I use a combination of services for this. I keep Apache2 listening only on localhost, while I have Pound listen to the outside world. I've set up Pound to use my self-signed cert, and it will then forward the requests to Apache2. Pound is similar to Squid, but does no caching.

Clinton

Pound: http://www.apsis.ch/pound/
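A check for the layout described above, as an added example that is not part of the original post: it parses `ss -H -ltnp` output and reports which processes listen on non-loopback addresses, so you can confirm the backend is reachable only through the proxy. The process names `apache2` and `pound`, the ports, and the sample output are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample of `ss -H -ltnp` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 511 127.0.0.1:8080 0.0.0.0:* users:(("apache2",pid=812,fd=4),("apache2",pid=813,fd=4))
LISTEN 0 128 0.0.0.0:443 0.0.0.0:* users:(("pound",pid=790,fd=5))
LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=640,fd=3))
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:* users:(("systemd-resolve",pid=500,fd=14))
"""


def is_loopback(host):
    """True if the local address is a loopback address (127.0.0.0/8 or ::1)."""
    host = host.strip("[]").split("%", 1)[0]  # drop IPv6 brackets and %iface scope
    if host == "*":  # ss prints "*" for a wildcard bind
        return False
    return ipaddress.ip_address(host).is_loopback


def exposed_listeners(ss_output):
    """Return {process: sorted [(host, port)]} for sockets not bound to loopback."""
    exposed = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue
        host, port = fields[3].rsplit(":", 1)
        if is_loopback(host):
            continue
        # One socket can be shared by several worker processes; count each name once.
        for name in set(re.findall(r'\("([^"]+)",pid=', fields[5])):
            exposed.setdefault(name, set()).add((host, int(port)))
    return {name: sorted(socks) for name, socks in exposed.items()}


def backend_is_private(ss_output, backend="apache2"):
    """True if the backend process has no listener outside loopback."""
    return backend not in exposed_listeners(ss_output)


if __name__ == "__main__":
    for proc, socks in exposed_listeners(SAMPLE_SS).items():
        print(proc, socks)
    print("backend private:", backend_is_private(SAMPLE_SS))
```

On a live host, feed it the output of `ss -H -ltnp` run as root so the process names are included.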