-
Notifications
You must be signed in to change notification settings - Fork 211
Tls Proxying
Illarion Kovalchuk edited this page Mar 20, 2017
·
1 revision
(since 0.4.0)
In some rare cases it is needed to expose a service that lacks configuration or is a third-party system and the only way to connect to it is via TLS/SSL. When tls proxying is configured, gobetween acts as a configured tls client, that connects to backends and proxies data in both directions between real client and selected backend. Real client can use another TLS certificate or connect via plain tcp, depending on gobetween configuration (see Protocols )
Configuration:
[servers.default.backends_tls] # (optional) backends tls options (if present -- conntect to backends via tls)
ignore_verify = false # (optional) insecure, disable tls certificate verification while connecting to backends
root_ca_cert_path = "/path/to/file.pem" # (optional) path to series of root PEM encoded certificates.
# By default the host's root CA set is used (on many linux distros it's /etc/ssl/cert.pem)
# Client certificate used by gobetween to make authenticated requests to backends.
# Use this only if required by backends
cert_path = "/path/to/file.crt" # (optional) path to crt file
key_path = "/path/to/file.key" # (optional) path to key file
min_version = "tls1" # (optional) "ssl3" | "tls1" | "tls1.1" | "tls1.2" - minimum allowed tls version
max_version = "tls1.2" # (optional) maximum allowed tls version
ciphers = [] # (optional) list of supported ciphers. Empty means all supported.
# For a list see https://golang.org/pkg/crypto/tls/#pkg-constants
prefer_server_ciphers = false # (optional) if true server selects server's most preferred cipher
session_tickets = true # (optional) if true enables session tickets
All settings are optional and it is possible to reduce TLS Proxying configuration just to enabling backends tls:
[servers.default.backends_tls]
Tls proxying supports both tcp and tls in server.protocol setting, but does not support udp.