TCP services

TCP service are special kind of otoroshi services meant to proxy pure TCP connections (ssh, database, http, etc)

Global information

• Id: generated unique identifier
• TCP service name: the name of your TCP service
• Enabled: enable and disable the service
• TCP service port: the listening port
• TCP service interface: network interface listen by the service
• Tags: list of tags associated to the service
• Metadata: list of metadata associated to the service

TLS

this section controls the TLS exposition of the service

• TLS mode
  • Disabled: no TLS
  • PassThrough: as the target exposes TLS, the call will pass through otoroshi and use target TLS
  • Enabled: the service will be exposed using TLS and will chose certificate based on SNI
• Client Auth.
  • None no mTLS needed to pass
  • Want pass with or without mTLS
  • Need need mTLS to pass

Server Name Indication (SNI)

this section control how SNI should be treated

• SNI routing enabled: if enabled, the server will use the SNI hostname to determine which certificate to present to the client
• Forward to target if no SNI match: if enabled, a call without any SNI match will be forward to the target
• Target host: host of the target called if no SNI
• Target ip address: ip of the target called if no SNI
• Target port: port of the target called if no SNI
• TLS call: encrypt the communication with TLS

Rules

for any listening TCP proxy, it is possible to route to multiple targets based on SNI or extracted http host (if proxying http)

• Matching domain name: regex used to filter the list of domains where the rule will be applied
• Target host: host of the target
• Target ip address: ip of the target
• Target port: port of the target
• TLS call: enable this flag if the target is exposed using TLS