.. _config_cluster_manager_cluster_ssl:

TLS context
===========

.. code-block:: json

  {
    "alpn_protocols": "...",
    "cert_chain_file": "...",
    "private_key_file": "...",
    "ca_cert_file": "...",
    "verify_certificate_hash": "...",
    "verify_subject_alt_name": [],
    "cipher_suites": "...",
    "ecdh_curves": "...",
    "sni": "..."
  }

alpn_protocols
  *(optional, string)* Supplies the list of ALPN protocols that connections should request. In
  practice this is likely to be set to a single value or not set at all:

  * "h2": if upstream connections should use HTTP/2. In the current implementation this must be set
    alongside the *http2* cluster :ref:`features <config_cluster_manager_cluster_features>` option.
    The two options together will use ALPN to tell a server that expects ALPN that Envoy supports
    HTTP/2. Then the *http2* feature will cause new connections to use HTTP/2.

cert_chain_file
  *(optional, string)* The certificate chain file that should be served by the connection. This is
  used to provide a client side TLS certificate to an upstream host.

private_key_file
  *(optional, string)* The private key that corresponds to the certificate chain file.

ca_cert_file
  *(optional, string)* A file containing certificate authority certificates to use in verifying
  a presented server certificate.

verify_certificate_hash
  *(optional, string)* If specified, Envoy will verify (pin) the hash of the presented server
  certificate.

verify_subject_alt_name
  *(optional, array)* An optional list of subject alt names. If specified, Envoy will verify
  that the server certificate's subject alt name matches one of the specified values.

cipher_suites
  *(optional, string)* If specified, the TLS connection will only support the specified `cipher list
  <https://commondatastorage.googleapis.com/chromium-boringssl-docs/ssl.h.html#Cipher-suite-configuration>`_.
  If not specified, the default list:

  .. code-block:: none

    [ECDHE-ECDSA-AES128-GCM-SHA256|ECDHE-ECDSA-CHACHA20-POLY1305]
    [ECDHE-RSA-AES128-GCM-SHA256|ECDHE-RSA-CHACHA20-POLY1305]
    ECDHE-ECDSA-AES128-SHA256
    ECDHE-RSA-AES128-SHA256
    ECDHE-ECDSA-AES128-SHA
    ECDHE-RSA-AES128-SHA
    AES128-GCM-SHA256
    AES128-SHA256
    AES128-SHA
    ECDHE-ECDSA-AES256-GCM-SHA384
    ECDHE-RSA-AES256-GCM-SHA384
    ECDHE-ECDSA-AES256-SHA384
    ECDHE-RSA-AES256-SHA384
    ECDHE-ECDSA-AES256-SHA
    ECDHE-RSA-AES256-SHA
    AES256-GCM-SHA384
    AES256-SHA256
    AES256-SHA

  will be used.

ecdh_curves
  *(optional, string)* If specified, the TLS connection will only support the specified ECDH curves.
  If not specified, the default curves (X25519, P-256) will be used.

sni
  *(optional, string)* If specified, the string will be presented as the SNI during the TLS
  handshake.
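As an added example that is not part of the Envoy documentation or code base, the following Python lint applies the rules stated above to a cluster's TLS context object before it is deployed: the ``lint_ssl_context`` function, its finding messages and the constructed sample file paths are assumptions made for this example.

```python
"""Lint an Envoy v1 cluster ``ssl_context`` against the rules in the TLS
context documentation above. Added example: ``lint_ssl_context``, its
finding strings and the sample file paths are hypothetical, not Envoy's."""
import json

# The keys documented on this page; anything else is a typo or a key from
# another API version and would not have the effect the author expects.
KNOWN_KEYS = {
    "alpn_protocols", "cert_chain_file", "private_key_file", "ca_cert_file",
    "verify_certificate_hash", "verify_subject_alt_name", "cipher_suites",
    "ecdh_curves", "sni",
}

def lint_ssl_context(ssl_context, features=""):
    """Return a list of findings (empty means clean). ``features`` is the
    cluster's comma-separated features string (e.g. "http2")."""
    findings = []
    for key in ssl_context:
        if key not in KNOWN_KEYS:
            findings.append(f"unknown key {key!r}")
    # "h2" via ALPN only takes effect together with the http2 cluster feature.
    alpn = ssl_context.get("alpn_protocols", "").split(",")
    if "h2" in alpn and "http2" not in features.split(","):
        findings.append("alpn_protocols requests h2 but cluster features lack http2")
    # A client certificate is only usable with its matching private key.
    if ("cert_chain_file" in ssl_context) != ("private_key_file" in ssl_context):
        findings.append("cert_chain_file and private_key_file must be set together")
    # Without a CA file, a pinned hash or a SAN list the upstream server's
    # certificate is not verified; this lint treats that as a finding (assumption).
    verify_keys = ("ca_cert_file", "verify_certificate_hash", "verify_subject_alt_name")
    if not any(k in ssl_context for k in verify_keys):
        findings.append("no server certificate verification configured")
    return findings

# Constructed samples: an upstream cluster that should speak HTTP/2 over TLS.
WEAK = json.loads("""{
  "alpn_protocols": "h2",
  "cert_chain_file": "/etc/envoy/client.crt",
  "sni": "api.internal.example"
}""")
HARDENED = json.loads("""{
  "alpn_protocols": "h2",
  "cert_chain_file": "/etc/envoy/client.crt",
  "private_key_file": "/etc/envoy/client.key",
  "ca_cert_file": "/etc/envoy/upstream-ca.crt",
  "verify_subject_alt_name": ["api.internal.example"],
  "sni": "api.internal.example"
}""")
```

Running ``lint_ssl_context(WEAK)`` reports the missing http2 feature, the unpaired client certificate and the absent server verification, while ``lint_ssl_context(HARDENED, features="http2")`` is clean.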