plain_tls_port
This server exposes a TLS listening port in front of another local server.
It terminates TLS locally and then forwards the decrypted TCP stream to another server.
The following common keys are supported:
-
This is required for this server.
listen
required, type: tcp listen
Listening configuration for this server.
The instance count setting will be ignored if listen_in_worker is correctly enabled.
server
required, type: str
Name of the next server to which accepted connections are forwarded.
The next server must be able to accept TLS connections.
Despite the older wording, the config only requires a downstream server name. This server itself is responsible for the client-side TLS handshake.
proxy_protocol
optional, type: proxy protocol version
PROXY Protocol version expected on incoming TCP connections.
If set, connections with no matched PROXY Protocol message will be dropped.
The TLS handshake with the client will happen after we receive the PROXY Protocol message.
Note
The ingress_network_filter option on this server always applies to
the real socket client address.
default: not set, which means PROXY protocol won’t be used
Added in version 1.7.19.
proxy_protocol_read_timeout
optional, type: humanize duration
Timeout for reading a complete PROXY Protocol message.
default: 5s
Added in version 1.7.19.
Example
listen: 0.0.0.0:443
tls_server:
cert_pairs:
- certificate: server.crt
private_key: server.key
server: tcp-stream-in