slt - multiplex a port for multiple TLS applications with SNI
slt config-file
slt is a TLS reverse-proxy which allows an administrator to run
multiple TLS applications on a single port. slt multiplexes incoming
connections by inspecting the Server Name Indication (SNI) extension
data and forwarding each connection to the appropriate upstream server.
Configure slt with a simple YAML file. Specify a bind_addr to instruct slt
where it should listen for incoming connections. slt may listen for any number
of frontends. Each frontend is identified by the name to match in the SNI
data. Each frontend forwards to any number of backends. You may specify each
backend with a hash of values; the only required attribute is addr. When
more than one backend is enumerated, slt performs simple round-robin load
balancing among them.
An example configuration follows for listening on port 443 of all local interfaces multiplexing traffic for two applications, v1.example.com and v2.example.com. v1.example.com forwards to a single upstream server on port 1234. v2.example.com forwards to two upstream hosts on different addresses:
bind_addr: ":443"
frontends:
  v1.example.com:
    backends:
      - addr: ":1234"
  v2.example.com:
    backends:
      - addr: "192.168.0.2:443"
      - addr: "192.168.0.1:443"
By default, slt does not terminate any TLS traffic. slt only inspects
connections for their SNI data before forwarding them upstream, so the
upstream server still performs the TLS handshake itself. slt may
terminate TLS traffic for any frontend by providing paths to the TLS
public certificate and private key files, like so:
frontends:
  v1.example.com:
    tls_key: /path/to/v1.example.com.key
    tls_crt: /path/to/v1.example.com.crt
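The pass-through mode described above (inspect the SNI, never decrypt) can be built on Go's crypto/tls without a hand-written ClientHello parser. The following is an added example, not slt's own code: the handshake is aborted from GetConfigForClient before any certificate or key is needed, and the bytes consumed are kept so a proxy can replay them to the backend. clientConn is a hypothetical helper that drives the peek with a Go TLS client over an in-memory pipe.

```go
package main

import (
	"bytes"
	"crypto/tls"
	"errors"
	"net"
)

// peekConn records what crypto/tls reads from the client and discards what it
// tries to write, so the ClientHello can be inspected and later replayed.
type peekConn struct {
	net.Conn
	consumed bytes.Buffer
}

func (p *peekConn) Read(b []byte) (int, error) {
	n, err := p.Conn.Read(b)
	p.consumed.Write(b[:n])
	return n, err
}

func (p *peekConn) Write(b []byte) (int, error) { return len(b), nil } // swallow alerts

var errPeeked = errors.New("stop after ClientHello")

// peekSNI lets crypto/tls parse the ClientHello and aborts before any
// certificate is needed; returns the SNI ("" if absent) and the consumed bytes.
func peekSNI(c net.Conn) (sni string, consumed []byte, err error) {
	p := &peekConn{Conn: c}
	cfg := &tls.Config{GetConfigForClient: func(hi *tls.ClientHelloInfo) (*tls.Config, error) {
		sni = hi.ServerName
		return nil, errPeeked
	}}
	if err = tls.Server(p, cfg).Handshake(); !errors.Is(err, errPeeked) {
		return "", nil, err
	}
	return sni, p.consumed.Bytes(), nil
}

// clientConn is a hypothetical test helper: it returns the server side of an
// in-memory pipe on which a Go TLS client sends a ClientHello for serverName.
func clientConn(serverName string) net.Conn {
	c, s := net.Pipe()
	go func() {
		tls.Client(c, &tls.Config{ServerName: serverName, InsecureSkipVerify: true}).Handshake()
		c.Close()
	}()
	return s
}
```

An empty serverName makes the Go client omit the server_name extension, which is the "no SNI data" case the default frontend exists for.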
Designate one frontend to be the default in the case that no
SNI data is present in the connection like so:
frontends:
  v1.example.com:
    default: true
Exit status is 0 on success, non-zero on failure.
Source code and documentation
Server Name Indication
Alan Shreve (@inconshreveable)
ssl(3) stunnel(8)