plain_tls_port

This server exposes a TLS listening port in front of another local server.

It terminates TLS locally and then forwards the decrypted TCP stream to another server.

The following common keys are supported:

listen

required, type: tcp listen

Listening configuration for this server.

The instance count setting will be ignored if listen_in_worker is correctly enabled.

server

required, type: str

Name of the next server to which accepted connections are forwarded.

The next server must be able to accept TLS connections.

Despite the older wording, the config only requires a downstream server name. This server itself is responsible for the client-side TLS handshake.

proxy_protocol

optional, type: proxy protocol version

PROXY Protocol version expected on incoming TCP connections.

If set, connections with no matched PROXY Protocol message will be dropped.

The TLS handshake with the client will happen after we receive the PROXY Protocol message.

Note

The ingress_network_filter option on this server always applies to the real socket client address.

default: not set, which means PROXY protocol won’t be used

Added in version 1.7.19.

proxy_protocol_read_timeout

optional, type: humanize duration

Timeout for reading a complete PROXY Protocol message.

default: 5s

Added in version 1.7.19.

Example

listen: 0.0.0.0:443
tls_server:
  cert_pairs:
    - certificate: server.crt
      private_key: server.key
server: tcp-stream-in