
From Gunicorn's documentation:

Deploying Gunicorn

We strongly recommend to use Gunicorn behind a proxy server.

Nginx Configuration

Although there are many HTTP proxies available, we strongly advise that you use Nginx. If you choose another proxy server you need to make sure that it buffers slow clients when you use default Gunicorn workers. Without this buffering Gunicorn will be easily susceptible to denial-of-service attacks. You can use slowloris to check if your proxy is behaving properly.

Why is it strongly recommended to use a proxy server, and how would the buffering prevent DoS attacks?

Derlin
confused00

2 Answers

According to the Nginx documentation, a reverse proxy can be used to provide load balancing, provide web acceleration through caching or compressing inbound and outbound data, and provide an extra layer of security by intercepting requests headed for back-end servers.

Gunicorn is designed to be an application server that sits behind a reverse proxy server that handles load balancing, caching, and preventing direct access to internal resources.

By exposing Gunicorn's synchronous workers directly to the internet, a DoS attack could be performed by creating a load that trickles data to the servers, like Slowloris.

cjohnson318

The reason is that there are many slow clients that need time to consume server responses, while Gunicorn is designed to respond fast. There is an explanation of this situation for a similar web server for Ruby called Unicorn.

Ilya Vassilevsky
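To make both answers concrete, here is an Nginx front-end configuration that does the two things the answers describe: it reads each request in full before a Gunicorn worker ever sees it (the Slowloris case from the first answer) and it buffers the response so the worker is freed while Nginx drains the bytes to a slow reader (the Unicorn argument from the second answer). This is an added illustration, not the question's, the answers' or the Gunicorn project's own configuration; the socket path, server name and timeout values are assumptions.

```nginx
# Added example. Assumed: Gunicorn (default sync workers) is bound only to
# a local Unix socket, never to a public interface, so every client has to
# go through Nginx. The socket path and server_name are placeholders.
upstream gunicorn_app {
    server unix:/run/gunicorn.sock fail_timeout=0;   # assumed socket path
}

server {
    listen 80 default_server;
    server_name example.com;                          # placeholder

    # Slow-client limits are enforced here, in Nginx, which handles many
    # idle connections cheaply; a sync worker cannot. Values are illustrative.
    client_header_timeout 10s;   # drop clients that trickle request headers
    client_body_timeout   10s;   # same for the body (timeout between reads)
    send_timeout          10s;   # drop clients that stall while reading
    keepalive_timeout     15s;
    client_max_body_size  10m;

    location / {
        # Read the whole request before forwarding, so a worker only ever
        # receives complete requests (on by default, shown explicitly).
        proxy_request_buffering on;
        # Buffer the response: the worker returns as soon as it has handed
        # the response to Nginx, which then feeds the slow client.
        proxy_buffering on;

        proxy_set_header Host $http_host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_redirect off;
        proxy_pass http://gunicorn_app;
    }
}
```

The matching Gunicorn side is simply binding to that socket (for example `gunicorn --bind unix:/run/gunicorn.sock app:application`), so that Gunicorn itself never listens on an address reachable by arbitrary clients.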