https --> http lightweight proxy

Solution 1:

I believe you are looking for stunnel:

Stunnel is a proxy designed to add TLS encryption functionality to existing clients and servers without any changes in the programs' code.

Solution 2:

I'd personally look at Hitch. Rather than running a full-fat web server (Apache), Hitch is purpose-built to terminate TLS connections.

It's built by the Varnish team and has an excellent security track record, along with being async IO driven, so it is much leaner/faster than Apache2's process-per-connection model.

https://hitch-tls.org/

Solution 3:

As I understood this, you want tinyproxy to terminate TLS and speak plain HTTP to the backend.

It seems that this is unsupported by tinyproxy:

No, tinyproxy does not support transparent HTTPS proxying. Only transparent HTTP proxy. Rerouting port 443 to port 80 will not work; those are two very different protocols. The only way is to manually set up proxy in the system/environment, or in the browser.

If HTTPS transparent proxying is a must, consider using Squid.

But you can use Apache (packages httpd and mod_ssl) to do this:

Note: I'm assuming that your backend server binds to port 8080 (as it makes things easier with SELinux). For details see semanage port, httpd_selinux.

  • Set up Apache to use TLS (see e.g. Digicert's guide, plus security recommendations)
  • You should end up with something like this:

        <VirtualHost *:443>
            DocumentRoot /var/www/html
            ServerName www.yourdomain.com
            SSLEngine on
            SSLCertificateFile /path/to/your_domain_name.crt
            SSLCertificateKeyFile /path/to/your_private.key
            SSLCertificateChainFile /path/to/chain.crt
        </VirtualHost>

  • Add the directives for proxying:

        [...]
            SSLCertificateChainFile /path/to/chain.crt
            # httpd has no ProxyEngine directive; ProxyPass alone enables reverse proxying
            # SSLProxyEngine only takes effect when a backend is reached over https
            SSLProxyEngine on
            # Forward every request to the plain-HTTP backend on loopback
            ProxyPass / http://localhost:8080/
            # Rewrite backend URLs in redirect headers to the public name
            ProxyPassReverse / http://localhost:8080/
            <Proxy http://localhost:8080/>
                Require all granted
            </Proxy>
  • Set up SELinux: setsebool -P httpd_can_network_relay=1
  • Restart httpd: systemctl restart httpd
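
A check for the vhost built in Solution 3, as an added example that is not part of the original answer: it audits a TLS-offloading vhost for the settings that decide whether traffic is actually protected. The names `audit_tls_offload`, `directives`, `LOOPBACK` and `SAMPLE_VHOST` are hypothetical, and the sample config is constructed from the answer's snippets.

```python
from urllib.parse import urlsplit

LOOPBACK = {"localhost", "127.0.0.1", "::1"}

# Constructed sample: the answer's vhost with the proxy directives added.
SAMPLE_VHOST = """\
<VirtualHost *:443>
    ServerName www.yourdomain.com
    SSLEngine on
    SSLCertificateFile /path/to/your_domain_name.crt
    SSLCertificateKeyFile /path/to/your_private.key
    ProxyPass / http://localhost:8080/
    ProxyPassReverse / http://localhost:8080/
</VirtualHost>
"""

def directives(conf):
    """Yield (lowercased name, args) per directive; skip comments and <Section> tags."""
    for line in conf.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith(("#", "<")):
            yield parts[0].lower(), parts[1:]

def audit_tls_offload(conf):
    """Return findings for a vhost that terminates TLS and proxies over plain HTTP."""
    d = list(directives(conf))
    values = lambda name: [args for n, args in d if n == name]
    is_on = lambda name: any(a and a[0].lower() == "on" for a in values(name))
    findings = []
    if not is_on("sslengine"):
        findings.append("SSLEngine is not on: the vhost would not terminate TLS")
    if is_on("proxyrequests"):
        findings.append("ProxyRequests On: httpd would also act as a forward proxy")
    passes = [a for a in values("proxypass") if len(a) >= 2]
    if not passes:
        findings.append("no ProxyPass: nothing is forwarded to the backend")
    for path, target, *_ in passes:
        url = urlsplit(target)
        if url.scheme == "http" and url.hostname not in LOOPBACK:
            findings.append(f"plaintext hop to {target} leaves the host unencrypted")
    reverse = {tuple(a[:2]) for a in values("proxypassreverse")}
    if {tuple(a[:2]) for a in passes} != reverse:
        findings.append("ProxyPassReverse does not mirror ProxyPass: "
                        "backend URLs can appear in redirects")
    return findings

if __name__ == "__main__":
    print(audit_tls_offload(SAMPLE_VHOST) or "no findings")
```

The loopback check matters because everything behind the TLS terminator travels as plain HTTP, so a backend on another host puts that traffic on the network unencrypted.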