TLSPROXY is a versatile TLS termination proxy designed to secure various network services. It automatically handles TLS encryption using Let's Encrypt, allowing multiple services and server names to share the same port. Beyond TLS termination, TLSPROXY can function as a simple web server, a reverse proxy for HTTP(S) services, and offers robust user authentication and authorization features.
Key Features:
- Automatic TLS Certificates: Integrates with Let's Encrypt for automatic certificate acquisition using http-01 and tls-alpn-01 challenges.
- Flexible TLS Termination:
  - Terminates TLS and forwards data to TCP servers in plain text.
  - Terminates TLS and forwards data to TLS servers (re-encrypted in transit; the proxy sees the plain text).
  - Passes raw TLS connections through to backend TLS servers (the proxy does not see the plain text).
- QUIC and HTTP/3 Support: Terminates QUIC connections and forwards data to QUIC or TLS/TCP servers.
- Encrypted Client Hello (ECH): Enhances privacy by encrypting ClientHello messages, so an on-path observer cannot read the requested server name.
- Static File Serving: Can serve static content directly from the local filesystem.
- PROXY Protocol Support: Integrates with the PROXY protocol for incoming TCP connections (not for QUIC or HTTP/3 backends).
- Client Authentication & Authorization: Supports TLS client authentication and authorization when the proxy terminates TLS connections.
- Built-in Certificate Authorities:
  - Manage client and backend server TLS certificates.
  - Issue SSH user certificates based on SSO credentials.
- User Authentication: Supports OpenID Connect, SAML, and Passkeys for HTTP and HTTPS connections. Can optionally issue JSON Web Tokens (JWTs) and run a local OpenID Connect server.
- Access Control: Implements access control based on IP addresses.
- Routing & Load Balancing: Routes requests based on Server Name Indication (SNI) with optional default routes and simple round-robin load balancing.
- ALPN Protocol Support: Supports any ALPN protocol in TLS, TLSPASSTHROUGH, QUIC, or TCP mode.
- OCSP Stapling & Verification: Includes OCSP stapling and certificate verification.
- Local TLS Certificates: Supports using locally stored TLS certificates.
- Hardware-backed Cryptographic Keys: Can use a Trusted Platform Module (TPM) for enhanced security of cryptographic keys.
- Port Sharing: Allows multiple server names to share the same IP address and port.
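As an added illustration (not code from the TLSPROXY project) of how the TLSPASSTHROUGH mode and SNI-based routing listed above fit together, the Go program below reads the server name out of a ClientHello without completing the handshake, so a proxy can choose a backend without ever holding session keys or the plain text. The routing table, the `routeByName` and `readSNI` helpers, and the use of Go's `crypto/tls` `GetConfigForClient` hook as the parsing trick are this example's own assumptions.

```go
package main

import (
	"crypto/tls"
	"bytes"
	"fmt"
	"net"
)

// Constructed routing table (not the project's config format): SNI -> backend; "" is the default route.
var routes = map[string]string{"app.example.com": "10.0.0.10:443", "mail.example.com": "10.0.0.20:993", "": "10.0.0.1:443"}

func routeByName(sni string) (backend string, matched bool) {
	if b, ok := routes[sni]; ok && sni != "" {
		return b, true
	}
	return routes[""], false
}

// peekConn records the bytes the handshake consumes (for replay to the backend) and discards writes.
type peekConn struct {
	net.Conn
	buf bytes.Buffer
}

func (p *peekConn) Read(b []byte) (int, error) {
	n, err := p.Conn.Read(b)
	p.buf.Write(b[:n])
	return n, err
}
func (p *peekConn) Write(b []byte) (int, error) { return len(b), nil } // swallow the abort alert

// readSNI drives a throw-away tls.Server just far enough to parse the ClientHello, then aborts from
// GetConfigForClient. No keys are negotiated: like TLSPASSTHROUGH mode, it sees only the plaintext SNI.
func readSNI(c net.Conn) (sni string, raw []byte, err error) {
	pc := &peekConn{Conn: c}
	cfg := &tls.Config{GetConfigForClient: func(h *tls.ClientHelloInfo) (*tls.Config, error) {
		sni = h.ServerName
		return nil, fmt.Errorf("example: handshake stopped after ClientHello") // no certs, no keys
	}}
	if err = tls.Server(pc, cfg).Handshake(); sni != "" {
		err = nil // the failure was our own abort; the SNI is all we wanted
	}
	return sni, pc.buf.Bytes(), err
}

func main() {
	cli, srv := net.Pipe() // a real Go client supplies a genuine ClientHello
	go func() { tls.Client(cli, &tls.Config{ServerName: "app.example.com", InsecureSkipVerify: true}).Handshake(); cli.Close() }()
	sni, raw, err := readSNI(srv)
	srv.Close()
	backend, matched := routeByName(sni)
	fmt.Printf("sni=%q backend=%s matched=%v replay=%d bytes err=%v\n", sni, backend, matched, len(raw), err)
}
```

The captured bytes in `raw` are the untouched ClientHello record, which is what a passthrough proxy would forward to the chosen backend before splicing the two connections.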
For more details, visit the TLSPROXY GitHub project.