🔓 TLS Termination proxies

artistical representation of rama TLS Termination proxy as llama unlocking cargo to move it forward unprotected
A TLS termination proxy is a proxy server that acts as an intermediary point between client and server applications, and is used to terminate and/or establish TLS (or DTLS) tunnels by decrypting and/or encrypting communications. This is different to TLS pass-through proxies that forward encrypted (D)TLS traffic between clients and servers without terminating the tunnel.

— Wikipedia

Examples:

  • /examples/tls_rustls_termination.rs: Spawns a mini handmade http server, as well as a TLS termination proxy, forwarding the plain text stream to the first.
  • /examples/mtls_tunnel_and_service.rs: Example of how to do mTLS (mutual TLS, where the client also needs a certificate) using rama, as well as how one might use this concept to provide a tunnel service build with these concepts;

Description

%3clientclientproxy (rama)proxy (rama)client->proxy (rama)  httpsserver Aserver Aproxy (rama)->server A  httpserver Bserver Bproxy (rama)->server B  http

Reverse proxies are a superset of proxies that also include TLS Termination Proxies. It's very common for a reverse proxy to also terminate the TLS tunnel.

HTTP Strict Transport Security (HSTS)

HTTP Strict Transport Security (HSTS), defined in RFC 6797, lets a website declare that it must only be accessed over HTTPS. A server does this by sending a Strict-Transport-Security response header over a secure connection.

nce a browser (user agent) receives this header, it marks the host as an HSTS host and automatically enforces HTTPS for future requests—refusing to load the site over plain HTTP or when certificate errors occur. This protects users against downgrade attacks and cookie hijacking over insecure connections.

Flow of operation:

  1. The client first connects via HTTPS.
  2. The server responds with Strict-Transport-Security: max-age=… [; includeSubDomains].
  3. The browser caches this rule for the max-age duration.
  4. All future HTTP requests to that host (and optionally its subdomains) are upgraded to HTTPS automatically.
  5. If a TLS or certificate error occurs, the connection is aborted without user override.

This ensures that, after the first secure visit, the browser always enforces secure transport for that domain.

This is usually also coupled with an http-to-https redirect to ensure clients that connect via insecure http do still land on the same resource but over a secure connection instead.

Examples: