pub struct TlsConfig {
pub enabled: bool,
pub intercepted_ports: Vec<u16>,
pub bypass: Vec<String>,
pub verify_upstream: bool,
pub block_quic_on_intercept: bool,
pub upstream_ca_cert: Vec<PathBuf>,
pub scoped_upstream_ca_cert: Vec<ScopedUpstreamCaCert>,
pub scoped_verify_upstream: Vec<ScopedVerifyUpstream>,
pub intercept_ca: InterceptCaConfig,
pub cache: CertCacheConfig,
}Expand description
TLS interception configuration. Carried in NetworkSpec::tls.
The local network engine terminates TCP at its in-process stack, so TLS MITM is handled by proxy tasks — these fields configure which ports/domains are intercepted and how the interception CA is sourced.
Fields§
§enabled: boolWhether TLS interception is enabled.
intercepted_ports: Vec<u16>TCP ports subject to TLS interception (default: [443]).
bypass: Vec<String>Domains to bypass (no MITM). Supports exact match and *.suffix wildcards.
verify_upstream: boolWhether to verify the upstream server’s TLS certificate.
block_quic_on_intercept: boolDrop UDP to intercepted ports when TLS interception is active, forcing QUIC traffic to fall back to TCP/TLS.
upstream_ca_cert: Vec<PathBuf>CA certificate PEM files to trust for upstream server verification.
scoped_upstream_ca_cert: Vec<ScopedUpstreamCaCert>Host-scoped CA certificate PEM files to trust for upstream server verification.
scoped_verify_upstream: Vec<ScopedVerifyUpstream>Host-scoped upstream verification overrides.
intercept_ca: InterceptCaConfigInterception CA configuration. The TLS proxy uses this CA to sign per-domain certs it presents to the guest during interception.
cache: CertCacheConfigPer-domain certificate cache configuration.