TLS

Hint

Looking for mutual TLS? Check out the mTLS documentation.

TLS termination

Whenever possible, we’re doing TLS termination on our proxies.

However, there are some reasons why we can’t terminate TLS on the Proxy:

  • The protocol isn’t supported

  • ALPN is used during the handshake

  • The upstream service validates the certificate itself (e.g. against a certificate authority)

Hint

Right now, we mostly use our Proxy to do TLS termination for HTTPS.

TLS certificates

The renewal of TLS certificates is fully automated: the Proxy obtains and renews them via ACME from Let’s Encrypt.

Where the TLS termination isn’t possible via Proxy, we’re leveraging xtraktr to automatically extract the TLS certificates.

Hint

We prefer the TLS-ALPN-01 challenge, but also use HTTP-01 for mTLS services. For wildcard certificates, we’re using the DNS-01 challenge.
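To verify that the automation above is actually doing its job, a small check of what a service presents on the wire is useful: who issued the certificate (Let’s Encrypt vs. our own CA), how long it is still valid, and whether ALPN was negotiated (one of the cases in which the Proxy cannot terminate TLS). The script below is an added example, not code from this page or from the CA project; it uses only the Python standard library, and the sample certificate dict and the 30-day threshold are constructed assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "svc.example.internal"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),), (("commonName", "R3"),)),
    "notAfter": "Jun  1 12:00:00 2025 GMT",
}

# Hypothetical threshold: ACME clients renew well before this, so less means automation is stuck.
RENEWAL_WARN_DAYS = 30


def summarize_cert(cert, alpn, now=None):
    """Reduce a getpeercert() dict plus the negotiated ALPN protocol to the fields
    worth monitoring: issuer, remaining validity, and whether ALPN was negotiated."""
    now = now or datetime.now(timezone.utc)
    # issuer is a tuple of RDNs, each a tuple of (attribute, value) pairs; flatten it
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    days_left = (not_after - now).days
    return {
        "issuer_org": issuer.get("organizationName", ""),
        "issuer_cn": issuer.get("commonName", ""),
        "days_left": days_left,
        "renewal_overdue": days_left < RENEWAL_WARN_DAYS,
        "alpn": alpn,
    }


def probe(host, port=443, alpn=("h2", "http/1.1"), timeout=5.0):
    """Handshake with a live service (needs network) and summarize its certificate.
    Certificate validation uses the system trust store, so private-CA services need
    that CA loaded into the context first."""
    ctx = ssl.create_default_context()
    ctx.set_alpn_protocols(list(alpn))
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return summarize_cert(tls.getpeercert(), tls.selected_alpn_protocol())


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else summarize_cert(SAMPLE_CERT, "h2"))
```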

Certificate authority

We’re running our own CA (certificate authority) for the following purposes:

  1. To create certificates for our privately hosted services

  2. To create client certificates for mTLS

Note

The deployment and all documentation for the CA can be found in the GitLab CA project.