What happens when you type https://example.com into your browser and press Enter? In less than half a second, your browser resolves names, negotiates encrypted channels, fetches assets from edge storage locations, and routes through gateway layers to reach application code.
In this guide, we'll walk through the journey of a web request. We will examine the Domain Name System (DNS), HTTP/HTTPS protocols, TCP and TLS handshakes, Content Delivery Networks (CDNs), and the reverse proxies that manage traffic at the edge of production networks.
System Goal: Deliver pages with minimal latency, ensure communication is encrypted, and distribute traffic across backend hosts without exposing internal systems directly to the internet.
Phase 1: The Phonebook of the Web (DNS)
Computers communicate using IP addresses (like 192.0.2.1 or 2606:4700:3030::6815:180d), but humans prefer domains. The Domain Name System (DNS) resolves names into IP addresses.
When you look up a domain, your system executes a hierarchical lookup:
- Local Cache: The browser and OS check their local DNS cache. If not found, they query a Recursive Resolver (like your ISP or Cloudflare's `1.1.1.1`).
- Root Servers (`.`): The resolver queries a root nameserver, which directs it to the Top-Level Domain (TLD) server (like `.com` or `.org`).
- TLD Servers: The TLD server directs the resolver to the domain's Authoritative Nameserver.
- Authoritative Nameserver: This server holds the actual DNS records (e.g. `A`, `AAAA`, `CNAME`) and returns the destination IP address.
```
dinesh@devops ~ ❯ dig +nocmd +noquestion +nostats example.com A
example.com.    172800  IN  A   93.184.216.34
```
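The lookup chain above, as an added example that is not part of the original guide: a simulated recursive resolver that follows referrals from root to TLD to authoritative server and caches the answer for its TTL. The server names and delegation table are constructed for illustration; only the A record and TTL come from the `dig` output above. Real resolvers also cache referrals and negative answers, which this sketch omits.

```python
import time

# Constructed delegation data (not real server names). Each simulated server
# holds NS referrals for zones it delegates and A records it is authoritative for.
SERVERS = {
    "root-server": {"ns": {"com.": "com-tld-server"}, "a": {}},
    "com-tld-server": {"ns": {"example.com.": "example-auth-server"}, "a": {}},
    "example-auth-server": {"ns": {}, "a": {"example.com.": ("93.184.216.34", 172800)}},
}

def suffixes(name):
    """'www.example.com.' -> ['www.example.com.', 'example.com.', 'com.']"""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))]

class Resolver:
    """Answers from cache, otherwise walks root -> TLD -> authoritative."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock  # injectable so TTL expiry can be exercised
        self.cache = {}     # name -> (ip, expiry time)

    def resolve(self, name):
        """Return (ip, trace); trace lists every server asked, in order."""
        name = name.lower().rstrip(".") + "."
        hit = self.cache.get(name)
        if hit and hit[1] > self.clock():
            return hit[0], ["cache"]
        server, trace = "root-server", []
        for _ in range(8):  # bound the referral chain so bad data cannot loop forever
            trace.append(server)
            zone = SERVERS[server]
            if name in zone["a"]:  # authoritative answer: cache it for its TTL
                ip, ttl = zone["a"][name]
                self.cache[name] = (ip, self.clock() + ttl)
                return ip, trace
            # Longest matching delegation decides which server to ask next.
            referral = next((zone["ns"][s] for s in suffixes(name) if s in zone["ns"]), None)
            if referral is None:
                raise LookupError(f"{server} has no record or delegation for {name}")
            server = referral
        raise LookupError(f"too many referrals resolving {name}")
```
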
Phase 2: Connecting securely (TCP and TLS Handshakes)
Once your browser has the IP address, it establishes a TCP connection to the server on port 443 (for HTTPS) using the **TCP Three-Way Handshake**:
- SYN: Client sends a synchronize packet to the server.
- SYN-ACK: Server acknowledges and sends a synchronize-acknowledgment packet back.
- ACK: Client sends an acknowledgment packet. The TCP pipe is now open.
Next, because we requested a secure URL (https://), the connection negotiates encryption using the **TLS Handshake**:
- Client Hello: The browser shares its supported TLS version and cipher suites.
- Server Hello: The server selects the cipher suite and sends its SSL/TLS Certificate.
- Key Exchange & Verification: The client verifies the certificate against built-in certificate authorities, generates session keys, and establishes symmetric encryption.
Phase 3: The Edge Layer (Content Delivery Networks)
In modern setups, requests rarely hit the origin server immediately. Instead, they hit a **Content Delivery Network (CDN)** at the network edge.
A CDN consists of geographically distributed proxy servers (Points of Presence, or PoPs). When a request arrives, Anycast routing automatically routes it to the closest PoP:
- Static Assets: If the requested asset (images, CSS, JS) is cached at the edge, the CDN returns it immediately, reducing latency from 200ms to 15ms.
- Dynamic Routing: If the request requires server-side processing, the CDN forwards it over optimized routing pathways to the origin server.
Phase 4: The Gatekeeper (Reverse Proxies & Load Balancers)
Once a request reaches the origin infrastructure, it hits a **Reverse Proxy** (like Nginx, HAProxy, or AWS ALB) which serves as the gatekeeper.
Forward vs Reverse Proxy: A forward proxy helps internal clients access the public internet (e.g. office firewalls). A reverse proxy directs public internet traffic to private internal servers.
The reverse proxy performs several critical functions:
- SSL Termination: Decrypts HTTPS requests at the gatekeeper level so backend application servers only handle plain HTTP traffic, reducing CPU load. The hop from proxy to backend is then unencrypted, so it must stay on a private network.
- Load Balancing: Distributes incoming requests across multiple app servers using algorithms like Round Robin or Least Connections.
- Security (WAF): Filters out malicious requests, SQL injections, and DDoS traffic.
Here is a basic Nginx configuration routing traffic to a pool of backend application instances:
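```nginx
# Pool of backend application instances on the private network
upstream app_servers {
    server 10.0.10.15:3000;
    server 10.0.11.20:3000;
}

server {
    listen 443 ssl;
    server_name example.com;

    # Certificate and private key used for TLS termination
    ssl_certificate     /etc/nginx/certs/example.com.crt;
    ssl_certificate_key /etc/nginx/certs/example.com.key;

    location / {
        # Forward to the pool over plain HTTP
        proxy_pass http://app_servers;

        # Tell the backend the original host, client address and scheme
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```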
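How a backend should read the `X-Forwarded-For` header this configuration sets, as an added example that is not part of the original guide. `$proxy_add_x_forwarded_for` appends `$remote_addr` to whatever value the client already sent, so only the entries added by known proxies are reliable. The trusted range `10.0.0.0/16` and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: the Nginx proxy (and any other internal hop) connects from this range.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/16")]

def _trusted(ip):
    return any(ip in net for net in TRUSTED_PROXIES)

def leftmost(xff_header):
    """Naive reading: the first entry, which the client itself controls."""
    return xff_header.split(",")[0].strip()

def client_ip(peer_addr, xff_header):
    """Return the address a backend should log, rate-limit or allow-list on.

    Walks X-Forwarded-For from the right, skipping trusted proxy hops;
    the first untrusted address is the real client.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not _trusted(peer):
        return str(peer)  # connection did not come via the proxy: ignore the header
    last = peer
    hops = [h.strip() for h in (xff_header or "").split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: nothing further left can be trusted
        if not _trusted(ip):
            return str(ip)
        last = ip  # another trusted proxy hop, keep walking left
    return str(last)
```
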
Summary Flow of a Request
Let's map out the final step-by-step route of a packet:
Conclusion
Modern web infrastructure is designed to isolate application tiers, speed up static content distribution, and secure network traffic. By routing incoming requests through DNS, CDNs, and load-balanced reverse proxies, systems can handle millions of simultaneous operations while keeping internal network interfaces fully private.
Understanding this end-to-end request flow is essential for troubleshooting outages, resolving latency bottlenecks, and designing highly resilient cloud platforms.