slt is a dead-simple TLS reverse-proxy with SNI multiplexing (TLS virtual hosts).
That means you can send TLS/SSL connections for multiple different applications to the same port and forward them all to the appropriate backend hosts depending on the intended destination.
slt multiplexes connections to a single TLS port by inspecting the name in the SNI extension field of each connection.
You configure slt with a simple YAML configuration file:
bind_addr: ":443"
frontends:
v1.example.com:
backends:
-
addr: ":4443"
v2.example.com:
backends:
-
addr: "192.168.0.2:443"
-
addr: "192.168.0.1:443"
Sometimes, you don't actually want to terminate the TLS traffic, you just want to forward it elsewhere. slt only terminates the TLS traffic if you specify a private key and certificate file like so:
frontends:
v1.example.com:
tls_key: /path/to/v1.example.com.key
tls_crt: /path/to/v1.example.com.crt
You can restrict a frontend to only forward connections that advertise a specific ALPN protocol. If alpn is not specified, all connections are forwarded regardless of ALPN (default behavior).
Single ALPN:
frontends:
v1.example.com:
alpn: h2
backends:
-
addr: ":5443"
Multiple ALPNs:
frontends:
v1.example.com:
alpn:
- h2
- http/1.1
backends:
-
addr: ":5443"
Connections whose ClientHello does not contain any of the configured ALPN protocols will be rejected.
slt performs simple round-robin load balancing when more than one backend is available (other strategies will be available in the future):
frontends:
v1.example.com:
backends:
-
addr: ":8080"
-
addr: ":8081"
Running slt is also simple. It takes a single argument, the path to the configuration file:
./slt /path/to/config.yml
Just cd into the directory and "go build". It requires Go 1.1+.
goreleaser build --snapshot --clean
Just cd into the directory and "go test".
I run slt in production handling hundreds of thousands of connections daily.
Apache