tls_stream

This server terminates TLS on the frontend side and then forwards the inner TCP stream to a remote upstream.

The following common keys are supported:

listen

optional, type: tcp listen

Listening configuration for this server.

The instance count setting will be ignored if listen_in_worker is correctly enabled.

default: not set

Added in version 1.7.20: change listen config to be optional

upstream

required, type: upstream str | seq

Remote address or addresses and port. The port is always required.

For seq value, each of its element must be weighted upstream addr.

alias: proxy_pass

Example:

upstream:
  - addr: app-a.internal.example:443
    weight: 2
  - addr: app-b.internal.example:443
    weight: 1

upstream_pick_policy

optional, type: selective pick policy

Policy used to select the upstream address.

The key for ketama/rendezvous/jump hash is <client-ip><server-ip>.

default: random

tls_client

optional, type: bool | openssl tls client config

Controls whether a TLS handshake is performed with the upstream.

When set to true, vey-proxy creates a default OpenSSL client configuration with per-site session caching. When set to a map, the supplied TLS client configuration is used.

default: disabled

upstream_tls_name

optional, type: tls name

Explicit TLS server name used for upstream certificate verification.

If not set, the host of upstream address will be used.

When tls_client is enabled and this key is not set, the host from the first configured upstream entry is used automatically.

default: not set

auth_by_client_ip

optional, type: bool, conflict: auth_by_server_ip

Enables fact-based user authentication using the client IP address as the authentication fact.

If enabled, user_group must also be set.

default: false

Added in version 1.13.0.