TLS termination proxy

From Wikipedia, the free encyclopedia
Jump to navigation Jump to search
Incoming HTTPS traffic gets decrypted and forwarded to a webservice in the private network.

A TLS termination proxy (or SSL termination proxy[1], or SSL offloading[2]) is a proxy server that is used by an institution to handle incoming TLS connections, decrypting the TLS and passing on the unencrypted request to the institution's other servers (it is assumed that the institution's own network is secure so the user's session data does not need to be encrypted on that part of the link). TLS termination proxies are used to reduce the load on the main servers by offloading the cryptographic processing to another machine, and to support servers that do not support SSL, like Varnish.

A variant configuration is where encryption is done on the "front-end" towards the Internet, and on the private "back-end" network as well. This is generally referred to as "SSL/TLS forward proxy".[3][4][5] It is usually done to allow an intrusion detection system to analyze the traffic.

Another advantage of a forward TLS proxy is that it can reduce client latency if they would otherwise be geographically distant from the servers behind the proxy. This is because in most cases, with the exception of TLS1.3 0-RTT, there are several round trips involved in negotiating the TLS connection.[citation needed]


  1. ^ SSL Termination, F5 Networks.
  2. ^ "Setup IIS with URL Rewrite as a reverse proxy". Microsoft.
  3. ^ "SSL Forward Proxy Overview". Juniper Networks.
  4. ^ "SSL Forward Proxy". Palo Alto Networks.
  5. ^ "Overview: SSL forward proxy client and server authentication". F5 Networks.