TLS (Backend)
| Block name | Context | Label |
|---|---|---|
| tls | Backend Block | no |
Couper has a command-line argument that adds a ca-file to the backend CA pool for all backends.
The tls block allows a more specific pool configuration per backend when server_ca_certificate or
server_ca_certificate_file is provided.
mTLS
Additionally, the client_certificate (or client_certificate_file) and client_private_key (or client_private_key_file)
attributes allow the backend to present a certificate and key during the TLS handshake to an origin that requires them because of an mTLS setup.
Example
```hcl
backend "secured" {
  origin = "https://localhost"

  tls {
    server_ca_certificate_file = "rootCA.crt"

    # optional
    client_certificate_file = "client.crt"
    client_private_key_file = "client.key"
  }
}
```
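What the two halves of this block change during a handshake can be seen in the following added example, which is not part of Couper or its documentation and uses Go's standard library rather than Couper itself. A constructed test origin requires client certificates, and the client's trust pool and client certificate are toggled; the function name `Handshake` and its parameters are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

// Handshake: trustCA stands in for server_ca_certificate, sendCert for client_certificate + client_private_key.
func Handshake(trustCA, sendCert bool) error {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tpl := &x509.Certificate{ // constructed self-signed client certificate, pinned by the origin below
		SerialNumber: big.NewInt(1), NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tpl, tpl, pub, key)
	leaf, err := x509.ParseCertificate(der) // also fails if creation returned no DER
	if err != nil {
		return err
	}
	clientCAs := x509.NewCertPool()
	clientCAs.AddCert(leaf)
	origin := httptest.NewUnstartedServer(http.NotFoundHandler())
	origin.TLS = &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientCAs}
	origin.StartTLS() // httptest supplies its own self-signed server certificate
	defer origin.Close()
	cfg := &tls.Config{} // nil RootCAs: only the system CA pool is trusted
	if trustCA {
		cfg.RootCAs = x509.NewCertPool()
		cfg.RootCAs.AddCert(origin.Certificate())
	}
	if sendCert {
		cfg.Certificates = []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}
	}
	res, err := (&http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}).Get(origin.URL)
	if err == nil {
		res.Body.Close()
	}
	return err
}

func main() {
	fmt.Println(Handshake(true, true), Handshake(true, false), Handshake(false, true))
}
```

Only the first call succeeds: without the client certificate the origin rejects the connection, and without the origin's certificate in the trust pool the client rejects the origin.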
Attributes
| Name | Type | Default | Description |
|---|---|---|---|
| client_certificate | string | - | Public part of the client certificate in DER or PEM format. Mutually exclusive with |
| client_certificate_file | string | - | Reference to a file containing the public part of the client certificate file in DER or PEM format. Mutually exclusive with |
| client_private_key | string | - | Private part of the client certificate in DER or PEM format. Required to complete an mTLS handshake. Mutually exclusive with |
| client_private_key_file | string | - | Reference to a file containing the private part of the client certificate file in DER or PEM format. Required to complete an mTLS handshake. Mutually exclusive with |
| server_ca_certificate | string | - | Public part of the certificate authority in DER or PEM format. Mutually exclusive with |
| server_ca_certificate_file | string | - | Reference to a file containing the public part of the certificate authority file in DER or PEM format. Mutually exclusive with |