openssl_proxy
A layer-4 TLS reverse proxy server based on Rustls.
The following common keys are supported:
listen
optional, type: tcp listen
Set the listen config for this server.
The instance count setting will be ignored if listen_in_worker is correctly enabled.
default: not set
client_hello_recv_timeout
optional, type: humanize duration
Set the timeout value for the wait of initial client hello data.
default: 10s
client_hello_max_size
optional, type: humanize u32
Set the max allowed Client Hello Handshake message size.
default: 16K
Added in version 0.3.7.
accept_timeout
optional, type: humanize duration
Set the timeout value for the accept of the full TLS handshake.
default: 60s
spawn_task_unconstrained
optional, type: bool
Set whether tasks should be spawned in tokio's unconstrained mode.
default: false
alert_unrecognized_name
optional, type: bool
Set whether a TLS alert should be sent when no host config can be recognized.
default: false
tls_no_async_mode
optional, type: bool
Set to true to disable the use of the OpenSSL async engine when the openssl-async-job feature is enabled.
default: false
Added in version 0.3.7.
virtual_hosts
required, type: host matched object <host>
Set the list of hosts we should handle based on host match rules.
If not set, all requests will be handled.
Example:
hosts:
  - name: bench
    exact_match: bench.example.net
    cert_pairs:
      certificate: bench.example.net-ec256.crt
      private_key: bench.example.net-ec256.key
    backends:
      - http
default: not set
Host
This sets the config for an OpenSSL virtual host.
name
required, type: metric node name
Set the name of this virtual host.
default: not set
cert_pairs
optional, type: tls cert pair or seq
Set certificate and private key pairs for this TLS server.
If not set, TLS protocol will be disabled.
default: not set
tlcp_cert_pairs
optional, type: tlcp cert pair or seq
Set certificate and private key pairs for this TLCP server.
If not set, TLCP protocol will be disabled.
enable_client_auth
optional, type: bool
Set if you want to enable client auth.
default: disabled
session_id_context
optional, type: str
A string that will be added to the prefix when calculating the session id context SHA-1 hash.
default: not set
no_session_ticket
optional, type: bool
Set if we should disable TLS session ticket (stateless session resumption by Session Ticket).
default: false
Added in version 0.3.3.
no_session_cache
optional, type: bool
Set if we should disable TLS session cache (stateful session resumption by Session ID).
default: false
Added in version 0.3.3.
ca_certificate
optional, type: tls certificates
A list of CA certificates used to verify client certificates for client auth. If not set, the system default CA certificates will be used.
default: not set
request_rate_limit
optional, type: rate limit quota
Set rate limit on request.
default: no limit
request_max_alive
optional, type: usize, alias: request_alive_max
Set max alive requests at virtual host level.
Even if not set, the max alive requests should not be more than usize::MAX.
default: no limit
tcp_sock_speed_limit
optional, type: tcp socket speed limit
Set speed limit for each tcp socket.
This will overwrite the server level tcp_sock_speed_limit.
default: not set
task_idle_max_count
optional, type: usize
The task will be closed once the idle check has returned IDLE this many times.
This will overwrite the server level task_idle_max_count.
default: not set
backends
required, type: alpn matched object <backend>
Set the list of backends we should handle based on ALPN match rules.
Example:
A single ALPN value:
backends:
  protocol: HTTP/1.1
  backend: foo
Two single ALPN values:
backends:
  - protocol: HTTP/1.1
    backend: foo
  - protocol: H2
    backend: bar
No ALPN value:
backends:
  - foo
default: not set
Backend
This is the backend config to be used in host backends.
It can be a map value with the following keys:
backend
required, type: metric node name
Set the name of the backend to use.
It can also be written as a metric node name value when needed.
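The following complete server config is an added example assembled from the keys documented on this page; it is not from the original page or the g3 project. The wrapper keys (name, type), the listen address string, the certificate and CA file paths, the backend names (h2_backend, http_backend, legacy_backend) and the single-path form of ca_certificate are assumptions for illustration. It shows one virtual host that requires client certificates against a dedicated CA with both resumption mechanisms disabled, and a second host that uses defaults, each with the ALPN-matched backend map form and the plain list form respectively.

```yaml
# Added example (not from the original page): one openssl_proxy server.
# `name`/`type` wrapper keys, paths and backend names are assumptions.
name: tls_edge
type: openssl_proxy
listen: "[::]:443"                 # assumed string form of "tcp listen"
client_hello_recv_timeout: 5s      # drop clients that never send a Client Hello
client_hello_max_size: 16K
accept_timeout: 30s                # bound the time a half-finished handshake can hold a task
spawn_task_unconstrained: false
alert_unrecognized_name: true      # explicit TLS alert when SNI matches no host
virtual_hosts:
  - name: api
    exact_match: api.example.net
    cert_pairs:
      certificate: api.example.net-ec256.crt
      private_key: api.example.net-ec256.key
    enable_client_auth: true
    ca_certificate: client-ca.pem  # assumed single-path form; only this CA's clients pass
    session_id_context: api-v1
    no_session_ticket: true        # no stateless resumption
    no_session_cache: true         # no stateful resumption either
    request_max_alive: 4096
    task_idle_max_count: 3
    backends:                      # ALPN-matched backend map form
      - protocol: H2
        backend: h2_backend
      - protocol: HTTP/1.1
        backend: http_backend
  - name: legacy
    exact_match: legacy.example.net
    cert_pairs:
      certificate: legacy.example.net-rsa2048.crt
      private_key: legacy.example.net-rsa2048.key
    backends:                      # no ALPN value: plain backend name list
      - legacy_backend
```

With alert_unrecognized_name left at its default of false, a client whose SNI matches neither host is closed without an alert; setting it to true makes that failure visible to the client and easier to distinguish from network problems in client-side logs. Disabling both session tickets and the session cache on the client-auth host forces a full handshake, and therefore a fresh client certificate check, on every connection.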