Figure: Incoming HTTPS traffic gets decrypted and forwarded to a web service in the private network.

A TLS termination proxy (or SSL termination proxy,[1] or SSL offloading[2]) is a proxy server that acts as an intermediary point between client and server applications. It is used to terminate and/or establish TLS (or DTLS) tunnels by decrypting and/or encrypting communications. This differs from TLS pass-through proxies, which forward encrypted (D)TLS traffic between clients and servers without terminating the tunnel.

Uses

TLS termination proxies can be used to:

  • secure plaintext communications over untrusted networks by tunnelling them in (D)TLS,
  • allow inspection of encrypted traffic by an intrusion detection system to detect and block malicious activities,
  • allow network surveillance and analysis of encrypted traffic,
  • enable otherwise unsupported integration with other applications that provide additional capabilities such as content filtering or hardware security modules,
  • enable (D)TLS protocol versions, extensions, or capabilities (e.g., OCSP stapling, ALPN, DANE, CT validation, etc.) unsupported by client or server applications to enhance their compatibility and/or security,
  • work around buggy or insecure (D)TLS implementations in client or server applications to improve their compatibility and/or security,
  • provide additional certificate-based authentication unsupported by server and/or client applications or protocols,
  • provide an additional defense-in-depth layer for centralised control and consistent management of (D)TLS configuration and associated security policies, and
  • reduce the load on the main servers by offloading the cryptographic processing to another machine.

Types

TLS termination proxies can provide three connectivity patterns:[3]

  • TLS Offloading: Terminates an inbound encrypted (D)TLS connection from a client and forwards communications over a plaintext connection to the server.
  • TLS Encryption: Accepts an inbound plaintext connection from a client and forwards communications over an encrypted (D)TLS connection to the server.
  • TLS Bridging: Terminates two encrypted (D)TLS connections to allow inspection and filtering of traffic. The proxy decrypts the inbound (D)TLS connection from the client and re-encrypts it using a separate (D)TLS connection to the server.

Combining a TLS Encrypting proxy in front of a client with a TLS Offloading proxy in front of a server can allow (D)TLS encryption and authentication for protocols and applications that do not otherwise support it, with the two proxies maintaining a secure (D)TLS tunnel over untrusted network segments between client and server.
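As an added example (not code from the article or from any product it cites), the three patterns above in Go: the same forwarding handler becomes Offloading, Encryption or Bridging depending on whether its listener speaks TLS and whether the backend URL is http or https. The inspect hook stands in for the intrusion detection system or content filter; the certificate paths, ports and backend address in main are assumptions.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// NewTerminationProxy returns the forwarding half of an HTTP-over-TLS termination proxy.
// Its pattern follows from the two legs: Offloading = handler served over TLS, backend "http";
// Encryption = served over plaintext, backend "https"; Bridging = served over TLS, backend "https".
// upstreamCAs authenticates the server on an "https" leg (nil = system roots); inspect sees each
// decrypted request before it is forwarded and may veto it (the IDS / content-filter hook).
func NewTerminationProxy(backend *url.URL, upstreamCAs *x509.CertPool,
	inspect func(*http.Request) error) http.Handler {
	rp := httputil.NewSingleHostReverseProxy(backend)
	tr := http.DefaultTransport.(*http.Transport).Clone()
	// Re-encrypted leg: verify the upstream certificate; never set InsecureSkipVerify here.
	tr.TLSClientConfig = &tls.Config{RootCAs: upstreamCAs, MinVersion: tls.VersionTLS12}
	rp.Transport = tr
	director := rp.Director
	rp.Director = func(r *http.Request) {
		director(r)
		// The backend sees only plaintext after offloading, so record the client-side
		// transport. Set, not Add, so a client cannot smuggle in its own value.
		proto := "http"
		if r.TLS != nil {
			proto = "https"
		}
		r.Header.Set("X-Forwarded-Proto", proto)
	}
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := inspect(r); err != nil {
			http.Error(w, "blocked by proxy policy: "+err.Error(), http.StatusForbidden)
			return
		}
		rp.ServeHTTP(w, r)
	})
}

// Stand-alone use as a TLS Offloading proxy: the listener terminates TLS with the
// operator-supplied certificate (file paths assumed) and forwards plaintext to :8080.
func main() {
	backend, _ := url.Parse("http://127.0.0.1:8080")
	allowAll := func(*http.Request) error { return nil } // no inspection policy in this demo
	log.Fatal(http.ListenAndServeTLS(":8443", "server.crt", "server.key", NewTerminationProxy(backend, nil, allowAll)))
}
```

Pointing backend at an https URL and passing a pool that trusts the upstream server turns the same handler into a Bridging proxy; with a pool that does not contain the upstream's issuer the re-encrypted leg fails closed with 502 Bad Gateway instead of silently downgrading.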

A proxy used by clients as an intermediary gateway for all outbound connections is typically called a forward proxy, while a proxy used by servers as an intermediary gateway for all inbound connections is typically called a reverse proxy. Forward TLS bridging proxies that allow an intrusion detection system to analyse all client traffic are typically marketed as "SSL Forward Proxy".[4][5][6]

TLS Offloading and TLS Bridging proxies typically need to authenticate themselves to clients with a digital certificate using either PKIX or DANE authentication. Usually, the server operator supplies its reverse proxy with a valid certificate for use during the (D)TLS handshake with clients. A forward proxy operator, however, must create their own private CA, install it into the trust store of all clients, and have the proxy generate a new certificate signed by the private CA in real time for each server that a client attempts to connect to.

When network traffic between a client and server is routed via a proxy, the proxy can operate in transparent mode by using the client's IP address instead of its own when connecting to the server, and using the server's IP address when responding to the client. If a transparent TLS bridging proxy possesses a valid server certificate, neither the client nor the server can detect the proxy's presence. An adversary who has compromised the private key of the server's digital certificate, or who can use a compromised or coerced PKIX CA to issue a new valid certificate for the server, could perform a man-in-the-middle attack by routing TLS traffic between the client and server through a transparent TLS bridging proxy. This would grant the adversary the ability to copy decrypted communications (including logon credentials) and modify the content of communications on the fly without detection.

References

  1. "What is SSL Termination?". F5 Networks. Archived from the original on 2024-06-08. Retrieved 2024-06-08.
  2. "Setup IIS with URL Rewrite as a reverse proxy". Microsoft. 2016-08-25. Archived from the original on 2022-08-15. Retrieved 2024-06-08.
  3. "Infrastructure Layouts Involving TLS". HAProxy Technologies.
  4. "SSL Forward Proxy Overview". Juniper Networks. 2023-10-16. Archived from the original on 2024-06-08. Retrieved 2024-06-08.
  5. "SSL Forward Proxy". Palo Alto Networks. Archived from the original on 2017-12-01. Retrieved 2017-11-24.
  6. "Overview: SSL forward proxy client and server authentication". F5 Networks. Archived from the original on 2024-06-08. Retrieved 2017-11-24.