TLS Configuration and SNI Support
This module provides TLS configuration with Server Name Indication (SNI) support for serving multiple certificates based on the requested hostname.
§Features
- SNI-based certificate selection
- Wildcard certificate matching (e.g., *.example.com)
- Default certificate fallback
- Certificate validation at startup
- mTLS client certificate verification
- Certificate hot-reload on SIGHUP
- OCSP stapling support
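The three selection features above (exact SNI match, wildcard match, default fallback) have an order and a set of edge cases that the bullet list does not spell out. The following is an added example, not code from this module: a minimal lookup table, using only the standard library, that applies exact-hostname, then single-label-wildcard, then default resolution, and refuses patterns that cannot be matched safely. `CertId` and `SniTable` are names assumed for this example; a real resolver would hold the TLS library's certified-key type instead of a label.

```rust
// Added example, not the project's own code: a minimal SNI lookup table that
// implements the selection order described in the module docs, i.e. exact
// hostname, then a single-label wildcard ("*.api.example.com"), then the
// listener's default certificate. CertId stands in for a loaded cert/key pair.
use std::collections::HashMap;

/// Placeholder for a loaded certificate chain + private key (assumption: the
/// real resolver would hold the TLS library's certified-key type instead).
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct CertId(pub &'static str);

#[derive(Debug, Default)]
pub struct SniTable {
    /// Exact hostnames, lowercased, without a trailing dot.
    exact: HashMap<String, CertId>,
    /// Wildcard entries keyed by the suffix after "*.", e.g. "api.example.com".
    wildcard: HashMap<String, CertId>,
    /// Certificate served when SNI is absent or nothing matches.
    default: Option<CertId>,
}

/// SNI is case-insensitive and a trailing dot is not part of the DNS name.
fn normalize(name: &str) -> String {
    name.trim().trim_end_matches('.').to_ascii_lowercase()
}

impl SniTable {
    pub fn new(default: Option<CertId>) -> Self {
        SniTable { default, ..Default::default() }
    }

    /// Register one `hostnames` entry from the config. Only a bare hostname or a
    /// pattern with a single leading "*." label is accepted; anything else is a
    /// configuration error rather than something to guess at.
    pub fn add(&mut self, pattern: &str, cert: CertId) -> Result<(), String> {
        let p = normalize(pattern);
        if p.is_empty() {
            return Err("empty hostname pattern".to_string());
        }
        if let Some(suffix) = p.strip_prefix("*.") {
            // Reject "*.*.example.com", "*." and single-label suffixes like "*.com":
            // a wildcard must cover exactly one label under a multi-label domain.
            if suffix.is_empty() || suffix.contains('*') || !suffix.contains('.') {
                return Err(format!("unsupported wildcard pattern {:?}", pattern));
            }
            self.wildcard.insert(suffix.to_string(), cert);
        } else if p.contains('*') {
            return Err(format!("wildcard is only allowed as the leftmost label: {:?}", pattern));
        } else {
            self.exact.insert(p, cert);
        }
        Ok(())
    }

    /// Pick the certificate for a ClientHello. `None` means the client sent no SNI.
    pub fn resolve(&self, sni: Option<&str>) -> Option<&CertId> {
        let name = match sni {
            Some(n) if !n.trim().is_empty() => normalize(n),
            _ => return self.default.as_ref(),
        };
        if let Some(cert) = self.exact.get(&name) {
            return Some(cert);
        }
        // A wildcard matches exactly one label: "v1.api.example.com" is looked up
        // under "api.example.com", but "a.b.api.example.com" and "api.example.com"
        // itself are not matched by "*.api.example.com".
        if let Some((label, suffix)) = name.split_once('.') {
            if !label.is_empty() {
                if let Some(cert) = self.wildcard.get(suffix) {
                    return Some(cert);
                }
            }
        }
        self.default.as_ref()
    }
}

fn main() {
    // Constructed table mirroring the hostnames used in the configuration example.
    let mut table = SniTable::new(Some(CertId("default")));
    for (pattern, cert) in [
        ("example.com", "example"),
        ("www.example.com", "example"),
        ("*.api.example.com", "api-wildcard"),
    ] {
        table.add(pattern, CertId(cert)).expect("valid pattern");
    }
    for sni in [Some("www.example.com"), Some("v1.api.example.com"), Some("a.b.api.example.com"), None] {
        println!("{:?} -> {:?}", sni, table.resolve(sni));
    }
}
```

The point worth checking in any resolver is the two negative cases: `*.api.example.com` must not serve `api.example.com` itself, and must not serve `a.b.api.example.com`, since a certificate issued for the wildcard does not cover either name and clients would reject it.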
§Example KDL Configuration
listener "https" {
    address "0.0.0.0:443"
    protocol "https"
    tls {
        cert-file "/etc/certs/default.crt"
        key-file "/etc/certs/default.key"

        // SNI certificates
        sni {
            hostnames "example.com" "www.example.com"
            cert-file "/etc/certs/example.crt"
            key-file "/etc/certs/example.key"
        }
        sni {
            hostnames "*.api.example.com"
            cert-file "/etc/certs/api-wildcard.crt"
            key-file "/etc/certs/api-wildcard.key"
        }

        // mTLS configuration
        ca-file "/etc/certs/ca.crt"
        client-auth true

        // OCSP stapling
        ocsp-stapling true
    }
}
Structs§
- CertificateReloader - Certificate reload manager
- HotReloadableSniResolver - Hot-reloadable SNI certificate resolver
- OcspCacheEntry - OCSP response cache entry
- OcspStapler - OCSP stapling manager
- SniResolver - SNI-aware certificate resolver
Enums§
- TlsError - Error type for TLS operations
Functions§
- build_server_config - Build a TLS ServerConfig from our configuration
- build_upstream_tls_config - Build a TLS client configuration for upstream connections with mTLS
- load_client_ca - Load CA certificates for client verification (mTLS)
- validate_tls_config - Validate TLS configuration files exist and are readable
- validate_upstream_tls_config - Validate upstream TLS configuration
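`validate_tls_config` is documented as checking that the configured files exist and are readable. The following is an added example, not this module's implementation, of what a startup check for one `cert-file`/`key-file` pair can look like when it goes a little further than existence: it reads each file and confirms the expected PEM block is present (which also catches swapped paths and DER files), and on unix it refuses a private key that is readable by group or others. `TlsCheckError` and `validate_cert_key_pair` are names assumed for this example; the permission rule (owner-only access, mode `0600`) is a policy choice made here, not something the page states.

```rust
// Added example, not the project's own code: the startup checks a listener's
// cert-file/key-file pair should pass before the server binds the port.
use std::fs;
use std::path::Path;

#[derive(Debug, PartialEq, Eq)]
pub enum TlsCheckError {
    /// The file is missing or cannot be read by the server's user.
    Unreadable { path: String, reason: String },
    /// The file was read but does not contain the expected PEM block.
    NotPem { path: String, expected: &'static str },
    /// The private key is readable by group or others (unix only).
    KeyTooPermissive { path: String, mode: u32 },
}

fn show(path: &Path) -> String {
    path.display().to_string()
}

/// Read a file and confirm it carries the expected PEM marker. Reading the bytes
/// rather than trusting the extension catches DER files and swapped paths.
fn read_pem(path: &Path, marker: &'static str) -> Result<String, TlsCheckError> {
    let bytes = fs::read(path).map_err(|e| TlsCheckError::Unreadable {
        path: show(path),
        reason: e.to_string(),
    })?;
    let text = String::from_utf8_lossy(&bytes).into_owned();
    if !text.contains(marker) {
        return Err(TlsCheckError::NotPem { path: show(path), expected: marker });
    }
    Ok(text)
}

/// Policy assumed for this example: a private key readable by anyone but the
/// owner is refused at startup rather than logged and tolerated.
#[cfg(unix)]
fn check_key_mode(path: &Path) -> Result<(), TlsCheckError> {
    use std::os::unix::fs::PermissionsExt;
    let meta = fs::metadata(path).map_err(|e| TlsCheckError::Unreadable {
        path: show(path),
        reason: e.to_string(),
    })?;
    let mode = meta.permissions().mode() & 0o777;
    if mode & 0o077 != 0 {
        return Err(TlsCheckError::KeyTooPermissive { path: show(path), mode });
    }
    Ok(())
}

#[cfg(not(unix))]
fn check_key_mode(_path: &Path) -> Result<(), TlsCheckError> {
    Ok(())
}

/// Validate one cert-file/key-file pair. Returns the first problem found so the
/// operator sees a precise error instead of a generic handshake failure later.
pub fn validate_cert_key_pair(cert: &Path, key: &Path) -> Result<(), TlsCheckError> {
    read_pem(cert, "-----BEGIN CERTIFICATE-----")?;
    // "PRIVATE KEY-----" covers PKCS#8 ("BEGIN PRIVATE KEY"), PKCS#1 ("BEGIN RSA
    // PRIVATE KEY") and SEC1 ("BEGIN EC PRIVATE KEY") encodings.
    read_pem(key, "PRIVATE KEY-----")?;
    check_key_mode(key)
}

fn main() {
    // Usage: <binary> <cert-file> <key-file>
    let args: Vec<String> = std::env::args().collect();
    if args.len() != 3 {
        eprintln!("usage: {} <cert-file> <key-file>", args[0]);
        std::process::exit(2);
    }
    match validate_cert_key_pair(Path::new(&args[1]), Path::new(&args[2])) {
        Ok(()) => println!("ok"),
        Err(e) => {
            eprintln!("tls config error: {:?}", e);
            std::process::exit(1);
        }
    }
}
```

Running this against each `cert-file`/`key-file` pair in the listener (the default pair and every `sni` block) before binding turns a mis-deployed certificate into a clear startup error rather than a handshake failure seen only by clients.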