Reverse proxy
A reverse proxy is the server-side counterpart to TON Proxy. It accepts inbound ADNL connections from TON Sites users and forwards them as HTTP requests to a local web server. It is what makes a .ton domain addressable without the hoster ever exposing HTTPS, TLS certificates, or a public web port.
What it does
Section titled “What it does”A TON Site is reached over ADNL, not TCP/443. To serve one, a reverse proxy sits between the public ADNL endpoint and the local web server:
- A client resolves the .ton domain to an ADNL address via TON DNS.
- The client opens an ADNL connection to the reverse proxy’s public IP on the UDP port bound to that ADNL address.
- The reverse proxy decodes the RLDP-HTTP payload and forwards the plain HTTP request to a local web server (usually
127.0.0.1:80). - The response path is inverted: the local server replies in plain HTTP, the reverse proxy wraps the response back into RLDP-HTTP, and the client receives it over ADNL.
The operator never exposes HTTP/HTTPS on a public port. Ownership of the site is proven on-chain: whoever controls the .ton domain’s site record controls which ADNL address serves requests for that name.
When to use it
Section titled “When to use it”- Host a TON Site. A reverse proxy is the only way to make a web server reachable by .ton domain name.
- Replace TLS with on-chain identity. Authentication, routing, and ownership all come from the .ton NFT and the ADNL address, not from a certificate authority.
- Expose a local service on TON. Any HTTP service running on
127.0.0.1can be proxied to an ADNL endpoint without touching the public TCP network.
Implementations
Section titled “Implementations”Two implementations are in production use:
rldp-http-proxy: reference implementation from the TON monorepo. Requires manual ADNL key generation and explicit CLI flags.tonutils-reverse-proxy: Go implementation with automatic key generation and a QR-code flow for binding the ADNL address to a .ton domain. Friendlier for one-off deployments.
Both follow the same protocol and are interoperable at the network level.
Set up
Section titled “Set up”Step-by-step installation, key generation, domain binding, and troubleshooting for both implementations are in How to set up TON Proxy → Reverse proxy.
Related pages
Section titled “Related pages”- TON Proxy: forward and reverse proxy architecture
- How to set up TON Proxy: full installation guide
- TON Sites: what a TON Site is
- TON DNS: binding the ADNL address to a .ton domain