---
title: TLS reverse proxy
author: someone
abstract: ![TLS reverse proxy](/static/img/reverse.png)
---

![TLS reverse proxy](/static/img/reverse.png)

The [tlstunnel](https://github.com/hannesm/tlstunnel) is a unikernel (depicted
as Proxy) which listens for TLS connections and forwards requests to backend
services (depicted as web server). The specific backend is chosen by inspecting
the Server Name Indication (SNI), a widely deployed extension of the TLS protocol
in which the client states, during the TLS handshake, the name of the server it
wants to talk to.

It is similar to other projects such as stunnel or stud, but uses our TLS
implementation written in the memory-safe language OCaml, instead of one written
in the error-prone language C. The backend web servers don't need TLS support,
which lowers the maintenance burden. Many security issues in TLS
implementations are due to memory safety and support for outdated ciphersuites.

This TLS reverse proxy is deployed on various websites, including [Real World
OCaml](https://realworldocaml.org) since 2015.