# TLS termination proxy

> Mediated Wiki article. Canonical URL: https://mediated.wiki/source/TLS_termination_proxy
> Markdown URL: https://mediated.wiki/source/TLS_termination_proxy.md
> Source: https://en.wikipedia.org/wiki/TLS_termination_proxy
> Source revision: 1343194680
> License: Creative Commons Attribution-ShareAlike 4.0 International (https://creativecommons.org/licenses/by-sa/4.0/)

Proxy server acting as an intermediary between client and server

Incoming HTTPS traffic gets decrypted and forwarded to a web service in the private network.

A **TLS termination proxy** (or **SSL termination proxy**,[1] or **SSL offloading**[2]) is a [proxy server](/source/Proxy_server) that acts as an [intermediary](/source/Intermediary) point between [client](/source/Client_(computing)) and [server](/source/Server_(computing)) applications. It is used to terminate and/or establish [TLS](/source/Transport_Layer_Security) (or [DTLS](/source/Datagram_Transport_Layer_Security)) [tunnels](/source/Tunneling_protocol) by decrypting and/or encrypting communications. This differs from **TLS pass-through proxies**, which forward encrypted (D)TLS traffic between clients and servers without terminating the tunnel.

## Uses

TLS termination proxies can be used to:

- secure [plaintext](/source/Plaintext) communications over untrusted networks by tunnelling them in (D)TLS,

- allow inspection of encrypted traffic by an [intrusion detection system](/source/Intrusion_detection_system) to detect and block malicious activities,

- allow [network surveillance](/source/Computer_and_network_surveillance) and analysis of encrypted traffic,

- enable otherwise unsupported integration with other applications that provide additional capabilities such as [content filtering](/source/Content-control_software) or [Hardware security modules](/source/Hardware_security_module),

- enable (D)TLS protocol versions, extensions, or capabilities (e.g., [OCSP stapling](/source/OCSP_stapling), [ALPN](/source/Application-Layer_Protocol_Negotiation), [DANE](/source/DNS-based_Authentication_of_Named_Entities), [CT](/source/Certificate_Transparency) validation, etc.) unsupported by client or server applications to enhance their compatibility and/or security,

- work around buggy or insecure (D)TLS implementations in client or server applications to improve their compatibility and/or security,

- provide additional [certificate-based authentication](/source/Transport_Layer_Security#Client-authenticated_TLS_handshake) unsupported by server and/or client applications or protocols,

- provide an additional [defense-in-depth](/source/Defense_in_depth_(computing)) layer for centralised control and consistent management of (D)TLS configuration and associated security policies, and

- reduce the [load](/source/Load_(computing)) on the main servers by [offloading](/source/Computation_offloading) the cryptographic processing to another machine.

## Types

TLS termination proxies can provide three connectivity patterns:[3]

- **TLS Offloading**: Terminates an inbound encrypted (D)TLS connection from a client and forwards communications over a plaintext connection to the server.

- **TLS Encryption**: Accepts an inbound plaintext connection from a client and forwards communications over an encrypted (D)TLS connection to the server.

- **TLS Bridging**: Terminates two encrypted (D)TLS connections to allow inspection and filtering of traffic. The proxy decrypts the inbound (D)TLS connection from the client and re-encrypts it using a separate (D)TLS connection to the server.

Combining a TLS Encrypting proxy in front of a client with a TLS Offloading proxy in front of a server can allow (D)TLS encryption and authentication for protocols and applications that do not otherwise support it, with the two proxies maintaining a secure (D)TLS tunnel over untrusted network segments between client and server.

A proxy used by clients as an intermediary gateway for all outbound connections is typically called a [Forward proxy](/source/Forward_proxy), while a proxy used by servers as an intermediary gateway for all inbound connections is typically called a [Reverse proxy](/source/Reverse_proxy). Forward TLS bridging proxies that allow an [intrusion detection system](/source/Intrusion_detection_system) to analyse all client traffic are typically marketed as "SSL Forward Proxy".[4][5][6]

TLS Offloading and TLS Bridging proxies typically need to authenticate themselves to clients with a digital certificate using either [PKIX](/source/X.509) or DANE authentication. Usually, the server operator supplies its reverse proxy with a valid certificate for use during the (D)TLS handshake with clients. A forward proxy operator, however, must create their own private [CA](/source/Certificate_authority), install it into the trust store of all clients, and have the proxy generate a new certificate signed by the private CA in real time for each server that a client attempts to connect to.

When network traffic between a client and server is routed via a proxy, it can operate in [transparent](/source/Proxy_server#Transparent_proxy) mode by using the client's [IP address](/source/IP_address) instead of its own when connecting to the server, and using the server's IP address when responding to the client. If a **Transparent TLS Bridging Proxy** possesses a valid server certificate, neither the client nor the server would be able to detect the proxy's presence. An adversary who has compromised the private key of the server's digital certificate, or who can use a compromised or coerced PKIX CA to issue a new valid certificate for the server, could perform a [man-in-the-middle attack](/source/Man-in-the-middle_attack) by routing TLS traffic between the client and server through a Transparent TLS Bridging Proxy. This would grant the adversary the ability to copy decrypted communications (including logon credentials) and modify the content of communications on the fly without detection.

## See also

- [TLS acceleration](/source/TLS_acceleration)

## References

1. **[^](#cite_ref-1)** ["What is SSL Termination?"](https://www.f5.com/glossary/ssl-termination). F5 Networks. [Archived](https://web.archive.org/web/20240608073948/https://www.f5.com/glossary/ssl-termination) from the original on 2024-06-08. Retrieved 2024-06-08.

1. **[^](#cite_ref-2)** ["Setup IIS with URL Rewrite as a reverse proxy"](https://docs.microsoft.com/fr-fr/archive/blogs/friis/setup-iis-with-url-rewrite-as-a-reverse-proxy-for-real-world-apps). Microsoft. 25 August 2016. [Archived](https://web.archive.org/web/20220815002534/https://docs.microsoft.com/fr-fr/archive/blogs/friis/setup-iis-with-url-rewrite-as-a-reverse-proxy-for-real-world-apps) from the original on 15 August 2022. Retrieved 8 June 2024.

1. **[^](#cite_ref-3)** ["Infrastructure Layouts Involving TLS"](https://www.haproxy.com/documentation/hapee/latest/deployment-guides/tls-infrastructure/). HAProxy Technologies.

1. **[^](#cite_ref-4)** ["SSL Forward Proxy Overview"](https://www.juniper.net/documentation/us/en/software/nm-apps23.1/junos-space-security-director/topics/concept/junos-space-ssl-forward-proxy-overview.html). [Juniper Networks](/source/Juniper_Networks). 2023-10-16. [Archived](https://web.archive.org/web/20240608073611/https://www.juniper.net/documentation/us/en/software/nm-apps23.1/junos-space-security-director/topics/concept/junos-space-ssl-forward-proxy-overview.html) from the original on 2024-06-08. Retrieved 2024-06-08.

1. **[^](#cite_ref-5)** ["SSL Forward Proxy"](https://web.archive.org/web/20171201081116/https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/ssl-forward-proxy). Palo Alto Networks. Archived from [the original](https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/decryption/ssl-forward-proxy) on 2017-12-01. Retrieved 2017-11-24.

1. **[^](#cite_ref-6)** ["Overview: SSL forward proxy client and server authentication"](https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-11-6-0/13.html). F5 Networks. [Archived](https://web.archive.org/web/20240608073110/https://techdocs.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/bigip-ssl-administration-11-6-0/13.html) from the original on 2024-06-08. Retrieved 2017-11-24.

---
Adapted from the Wikipedia article [TLS termination proxy](https://en.wikipedia.org/wiki/TLS_termination_proxy) by Wikipedia contributors ([contributor history](https://en.wikipedia.org/wiki/TLS_termination_proxy?action=history)). Available under [Creative Commons Attribution-ShareAlike 4.0 International](https://creativecommons.org/licenses/by-sa/4.0/). Changes may have been made.
