tlsrp

TLS reverse proxy
git clone git://git.rr3.xyz/tlsrp

README (2389B)


TLSRP(1)                      User Commands                           TLSRP(1)

NAME
       tlsrp - TLS reverse proxy

SYNOPSIS
       tlsrp config_path source...

       Each nonempty line in config_path has one of the following formats:
           cert crt_path key_path hostname...
           sink tcp [host]:port hostname...
           sink unix path hostname...

       source = tcp:[host]:[port] | unix:path

DESCRIPTION
       tlsrp accepts TLS-secured connections on one or more source sockets and
       tunnels the decrypted bytes to one of many sink sockets. tlsrp chooses
       the certificate and sink socket for each client (among those listed in
       the configuration file) based on the hostname specified by the client
       using the Server Name Indication (SNI) TLS extension. More
       specifically, the first cert (resp., sink) entry in the configuration
       file that matches the client's requested hostname is chosen. Clients
       without SNI support are handled using the first cert entry and the
       first sink entry in the configuration file.

       For TCP sinks, host defaults to the local system. For TCP sources, host
       defaults to all available unicast and anycast IP addresses of the local
       system, and port defaults to being automatically chosen (and logged to
       stderr).

       The entire configuration file (in particular, all certificates within)
       is reloaded upon receipt of SIGHUP.

NOTES
       While certificates and sinks may be updated dynamically with zero down
       time by sending SIGHUP, the same is not possible for sources. Indeed,
       it's difficult, if not sometimes impossible, to change source sockets
       without down time. Changing sources with zero down time is best handled
       in other ways.

EXAMPLE
       Assume the following situation:

           $ ls /srv
           config.tlsrp  crt.pem  http.sock  key.pem

           $ cat config.tlsrp
           cert /srv/crt.pem /srv/key.pem example.com
           sink unix /srv/http.sock example.com

       Then to proxy all local connections at example.com from TCP port 443 to
       the HTTP (not HTTPS!) server listening on http.sock, run

           # tlsrp config.tlsrp tcp::443

SEE ALSO
       RFC 3546 <https://www.rfc-editor.org/rfc/rfc3546>

tlsrp                              2024-07-15                           TLSRP(1)
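The config format from SYNOPSIS and the first-match selection rule from DESCRIPTION, modelled in Python as an added example (not code from tlsrp itself). It assumes hostname comparison is exact and case-insensitive (the man page does not say), and adds a lint for hostnames that have a cert entry but no sink entry, or the reverse; the sample config is constructed.

```python
from collections import namedtuple

# Constructed sample in the format the man page describes (not a file from the project).
SAMPLE_CONFIG = """
cert /srv/crt.pem /srv/key.pem example.com www.example.com
cert /srv/api.crt /srv/api.key api.example.com

sink unix /srv/http.sock example.com www.example.com
sink tcp :8080 api.example.com
"""

Cert = namedtuple("Cert", "crt_path key_path hostnames")
Sink = namedtuple("Sink", "kind address hostnames")  # kind: "tcp" or "unix"

def parse_config(text):
    """Parse cert/sink lines in file order; a malformed line raises ValueError."""
    certs, sinks = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        f = raw.split()
        if not f:
            continue  # only nonempty lines carry entries
        hosts = tuple(h.lower() for h in f[3:])
        if f[0] == "cert" and len(f) >= 4:
            certs.append(Cert(f[1], f[2], hosts))
        elif f[0] == "sink" and len(f) >= 4 and f[1] in ("tcp", "unix"):
            sinks.append(Sink(f[1], f[2], hosts))
        else:
            raise ValueError(f"line {lineno}: malformed entry: {raw!r}")
    return certs, sinks

def select(certs, sinks, sni):
    """First cert and first sink listing the SNI name, in file order; a client
    without SNI gets the first entry of each list (so order defines the default).
    Assumption: exact, case-insensitive comparison; no match yields None."""
    if sni is None:
        return certs[0], sinks[0]
    name = sni.lower()
    return (next((c for c in certs if name in c.hostnames), None),
            next((s for s in sinks if name in s.hostnames), None))

def unrouted(certs, sinks):
    """Hostnames that have a cert but no sink, or a sink but no cert."""
    cert_hosts = {h for c in certs for h in c.hostnames}
    sink_hosts = {h for s in sinks for h in s.hostnames}
    return cert_hosts ^ sink_hosts

if __name__ == "__main__":
    certs, sinks = parse_config(SAMPLE_CONFIG)
    print(select(certs, sinks, "api.example.com"), unrouted(certs, sinks))
```

Because the no-SNI fallback is the first entry of each kind, the cert and sink you intend as the default belong at the top of the file; running `unrouted` before sending SIGHUP catches a hostname that would get a certificate but no backend.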