tlsrp

TLS reverse proxy
git clone git://git.rr3.xyz/tlsrp

tlsrp.1 (2288B)


      1 .TH "TLSRP" "1" "2024-07-15" "tlsrp" "User Commands"
      2 .SH NAME
      3 tlsrp \- TLS reverse proxy
      4 .SH SYNOPSIS
      5 \fBtlsrp\fR \fIconfig_path\fR \fIsource\fR...
      6 .P
      7 Each nonempty line in \fIconfig_path\fR has one of the following formats:
      8 .EX
      9 	\fBcert\fR \fIcrt_path\fR \fIkey_path\fR \fIhostname\fR...
     10 	\fBsink\fR \fBtcp\fR [\fIhost\fR]\fB:\fIport\fR \fIhostname\fR...
     11 	\fBsink\fR \fBunix\fR \fIpath\fR \fIhostname\fR...
     12 .EE
     13 .P
     14 \fIsource\fR
     15 = \fBtcp:\fR[\fIhost\fR]\fB:\fR[\fIport\fR]
     16 | \fBunix:\fIpath\fR
     17 .SH DESCRIPTION
     18 \fBtlsrp\fR accepts TLS-secured connections on one or more source sockets and
     19 tunnels the decrypted bytes to one of many sink sockets. \fBtlsrp\fR chooses
     20 the certificate and sink socket for each client (among those listed in the
     21 configuration file) based on the hostname specified by the client using the
     22 Server Name Indication (SNI) TLS extension. More specifically, the first
     23 \fBcert\fR (resp., \fBsink\fR) entry in the configuration file that matches
     24 the client's requested hostname is chosen. Clients without SNI support are
     25 handled using the first \fBcert\fR entry and the first \fBsink\fR entry in
     26 the configuration file.
     27 .P
     28 For TCP sinks, \fIhost\fR defaults to the local system. For TCP sources,
     29 \fIhost\fR defaults to all available unicast and anycast IP addresses of the
     30 local system, and \fIport\fR defaults to being automatically chosen (and
     31 logged to stderr).
     32 .P
     33 The entire configuration file (in particular, all certificates within) is
     34 reloaded upon receipt of \fBSIGHUP\fR.
     35 .SH NOTES
     36 While certificates and sinks may be updated dynamically with zero down time by
     37 sending \fBSIGHUP\fR, the same is not possible for sources. Indeed, it's
     38 difficult, if not sometimes impossible, to change source sockets without down
     39 time. Changing sources with zero down time is best handled in other ways.
     40 .SH EXAMPLE
     41 Assume the following situation:
     42 .EX
     43 
     44 	$ \fBls /srv\fR
     45 	config.tlsrp  crt.pem  http.sock  key.pem
     46 
     47 	$ \fBcat config.tlsrp\fR
     48 	cert /srv/crt.pem /srv/key.pem example.com
     49 	sink unix /srv/http.sock example.com
     50 
     51 .EE
     52 Then to proxy all local connections at \fIexample.com\fR from TCP port 443 to
     53 the HTTP (not HTTPS!) server listening on \fIhttp.sock\fR, run
     54 .EX
     55 
     56 	# \fBtlsrp config.tlsrp tcp::443\fR
     57 .EE
     58 .SH "SEE ALSO"
     59 RFC 3546 <https://www.rfc-editor.org/rfc/rfc3546>