Server Encryption, TLS & SSL
Vaults can be used by specific protocol bindings, such as tls, to negotiate shared encryption keys. Adding the necessary routing logic and encryption keys takes only a few lines of configuration.
The filesystem vault below shows how a pkcs12 keystore on the host is made available to the Zilla runtime, with the keystore password read from an environment variable rather than written into the configuration file. The tls binding can then use this keystore to decrypt incoming traffic.
```yaml
vaults:
  my_servers:
    type: filesystem
    options:
      keys:
        store: my_servers.p12
        type: pkcs12
        password: ${{env.KEYSTORE_PASSWORD}}
```
The tcp binding can be configured for both encrypted and unencrypted traffic on separate ports. Take the SSL example with ports 80 and 443: the tcp routes send port 80 traffic straight to the http binding and port 443 traffic to the tls binding, which exits to the same http binding once the traffic is decrypted. In the tls binding, the keys option lists the certificate aliases that are looked up in the vault's keystore, and the sni option lists the Server Name Indication values accepted as SSL server names during the handshake. These will likely be the same. Since this example is over http, the Application-Layer Protocol Negotiation (alpn) option will need to handle both HTTP/1.1 and HTTP/2, but the tls binding can be configured for any of the alpn protocols supported by Zilla.
```yaml
bindings:
  tcp_server:
    type: tcp
    kind: server
    options:
      host: 0.0.0.0
      port:
        - 80
        - 443
    routes:
      - when:
          - port: 80
        exit: http_server
      - when:
          - port: 443
        exit: tls_server
  tls_server:
    type: tls
    kind: server
    vault: my_servers
    options:
      keys:
        - my_server.com
      sni:
        - my_server.com
      alpn:
        - http/1.1
        - h2
    exit: http_server
```
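The configuration above assumes a my_servers.p12 keystore already exists on the host with a certificate stored under the alias my_server.com. The script below is an added example, not part of the Zilla docs or the Zilla project: it builds that keystore with openssl, takes the export password from the same KEYSTORE_PASSWORD environment variable the vault reads, and checks that the alias the tls binding's keys option refers to is really present before Zilla is pointed at the file. The self-signed certificate, the default password and the WORKDIR location are constructed for local testing only.

```shell
#!/bin/sh
# Added example (not from the Zilla docs): create the PKCS#12 keystore that the
# filesystem vault loads and verify the alias the tls binding expects.
set -eu

# Constructed default so the script runs stand-alone; in a real deployment the
# password is supplied by the environment and never written into zilla.yaml.
: "${KEYSTORE_PASSWORD:=example-only-password}"
export KEYSTORE_PASSWORD

WORKDIR="${WORKDIR:-$(mktemp -d)}"   # assumption: scratch directory for the generated files

# Build a self-signed certificate for the SNI hostname and package it as PKCS#12.
# The -name value becomes the PKCS#12 friendlyName, which is the alias Zilla
# looks up from options.keys; it should match the sni entry as well.
make_keystore() {
  alias="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=$alias" -addext "subjectAltName=DNS:$alias" \
    -keyout "$WORKDIR/$alias.key" -out "$WORKDIR/$alias.crt" 2>/dev/null
  # env: passes the password via the environment, keeping it out of the
  # process list and shell history.
  openssl pkcs12 -export -name "$alias" \
    -in "$WORKDIR/$alias.crt" -inkey "$WORKDIR/$alias.key" \
    -out "$WORKDIR/my_servers.p12" -passout env:KEYSTORE_PASSWORD
}

# Print "yes" if the keystore holds a certificate under the given alias, else "no".
keystore_has_alias() {
  if openssl pkcs12 -in "$WORKDIR/my_servers.p12" -nokeys -info \
       -passin env:KEYSTORE_PASSWORD 2>/dev/null | grep -q "friendlyName: $1\$"; then
    echo yes
  else
    echo no
  fi
}

make_keystore my_server.com
keystore_has_alias my_server.com   # yes
keystore_has_alias other.example   # no
```

A "no" for the alias named under keys means the tls binding will have no certificate to present for that server name, so this check is worth running before starting Zilla.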