; requires Go/Rust implementation
  • MCP Client Library: Must embed full MCP client for backend communication and keep client updated with evolving MCP specification changes
  • Protocol Parsing: Must understand and parse all MCP message types
  • Connection Handling: Complex connection lifecycle management
  • Error Translation: Convert backend MCP errors to client-readable format

Conclusion

Both architectures have merits:

  • Reverse Proxy: Better performance, proven scalability, protocol independence, battle-tested Nginx foundation, allows Python implementation due to Nginx handling message routing
  • Tools Gateway: Better developer experience, easier enterprise adoption, simpler operations, requires Go/Rust implementation for enterprise performance requirements

The choice depends on organizational priorities:

  • Performance-first organizations (high-frequency trading, real-time systems): Stay with reverse proxy
  • Protocol-diverse environments (supporting A2A, custom protocols): Reverse proxy provides flexibility
  • Python-preferred development teams: Reverse proxy allows continued Python development while Nginx handles performance-critical routing
  • Developer experience-first organizations (internal tooling, enterprise IT): Consider tools gateway but must invest in Go/Rust development expertise
  • Hybrid organizations: Implement both patterns and let teams choose

The current implementation is production-ready and protocol-independent. The reverse proxy approach provides more architectural flexibility for future protocol support while allowing the team to continue developing in Python.