tlsrp

TLS reverse proxy
git clone git://git.rr3.xyz/tlsrp

commit 2d45a8d1d6e6e8eb767d13bb6403a441461bc362
parent 2e55e2f8444fafd5e86d8fd18db619f706f97808
Author: Robert Russell <robertrussell.72001@gmail.com>
Date:   Tue, 16 Jul 2024 17:30:43 -0700

Derive a README from the man page

Diffstat:
A README | 60 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 60 insertions(+), 0 deletions(-)

diff --git a/README b/README 
@@ -0,0 +1,60 @@ +TLSRP(1) User Commands TLSRP(1) + +NAME + tlsrp - TLS reverse proxy + +SYNOPSIS + tlsrp config_path source... + + Each nonempty line in config_path has one of the following formats: + cert crt_path key_path hostname... + sink tcp [host]:port hostname... + sink unix path hostname... + + source = tcp:[host]:[port] | unix:path + +DESCRIPTION + tlsrp accepts TLS-secured connections on one or more source sockets and + tunnels the decrypted bytes to one of many sink sockets. tlsrp chooses + the certificate and sink socket for each client (among those listed in + the configuration file) based on the hostname specified by the client + using the Server Name Indication (SNI) TLS extension. More + specifically, the first cert (resp., sink) entry in the configuration + file that matches the client's requested hostname is chosen. Clients + without SNI support are handled using the first cert entry and the + first sink entry in the configuration file. + + For TCP sinks, host defaults to the local system. For TCP sources, host + defaults to all available unicast and anycast IP addresses of the local + system, and port defaults to being automatically chosen (and logged to + stderr). + + The entire configuration file (in particular, all certificates within) + is reloaded upon receipt of SIGHUP. + +NOTES + While certificates and sinks may be updated dynamically with zero down + time by sending SIGHUP, the same is not possible for sources. Indeed, + it's difficult, if not sometimes impossible, to change source sockets + without down time. Changing sources with zero down time is best handled + in other ways. + +EXAMPLE + Assume the following situation: + + $ ls /srv + config.tlsrp crt.pem http.sock key.pem + + $ cat config.tlsrp + cert /srv/crt.pem /srv/key.pem example.com + sink unix /srv/http.sock example.com + + Then to proxy all local connections at example.com from TCP port 443 to + the HTTP (not HTTPS!) 
server listening on http.sock, run + + # tlsrp config.tlsrp tcp::443 + +SEE ALSO + RFC 3546 <https://www.rfc-editor.org/rfc/rfc3546> + +tlsrp 2024-07-15 TLSRP(1)
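Review bot: the DESCRIPTION paragraph states that clients without SNI are handled with the first cert entry and the first sink entry, but the page never tells the operator what that implies: whichever sink line is written first becomes the backend for every client that sends no hostname, and whichever cert line is first is the certificate presented to them. Suggest adding a sentence to NOTES along the lines of "Order the configuration file so that the first cert and sink entries are the ones that should serve clients that send no SNI hostname, since those entries act as the default." In the same spirit, the statement that TCP source host "defaults to all available unicast and anycast IP addresses of the local system" deserves a line in the SYNOPSIS or EXAMPLE showing the explicit form (tcp:host:port) for operators who want to listen on one address only. Minor: the header line `diff --git a/README b/README ` ends with a trailing space.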