2017-09-17 13:13:28 +00:00

---
title: TLS reverse proxy
abstract: ![TLS reverse proxy](/static/img/reverse.png)
---

![TLStunnel](/static/img/reverse.png)

[tlstunnel](https://github.com/hannesm/tlstunnel) is a reverse proxy unikernel which listens for TLS connections and forwards requests to backends, such as a web server. The backend is chosen by inspecting the Server Name Indication (SNI), a widely deployed extension of the TLS protocol in which the client names, during the TLS handshake, the server it wants to talk to.
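
To make the SNI-based backend selection concrete, here is an added Python example; it is not tlstunnel's code (which is OCaml). It builds a minimal ClientHello, extracts the host name from the server_name extension, and looks it up in a constructed backend table; the table, its addresses and the function names are assumptions for illustration.

```python
import struct

# Constructed backend table (assumed example addresses, not tlstunnel's configuration).
BACKENDS = {"realworldocaml.org": ("10.0.0.2", 8080), "example.org": ("10.0.0.3", 8080)}

def build_client_hello(server_name):
    """Construct a minimal TLS 1.2 ClientHello record carrying only a server_name extension."""
    name = server_name.encode()
    sni = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
    sni = struct.pack("!H", len(sni)) + sni                     # ServerNameList length prefix
    ext = struct.pack("!HH", 0x0000, len(sni)) + sni            # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                # version, random, empty session id
            + struct.pack("!H", 2) + b"\xc0\x2f"                # one cipher suite
            + b"\x01\x00"                                       # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # record type 22 = handshake

def extract_sni(record):
    """Return the host_name from the ClientHello's SNI extension, or None if absent or malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        pos = 9 + 2 + 32                                        # record + handshake headers, version, random
        pos += 1 + record[pos]                                  # session id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]  # cipher suites
        pos += 1 + record[pos]                                  # compression methods
        ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", record[pos:pos + 4])
            data, pos = record[pos + 4:pos + 4 + elen], pos + 4 + elen
            if etype != 0x0000:
                continue
            p, end = 2, 2 + struct.unpack("!H", data[:2])[0]    # ServerNameList entries
            while p + 3 <= end:
                ntype, nlen = data[p], struct.unpack("!H", data[p + 1:p + 3])[0]
                if ntype == 0:
                    return data[p + 3:p + 3 + nlen].decode("ascii")
                p += 3 + nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None

def choose_backend(record):
    """Route by SNI; an unknown or missing name gets no backend rather than a default one."""
    name = extract_sni(record)
    return BACKENDS.get(name) if name else None
```

A truncated or malformed ClientHello yields no backend, so the proxy fails closed instead of guessing a destination.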

The project is similar to others, such as stunnel or stud, but uses our TLS implementation, written in the memory-safe language OCaml, instead of one written in C. The backend web servers don't need TLS support, which lowers the maintenance burden. Most security problems in TLS implementations are caused by unsafe memory handling and by support for weak cryptographic primitives.

This TLS reverse proxy has been deployed on various websites, including [Real World OCaml](https://realworldocaml.org), since 2015.