Skip to main content

SNI-based TLS reverse proxy with termination and passthrough modes

Project description

tls-switch

A TLS reverse proxy that routes incoming TLS connections to backend servers based on the requested hostname using SNI (Server Name Indication). Supports both TLS termination and TLS passthrough on a per-host basis.

tls-switch sits in front of your services on port 443 and inspects the TLS ClientHello to determine which hostname the client is requesting. SNI is a TLS extension that allows the client to indicate which hostname it is trying to connect to before the TLS handshake completes — this is how tls-switch knows where to route the connection without needing a separate IP address per service. It then routes the connection to the appropriate backend, either terminating TLS and forwarding plaintext, or passing the encrypted stream through unmodified.

Features

  • SNI-based routing — route TLS connections to different backends based on hostname
  • TLS termination — terminate TLS with your certificates and forward plaintext to backends
  • TLS passthrough — forward the raw TLS stream to a backend that handles its own TLS
  • Hot reload — config and certificate changes take effect on new connections without interrupting existing ones
  • Zero buffering — data is forwarded immediately with no processing, filtering, or modification
  • PROXY protocol — optional v1/v2 header emission per host so backends can see the original client IP
  • Zero runtime dependencies — single statically-linked Go binary, no Python or libc required at runtime

Use Cases

  • Run multiple HTTPS services on a single IP address, each with its own certificate
  • Put a TLS-terminating proxy in front of plain HTTP services
  • Route some domains through to their own TLS servers while terminating others locally
  • Consolidate port 443 across multiple services without a full reverse proxy

Requirements

  • Python 3.12+ (only required to install from PyPI; the binary itself has no runtime dependencies)
  • Root/administrator privileges (if binding to port 443)

Installation

pip install tls-switch

Or run directly with uv:

uvx tls-switch

Quick Start

Create a config file (config.json):

{
  "listen": ":443",
  "hosts": {
    "app.example.com": {
      "mode": "terminate",
      "cert": "/etc/tls-switch/app.example.com.crt",
      "key": "/etc/tls-switch/app.example.com.key",
      "backend": "127.0.0.1:8080"
    },
    "legacy.example.com": {
      "mode": "passthrough",
      "backend": "10.0.0.5:443",
      "proxy_protocol": "v2"
    }
  }
}

Run the server:

tls-switch -c config.json

In this example:

  • Connections to app.example.com have TLS terminated by tls-switch, and plaintext HTTP is forwarded to 127.0.0.1:8080
  • Connections to legacy.example.com are forwarded as raw TLS to 10.0.0.5:443, which handles its own certificates

How It Works

  1. A client connects to port 443 and begins a TLS handshake
  2. tls-switch reads the TLS ClientHello message and extracts the SNI (Server Name Indication) hostname
  3. The hostname is looked up in the configuration
  4. Depending on the mode:
    • terminate: tls-switch completes the TLS handshake using the configured certificate and key, then opens a plaintext TCP connection to the backend and copies data bidirectionally with no buffering or processing
    • passthrough: tls-switch opens a TCP connection to the backend, replays the original ClientHello, and then copies data bidirectionally — the backend server handles the TLS handshake itself
  5. If the hostname is not found in the configuration, tls-switch completes a TLS handshake using any available configured certificate and returns an HTTP 421 Misdirected Request error page — browsers display a clear error rather than a cryptic "can't connect" message

Configuration

Config File

The config file is JSON with the following structure:

{
  "listen": ":443",
  "hosts": {
    "hostname": {
      "mode": "terminate|passthrough",
      "cert": "/path/to/cert.pem",
      "key": "/path/to/key.pem",
      "backend": "host:port",
      "proxy_protocol": "v1|v2"
    }
  }
}
Field Description
listen Address to listen on (e.g. :443, 0.0.0.0:8443)
hosts Map of hostname to route configuration
mode terminate (TLS termination) or passthrough (forward raw TLS)
cert Path to PEM certificate file (terminate mode only)
key Path to PEM private key file (terminate mode only)
backend Backend address as host:port
proxy_protocol Optional. v1 (text) or v2 (binary) to emit a PROXY protocol header to the backend so it sees the original client IP. Works in both modes. The backend must be configured to expect it, and only to trust PROXY headers from the tls-switch listener address — otherwise clients can spoof their source IP. Omit to disable (default).

Hot Reload

tls-switch watches the config file and certificate files for changes. When a change is detected:

  • The new config is validated
  • If valid, new connections use the updated config
  • Existing connections continue with their original config until they close naturally
  • If invalid, the change is rejected and the current config remains active

Development

# Set up development environment
make dev

# Cross-compile Go binaries
make go-build

# Run format check and lint
make check

# Auto-format code
make format

# Build wheel and docs
make build

Architecture

tls-switch is a single statically-linked Go binary with no runtime dependencies. It bundles:

  • TCP listener and accept loop
  • TLS ClientHello parsing and SNI extraction
  • TLS termination via the Go crypto/tls standard library
  • Raw passthrough using io.Copy for zero-copy forwarding where supported by the OS
  • Optional PROXY protocol v1/v2 header emission to the backend
  • Config + certificate file watching for hot reload
  • Coloured terminal logging

The binary is built with CGO_ENABLED=0 and works across macOS, Linux, and Windows on amd64 + arm64. It is distributed as platform-specific Python wheels for ease of installation via pip / uvx, but no Python is required to run it.

Licence

Released under the Unlicense — public domain.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distributions

No source distribution files available for this release.See tutorial on generating distribution archives.

Built Distributions

If you're not sure about the file name format, learn more about wheel file names.

tls_switch-1.1.1-py3-none-win_arm64.whl (2.0 MB view details)

Uploaded Python 3Windows ARM64

tls_switch-1.1.1-py3-none-win_amd64.whl (2.3 MB view details)

Uploaded Python 3Windows x86-64

tls_switch-1.1.1-py3-none-manylinux_2_17_x86_64.whl (2.2 MB view details)

Uploaded Python 3manylinux: glibc 2.17+ x86-64

tls_switch-1.1.1-py3-none-manylinux_2_17_aarch64.whl (2.0 MB view details)

Uploaded Python 3manylinux: glibc 2.17+ ARM64

tls_switch-1.1.1-py3-none-macosx_11_0_arm64.whl (2.1 MB view details)

Uploaded Python 3macOS 11.0+ ARM64

tls_switch-1.1.1-py3-none-macosx_10_9_x86_64.whl (2.3 MB view details)

Uploaded Python 3macOS 10.9+ x86-64

File details

Details for the file tls_switch-1.1.1-py3-none-win_arm64.whl.

File metadata

  • Download URL: tls_switch-1.1.1-py3-none-win_arm64.whl
  • Upload date:
  • Size: 2.0 MB
  • Tags: Python 3, Windows ARM64
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.5

File hashes

Hashes for tls_switch-1.1.1-py3-none-win_arm64.whl
Algorithm Hash digest
SHA256 ea9cfb8f3811d1f639deb414de4f6be6750b3040aa745570a62f0403eaaecfc1
MD5 e13d584c0536a3bf1e0dab9301e5eb0d
BLAKE2b-256 b72d9445fee003989d03ca4b71152330f0d03c1996a1954d4be44b7558fc3e76

See more details on using hashes here.

File details

Details for the file tls_switch-1.1.1-py3-none-win_amd64.whl.

File metadata

  • Download URL: tls_switch-1.1.1-py3-none-win_amd64.whl
  • Upload date:
  • Size: 2.3 MB
  • Tags: Python 3, Windows x86-64
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.14.5

File hashes

Hashes for tls_switch-1.1.1-py3-none-win_amd64.whl
Algorithm Hash digest
SHA256 d448fb139e9a8db7f9a4ad9d16d10abd88aa7eee97d87e787f256e1a87287860
MD5 b95defe431fd26e1223cb5b9f430d97d
BLAKE2b-256 0ef01fc40a3f8de08435e3a9b1f50cb6993c56b0901af1b97dc78f375b7fdd41

See more details on using hashes here.

File details

Details for the file tls_switch-1.1.1-py3-none-manylinux_2_17_x86_64.whl.

File metadata

File hashes

Hashes for tls_switch-1.1.1-py3-none-manylinux_2_17_x86_64.whl
Algorithm Hash digest
SHA256 7351949d48f5ce6eda5640c179b8685da71a0539d56bc6d929268be20ed973d2
MD5 48f31e4676f9202f37a6ab4817a1e4cd
BLAKE2b-256 09e2bc9ea321bd437f214b0357a5d87eb992312d6dadb2e04b7139bc17b784bd

See more details on using hashes here.

File details

Details for the file tls_switch-1.1.1-py3-none-manylinux_2_17_aarch64.whl.

File metadata

File hashes

Hashes for tls_switch-1.1.1-py3-none-manylinux_2_17_aarch64.whl
Algorithm Hash digest
SHA256 ee35291e4d37964baa7ad837fd239d1c4f3b2e7921c0f31708f17098c35763d8
MD5 5f76e064c4fc945602d75409d527a4dd
BLAKE2b-256 394942b1418ed0a5fab62ce5477750f1a556471129da8e7c4457f658a27c1874

See more details on using hashes here.

File details

Details for the file tls_switch-1.1.1-py3-none-macosx_11_0_arm64.whl.

File metadata

File hashes

Hashes for tls_switch-1.1.1-py3-none-macosx_11_0_arm64.whl
Algorithm Hash digest
SHA256 61e0c8ed5d2e91e09c43f301aba52b948151f32d1c807b664591407b66d80a92
MD5 d44ffc6bae4efb03c4cd098047d4d6aa
BLAKE2b-256 7d7a1a85f206d5c22e066e13c9655421f96cab6dee09d9ffb02abcdf8e284e6c

See more details on using hashes here.

File details

Details for the file tls_switch-1.1.1-py3-none-macosx_10_9_x86_64.whl.

File metadata

File hashes

Hashes for tls_switch-1.1.1-py3-none-macosx_10_9_x86_64.whl
Algorithm Hash digest
SHA256 c0fa27216282a740c5b836069eb4f021727250f8cc3b61982dfb0062eb9fd640
MD5 f344e9b2baf5cd8e69030017f7a110a2
BLAKE2b-256 3aa26082e3b1034e9ab685cd99425bd837fbdccfd5ba0f5771424868622015e7

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page