2017-09-17 13:13:28 +00:00
---
title: TLS reverse proxy
author: someone
abstract: ![TLS reverse proxy](/static/img/reverse.png)
---
![TLS reverse proxy](/static/img/reverse.png)
[tlstunnel](https://github.com/hannesm/tlstunnel) is a proxy unikernel that listens for TLS connections and forwards requests to backend services, such as a web server. The specific backend is chosen by inspecting the Server Name Indication (SNI), a widely deployed TLS extension in which the client names, during the TLS handshake, the server it wants to talk to.
It is similar to other projects such as stunnel or stud, but uses our TLS implementation written in the memory-safe language OCaml, instead of one written in the error-prone language C. The backend web servers don't need TLS support, which lowers the maintenance burden. Many security issues in TLS implementations are due to memory-safety bugs and to support for outdated ciphersuites.
This TLS reverse proxy is deployed on various websites, including [Real World OCaml](https://realworldocaml.org) since 2015.