HTTP(S)
HTTP(S) is a widely used application protocol that USP can securely proxy between external clients and internal services. When acting as an HTTP or HTTPS reverse proxy, USP breaks the session in the DMZ, optionally authenticates the partner, and establishes a new outbound connection to the internal target.
HTTPS connections add a TLS layer on both inbound and outbound legs, allowing USP to authenticate servers (and optionally clients) using certificates while preserving standard HTTP request and response semantics.
Connection Flow
- The partner sends an HTTP or HTTPS request to the Listener's port on the USP Server.
- USP evaluates the incoming connection against the Listener's associated Route and selects the appropriate Inbound Node based on peer address and priority. If no Inbound Node matches, the connection is rejected.
- For HTTPS settings, USP can:
  - Establish a standard one-way TLS connection where USP Server is authenticated.
  - Enforce mTLS, where both the USP Server and the partner are authenticated.
- USP optionally authenticates client credentials (username and password).
- After authentication succeeds, USP creates a new HTTP(S) connection to the internal server using the configuration defined in the Outbound Node.
- If the internal target uses HTTPS, USP can:
  - Establish a standard one-way TLS connection where the internal target is authenticated.
  - Enforce mTLS, where both the USP Server and the internal target are authenticated.
- USP authenticates to the internal target either by passing on the username and password presented by the partner or by using a different, separately configured set of credentials.
- Once both sessions are established, USP links the inbound and outbound HTTP(S) control channels.
- USP forwards HTTP requests and responses between the client and the internal target.
Authentication
HTTP(S) authentication operates at two layers:
- TLS layer, where USP establishes a secure transport channel. See Inbound and Outbound mTLS.
- Protocol layer, where partners authenticate using standard HTTP(S) commands. See Partner Authentication to USP and the Internal Target.
Inbound and Outbound mTLS
USP can enforce mTLS on both inbound and outbound HTTPS connections, ensuring that both the partner's client and the internal target are fully authenticated at the TLS layer.
For more information, refer to Inbound and Outbound Authentication for HTTP(S).
Partner Authentication to USP and the Internal Target
Partner authentication applies both to the inbound connection to USP and to the outbound connection to the internal target.
HTTP(S) allows the following authentication options at the protocol layer:
- Basic (Password): The partner authenticates using an HTTP Authorization: Basic header, which USP validates against the configured Inbound Authentication Source (Account Repository or LDAP).
- None: No protocol-layer authentication. The connection may still be protected by TLS.
When Authentication at the Proxy is enabled, USP validates these credentials using the configured Inbound Authentication Source (Account Repository or LDAP).
After this optional inbound authentication, USP can either forward the partner's username and password to the internal target or use a different set of credentials explicitly configured in the HTTP(S) Rule.
For more information, refer to Rules.
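The proxy-side Basic authentication step and the forward-or-substitute credential choice described above, as an added Python example that is not part of USP's documentation or code. The account repository, the two rule dictionaries and all credentials are constructed stand-ins for the Inbound Authentication Source and the HTTP(S) Rule.

```python
import base64
import hmac
from typing import Optional, Tuple

# Constructed stand-in for the Inbound Authentication Source (Account Repository).
# A real repository or LDAP would hold password hashes; plain values keep this self-contained.
ACCOUNT_REPOSITORY = {"partner1": "s3cret"}

# Constructed stand-ins for an HTTP(S) Rule: forward the partner's credentials to the
# internal target, or substitute a separately configured set.
RULE_FORWARD = {"outbound_credentials": "forward"}
RULE_SUBSTITUTE = {"outbound_credentials": ("svc-user", "svc-pass")}


def parse_basic(header: Optional[str]) -> Optional[Tuple[str, str]]:
    """Return (username, password) from an 'Authorization: Basic' value, or None if malformed."""
    if not header:
        return None
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):  # binascii.Error is a ValueError subclass
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def authenticate_at_proxy(header: Optional[str]) -> Optional[str]:
    """Validate the partner's credentials in the DMZ; return the username on success."""
    creds = parse_basic(header)
    if creds is None:
        return None
    user, password = creds
    expected = ACCOUNT_REPOSITORY.get(user)
    # Constant-time comparison so response timing does not reveal partial matches.
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return None
    return user


def build_outbound_authorization(inbound_header: Optional[str], rule: dict) -> Optional[str]:
    """Break the session at the proxy, then build the Authorization header for the outbound leg."""
    if authenticate_at_proxy(inbound_header) is None:
        return None  # rejected in the DMZ: no outbound connection is opened
    if rule["outbound_credentials"] == "forward":
        return inbound_header  # pass the partner's own credentials to the internal target
    out_user, out_pass = rule["outbound_credentials"]
    return "Basic " + base64.b64encode(f"{out_user}:{out_pass}".encode()).decode()
```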