Server Encryption, TLS & SSL
Vaults hold the private keys and certificates that protocol bindings such as tls use to establish encrypted sessions. Adding the routing logic and the keys takes only a few lines of configuration.

The filesystem vault below shows how a PKCS12 keystore on the host is made available to the Zilla runtime. The keystore password is read from the KEYSTORE_PASSWORD environment variable at startup rather than written into the configuration file. The tls binding can then use this keystore to terminate TLS and decrypt incoming traffic.
```yaml
vaults:
  my_servers:
    type: filesystem
    options:
      keys:
        store: my_servers.p12
        type: pkcs12
        password: ${{env.KEYSTORE_PASSWORD}}
```
The tcp binding can listen for encrypted and unencrypted traffic on separate ports. In the example below it listens on both 80 and 443: plaintext traffic on port 80 is routed straight to the http binding, while traffic on port 443 is routed to the tls binding first. The tls binding's keys entries are the certificate aliases to load from the vault's keystore, and the sni entries are the server names it accepts from the client's Server Name Indication; these will usually be the same names. Because this example carries HTTP, the Application-Layer Protocol Negotiation (ALPN) list needs both HTTP/1.1 (http/1.1) and HTTP/2 (h2), but the tls binding can be configured for any ALPN protocol supported by Zilla.
```yaml
bindings:
  tcp_server:
    type: tcp
    kind: server
    options:
      host: 0.0.0.0
      port:
        - 80
        - 443
    routes:
      - when:
          - port: 80
        exit: http_server
      - when:
          - port: 443
        exit: tls_server
  tls_server:
    type: tls
    kind: server
    vault: my_servers
    options:
      keys:
        - my_server.com
      sni:
        - my_server.com
      alpn:
        - http/1.1
        - h2
    exit: http_server
```
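The vault and the tls binding only fit together if the alias stored in my_servers.p12 is the name listed under keys, and the name under sni is what clients actually send. The shell script below is an added example, not code from the Zilla documentation or the Zilla project: it builds a throwaway self-signed keystore with the alias my_server.com, lists the aliases a PKCS12 file contains so they can be compared with the keys list, checks that KEYSTORE_PASSWORD is exported before Zilla starts, and, once Zilla is running, connects with the SNI name to see which ALPN protocol the server selects. It assumes openssl is on PATH; the host, port, alias and password values are illustrative.

```shell
#!/bin/sh
# Added example, not part of the Zilla documentation or the Zilla project.
# Builds the my_servers.p12 keystore the filesystem vault above expects and
# checks that the PKCS12 friendlyName (the alias the tls binding's `keys:`
# entry refers to) matches the name listed under `sni:`.
# Assumptions: openssl is on PATH; a throwaway self-signed certificate is
# acceptable for testing; my_server.com, port 443 and the password are
# illustrative values, not anything the page prescribes.
set -eu

# Create a self-signed key pair for "$alias" and wrap it in a PKCS12 store.
# -name sets the friendlyName that Zilla resolves from `keys: [my_server.com]`.
make_keystore() {
  store="$1"; alias="$2"; password="$3"
  tmp="$(mktemp -d)"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$alias" -addext "subjectAltName=DNS:$alias" \
    -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null
  openssl pkcs12 -export -name "$alias" \
    -inkey "$tmp/key.pem" -in "$tmp/cert.pem" \
    -out "$store" -passout "pass:$password"
  rm -rf "$tmp"
}

# Print the distinct aliases (friendlyName bag attributes) in a PKCS12 store,
# so they can be compared with the tls binding's `keys:` list.
list_aliases() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -info 2>/dev/null \
    | sed -n 's/^ *friendlyName: //p' | sort -u
}

# Fail early if the password the vault reads via ${{env.KEYSTORE_PASSWORD}}
# is not exported; Zilla would otherwise see an empty password at startup.
require_keystore_password() {
  [ -n "${KEYSTORE_PASSWORD:-}" ] || { echo "KEYSTORE_PASSWORD is not set" >&2; return 1; }
}

# Against a running Zilla: connect with the SNI name and offer both ALPN
# protocols from the binding; prints the one the server selected (expect h2).
check_alpn() {
  host="$1"; port="$2"; name="$3"
  printf '' | openssl s_client -connect "$host:$port" -servername "$name" \
    -alpn h2,http/1.1 2>/dev/null | sed -n 's/^ALPN protocol: //p'
}

# Usage (left as comments so the functions can be sourced):
#   export KEYSTORE_PASSWORD=changeit && require_keystore_password
#   make_keystore my_servers.p12 my_server.com "$KEYSTORE_PASSWORD"
#   list_aliases  my_servers.p12 "$KEYSTORE_PASSWORD"   # my_server.com
#   check_alpn    localhost 443 my_server.com            # h2
```

If list_aliases prints a name that is not in the binding's keys list, Zilla has nothing to serve for that SNI name; if check_alpn prints http/1.1 instead of h2, the client offered both and the server preferred HTTP/1.1, which is worth knowing before debugging the http binding.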

