
TLS

The [tls] section configures server-side TLS: certificate paths, ALPN, TLS version bounds, cipher suites, curves, session resumption, and mTLS client certificate trust. It is static: changing any of it requires a restart. The one exception is the contents of the certificate and key files, which can be reloaded in place where the implementation watches those paths; the paths themselves still require a restart.

Scope: the proxy uses one certificate and key per process. Per-SNI (multiple certificates by server name) is not implemented. The feature is out of scope for this proxy, not a temporary gap.

```yaml
tls:
  cert_path: "/config/certs/server.crt"
  key_path: "/config/certs/server.key"
  alpn:
    - "h2"
    - "http/1.1"
```

Use [tls.options] for allowed TLS versions, cipher suites, and curve preferences. Each list is an allowlist in preference order; a suite or curve that is not listed is never negotiated, so a version you enable must have at least one suite that applies to it (TLS13_* suites for 1.3, TLS_ECDHE_* suites for 1.2).

```yaml
tls:
  options:
    versions:
      - "1.2"
      - "1.3"
    cipher_suites:
      - "TLS13_AES_128_GCM_SHA256"
      - "TLS13_AES_256_GCM_SHA384"
      - "TLS13_CHACHA20_POLY1305_SHA256"
      - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
      - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
    curve_preferences:
      - "X25519"
      - "secp256r1"
      - "secp384r1"
```

See the examples directory in the repository for full files such as config/compose.toml / compose.yaml.

Omit [tls.client_auth] to disable mTLS client-certificate verification. When it is present with `required`, every client must present a certificate that chains to a CA in `ca_cert_path`; connections without one are rejected during the handshake. Static: changing it requires a restart.

```yaml
tls:
  client_auth:
    required:
      ca_cert_path: "/config/certs/ca.crt"
```

[tls.session_resumption] enables server-side session caching; `max_sessions` caps the number of cached sessions, so older entries are evicted once the cap is reached.

```yaml
tls:
  session_resumption:
    enabled: true
    max_sessions: 256
```
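The settings above are easy to get subtly wrong: enabling a TLS version without a suite that applies to it, or listing a non-AEAD suite that silently weakens every connection. The following lint is an added example, not the proxy's own code. It assumes the [tls] section has already been loaded into a dict with the same shape as the YAML on this page (rustls-style suite names, `client_auth.required.ca_cert_path`); the policy it enforces (AEAD-only, forward-secret suites, TLS 1.2 and 1.3 only, the three curves shown above) is this example's assumption and both sample configs are constructed here.

```python
"""Lint a proxy [tls] section before deploying it.

Added example, not the proxy's own code. Assumes the config is a dict shaped
like the YAML on this page; the policy thresholds are this example's choice.
"""
import re

# TLS 1.3 suites carry no key-exchange in the name; TLS 1.2 suites must be
# ECDHE (forward secrecy) with an AEAD cipher. Anything else is flagged.
_TLS13_SUITE = re.compile(
    r"^TLS13_(AES_(128|256)_GCM_SHA(256|384)|CHACHA20_POLY1305_SHA256)$")
_TLS12_SUITE = re.compile(
    r"^TLS_ECDHE_(ECDSA|RSA)_WITH_(AES_(128|256)_GCM_SHA(256|384)|CHACHA20_POLY1305_SHA256)$")
_ALLOWED_VERSIONS = {"1.2", "1.3"}
_ALLOWED_CURVES = {"X25519", "secp256r1", "secp384r1"}


def lint_tls(tls: dict) -> list:
    """Return a list of findings; an empty list means the section passes."""
    findings = []
    if not tls.get("cert_path") or not tls.get("key_path"):
        findings.append("cert_path and key_path are both required")

    opts = tls.get("options", {})
    versions = set(opts.get("versions", []))
    for v in sorted(versions - _ALLOWED_VERSIONS):
        findings.append(f"version {v} is not allowed; use 1.2 and/or 1.3")

    suites = opts.get("cipher_suites", [])
    for s in suites:
        if not (_TLS13_SUITE.match(s) or _TLS12_SUITE.match(s)):
            findings.append(f"cipher suite {s} is not ECDHE+AEAD; drop it")
    # An explicit suite list that leaves an enabled version with no usable
    # suite means every handshake for that version fails at runtime.
    if suites and "1.3" in versions and not any(_TLS13_SUITE.match(s) for s in suites):
        findings.append("TLS 1.3 is enabled but no TLS13_* suite is listed")
    if suites and "1.2" in versions and not any(_TLS12_SUITE.match(s) for s in suites):
        findings.append("TLS 1.2 is enabled but no TLS_ECDHE_* suite is listed")

    for c in opts.get("curve_preferences", []):
        if c not in _ALLOWED_CURVES:
            findings.append(f"curve {c} is not in the approved set")

    # mTLS: a client_auth block is only meaningful with a trust anchor.
    ca = tls.get("client_auth")
    if ca is not None:
        nested = [v.get("ca_cert_path") for v in ca.values() if isinstance(v, dict)]
        if not any(nested) and not ca.get("ca_cert_path"):
            findings.append("client_auth is set but no ca_cert_path is given")

    sr = tls.get("session_resumption", {})
    if sr.get("enabled") and not (isinstance(sr.get("max_sessions"), int)
                                  and sr["max_sessions"] > 0):
        findings.append("session_resumption.enabled needs a positive max_sessions")
    return findings


# Constructed sample: the configuration shown on this page, merged into one dict.
PAGE_CONFIG = {
    "cert_path": "/config/certs/server.crt",
    "key_path": "/config/certs/server.key",
    "alpn": ["h2", "http/1.1"],
    "options": {
        "versions": ["1.2", "1.3"],
        "cipher_suites": [
            "TLS13_AES_128_GCM_SHA256",
            "TLS13_AES_256_GCM_SHA384",
            "TLS13_CHACHA20_POLY1305_SHA256",
            "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
            "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        ],
        "curve_preferences": ["X25519", "secp256r1", "secp384r1"],
    },
    "client_auth": {"required": {"ca_cert_path": "/config/certs/ca.crt"}},
    "session_resumption": {"enabled": True, "max_sessions": 256},
}

# Constructed sample: a weakened copy with the mistakes the lint is meant to catch.
WEAK_CONFIG = {
    "cert_path": "/config/certs/server.crt",
    "key_path": "/config/certs/server.key",
    "options": {
        "versions": ["1.0", "1.2"],
        "cipher_suites": ["TLS_RSA_WITH_AES_128_CBC_SHA",
                          "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"],
        "curve_preferences": ["secp256k1", "X25519"],
    },
    "client_auth": {"required": {}},
}

if __name__ == "__main__":
    for name, cfg in (("page", PAGE_CONFIG), ("weak", WEAK_CONFIG)):
        print(name, lint_tls(cfg) or "OK")
```

Run it against the loaded config in CI before the proxy restarts; the weak sample yields four findings (an obsolete version, a CBC suite with RSA key exchange, an unapproved curve, and a client_auth block without a trust anchor) while the page's configuration passes. After deployment, confirm the result end to end with `openssl s_client -connect host:443 -alpn h2 -tls1_3` and again with `-tls1_2`, and check that a client without a certificate is refused when `client_auth` is set.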