tls Binding
Defines a binding with tls protocol support, with server, client or proxy behavior.
server
The server kind tls binding terminates TLS on the inbound network stream: it decodes the encrypted bytes and produces a cleartext application stream for each TLS connection.
The certificates and private keys needed to complete the handshake come from the vault referenced by the binding's vault property, so no key material appears in the binding itself.
Conditional routes, matched on the tls hostname authority (the server name) or the negotiated ALPN protocol, send each cleartext stream to an exit binding; streams that match no route go to the binding's default exit.
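The vault that the server binding refers to is defined elsewhere in the configuration. The following is an added example, not taken from the Zilla documentation or the Zilla project, of a complete zilla.yaml that pairs a tls server binding with that vault and shows both route conditions (negotiated ALPN and hostname authority) side by side. The filesystem vault layout, the `${{env.…}}` expression for the keystore password, the tcp bindings, the hostnames, ports and keystore file names are all assumptions for illustration.

```yaml
# Added example (not from the Zilla docs): tls server + the vault it references.
# Assumed: filesystem vault layout, env-var expression syntax, tcp/echo bindings,
# hostnames, ports and the keystore file name.
name: tls-server-example
vaults:
  server:
    type: filesystem
    options:
      keys:
        store: localhost.p12                  # assumed PKCS#12 store holding the keys below
        type: pkcs12
        password: ${{env.KEYSTORE_PASSWORD}}  # assumed env lookup; never a literal secret
bindings:
  tcp_server:
    type: tcp
    kind: server
    options:
      host: 0.0.0.0
      port: 9443
    exit: tls_server            # raw network bytes go to the tls server binding
  tls_server:
    type: tls
    kind: server
    vault: server               # handshake key material comes from this vault
    exit: default_server        # default exit when no route below matches
    options:
      keys:
        - localhost             # key aliases in the vault, one per served name
        - api.localhost
      sni:
        - localhost             # server names this binding serves
        - api.localhost
      alpn:
        - echo                  # protocols offered to the client during the handshake
        - http/1.1
    routes:
      - when:
          - alpn: echo          # negotiated ALPN protocol
        exit: echo_server
      - when:
          - authority: api.localhost   # tls hostname authority (server name)
        exit: api_backend
  echo_server:
    type: echo
    kind: server                # echoes cleartext back, handy for a handshake check
  api_backend:
    type: tcp
    kind: client                # assumed: cleartext forwarded to an internal service
    options:
      host: localhost
      port: 8081
  default_server:
    type: tcp
    kind: client                # assumed: fallback for streams no route matched
    options:
      host: localhost
      port: 8080
```

To check that the handshake completes and that ALPN is actually negotiated, connect with `openssl s_client -connect localhost:9443 -servername localhost -alpn echo`; the output should contain `ALPN protocol: echo`, and typed input should be echoed back. Repeating the check with `-servername api.localhost` and no `-alpn` exercises the authority route instead.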
```yaml
tls_server:
  type: tls
  kind: server
  vault: server
  exit: default_server
  options:
    keys:
      - localhost
    sni:
      - localhost
    alpn:
      - echo
  routes:
    - when:
        - alpn: echo
      exit: echo_server
```
client
The client kind tls binding takes inbound cleartext application streams and encodes each as an encrypted network stream using the TLS protocol, acting as the TLS client toward its exit.
The certificates and keys needed to complete the handshake (the trusted certificates used to verify the server, and any client key the server asks for) come from the vault referenced in the binding configuration.
Conditional routes based on the tls hostname authority or the negotiated ALPN protocol send these streams to an exit binding.
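An added example, not from the Zilla documentation or the Zilla project, of a tls client binding that wraps cleartext streams arriving on a tcp server in TLS toward an upstream, with the trust material supplied by a vault and a route chosen by hostname authority. The filesystem vault layout, the `trust` option holding vault aliases, the `sni` option naming the server name sent in the ClientHello, the tcp bindings, hostnames and ports are assumptions for illustration; check them against the tls and vault reference pages before use.

```yaml
# Added example (not from the Zilla docs): tls client with pinned trust.
# Assumed: filesystem vault layout, trust/sni option semantics, tcp bindings,
# hostnames and ports.
name: tls-client-example
vaults:
  client:
    type: filesystem
    options:
      trust:
        store: truststore.p12                   # assumed store with the upstream CA cert only
        type: pkcs12
        password: ${{env.TRUSTSTORE_PASSWORD}}  # assumed env lookup
bindings:
  tcp_server:
    type: tcp
    kind: server
    options:
      host: 127.0.0.1             # cleartext listener kept local on purpose
      port: 8080
    exit: tls_client
  tls_client:
    type: tls
    kind: client
    vault: client                 # trust anchors come from this vault
    exit: upstream_default        # default exit when no route matches
    options:
      trust:
        - upstreamca              # assumed alias of the CA certificate in the vault
      sni:
        - upstream.example.com    # server_name sent in the ClientHello
        - api.example.com
      alpn:
        - http/1.1                # protocol offered to the upstream
    routes:
      - when:
          - authority: api.example.com   # tls hostname authority of the stream
        exit: upstream_api
  upstream_default:
    type: tcp
    kind: client                  # assumed: carries the encrypted bytes to the upstream
    options:
      host: upstream.example.com
      port: 443
  upstream_api:
    type: tcp
    kind: client
    options:
      host: api.example.com
      port: 443
```

Pinning trust to a single private CA in the vault, rather than trusting every CA the host knows, is the safer default for an internal upstream: a certificate mis-issued by any other CA then fails verification. The tradeoff is that rotating the CA means updating the truststore, so keep that in the deployment runbook.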
```yaml
tls_client:
  type: tls
  kind: client
```
proxy
The proxy kind tls binding reads the server_name extension from the TLS ClientHello and routes the connection by that name, which provides TLS virtual hosting in front of several TLS endpoints.
A vault is not required: the proxy never terminates TLS. It only observes the ClientHello read-only as the handshake passes through, and the encrypted stream is forwarded unchanged to the exit binding, where the handshake actually completes. Because that routing decision rests on a client-supplied field that has not yet been authenticated, the proxy is a dispatching layer, not an authorization boundary; each exit must still authenticate the client itself.
```yaml
tls_proxy:
  type: tls
  kind: proxy
```
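An added example, not from the Zilla documentation or the Zilla project, of SNI-based virtual hosting with a tls proxy binding: one listener on port 443 dispatches to two TLS backends by server name, with a fallback exit for ClientHellos that carry no matching name. No vault appears anywhere because nothing here terminates TLS. The tcp bindings, hostnames and ports are assumptions for illustration.

```yaml
# Added example (not from the Zilla docs): SNI virtual hosting, TLS passthrough.
# Assumed: tcp bindings, hostnames and ports.
name: tls-proxy-example
bindings:
  tcp_server:
    type: tcp
    kind: server
    options:
      host: 0.0.0.0
      port: 443
    exit: tls_proxy
  tls_proxy:
    type: tls
    kind: proxy                 # reads ClientHello server_name only; bytes pass through unchanged
    exit: default_backend       # ClientHellos with no matching server_name (or none at all)
    routes:
      - when:
          - authority: app.example.com
        exit: app_backend
      - when:
          - authority: api.example.com
        exit: api_backend
  app_backend:
    type: tcp
    kind: client                # assumed: the TLS handshake completes at this host
    options:
      host: app.internal
      port: 8443
  api_backend:
    type: tcp
    kind: client
    options:
      host: api.internal
      port: 8443
  default_backend:
    type: tcp
    kind: client                # assumed: a host that serves a generic certificate
    options:
      host: fallback.internal
      port: 8443
```

To verify the dispatch, run `openssl s_client -connect <proxy-host>:443 -servername app.example.com` and then again with `-servername api.example.com`: since the proxy does not terminate TLS, the certificate shown in each case is the backend's own, so a mismatch points at a route, not at key material on the proxy. Expect two limits of this design: a client whose ClientHello omits server_name (or encrypts it) can only ever reach default_backend, and because no ALPN negotiation happens at the proxy, routes here can only use the hostname authority.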
