Hacker News

novotimo, yesterday at 12:55 AM (1 reply)

I’ve been working on a TLS proxy/TLS terminator that can handle 3000 TLS handshakes per second (basically an stunnel replacement, but stunnel crashes at under 100 handshakes per second) as a pet project, but I’ve realized that with some polishing this can be really useful.

https://github.com/novotimo/tlsproxy

This is still in development (still to do: privilege dropping, in-place config reloads, log burst suppression, multiple listen sockets (which, paired with the Linux kernel, gives free load balancing capabilities), and detailed TLS configurability), but it already matches the speed of both nginx and HAProxy (entirely bottlenecked by OpenSSL crypto at this point) at a tiny fraction of the attack surface and memory footprint (10-15kb per worker process last time I checked).

If anyone wants to take a look, please roast my code :)


Replies

cindyllm, yesterday at 1:03 AM

[dead]