2020-09-09 15:13:39 +02:00
|
|
|
tlstunnel(1)
|
|
|
|
|
|
|
|
# NAME
|
|
|
|
|
|
|
|
tlstunnel - TLS reverse proxy
|
|
|
|
|
|
|
|
# SYNOPSIS
|
|
|
|
|
|
|
|
*tlstunnel* [options...]
|
|
|
|
|
|
|
|
# DESCRIPTION
|
|
|
|
|
|
|
|
tlstunnel is a TLS reverse proxy with support for automatic TLS certificate
|
|
|
|
retrieval via the ACME protocol.
|
|
|
|
|
|
|
|
# OPTIONS
|
|
|
|
|
|
|
|
*-h*, *-help*
|
|
|
|
Show help message and quit.
|
|
|
|
|
|
|
|
*-config* <path>
|
|
|
|
Path to the configuration file.
|
|
|
|
|
|
|
|
# CONFIG FILE
|
|
|
|
|
|
|
|
The config file has one directive per line. Directives have a name, followed
|
|
|
|
by parameters separated by space characters. Directives may have children in
|
|
|
|
blocks delimited by "{" and "}". Lines beginning with "#" are comments.
|
|
|
|
|
2020-12-22 12:06:14 +01:00
|
|
|
tlstunnel will reload the config file when it receives the HUP signal.
|
|
|
|
|
2020-09-09 15:13:39 +02:00
|
|
|
Example:
|
|
|
|
|
|
|
|
```
|
|
|
|
frontend example.org:443 {
|
|
|
|
backend localhost:8080
|
|
|
|
}
|
|
|
|
```
|
|
|
|
|
|
|
|
The following directives are supported:
|
|
|
|
|
|
|
|
*frontend* <address>... { ... }
|
|
|
|
Addresses to listen on for incoming TLS connections.
|
|
|
|
|
2021-08-03 12:17:26 +02:00
|
|
|
Each address is in the form _<name>:<port>_. The name may be omitted to
|
|
|
|
match all hosts. The name can contain a wildcard, but only to represent the
|
2021-08-16 15:50:07 +02:00
|
|
|
first label of the hostname (e.g. _\*.example.org_ works, matches
|
2021-08-03 12:17:26 +02:00
|
|
|
_foo.example.org_ but doesn't match _foo.bar.example.org_).
|
2020-09-09 15:13:39 +02:00
|
|
|
|
|
|
|
The frontend directive supports the following sub-directives:
|
|
|
|
|
2022-06-25 11:43:16 +02:00
|
|
|
*listen* <address>...
|
|
|
|
Additional addresses to listen on.
|
|
|
|
|
2023-02-09 15:19:29 +01:00
|
|
|
*backend* <uri> { ... }
|
2020-09-09 15:13:39 +02:00
|
|
|
Backend to forward incoming connections to.
|
|
|
|
|
|
|
|
The following URIs are supported:
|
|
|
|
|
|
|
|
- _[tcp://]<host>:<port>_ connects to a TCP server
|
2020-10-31 10:34:02 +01:00
|
|
|
- _tls://<host>:<port>_ connects to a TLS over TCP server
|
2020-09-09 15:13:39 +02:00
|
|
|
- _unix://<path>_ connects to a Unix socket
|
|
|
|
|
|
|
|
The _+proxy_ suffix can be added to the URI scheme to forward
|
|
|
|
connection metadata via the PROXY protocol.
|
|
|
|
|
2023-01-27 10:55:53 +01:00
|
|
|
The backend directive supports the following sub-directives:
|
|
|
|
|
|
|
|
*tls_certfp* sha-256 <fingerprint>
|
|
|
|
Instead of using CAs to check the TLS certificate provided by the
|
|
|
|
backend, check that the certificate matches the provided
|
|
|
|
fingerprint. This can be used to connect to servers with a
|
|
|
|
self-signed certificate, for instance.
|
|
|
|
|
|
|
|
The fingerprint of a certificate can be obtained via *openssl*(1):
|
|
|
|
|
|
|
|
```
|
|
|
|
openssl x509 -fingerprint -sha256 -noout <certificate>
|
|
|
|
```
|
|
|
|
|
2023-02-09 15:19:29 +01:00
|
|
|
*proxy_version* <version>
|
|
|
|
PROXY protocol version to use, if _+proxy_ is specified.
|
|
|
|
The supported versions are 1 and 2.
|
|
|
|
If not specified, the PROXY version used defaults to version 2.
|
|
|
|
|
2020-10-19 17:27:29 +02:00
|
|
|
*tls* { ... }
|
|
|
|
Customise frontend-specific TLS configuration.
|
|
|
|
|
|
|
|
The tls directive supports the following sub-directives:
|
|
|
|
|
|
|
|
*load* <cert> <key>
|
|
|
|
Load certificates and private keys from PEM files.
|
|
|
|
|
|
|
|
This disables automatic TLS.
|
2020-09-09 15:13:39 +02:00
|
|
|
|
2020-10-19 10:53:36 +02:00
|
|
|
*protocol* <name>...
|
|
|
|
List of supported application-layer protocols.
|
|
|
|
|
|
|
|
The first protocol which is also supported by the client is negociated.
|
2021-08-03 12:17:26 +02:00
|
|
|
The backend can inspect the negotiated protocol via the PROXY protocol.
|
2020-10-19 10:53:36 +02:00
|
|
|
|
|
|
|
The protocols will be advertised via the TLS ALPN extension. See the
|
|
|
|
IANA registry for a list of protocol names:
|
|
|
|
https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids
|
|
|
|
|
|
|
|
For instance, for an HTTP server supporting HTTP/1 and HTTP/2:
|
|
|
|
|
|
|
|
```
|
|
|
|
protocol h2 http/1.1 http/1.0
|
|
|
|
```
|
|
|
|
|
2020-09-09 15:13:39 +02:00
|
|
|
*tls* { ... }
|
2020-10-19 17:27:29 +02:00
|
|
|
Customise global TLS configuration.
|
2020-09-09 15:13:39 +02:00
|
|
|
|
|
|
|
The tls directive supports the following sub-directives:
|
|
|
|
|
2020-09-15 09:44:57 +02:00
|
|
|
*acme_ca* <url>
|
2020-09-09 15:13:39 +02:00
|
|
|
ACME Certificate Authority endpoint.
|
|
|
|
|
2020-10-02 15:51:43 +02:00
|
|
|
*email* <address>
|
|
|
|
The email address to use when creating or selecting an existing ACME
|
|
|
|
server account
|
|
|
|
|
2021-02-17 19:44:57 +01:00
|
|
|
*on_demand* { ... }
|
2021-02-17 18:34:13 +01:00
|
|
|
Enable on-demand TLS.
|
|
|
|
|
2021-02-17 18:43:36 +01:00
|
|
|
When enabled, a TLS handshake may trigger maintenance for the relevant
|
|
|
|
certificate. If no existing certificate is available, a new certificate
|
|
|
|
is obtained and the connection is blocked until it's available. If an
|
|
|
|
existing certificate is available, the certificate is renewed in the
|
|
|
|
background if necessary.
|
|
|
|
|
2021-02-17 19:44:57 +01:00
|
|
|
Warning: to prevent abuse, you should specify a _validate_command_
|
|
|
|
sub-directive.
|
|
|
|
|
|
|
|
The on_demand directive supports the following optional sub-directives:
|
|
|
|
|
|
|
|
*validate_command* command [arguments...]
|
|
|
|
Command to run before an on-demand certificate is obtained. If the
|
|
|
|
command returns a non-zero exit status, the request is denied.
|
|
|
|
|
|
|
|
The environment will contain a *TLSTUNNEL_NAME* variable with the
|
|
|
|
domain name to be validated.
|
|
|
|
|
2023-01-12 16:55:05 +01:00
|
|
|
*acme_dns_command* command [arguments...]
|
|
|
|
Configure the ACME DNS challenge using the specified command.
|
|
|
|
|
|
|
|
The command must implement _deploy_challenge_ and _clean_challenge_
|
|
|
|
as specified by dehydrated's hooks:
|
|
|
|
https://github.com/dehydrated-io/dehydrated
|
|
|
|
|
2023-11-20 15:46:32 +01:00
|
|
|
*acme_dns_update* <address>
|
|
|
|
Configure the ACME DNS challenge using the specified DNS UPDATE server.
|
|
|
|
|
|
|
|
The DNS server must implement DNS UPDATE as specified by RFC 2136.
|
|
|
|
|
2020-09-15 09:42:12 +02:00
|
|
|
# FILES
|
|
|
|
|
|
|
|
_/etc/tlstunnel/config_
|
|
|
|
Default configuration file location.
|
|
|
|
|
|
|
|
_/var/lib/tlstunnel_
|
|
|
|
State files such as certificates are stored in this directory.
|
|
|
|
|
2020-09-09 15:13:39 +02:00
|
|
|
# AUTHORS
|
|
|
|
|
|
|
|
Maintained by Simon Ser <contact@emersion.fr>, who is assisted by other
|
|
|
|
open-source contributors. For more information about tlstunnel development, see
|
2021-03-06 09:42:14 +01:00
|
|
|
<https://git.sr.ht/~emersion/tlstunnel>.
|