Forward == bad<p>Reverse == good<p>> Offloading the SSL (https) security to a particular web server. This server will store the private key of your certificate and terminate the SSL connections. It will then forward the requests to the internal web servers using plain HTTP.<p>Don't do this if you're passing secrets (OAuth tokens, user/pass, etc.). Use an SSL cert between the RP and target server. SSL sessions can stay open/re-negotiation isn't required. Feel free to decrypt on the RP to perform inspection functions, i.e. web app firewall.<p>RPs are fun! My favorite combination is OpenBSD leveraging CARP and HAProxy. Chefs kiss of RPs.