I have a particular task I need to accomplish in which an HTTP-only caching proxy server is to accept SSL. The architecture in mind is as follows:
- Receive request
  - HTTP request: received by caching proxy at localhost:80
  - HTTPS request: received by Pound, decoded to HTTP, X-FROM-SSL header added, forwarded to localhost:80 (caching proxy)
- Proxy receives HTTP request
  - Perform caching
  - If X-FROM-SSL, forward to localhost:8088
  - Else forward to HTTP server
It is at this point that two design options come into play, both using stunnel. Either use SNI or use stunnel and HTTP. Via SNI, this would appear as follows:
- Stunnel receives HTTP request
  - Forward to https://http-server:443/ with SNI

This of course requires that stunnel can read the 'Host' header out of an HTTP request and use that for SNI automatically (there are some 300 virtual hosts on that server). If not, this is infeasible.
Which is my question, of course: can this be done?
If this isn't an option, then the next logical way to handle this problem is:
- Stunnel receives HTTP request
  - SSL encrypt
  - Forward to http-server:8443
- http-server receives HTTP over stunnel
  - stunnel receives on http-server:8443
  - Decrypt and forward to http://localhost:80/
In this way the entire connection would be encrypted, and the HTTP server would see the Host: header and use that to figure out the virtual host etc.
Is that the better/only way?
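The second design (stunnel client on the proxy host, stunnel server on http-server) as an added configuration example, not part of the original question; it assumes stunnel 5.x, the hostname http-server.example, a private CA file and certificate paths that are placeholders.

```ini
; --- On the caching-proxy host (stunnel in client mode) ---
; Accepts the plain HTTP the caching proxy forwards to localhost:8088
; and wraps it in TLS towards the stunnel server on http-server:8443.
; Hostnames, CA and certificate paths below are assumptions for this example.
[proxy-to-http-server]
client = yes
accept = 127.0.0.1:8088
connect = http-server.example:8443
; Verify the server certificate against the internal CA so that a host
; impersonating http-server cannot read or alter the tunneled traffic.
verifyChain = yes
CAfile = /etc/stunnel/internal-ca.pem
checkHost = http-server.example
; In client mode the sni option is a fixed string; stunnel does not
; derive it from the HTTP Host header of the request it is tunneling.
sni = http-server.example

; --- On http-server (stunnel in server mode) ---
; Terminates the tunnel and hands the request to the local HTTP server,
; which still sees the original Host: header for virtual-host selection.
[http-server-tunnel]
accept = 8443
connect = 127.0.0.1:80
cert = /etc/stunnel/http-server.pem
key = /etc/stunnel/http-server.key
; Require a client certificate issued by the internal CA so that only the
; caching-proxy host can reach port 80 through the tunnel.
verifyChain = yes
CAfile = /etc/stunnel/internal-ca.pem
```

Because the caching proxy routes on X-FROM-SSL, it should strip that header from requests arriving directly on its plain-HTTP listener, so only the Pound hop can set it.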