---
title: TLS reverse proxy
author: someone
abstract: ![TLS reverse proxy](/static/img/reverse.png)
---

![TLS reverse proxy](/static/img/reverse.png)

The [tlstunnel](https://github.com/hannesm/tlstunnel) is a unikernel (depicted as Proxy) which listens for TLS connections and forwards requests to backend services (depicted as web server). The specific backend is chosen by inspecting the Server Name Indication, a widely deployed extension of the TLS protocol in which the client names the server it wants to talk to during the TLS handshake.

It is similar to other projects such as stunnel or stud, but uses our TLS implementation written in the memory-safe language OCaml, instead of one written in the error-prone language C. The backend web servers don't need TLS support, which lowers the maintenance burden. Many security issues in TLS implementations are due to memory-safety bugs and support for outdated ciphersuites.

This TLS reverse proxy is deployed on various websites, including [Real World OCaml](https://realworldocaml.org) since 2015.