going with hitch for TLS termination I think

stunnel is still in the running, need to compare build complexity
@xj9 I was going to say "I haven't been using it because they don't support PROXY protocol so backends can get the connecting IP address", but I see on their front page that they support it now!!!
@sjw @xj9 Hitch is an extremely tiny program that accepts TLS connections and converts them to a regular unencrypted data socket. The goal is to move TLS handling out of applications like web servers etc. and reduce vulnerability footprint.

In the past I didn't use it because, when you put it in front of a web server, you lose the original IP address.

But, there is a protocol called PROXY protocol that lets you do raw TCP streams but it prepends info about the connection (originating IP, port) so that the backend has access to that information.

Hitch used to not have support for that, now it does.
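The PROXY protocol v1 line described in the post above, as parsed on the backend side; this is an added example, not code from Hitch or from anyone in this thread, and the addresses and the trusted-proxy list are constructed assumptions. It also shows the check a backend needs: the prepended address is honoured only when the TCP peer is the trusted TLS terminator, otherwise any client could forge it.

```python
import ipaddress

MAX_V1_HEADER = 107  # longest legal v1 line, CRLF included (HAProxy spec)

def parse_proxy_v1(data: bytes):
    """Parse a PROXY protocol v1 line at the start of `data`.

    Returns (info, payload): info holds the original source/destination
    address and port (None for UNKNOWN), payload is what follows the line.
    Raises ValueError on malformed input so the caller can drop the connection.
    """
    end = data.find(b"\r\n", 0, MAX_V1_HEADER)
    if end == -1:
        raise ValueError("no CRLF within 107 bytes")
    fields = data[:end].split(b" ")
    payload = data[end + 2:]
    if len(fields) < 2 or fields[0] != b"PROXY":
        raise ValueError("missing PROXY signature")
    family = fields[1].decode("ascii", "strict")
    if family == "UNKNOWN":
        # The proxy could not determine the client address; the rest is ignored.
        return {"family": family, "src": None, "dst": None,
                "src_port": None, "dst_port": None}, payload
    if family not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("bad address family or field count")
    src = ipaddress.ip_address(fields[2].decode("ascii"))
    dst = ipaddress.ip_address(fields[3].decode("ascii"))
    want = 4 if family == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("addresses do not match declared family")
    src_port, dst_port = int(fields[4]), int(fields[5])
    if not (0 <= src_port <= 65535 and 0 <= dst_port <= 65535):
        raise ValueError("port out of range")
    return {"family": family, "src": str(src), "dst": str(dst),
            "src_port": src_port, "dst_port": dst_port}, payload

def original_client(peer_ip: str, data: bytes, trusted_proxies):
    """Return (client_ip, payload), honouring the header only when the TCP
    peer is a trusted proxy such as the Hitch host (assumed address list).
    A backend that accepts PROXY lines from anyone lets clients spoof their IP."""
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    if ipaddress.ip_address(peer_ip) not in trusted:
        return peer_ip, data
    info, payload = parse_proxy_v1(data)
    return (info["src"] or peer_ip), payload

# Constructed sample: a line the TLS terminator would prepend, then the client's request.
SAMPLE = b"PROXY TCP4 192.0.2.10 198.51.100.5 56324 443\r\nGET / HTTP/1.0\r\n"
if __name__ == "__main__":
    print(original_client("10.0.0.2", SAMPLE, ["10.0.0.2"]))
```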
@moonman @sjw

do you have any suggestions for a caching reverse proxy? i've been looking at squid for that. right now i have nginx doing ssl termination, reverse proxy, and static file hosting. so depending on the thing i'd like to split things up based on a role:

net -> hitch -> quark
net -> hitch -> squid? -> yggdrasil -> tinyproxy? -> service
net <- tinyproxy <- yggdrasil <- service

the problem with tinyproxy is that it doesn't cache anything, works better as an outbound proxy for pleroma and other things.
@xj9 @sjw I don't have enough experience with any of them, I have done a tiny bit of Varnish proxying which worked well, but I got burned when they moved from version 2 to 3 and changed the DSL.

@moonman
Was going to suggest Hitch + Varnish as most elegant and powerful combo but with high learning curve for Varnish.
@sjw @xj9
