The reverse proxy is accessible from your browser and is properly configured to not accept random requests from any webpage (See: CORS). The others are not directly accessible, but only through the reverse proxy server. Does that make sense?
not really, no. i still don't see what the reverse proxy or the VM are bringing to the table here. If i'm understanding the necessary CORS config here, it's to simply not send any access-control-allow-origin header, which does not require a VM or reverse proxy, most HTTP services do that by default.
simply being accessed through a reverse proxy instead of directly doesn't add any additional security
