TLS reverse proxy

Published: 2017-09-17 (last updated: 2017-10-30)


tlstunnel is a reverse proxy unikernel which listens for TLS connections, terminates them, and forwards the decrypted requests to backends, such as a web server. The backend is chosen by inspecting the Server Name Indication (SNI), a widely deployed TLS extension in which the client names the server it wants to talk to in its ClientHello. That field is sent before any key exchange has happened, so the proxy can read it in cleartext and select the backend (and the matching certificate) at the very start of the handshake.
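To make the routing decision concrete, here is an added example (not tlstunnel's code, and in Python rather than OCaml) that parses the server_name extension out of a raw TLS ClientHello record and maps the host name to a backend. The backend table, the host names and the `build_client_hello` helper that constructs the sample records are assumptions made for this example; the parse follows the wire format of RFC 5246 (record and handshake framing) and RFC 6066 (the server_name extension). Every read is bounds-checked, so a truncated or non-handshake record is rejected rather than indexing past the buffer, and a ClientHello without SNI yields no backend instead of a crash.

```python
import struct
from typing import Optional, Tuple

# Constructed backend table for the example: lower-cased SNI host name -> (address, port).
# This is an assumption; tlstunnel's real configuration format is different.
BACKENDS = {
    "realworldocaml.org": ("10.0.0.11", 8080),
    "mirage.io": ("10.0.0.12", 8080),
}


class SniError(ValueError):
    """Raised when the bytes are not a well-formed TLS handshake/ClientHello."""


class Cursor:
    """Bounds-checked reader over a byte string; every read is length-checked."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        if self.pos + n > len(self.data):
            raise SniError("truncated input")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def u8(self) -> int:
        return self.take(1)[0]

    def u16(self) -> int:
        return struct.unpack("!H", self.take(2))[0]

    def u24(self) -> int:
        return int.from_bytes(self.take(3), "big")

    def left(self) -> int:
        return len(self.data) - self.pos


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name from the server_name extension of a ClientHello,
    or None when the client sent no SNI. Raises SniError on malformed input."""
    r = Cursor(record)
    if r.u8() != 22:                 # record content type 22 = handshake
        raise SniError("not a handshake record")
    r.u16()                          # legacy record version, not needed here
    body = Cursor(r.take(r.u16()))   # record fragment, length-prefixed
    if body.u8() != 1:               # handshake msg_type 1 = ClientHello
        raise SniError("not a ClientHello")
    h = Cursor(body.take(body.u24()))
    h.u16()                          # client_version
    h.take(32)                       # random
    h.take(h.u8())                   # session_id (8-bit length)
    h.take(h.u16())                  # cipher_suites (16-bit length)
    h.take(h.u8())                   # compression_methods (8-bit length)
    if h.left() == 0:
        return None                  # ClientHello without extensions: no SNI possible
    exts = Cursor(h.take(h.u16()))
    while exts.left() > 0:
        ext_type = exts.u16()
        ext = Cursor(exts.take(exts.u16()))
        if ext_type != 0:            # extension type 0 = server_name
            continue
        names = Cursor(ext.take(ext.u16()))   # ServerNameList
        while names.left() > 0:
            name_type = names.u8()
            name = names.take(names.u16())
            if name_type == 0:       # name_type 0 = host_name
                return name.decode("ascii")
    return None


def choose_backend(record: bytes, backends=BACKENDS) -> Optional[Tuple[str, int]]:
    """Backend for this ClientHello, or None when there is no SNI or no match.
    Host names are compared case-insensitively, as RFC 6066 requires."""
    name = extract_sni(record)
    if name is None:
        return None
    return backends.get(name.lower())


def is_malformed(record: bytes) -> bool:
    """True when the parser rejects the record instead of reading past its end."""
    try:
        extract_sni(record)
        return False
    except SniError:
        return True


def build_client_hello(host: Optional[str]) -> bytes:
    """Constructed minimal ClientHello (TLS 1.2 framing) used as sample input.
    Not a real client's handshake: fixed all-zero random, two cipher suites,
    and, when host is given, an unrelated extension followed by server_name."""
    ciphers = b"\x13\x01\xc0\x2f"
    hello = b"\x03\x03" + bytes(32) + b"\x00"                       # version, random, empty session_id
    hello += struct.pack("!H", len(ciphers)) + ciphers + b"\x01\x00"  # cipher_suites, null compression
    if host is not None:
        name = host.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name + name
        sni = struct.pack("!H", len(entry)) + entry                   # ServerNameList
        server_name_ext = struct.pack("!HH", 0, len(sni)) + sni
        other_ext = struct.pack("!HH", 43, 3) + b"\x02\x03\x04"       # supported_versions, to be skipped
        exts = other_ext + server_name_ext
        hello += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake
```

Run `choose_backend(build_client_hello("realworldocaml.org"))` to see the routing, and feed it a record cut short with `[:20]` to see the parser reject it. A real proxy would peek at exactly these bytes on the accepted socket, decide the backend, then hand the full record to its TLS engine.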

The project is similar to others, such as stunnel or stud, but uses our TLS implementation, written in the memory-safe language OCaml, instead of one written in C. The backend web servers don't need TLS support themselves, which lowers the maintenance burden: certificates, private keys and the cipher configuration live in one place. The link between the proxy and its backends then carries plaintext, so it should run over a trusted network. Most security problems in TLS implementations are caused by unsafe memory handling and support for weak cryptographic primitives; a memory-safe implementation rules out the first class by construction, and the second is a matter of which primitives the implementation offers.

This TLS reverse proxy has been deployed in front of various websites, including Real World OCaml, since 2015.