SSL/TLS Termination

Optional SSL/TLS termination in Qpoint Proxy allows the proxy to inject Middleware Stacks for various purposes such as deep packet inspection (DPI), metrics collection, performance recording, and other custom functionalities using WebAssembly (WASM) modules.

Configuration File Structure for SSL/TLS Termination

SSL/TLS termination settings are specified under the global proxy settings or individual endpoint configurations.

Global Settings

Define the global CA certificate and key used for terminating SSL and enabling Middleware Stack functionality.

proxy:
  tls_ca_crt: "PEM or file://"  # Path or inline CA certificate
  tls_ca_key: "PEM or file://"  # Path or inline CA key
  ...

  • tls_ca_crt: Specifies the CA certificate in PEM format or as a file path.

  • tls_ca_key: Specifies the CA private key in PEM format or as a file path.

  • default_domain_action: Sets the default action for domain requests not explicitly defined in the endpoints section.

Endpoint Settings

For each endpoint, you can specify SSL/TLS certificates and keys. These settings override the global settings if defined.

endpoints:
  - domain: "api.example.com"
    action: DENY
    allow:
      - ip: 172.17.0.1
    cert:
      ca: "PEM or file://"  # Inline or path to CA certificate
      crt: "PEM or file://"  # Inline or path to domain certificate
      key: "PEM or file://"  # Inline or path to private key
    stack: complete  # Optional: Reference to a middleware stack

  • domain: The specific domain to which the rule applies.

  • action: Default action for this domain (ALLOW or DENY).

  • allow/deny: Conditions to override the default action based on IP addresses, user credentials, or JWT claims.

  • cert: SSL/TLS certificate configurations for the endpoint.

    • ca: Path or inline CA certificate for the endpoint.

    • crt: Path or inline server certificate for the endpoint.

    • key: Path or inline private key for the endpoint.

  • stack: Name of a middleware stack to apply additional processing (optional).

Examples of SSL/TLS Termination Configurations

Without SSL/TLS Termination & Without Stack

This configuration does not use SSL/TLS termination and does not apply any middleware stack.

endpoints:
  - domain: "api.github.com"
    action: DENY
    allow:
      - ip: 172.17.0.1

With Global SSL/TLS Termination & With Stack

This configuration uses global CA certificate and key for SSL/TLS termination across all endpoints and applies a middleware stack for additional processing.

proxy:
  audit_logs: stdout # Where to publish Audit Logs
  tls_ca_crt: "PEM or file://global_ca_cert.pem"  # Path or inline CA certificate
  tls_ca_key: "PEM or file://global_ca_key.pem"  # Path or inline CA key
  default_domain_action: ALLOW
  
  endpoints:
    - domain: "api.example.com"
      action: DENY
      allow:
        - ip: 172.17.0.1
      stack: complete

With Endpoint-Specific SSL/TLS Termination & With Stack

This configuration uses specific certificates and keys for each endpoint, overriding the global settings, and applies a middleware stack for additional processing.

proxy:
  audit_logs: stdout # Where to publish Audit Logs
  default_domain_action: ALLOW
  
  endpoints:
    - domain: "api.github.com"
      action: DENY
      allow:
        - ip: 172.17.0.1
      cert:
        ca: "PEM or file://"  # Path or inline CA certificate
        crt: "PEM or file://"  # Path or inline domain certificate
        key: "PEM or file://"  # Path or inline private key
      stack: complete # Reference to a middleware stack

Last updated