tls_stream
This server terminates TLS on the frontend side and then forwards the inner TCP stream to a remote upstream.
The following common keys are supported:
-
The user group must use fact-based authentication. It is used only when
auth_by_client_ipis enabled.Added in version 1.13.0.
-
This is required.
listen
optional, type: tcp listen
Listening configuration for this server.
The instance count setting will be ignored if listen_in_worker is correctly enabled.
default: not set
Added in version 1.7.20: change listen config to be optional
upstream
required, type: upstream str | seq
Remote address or addresses and port. The port is always required.
For seq value, each of its element must be weighted upstream addr.
alias: proxy_pass
Example:
upstream:
- addr: app-a.internal.example:443
weight: 2
- addr: app-b.internal.example:443
weight: 1
upstream_pick_policy
optional, type: selective pick policy
Policy used to select the upstream address.
The key for ketama/rendezvous/jump hash is <client-ip><server-ip>.
default: random
tls_client
optional, type: bool | openssl tls client config
Controls whether a TLS handshake is performed with the upstream.
When set to true, vey-proxy creates a default OpenSSL client
configuration with per-site session caching. When set to a map, the supplied
TLS client configuration is used.
default: disabled
upstream_tls_name
optional, type: tls name
Explicit TLS server name used for upstream certificate verification.
If not set, the host of upstream address will be used.
When tls_client is enabled and this key is not set, the host from the first
configured upstream entry is used automatically.
default: not set
auth_by_client_ip
optional, type: bool, conflict: auth_by_server_ip
Enables fact-based user authentication using the client IP address as the authentication fact.
If enabled, user_group must also be set.
default: false
Added in version 1.13.0.