tlstunnel/tlstunnel.1.scd

tlstunnel(1)

# NAME

tlstunnel - TLS reverse proxy

# SYNOPSIS

*tlstunnel* [options...]

# DESCRIPTION

tlstunnel is a TLS reverse proxy with support for automatic TLS certificate
retrieval via the ACME protocol.

# OPTIONS

*-h*, *-help*
	Show help message and quit.

*-config* <path>
	Path to the configuration file.

# CONFIG FILE

The config file has one directive per line. Directives have a name, followed
by parameters separated by space characters. Directives may have children in
blocks delimited by "{" and "}". Lines beginning with "#" are comments.

tlstunnel will reload the config file when it receives the HUP signal.

Example:

```
frontend example.org:443 {
    backend localhost:8080
}
```

The following directives are supported:

*frontend* <address>... { ... }
	Addresses to listen on for incoming TLS connections.

	Each address is in the form _<name>:<port>_. The name may be omitted to
	match all hosts. The name can contain a wildcard, but only to represent the
	first label of the hostname (e.g. _\*.example.org_ works, matches
	_foo.example.org_ but doesn't match _foo.bar.example.org_).

	The frontend directive supports the following sub-directives:

	*listen* <address>...
		Additional addresses to listen on.

	*backend* <uri> { ... }
		Backend to forward incoming connections to.

		The following URIs are supported:

		- _[tcp://]<host>:<port>_ connects to a TCP server
		- _tls://<host>:<port>_ connects to a TLS over TCP server
		- _unix://<path>_ connects to a Unix socket

		The _+proxy_ suffix can be added to the URI scheme to forward
		connection metadata via the PROXY protocol.

		The backend directive supports the following sub-directives:

		*tls_certfp* sha-256 <fingerprint>
			Instead of using CAs to check the TLS certificate provided by the
			backend, check that the certificate matches the provided
			fingerprint. This can be used to connect to servers with a
			self-signed certificate, for instance.

			The fingerprint of a certificate can be obtained via *openssl*(1):

			```
			openssl x509 -fingerprint -sha256 -noout <certificate>
			```

		*proxy_version* <version>
			PROXY protocol version to use, if _+proxy_ is specified.
			The supported versions are 1 and 2.
			If not specified, the PROXY version used defaults to version 2.

	*tls* { ... }
		Customise frontend-specific TLS configuration.

		The tls directive supports the following sub-directives:

		*load* <cert> <key>
			Load certificates and private keys from PEM files.

			This disables automatic TLS.

	*protocol* <name>...
		List of supported application-layer protocols.

		The first protocol which is also supported by the client is negociated.
		The backend can inspect the negotiated protocol via the PROXY protocol.

		The protocols will be advertised via the TLS ALPN extension. See the
		IANA registry for a list of protocol names:
		https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids

		For instance, for an HTTP server supporting HTTP/1 and HTTP/2:

		```
		protocol h2 http/1.1 http/1.0
		```

*tls* { ... }
	Customise global TLS configuration.

	The tls directive supports the following sub-directives:

	*acme_ca* <url>
		ACME Certificate Authority endpoint.

	*email* <address>
		The email address to use when creating or selecting an existing ACME
		server account

	*on_demand* { ... }
		Enable on-demand TLS.

		When enabled, a TLS handshake may trigger maintenance for the relevant
		certificate. If no existing certificate is available, a new certificate
		is obtained and the connection is blocked until it's available. If an
		existing certificate is available, the certificate is renewed in the
		background if necessary.

		Warning: to prevent abuse, you should specify a _validate_command_
		sub-directive.

		The on_demand directive supports the following optional sub-directives:

		*validate_command* command [arguments...]
			Command to run before an on-demand certificate is obtained. If the
			command returns a non-zero exit status, the request is denied.

			The environment will contain a *TLSTUNNEL_NAME* variable with the
			domain name to be validated.

	*acme_dns_command* command [arguments...]
		Configure the ACME DNS challenge using the specified command.

		The command must implement _deploy_challenge_ and _clean_challenge_
		as specified by dehydrated's hooks:
		https://github.com/dehydrated-io/dehydrated

# FILES

_/etc/tlstunnel/config_
	Default configuration file location.

_/var/lib/tlstunnel_
	State files such as certificates are stored in this directory.

# AUTHORS

Maintained by Simon Ser <contact@emersion.fr>, who is assisted by other
open-source contributors. For more information about tlstunnel development, see
<https://git.sr.ht/~emersion/tlstunnel>.
Add man page 2020-09-09 15:13:39 +02:00			`tlstunnel(1)`

			`# NAME`

			`tlstunnel - TLS reverse proxy`

			`# SYNOPSIS`

			`tlstunnel [options...]`

			`# DESCRIPTION`

			`tlstunnel is a TLS reverse proxy with support for automatic TLS certificate`
			`retrieval via the ACME protocol.`

			`# OPTIONS`

			`-h, -help`
			`Show help message and quit.`

			`-config <path>`
			`Path to the configuration file.`

			`# CONFIG FILE`

			`The config file has one directive per line. Directives have a name, followed`
			`by parameters separated by space characters. Directives may have children in`
			`blocks delimited by "{" and "}". Lines beginning with "#" are comments.`

Add config reloading Instead of updating the configuration, we configure a new Server instance and then migrate Listeners that still exist to it. Open client connections are left completely untouched. Closes https://todo.sr.ht/~emersion/tlstunnel/1 2020-12-22 12:06:14 +01:00			`tlstunnel will reload the config file when it receives the HUP signal.`

Add man page 2020-09-09 15:13:39 +02:00			`Example:`

			```
			`frontend example.org:443 {`
			`backend localhost:8080`
			`}`
			```

			`The following directives are supported:`

			`frontend <address>... { ... }`
			`Addresses to listen on for incoming TLS connections.`

man: expand on wildcards and ALPN 2021-08-03 12:17:26 +02:00			`Each address is in the form _<name>:<port>_. The name may be omitted to`
			`match all hosts. The name can contain a wildcard, but only to represent the`
man: fix scdoc syntax error 2021-08-16 15:50:07 +02:00			`first label of the hostname (e.g. _\*.example.org_ works, matches`
man: expand on wildcards and ALPN 2021-08-03 12:17:26 +02:00			`_foo.example.org_ but doesn't match _foo.bar.example.org_).`
Add man page 2020-09-09 15:13:39 +02:00
			`The frontend directive supports the following sub-directives:`

Add listen directive This provides a multi-line way to list addresses. 2022-06-25 11:43:16 +02:00			`listen <address>...`
			`Additional addresses to listen on.`

Add support for backend PROXY protocol v1 This is enabled with backend /* ... */ { proxy_version 1 } 2023-02-09 15:19:29 +01:00			`backend <uri> { ... }`
Add man page 2020-09-09 15:13:39 +02:00			`Backend to forward incoming connections to.`

			`The following URIs are supported:`

			`- _[tcp://]<host>:<port>_ connects to a TCP server`
Add support for TLS backends Closes: https://todo.sr.ht/~emersion/tlstunnel/6 2020-10-31 10:34:02 +01:00			`- _tls://<host>:<port>_ connects to a TLS over TCP server`
Add man page 2020-09-09 15:13:39 +02:00			`- _unix://<path>_ connects to a Unix socket`

			`The _+proxy_ suffix can be added to the URI scheme to forward`
			`connection metadata via the PROXY protocol.`

Add support for certificate fingerprint pinning 2023-01-27 10:55:53 +01:00			`The backend directive supports the following sub-directives:`

			`tls_certfp sha-256 <fingerprint>`
			`Instead of using CAs to check the TLS certificate provided by the`
			`backend, check that the certificate matches the provided`
			`fingerprint. This can be used to connect to servers with a`
			`self-signed certificate, for instance.`

			`The fingerprint of a certificate can be obtained via openssl(1):`

			```
			`openssl x509 -fingerprint -sha256 -noout <certificate>`
			```

Add support for backend PROXY protocol v1 This is enabled with backend /* ... */ { proxy_version 1 } 2023-02-09 15:19:29 +01:00			`proxy_version <version>`
			`PROXY protocol version to use, if _+proxy_ is specified.`
			`The supported versions are 1 and 2.`
			`If not specified, the PROXY version used defaults to version 2.`

Add "tls load" frontend directive 2020-10-19 17:27:29 +02:00			`tls { ... }`
			`Customise frontend-specific TLS configuration.`

			`The tls directive supports the following sub-directives:`

			`load <cert> <key>`
			`Load certificates and private keys from PEM files.`

			`This disables automatic TLS.`
Add man page 2020-09-09 15:13:39 +02:00
Add support for ALPN Closes: https://todo.sr.ht/~emersion/tlstunnel/11 2020-10-19 10:53:36 +02:00			`protocol <name>...`
			`List of supported application-layer protocols.`

			`The first protocol which is also supported by the client is negociated.`
man: expand on wildcards and ALPN 2021-08-03 12:17:26 +02:00			`The backend can inspect the negotiated protocol via the PROXY protocol.`
Add support for ALPN Closes: https://todo.sr.ht/~emersion/tlstunnel/11 2020-10-19 10:53:36 +02:00
			`The protocols will be advertised via the TLS ALPN extension. See the`
			`IANA registry for a list of protocol names:`
			`https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml#alpn-protocol-ids`

			`For instance, for an HTTP server supporting HTTP/1 and HTTP/2:`

			```
			`protocol h2 http/1.1 http/1.0`
			```

Add man page 2020-09-09 15:13:39 +02:00			`tls { ... }`
Add "tls load" frontend directive 2020-10-19 17:27:29 +02:00			`Customise global TLS configuration.`
Add man page 2020-09-09 15:13:39 +02:00
			`The tls directive supports the following sub-directives:`

man: fix acme_ca directive name Fixes: e2f4dddfefbc ("Change `tls ca` to `tls acme_ca`") 2020-09-15 09:44:57 +02:00			`acme_ca <url>`
Add man page 2020-09-09 15:13:39 +02:00			`ACME Certificate Authority endpoint.`

Add the "tls.email" directive To receive expiration warnings from Let's Encrypt. 2020-10-02 15:51:43 +02:00			`email <address>`
			`The email address to use when creating or selecting an existing ACME`
			`server account`

Add `tls on_demand validate_command` 2021-02-17 19:44:57 +01:00			`on_demand { ... }`
Add `tls on_demand` 2021-02-17 18:34:13 +01:00			`Enable on-demand TLS.`

Expand on_demand docs 2021-02-17 18:43:36 +01:00			`When enabled, a TLS handshake may trigger maintenance for the relevant`
			`certificate. If no existing certificate is available, a new certificate`
			`is obtained and the connection is blocked until it's available. If an`
			`existing certificate is available, the certificate is renewed in the`
			`background if necessary.`

Add `tls on_demand validate_command` 2021-02-17 19:44:57 +01:00			`Warning: to prevent abuse, you should specify a _validate_command_`
			`sub-directive.`

			`The on_demand directive supports the following optional sub-directives:`

			`validate_command command [arguments...]`
			`Command to run before an on-demand certificate is obtained. If the`
			`command returns a non-zero exit status, the request is denied.`

			`The environment will contain a TLSTUNNEL_NAME variable with the`
			`domain name to be validated.`

Add support for ACME DNS hooks Closes: https://todo.sr.ht/~emersion/tlstunnel/2 2023-01-12 16:55:05 +01:00			`acme_dns_command command [arguments...]`
			`Configure the ACME DNS challenge using the specified command.`

			`The command must implement _deploy_challenge_ and _clean_challenge_`
			`as specified by dehydrated's hooks:`
			`https://github.com/dehydrated-io/dehydrated`

man: add a "files" section 2020-09-15 09:42:12 +02:00			`# FILES`

			`_/etc/tlstunnel/config_`
			`Default configuration file location.`

			`_/var/lib/tlstunnel_`
			`State files such as certificates are stored in this directory.`

Add man page 2020-09-09 15:13:39 +02:00			`# AUTHORS`

			`Maintained by Simon Ser <contact@emersion.fr>, who is assisted by other`
			`open-source contributors. For more information about tlstunnel development, see`
man: add some hand-holding for terminal URL recognition 2021-03-06 09:42:14 +01:00			`<https://git.sr.ht/~emersion/tlstunnel>.`