Reference

tls

  • Default value: n/a
  • Hot reloadable: Yes

Values

Type | Description | Choices
object | An object with a set of explicit properties that can be set. | -

Properties

Name | Description | Type | Default
cert_file | TLS certificate file. | string | -
key_file | TLS certificate key file. | string | -
ca_file | TLS certificate authority file. Defaults to the system trust store. | string | -
cipher_suites | When set, only the specified TLS cipher suites will be allowed. Values must match the Go version used to build the server. | string | -
curve_preferences | List of TLS curves to use, in order of preference. | string | -
insecure | Skip certificate verification. This only applies to outgoing connections, NOT incoming client connections. Not recommended. | boolean | -
timeout | TLS handshake timeout. | duration | 500ms
verify | If true, require and verify client certificates. Does not apply to monitoring. | boolean | false
verify_and_map | If true, require and verify client certificates and map certificate values for authentication. Does not apply to monitoring. | boolean | false
verify_cert_and_check_known_urls | Only used in a non-client context where verify is true, such as cluster and gateway configurations. The incoming connection's certificate x509v3 Subject Alternative Name DNS entries are matched against all URLs. If a match is found, the connection is accepted; otherwise it is rejected. For gateways, the server matches all names in the certificate against the gateway URLs. For clusters, the server matches all names in the certificate against the route URLs. A consequence of this is that dynamic cluster growth may require config changes in other clusters where this option is true. DNS name checking is performed according to RFC 6125. Only the full wildcard is supported for the leftmost domain label. | boolean | -
connection_rate_limit | | integer | -
pinned_certs | List of hex-encoded SHA256 fingerprints of DER-encoded public keys. When present, the fingerprint of the certificate presented during the TLS handshake must appear in the list; otherwise the connection is closed. | string | -
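The pinned_certs value is a SHA256 over the certificate's DER-encoded SubjectPublicKeyInfo, not over the whole certificate. The following Go code is an added example (not part of the NATS documentation or server code) that derives that value from a parsed certificate and applies the accept/reject rule the property describes; the self-signed certificate it builds is constructed test material, and the function names are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"math/big"
	"strings"
	"time"
)

// PublicKeyFingerprint returns the hex-encoded SHA256 of the certificate's
// DER-encoded SubjectPublicKeyInfo, the value format a pinned_certs entry takes.
func PublicKeyFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// IsPinned reports whether the certificate's public-key fingerprint appears in
// the pinned list (hex compared case-insensitively); a certificate that is not
// in the list would have its connection closed during the TLS handshake.
func IsPinned(cert *x509.Certificate, pinned []string) bool {
	fp := PublicKeyFingerprint(cert)
	for _, p := range pinned {
		if strings.EqualFold(strings.TrimSpace(p), fp) {
			return true
		}
	}
	return false
}

// SelfSignedCert builds a throwaway ECDSA certificate in memory: constructed
// test material standing in for a client's certificate, not a deployment cert.
func SelfSignedCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

To produce the entry for a real certificate file, load it with x509.ParseCertificate and pass it to PublicKeyFingerprint; the same value can be cross-checked with `openssl x509 -in cert.pem -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256`.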