tlsrp: a simple TLS reverse proxy

HTTPS is one of the largest improvements that has been made to the web in the last 10 years. While the average person doesn't see any tangible difference between HTTP and HTTPS, the change means that it is harder for ISPs and even random people to see what you are looking at online.

Of course HTTPS is just HTTP over TLS, the Transport Layer Security. TLS creates an encrypted tunnel between a server and a client, over which any data can pass securely. In the case of HTTPS, the data happens to be HTTP requests and responses, but TLS can be used for any protocol.

Typically HTTPS support is built into a webserver, but there is nothing about HTTPS that makes this a requirement. You could feasible separate the HTTPS server into a HTTP server and a TLS server. In fact, this would allow you to factor out the common functionality of TLS from servers that use different protocols, simplifying the code for the server. You could have the TLS server act as a middleman between a client and the HTTP server. All the TLS server would do is decrypt traffic headed toward the HTTP server and encrypt traffic headed back to the client. To the client, everything will look like proper HTTPS, and they will get their little lock icon. To the HTTP server, everything coming in will just look like normal HTTP traffic. This "TLS server" is called a TLS reverse proxy.

tlsrp is a TLS reverse proxy built using libtls, a library from the LibreSSL project meant to make dealing with TLS easier than the standard libssl. I also used libbsd for strlcpy, which is unfortunately still not present in glibc.

The usage is very simple:

 tlsrp [-h host] -p port -f PORT -ca ca_path -cert cert_path -key key_path

and if your backend server is serving on a unix socket:

 tlsrp -U unixsocket -f PORT -ca ca_path -cert cert_path -key key_path

I have not tested it on an actual webserver yet, and a few more people should probably look at the code before anyone uses it. It might be interesting to do some benchmarking to see how it compares to other TLS reverse proxies. If anyone finds any issues or wants to submit patches, my email address

You can find the code here.