SSL/TLS for incoming connections

Automatic configuration

Since v5.10.0 automatic configuration is very easy, proxy will generate TLS certificate and private key. Files (cert.pem and cert_key.pem) will be stored in current working directory or data directory (--data-dir). Once files generated TLS is ready to use, no additional configuration required, you can skip the remaining article, unless you need custom configuration. To disable automatic TLS configuration, use global config option "tls": false, or manually configure it.

Certificate

Best option is obtain trusted certificate from Let's Encrypt . If it is not possible you can use a self-signed certificate, created by yourself or generated by the proxy.

Bind

Example bind configuration:

"bind": [
    {
        "host": "0.0.0.0",
        "port": 443,
        "tls": true
    }
],

Command line equivalent is --tls-bind 0.0.0.0:443.

Since v5.10.0 meaning of tls option changed:

false TLS autodetection, was disable TLS, default if not specified.
true always use TLS.

Advanced TLS options

Example global tls configuration:

"tls": {
    "enabled": true,
    "cert": "/etc/letsencrypt/live/donate.ssl.xmrig.com/fullchain.pem",
    "cert_key": "/etc/letsencrypt/live/donate.ssl.xmrig.com/privkey.pem",
    "dhparam": "dhparam.pem",
    "protocols": null,
    "ciphers": null,
    "ciphersuites": null
},

Command line equivalent is --tls-cert /etc/letsencrypt/live/donate.ssl.xmrig.com/fullchain.pem --tls-cert-key /etc/letsencrypt/live/donate.ssl.xmrig.com/privkey.pem --tls-dhparam dhparam.pem.

Options cert and cert_key is required, you must property configure it to use TLS, dhparam is optional, but recommended to use for enhanced security. All other options for advanced usage only, usually don't need change it.

Options list

load TLS certificate chain from a file in the PEM format.

Syntax	`"tls": { "cert": file }` `--tls-cert file`
Default	`null`
Example	`"/etc/letsencrypt/live/<domain>/fullchain.pem"`
OpenSSL	SSL_CTX_use_certificate_chain_file

load TLS certificate private key from a file in the PEM format.

Syntax	`"tls": { "cert_key": file }` `--tls-cert-key file`
Default	`null`
Example	`"/etc/letsencrypt/live/<domain>/privkey.pem"`
OpenSSL	SSL_CTX_use_PrivateKey_file

load DH parameters for DHE ciphers from a file in the PEM format.

Syntax	`"tls": { "dhparam": file }` `--tls-dhparam file`
Default	`null`
Example	`"dhparam.pem"`
OpenSSL	SSL_CTX_set_tmp_dh

Optional, but recommended to use for enhanced security. Since v5.10.0 if do not specify this option, proxy will use builtin predefined DH parameters.
To generate your dhparam.pem file, run in the terminal: openssl dhparam -out dhparam.pem 2048

enable specified TLS protocols.

Syntax	`"tls": { "protocols": protocols }` `--tls-protocols protocols`
Default	`null`
Example	`"TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"`

The TLSv1.1 and TLSv1.2 parameters work only when OpenSSL 1.0.1 or higher is used.

The TLSv1.3 parameter works only when OpenSSL 1.1.1 built with TLSv1.3 support is used.

If protocol list not specified, OpenSSL defaults will be use. SSLv2 and SSLv3 is always disabled as unsecure.

set list of available ciphers (TLSv1.2 and below).

Syntax	`"tls": { "ciphers": ciphers }` `--tls-ciphers ciphers`
Default	`null`
Example	`"HIGH:!aNULL:!MD5"`
OpenSSL	SSL_CTX_set_cipher_list

set list of available TLSv1.3 ciphersuites.

Syntax	`"tls": { "ciphersuites": ciphersuites }` `--tls-ciphersuites ciphersuites`
Default	`null`
Example	`"TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"`
OpenSSL	SSL_CTX_set_ciphersuites

This option works only when OpenSSL 1.1.1 built with TLSv1.3 support is used.

SSL/TLS for incoming connections

Automatic configuration

Certificate

Bind

Advanced TLS options

Options list

cert load TLS certificate chain from a file in the PEM format.

cert_key load TLS certificate private key from a file in the PEM format.

dhparam load DH parameters for DHE ciphers from a file in the PEM format.

protocols enable specified TLS protocols.

ciphers set list of available ciphers (TLSv1.2 and below).